From b5ffbb7eeb55092350af3bf576c0092e240f8c60 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 7 Jan 2015 13:52:43 -0800
Subject: [PATCH] restore shared_relro functionality

Commit 92dfa31f7800ff9184e8525dfd471211c90b9d31 added "seinfo=platform"
to all fixed UID domains. However, that caused problems for shared_relro.
shared_relro runs like an isolated app, and doesn't have an seinfo field
associated with it.

This causes a crash when system_server attempts to start shared_relro.

  W art     : PreZygoteFork called when we already have a zygote space.
  E SELinux : seapp_context_lookup:  No match for app with uid 1037, seinfo (null), name WebViewLoader-armeabi-v7a
  E SELinux : selinux_android_setcontext:  Error setting context for app with uid 1037, seinfo (null): Success
  E Zygote  : selinux_android_setcontext(1037, 0, "(null)", "WebViewLoader-armeabi-v7a") failed
  F art     : art/runtime/jni_internal.cc:508] JNI FatalError called: RuntimeAbort
  I ActivityManager: Start proc WebViewLoader-armeabi-v7a [android.webkit.WebViewFactory$RelroFileCreator] for : pid=2717 uid=1037 gids={} abi=armeabi-v7a
  W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
  W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
  F art     : art/runtime/runtime.cc:331] Runtime aborting...
  F art     : art/runtime/runtime.cc:331] Aborting thread:
  F art     : art/runtime/runtime.cc:331] "main" prio=5 tid=1 Native
  F art     : art/runtime/runtime.cc:331]   | group="" sCount=0 dsCount=0 obj=0x7298f000 self=0xb4827800
  F art     : art/runtime/runtime.cc:331]   | sysTid=1176 nice=0 cgrp=default sched=0/0 handle=0xb6f22d80
  F art     : art/runtime/runtime.cc:331]   | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  F art     : art/runtime/runtime.cc:331]   | stack=0xbe39d000-0xbe39f000 stackSize=8MB
  F art     : art/runtime/runtime.cc:331]   | held mutexes= "abort lock" "mutator lock"(shared held)
  F art     : art/runtime/runtime.cc:331]   kernel: (couldn't read /proc/self/task/1176/stack)
  F art     : art/runtime/runtime.cc:331]   native: (backtrace::Unwind failed for thread 1176)
  F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.Zygote.nativeForkAndSpecialize(Native method)
  F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.Zygote.forkAndSpecialize(Zygote.java:91)
  F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:227)

Removing seinfo=platform from shared_relro fixed this bug, but then
revealed two new SELinux denials:

  E SELinux : avc:  denied  { find } for service=webviewupdate scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
  E SELinux : avc:  denied  { find } for service=activity scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

Add the needed SELinux rule.

Change-Id: I4372ccfe2e9f3d982796d2c0dc79259aa8a31810
---
 seapp_contexts  | 2 +-
 shared_relro.te | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/seapp_contexts b/seapp_contexts
index f92d11835..4469b7564 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -45,7 +45,7 @@ user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro seinfo=platform domain=shared_relro
+user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
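Review bot: the seapp_contexts hunk drops the seinfo=platform constraint for user=shared_relro with no comment explaining why, so the next reader will not know that this entry is intentionally different from the neighbouring fixed-UID entries (bluetooth, nfc, radio, shell) that still carry seinfo=platform. The commit message gives the reason (shared_relro is spawned like an isolated app, and the zygote passes seinfo (null), which can never match seinfo=platform), and that reasoning belongs next to the entry, along with the consequence: after this change the assignment to the shared_relro domain rests solely on the process running under the fixed shared_relro UID, not on the caller's signing-cert seinfo. A one-line comment above `user=shared_relro domain=shared_relro` stating that shared_relro has no seinfo, like the `user=_isolated` entry below it, would prevent someone from "fixing" it back to seinfo=platform and reintroducing the crash.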
diff --git a/shared_relro.te b/shared_relro.te
index 54bdbb9cd..8ad53d344 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -8,3 +8,6 @@ app_domain(shared_relro)
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
 allow shared_relro shared_relro_file:file create_file_perms;
+
+# Needs to contact the "webviewupdate" and "activity" services
+allow shared_relro system_server_service:service_manager find;
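Review bot: the comment in the shared_relro.te hunk says the domain needs the "webviewupdate" and "activity" services, but the rule `allow shared_relro system_server_service:service_manager find;` grants find on every service labelled system_server_service, which per the quoted denials is the label shared by both of those services and, by the type's name, by the rest of system_server's registered services as well. The grant is therefore broader than the comment describes; reword the comment to say it allows lookup of any system_server_service (the two named services are the ones observed in the denials), or, if finer-grained service labels become available, narrow the rule to those. As written, a reader of the comment would underestimate what this app-like domain can now look up.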
-- 
GitLab