From 9786af2bcaaf0ba25c0a50c81c748a05793ec847 Mon Sep 17 00:00:00 2001
From: "Torne (Richard Coles)" <torne@google.com>
Date: Fri, 23 May 2014 11:01:58 +0100
Subject: [PATCH] Define SELinux policy for RELRO sharing support.

Define a domain and appropriate access rules for shared RELRO files
(used for loading the WebView native library). Any app is permitted to
read the files as they are public data, but only the shared_relro
process is permitted to create/update them.

Bug: 13005501
Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e
---
 app.te          |  4 ++++
 file.te         |  1 +
 file_contexts   |  1 +
 seapp_contexts  |  1 +
 shared_relro.te | 10 ++++++++++
 5 files changed, 17 insertions(+)
 create mode 100644 shared_relro.te

diff --git a/app.te b/app.te
index 7e53724b9..8318b1621 100644
--- a/app.te
+++ b/app.te
@@ -133,6 +133,10 @@ allow appdomain dalvikcache_data_file:file execute;
 # /data/dalvik-cache/profiles
 allow appdomain dalvikcache_profiles_data_file:file write;
 
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
 ###
 ### CTS-specific rules
 ###
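Review bot: The comment above the two added `allow appdomain shared_relro_file` rules should record that the grant is deliberately read-only, because `appdomain` covers every app domain and the commit message says these files are used when loading the WebView native library. A wording such as `# Read-only on purpose: every app consumes these files when loading the WebView library, so only shared_relro may write them.` would make the integrity assumption visible to whoever next edits this section. Since shared_relro.te calls `app_domain(shared_relro)`, the writer domain presumably picks up these read rules too, which is harmless but worth knowing when reading the policy.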
diff --git a/file.te b/file.te
index 00f158936..874f45f56 100644
--- a/file.te
+++ b/file.te
@@ -75,6 +75,7 @@ type media_data_file, file_type, data_file_type;
 type media_rw_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
 type radio_data_file, file_type, data_file_type;
+type shared_relro_file, file_type, data_file_type;
 type systemkeys_data_file, file_type, data_file_type;
 type vpn_data_file, file_type, data_file_type;
 type wifi_data_file, file_type, data_file_type;
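Review bot: Tagging `shared_relro_file` with `data_file_type` means any rule elsewhere in the policy that is written against that attribute also applies to these files, so nothing in this patch enforces the commit message's statement that only the shared_relro process may create or update them. Rules keyed on the attribute are not visible here, so this needs checking against the full policy. A build-time guard in shared_relro.te would pin the invariant, for example `neverallow { appdomain -shared_relro } shared_relro_file:file { write append create unlink rename setattr };`. Whether that compiles against the existing app domains, and whether non-app domains such as init need to be covered or excluded, has to be confirmed.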
diff --git a/file_contexts b/file_contexts
index b7d3cb1ed..c871d95c3 100644
--- a/file_contexts
+++ b/file_contexts
@@ -196,6 +196,7 @@
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
+/data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
diff --git a/seapp_contexts b/seapp_contexts
index 91cfe72af..57b443f7d 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -39,6 +39,7 @@ user=system domain=system_app type=system_app_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
+user=shared_relro domain=shared_relro
 user=shell domain=shell type=shell_data_file
 user=_isolated domain=isolated_app
 user=_app seinfo=platform domain=platform_app type=app_data_file
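Review bot: The added `user=shared_relro domain=shared_relro` line carries no `type=`, unlike the system-user entries around it (`bluetooth`, `nfc`, `radio`, `shell`), and nothing says whether that is intentional. If the process has no app data directory, as is presumably the case for the `_isolated` entry below it, a comment such as `# shared_relro has no data directory; it only writes /data/misc/shared_relro` would stop a later reader from "fixing" the omission. If it does get a data directory, the label those files receive without `type=` should be confirmed.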
diff --git a/shared_relro.te b/shared_relro.te
new file mode 100644
index 000000000..54bdbb9cd
--- /dev/null
+++ b/shared_relro.te
@@ -0,0 +1,10 @@
+# Process which creates/updates shared RELRO files to be used by other apps.
+type shared_relro, domain;
+
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
+
+# Grant write access to the shared relro files/directory.
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
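Review bot: `app_domain(shared_relro)` hands the full baseline app permission set to the one process that writes files every other app then reads, which is likely more than a RELRO generator needs. What the macro grants is not visible in this patch, so this is a question for the author rather than a confirmed problem. Because a compromise of this domain would affect every consumer of the files, it is worth recording the intent to narrow it, e.g. `# TODO: audit what app_domain() grants here and drop anything not needed to write /data/misc/shared_relro.` next to the macro call.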
-- 
GitLab