Merge "Sepolicy: Fix asanwrapper"

c1462504 · TreeHugger Robot · Android (Google) Code Review · a70e6a01 · c848d37d · c1462504
Commit c1462504 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/app.te
+++ b/private/app.te
@@ -315,6 +315,9 @@ allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdo
 allow appdomain cache_file:dir getattr;
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
 ###
 ### Neverallow rules
 ###

--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -3,3 +3,7 @@
 /data/asan/vendor/lib(/.*)?                u:object_r:system_file:s0
 /data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
 /system/bin/asan_extract       u:object_r:asan_extract_exec:s0
+/system/bin/asanwrapper        u:object_r:asanwrapper_exec:s0
+/system/bin/asan/app_process   u:object_r:zygote_exec:s0
+/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
+/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -22,6 +22,9 @@ userdebug_or_eng(`
  # Report dalvikcache_data_file:file execute violations.
  auditallow system_server dalvikcache_data_file:file execute;
 ')
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
@@ -655,6 +658,7 @@ allow system_server debugfs_wifi_tracing:file rw_file_perms;
 # asanwrapper.
 with_asan(`
  allow system_server shell_exec:file rx_file_perms;
+  allow system_server asanwrapper_exec:file rx_file_perms;
 ')
 ###
@@ -682,7 +686,7 @@ neverallow system_server {
  file_type
  -toolbox_exec
  -logcat_exec
-  with_asan(`-shell_exec')
+  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
 }:file execute_no_trans;
 # Ensure that system_server doesn't perform any domain transitions other than

--- a/public/domain.te
+++ b/public/domain.te
@@ -221,6 +221,9 @@ allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
 # when it's not explicitly used in allow rules
 allow { domain -domain } vndservice_manager_type:service_manager { add find };
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
 ###
 ### neverallow rules
 ###

--- a/public/file.te
+++ b/public/file.te
@@ -315,6 +315,9 @@ allow dev_type tmpfs:filesystem associate;
 allow app_fuse_file app_fusefs:filesystem associate;
 allow postinstall_file self:filesystem associate;
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
 # It's a bug to assign the file_type attribute and fs_type attribute
 # to any type. Do not allow it.
 #