system_server: neverallow new file exec types

Add a neverallow rule (CTS test + compile time assertion) blocking system_server from executing files outside of a few select file types. In general, it's dangerous to fork()/exec() from within a multi-threaded program. See https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them This change helps discourage the introduction of new execs. Bug: 28035297 Change-Id: Idac824308183fa2cef75f17159dae14447290e5b

system_server: neverallow new file exec types
Add a neverallow rule (CTS test + compile time assertion) blocking system_server from executing files outside of a few select file types. In general, it's dangerous to fork()/exec() from within a multi-threaded program. See https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them This change helps discourage the introduction of new execs. Bug: 28035297 Change-Id: Idac824308183fa2cef75f17159dae14447290e5b
f84b7981 · Nick Kralevich · d7bd03c5 · f84b7981
Commit f84b7981 authored 8 years ago by Nick Kralevich
--- a/system_server.te
+++ b/system_server.te
@@ -314,8 +314,9 @@ allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_
 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;

-# Run system programs, e.g. dexopt.
+# Run system programs, e.g. dexopt. Needed? (b/28035297)
 allow system_server system_file:file x_file_perms;
+auditallow system_server system_file:file execute_no_trans;

 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
@@ -467,13 +468,24 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # those types that system_server needs to open directly.
 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };

+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server { file_type -toolbox_exec -logcat_exec -system_file }:file execute_no_trans;
+
+# System server should never transition to a new domain. This compliments
+# and enforces the already pre-existing PR_SET_NO_NEW_PRIVS flag.
+neverallow system_server *:process { transition dyntransition };
+
 # system_server should never be executing dex2oat. This is either
 # a bug (for example, bug 16317188), or represents an attempt by
 # system server to dynamically load a dex file, something we do not
 # want to allow.
 neverallow system_server dex2oat_exec:file no_x_file_perms;

-# system_server should never execute anything from /data except for /data/dalvik-cache files.
+# system_server should never execute or load executable shared libraries
+# in /data except for /data/dalvik-cache files.
 neverallow system_server {
  data_file_type
  -dalvikcache_data_file #mapping with PROT_EXEC