From c47e149a0b8c16339bbebe43e5033dd1174035d3 Mon Sep 17 00:00:00 2001 
From: Nick Kralevich <nnk@google.com> Date: Mon, 13 Aug 2018 11:23:02 -0700 Subject: [PATCH] Revert "auditallow app_data_file execute" There is a problem with on-disk labeling of files created by secondary dex background compilation which is causing unexpected denials to show up. Drop the auditallow rule to avoid logspam. Steps to reproduce: 1) boot android device. 2) adb root 3) Run cmd package compile -r bg-dexopt --secondary-dex com.google.android.gms 4) Examine the files in /data/user_de/0/com.google.android.gms Expected: All files have the label privapp_data_file Actual: The files in /data/user_de/0/com.google.android.gms/app_chimera/m are labeled "app_data_file", not "privapp_data_file". Addresses the following audit logspam: type=1400 audit(0.0:117): avc: granted { execute } for comm=4173796E635461736B202331 path="/data/user_de/0/com.google.android.gms/app_chimera/m/00000002/oat/arm/DynamiteLoader.odex" dev="dm-0" ino=5775 scontext=u:r:untrusted_app:s0:c111,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.android.chrome Additionally, this removes auditallow statements for older untrusted apps. Lots of big apps are executing files from their home directory. Additional restrictions in this area will need to be tied to API versions. 
Addresses the following audit logspam: type=1400 audit(0.0:619): avc: granted { execute } for comm="na:notification" path="/data/data/com.facebook.katana/lib-xzs/libbreakpad.so" dev="dm-3" ino=28333 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.katana type=1400 audit(0.0:129): avc: granted { execute } for comm="ticlock" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut type=1400 audit(0.0:1239): avc: granted { execute } for comm="Analytics-Norma" path="/data/data/com.facebook.orca/lib-xzs/libchipsetmerged.so" dev="dm-3" ino=50243 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.orca type=1400 audit(0.0:58): avc: granted { execute_no_trans } for comm="sh" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut type=1400 audit(0.0:1948): avc: granted { execute_no_trans } for comm="sh" path="/data/data/com.mxdata.tube.Market/files/osmcore" dev="sda13" ino=2752651 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.mxdata.tube.Market type=1400 audit(0.0:2875): avc: granted { execute_no_trans } for comm="ThreadPoolManag" path="/data/data/com.amazon.kindle/files/hardwareTest" dev="sda13" ino=1935346 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.amazon.kindle This reverts commit 4738b93db250175f0915cee2f08ab01aaf8d28f9. Bug: 112357170 Test: policy compiles --- private/ephemeral_app.te | 6 ------ private/untrusted_app_all.te | 6 ------ 2 files changed, 12 deletions(-) 
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index f75a87dd2..f28d28f04 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -23,12 +23,6 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
 # to their sandbox directory and then execute.
 allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
-# Executing files from an application home directory violates
-# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
-# from a writable file) and is an unsafe application behavior. Test to see if we
-# can get rid of it.
-auditallow ephemeral_app app_data_file:file execute;
-
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index fdda73031..11cea6ea2 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -24,12 +24,6 @@
 # to their sandbox directory and then execute.
 allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
-# Executing files from an application home directory violates
-# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
-# from a writable file) and is an unsafe application behavior. Test to see if we
-# can get rid of it.
-auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
-
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
-- GitLab