From bacb19b9add0fede8627f8add24669500a0c4bb0 Mon Sep 17 00:00:00 2001
From: Robert Sesek <rsesek@google.com>
Date: Tue, 30 Jan 2018 10:54:33 -0500
Subject: [PATCH] SELinux changes to accomodate starting the webview_zygote as a child of the zygote.

In this architecture, the system_server instructs the zygote to fork a child-zygote to be the webview_zygote. The system_server tells this new zygote to listen for fork requests on a random abstract unix socket of its choosing.

A follow-up CL will remove the rules for starting webview_zygote via init.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it renders correctly via the WebView.

Change-Id: I864743943c11c18de386010ecd4b616721cb9954
---
 private/seapp_contexts | 1 +
 private/system_server.te | 1 +
 private/webview_zygote.te | 14 ++++++++++++--
 private/zygote.te | 5 +++--
 public/domain.te | 2 ++
 5 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1b929625c..45a6550cf 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -103,6 +103,7 @@ user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
+user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_isolated domain=isolated_app levelFrom=all
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/system_server.te b/private/system_server.te
index 5ae94096a..6d485ff1a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
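Review bot: The new `user=webview_zygote seinfo=webview_zygote domain=webview_zygote` entry has no comment, and it is what makes the zygote's setcon for the child resolve to webview_zygote rather than an app domain; a line above it such as `# Child zygote forked by zygote at system_server's request (b/63749735); seinfo is supplied by system_server.` would keep that visible to the next reader. The selector presumably matches only when the caller passes the webview_zygote uid together with seinfo=webview_zygote; with any other seinfo no entry in this file appears to match that uid, so the setcon would fail rather than land in an app domain — worth confirming against the zygote side. No levelFrom is given, so the child zygote runs at the default level like the shared_relro entry above it.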
@@ -36,6 +36,7 @@ allow system_server zygote:process sigchld;
 # May kill zygote on crashes.
 allow system_server zygote:process sigkill;
 allow system_server crash_dump:process sigkill;
+allow system_server webview_zygote:process sigkill;
 
 # Read /system/bin/app_process.
 allow system_server zygote_exec:file r_file_perms;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 9a3a7a35d..e0921127b 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -61,6 +61,15 @@ selinux_check_access(webview_zygote)
 # Directory listing in /system.
 allow webview_zygote system_file:dir r_dir_perms;
 
+# Read system properties managed by zygote.
+allow webview_zygote zygote_tmpfs:file read;
+# Child of zygote.
+allow webview_zygote zygote:fd use;
+allow webview_zygote zygote:process sigchld;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(webview_zygote, vendor_overlay_file)
+
 #####
 ##### Neverallow
 #####
@@ -75,9 +84,10 @@ neverallow webview_zygote { domain -crash_dump }:process transition;
 # Having said that, exec() above is not allowed.
 neverallow webview_zygote *:file execute_no_trans;
 
-# The only way to enter this domain is for init to exec() us.
+# The only way to enter this domain is for init to exec() us or the zygote
+# to fork a new webview_zygote child.
 neverallow { domain -init } webview_zygote:process transition;
-neverallow * webview_zygote:process dyntransition;
+neverallow { domain -zygote } webview_zygote:process dyntransition;
 
 # Disallow write access to properties.
 neverallow webview_zygote property_socket:sock_file write;
diff --git a/private/zygote.te b/private/zygote.te
index b59259106..43364ab39 100644
--- a/private/zygote.te
+++ b/private/zygote.te
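Review bot: `neverallow { domain -zygote } webview_zygote:process dyntransition;` in the second private/webview_zygote.te hunk, together with the unchanged `neverallow { domain -init } webview_zygote:process transition;`, leaves two entry paths into the domain open while the commit message says the init path is to be removed in a follow-up; pin that to the policy with `# TODO(b/63749735): tighten to neverallow domain webview_zygote:process transition; once init no longer starts webview_zygote.` so the wider neverallow does not outlive its reason. The dyntransition side is closed symmetrically by `neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;` in private/zygote.te, so no third domain gains it. In the first hunk the comment `# Allow apps access to /vendor/overlay` names the wrong subject for a rule in webview_zygote.te; `# Read /vendor/overlay (webview_zygote is exempted from the coredomain neverallow in public/domain.te).` says what is granted and where the matching exemption lives.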
@@ -16,6 +16,7 @@ allow zygote self:global_capability_class_set setpcap;
 allow zygote self:process setcurrent;
 allow zygote system_server:process dyntransition;
 allow zygote appdomain:process dyntransition;
+allow zygote webview_zygote:process dyntransition;
 
 # Allow zygote to read app /proc/pid dirs (b/10455872).
 allow zygote appdomain:dir { getattr search };
@@ -121,8 +122,8 @@ get_prop(zygote, exported_overlay_prop)
 # written on appdomain are applied to all app processes.
 # This is achieved by ensuring that it is impossible for zygote to
 # setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
+# with appdomain plus system_server and webview_zygote.
+neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;
 
 # Zygote should never execute anything from /data except for /data/dalvik-cache files.
 neverallow zygote {
diff --git a/public/domain.te b/public/domain.te
index 329d54f43..0cc29fb17 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -905,6 +905,7 @@ full_treble_only(`
     -init
     -installd
     -system_server
+    -webview_zygote
     -zygote
   } vendor_overlay_file:dir { getattr open read search };
 
@@ -915,6 +916,7 @@ full_treble_only(`
     -init
     -installd
     -system_server
+    -webview_zygote
     -zygote
   } vendor_overlay_file:{ file lnk_file } r_file_perms;
 
-- 
GitLab
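Review bot: `allow zygote webview_zygote:process dyntransition;` in the first private/zygote.te hunk carries no comment, unlike the neighbouring `# Allow zygote to read app /proc/pid dirs (b/10455872).`; `# Fork a child zygote for the webview (b/63749735).` would record why zygote may now setcon into a non-app domain. The widened `neverallow zygote ~{ appdomain system_server webview_zygote }` in the second hunk keeps that set closed, and private/webview_zygote.te's `{ domain -zygote }` closes it from the target side. The two public/domain.te hunks add `-webview_zygote` to what is now the same exemption list twice (the dir rule and the file/lnk_file rule); if the list grows again, factoring it into one m4 define would stop the two lists from drifting apart.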