From baeac1fd26365e5e8b6e58a85a50e87ad77cc2a1 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Mon, 9 Jan 2017 15:34:27 -0800
Subject: [PATCH] Move ephemeral_app policy to private

This leaves only the existence of ephemeral_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private. A few rules defined by other domains' files remain
in the public policy until the rules from those domains also move to
the private policy:

allow ephemeral_app_current appdomain:binder transfer;
allow ephemeral_app_current audioserver_current:binder transfer;
allow ephemeral_app_current drmserver_current:binder transfer;
allow ephemeral_app_current dumpstate_current:binder transfer;
allow ephemeral_app_current mediaserver_current:binder transfer;
allow ephemeral_app_current surfaceflinger_current:binder transfer;
allow ephemeral_app_current system_server_current:binder transfer;

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from platform_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I98687181434a98a141469ef676c461fcd1db2d4e
---
 private/ephemeral_app.te | 123 ++++++++++++++++++++++++++++++++++++++-
 public/ephemeral_app.te  | 106 +--------------------------------
 2 files changed, 122 insertions(+), 107 deletions(-)

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3375bc9ea..23b1e78c6 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -1,11 +1,130 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+net_domain(ephemeral_app)
+
 # Define and allow access to our own type for ashmem regions.
 # Label ashmem objects with our own unique type.
 tmpfs_domain(ephemeral_app)
+
 # TODO: deal with tmpfs_domain pub/priv split properly
 # Map with PROT_EXEC.
 allow ephemeral_app ephemeral_app_tmpfs:file execute;
 
+# allow JITing
+allow ephemeral_app self:process execmem;
+allow ephemeral_app ashmem_device:chr_file execute;
+
+# Send logcat messages to logd.
+write_logd(ephemeral_app)
+
+# Receive and use open file descriptors inherited from zygote.
+allow ephemeral_app zygote:fd use;
+
+# Notify zygote of death;
+allow ephemeral_app zygote:process sigchld;
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow ephemeral_app zygote:unix_dgram_socket write;
+
 # Read system properties managed by zygote.
 allow ephemeral_app zygote_tmpfs:file read;
+
+# App sandbox file accesses.
+allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
+allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(ephemeral_app, keychain_data_file)
+allow ephemeral_app misc_user_data_file:dir r_dir_perms;
+allow ephemeral_app misc_user_data_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow ephemeral_app ephemeral_apk_data_file:dir search;
+allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
+
+# For art.
+allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
+allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
+allow ephemeral_app dalvikcache_data_file:dir getattr;
+
+# Grant GPU access. ephemeral_app needs that to render the standard UI.
+allow ephemeral_app gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(ephemeral_app)
+# Perform binder IPC to binder services.
+binder_call(ephemeral_app, surfaceflinger)
+binder_call(ephemeral_app, system_server)
+# Perform binder IPC to apps.
+binder_call(ephemeral_app, appdomain)
+
+# Allow read access to ion memory allocation device
+allow ephemeral_app ion_device:chr_file { read open };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow ephemeral_app system_server:fifo_file rw_file_perms;
+allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
+
+# Inherit or receive open files from system_server.
+allow ephemeral_app system_server:fd use;
+
+# Communicate with surfaceflinger.
+allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# Read files already opened under /data.
+allow ephemeral_app system_data_file:file { getattr read };
+allow ephemeral_app system_data_file:lnk_file read;
+
+# System file accesses. Check for libraries
+allow ephemeral_app system_file:dir getattr;
+
+# services
+allow ephemeral_app accessibility_service:service_manager find;
+allow ephemeral_app activity_service:service_manager find;
+allow ephemeral_app assetatlas_service:service_manager find;
+allow ephemeral_app connectivity_service:service_manager find;
+allow ephemeral_app display_service:service_manager find;
+allow ephemeral_app graphicsstats_service:service_manager find;
+allow ephemeral_app input_method_service:service_manager find;
+allow ephemeral_app input_service:service_manager find;
+allow ephemeral_app surfaceflinger_service:service_manager find;
+allow ephemeral_app textservices_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+# Executable content should never be loaded from an ephemeral app home directory.
+neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow ephemeral_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow ephemeral_app debugfs:file read;
+
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
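Review bot: The file header added at the top of the hunk (the `### Ephemeral apps.` block) is a verbatim copy of the header that public/ephemeral_app.te keeps, so both files now carry the same description and nothing tells a reader which one holds what. The private header should instead describe this file's role, e.g. `### Implementation of the ephemeral_app domain's policy. The type itself is` / `### declared in public/ephemeral_app.te.`. The commit description lists seven binder transfer rules granted to ephemeral_app from other domains' files that stay public for now; a one-line pointer here, `# Some rules granting ephemeral_app binder transfer remain in public/ until those domains' policies move.`, would keep the split discoverable from the file itself. Minor style: `# Notify zygote of death;` ends with a semicolon where the neighbouring comments end with a period.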
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index bef547296..dc39a22b5 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -10,109 +10,5 @@
 ### additional security features.
 ###
 ### PackageManager flags an app as ephemeral at install time.
-type ephemeral_app, domain;
-net_domain(ephemeral_app)
-# allow JITing
-allow ephemeral_app self:process execmem;
-allow ephemeral_app ashmem_device:chr_file execute;
-
-# Send logcat messages to logd.
-write_logd(ephemeral_app)
-
-# Receive and use open file descriptors inherited from zygote.
-allow ephemeral_app zygote:fd use;
-
-# Notify zygote of death;
-allow ephemeral_app zygote:process sigchld;
-
-# application inherit logd write socket (urge is to deprecate this long term)
-allow ephemeral_app zygote:unix_dgram_socket write;
-
-# App sandbox file accesses.
-allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
-allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(ephemeral_app, keychain_data_file)
-allow ephemeral_app misc_user_data_file:dir r_dir_perms;
-allow ephemeral_app misc_user_data_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow ephemeral_app ephemeral_apk_data_file:dir search;
-allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
-
-# For art.
-allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
-allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
-allow ephemeral_app dalvikcache_data_file:dir getattr;
-
-# Grant GPU access. ephemeral_app needs that to render the standard UI.
-allow ephemeral_app gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(ephemeral_app)
-# Perform binder IPC to binder services.
-binder_call(ephemeral_app, surfaceflinger)
-binder_call(ephemeral_app, system_server)
-# Perform binder IPC to apps.
-binder_call(ephemeral_app, appdomain)
-
-# Allow read access to ion memory allocation device
-allow ephemeral_app ion_device:chr_file { read open };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow ephemeral_app system_server:fifo_file rw_file_perms;
-allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Inherit or receive open files from system_server.
-allow ephemeral_app system_server:fd use;
 
-# Communicate with surfaceflinger.
-allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# Read files already opened under /data.
-allow ephemeral_app system_data_file:file { getattr read };
-allow ephemeral_app system_data_file:lnk_file read;
-
-# System file accesses. Check for libraries
-allow ephemeral_app system_file:dir getattr;
-
-# services
-allow ephemeral_app accessibility_service:service_manager find;
-allow ephemeral_app activity_service:service_manager find;
-allow ephemeral_app assetatlas_service:service_manager find;
-allow ephemeral_app connectivity_service:service_manager find;
-allow ephemeral_app display_service:service_manager find;
-allow ephemeral_app graphicsstats_service:service_manager find;
-allow ephemeral_app input_method_service:service_manager find;
-allow ephemeral_app input_service:service_manager find;
-allow ephemeral_app surfaceflinger_service:service_manager find;
-allow ephemeral_app textservices_service:service_manager find;
-
-###
-### neverallow rules
-###
-
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
-
-# Receive or send uevent messages.
-neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow ephemeral_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
-
-# execute gpu_device
-neverallow ephemeral_app gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow ephemeral_app sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+type ephemeral_app, domain;
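Review bot: After the move, public/ephemeral_app.te ends with the header, a blank line and the bare `type ephemeral_app, domain;` declaration, with nothing pointing to where the domain's rules now live. A short comment on the retained declaration, `# All other policy for this domain lives in private/ephemeral_app.te.`, would save the next reader a grep. The header sentence kept as context above the hunk (`### This file defines the security policy for apps with the ephemeral feature.`) now overstates what this file contains, since it only declares the type; that header begins outside the hunk, so it is untouched by the change as written.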
-- 
GitLab