From f8dfb5f83b9758afd9d41280d536b7d7f90ae9c9 Mon Sep 17 00:00:00 2001
From: Eric Holk <eholk@google.com>
Date: Fri, 11 Jan 2019 08:13:01 -0800
Subject: [PATCH] [layout compilation] Modify sepolicy to allow installd to run viewcompiler

We will generate precompiled layouts as part of the package install or upgrade process. This means installd needs to be able to invoke viewcompiler. This change gives installd and viewcompiler the minimal set of permissions needed for this to work.

Bug: 111895153
Test: manual
Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b
---
 private/domain.te | 1 +
 private/file_contexts | 1 +
 private/installd.te | 3 +++
 private/viewcompiler.te | 24 ++++++++++++++++++++++++
 4 files changed, 29 insertions(+)
 create mode 100644 private/viewcompiler.te

diff --git a/private/domain.te b/private/domain.te
index e33a9cd4d..6d62a592e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -108,6 +108,7 @@ neverallow {
 -rs # spawned by appdomain, so carryover the exception above
 -runas
 -system_server
+ -viewcompiler
 } { privapp_data_file app_data_file }:dir *;
 
 # Only apps should be modifying app data. installd is exempted for
diff --git a/private/file_contexts b/private/file_contexts
index 13cc72842..474c63700 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -272,6 +272,7 @@
 /system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
 # patchoat executable has (essentially) the same requirements as dex2oat.
 /system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
 /system/bin/profman(d)? u:object_r:profman_exec:s0
 /system/bin/iorapd u:object_r:iorapd_exec:s0
 /system/bin/sgdisk u:object_r:sgdisk_exec:s0
diff --git a/private/installd.te b/private/installd.te
index 0b7ec4e74..c511b804a 100644
--- a/private/installd.te
+++ b/private/installd.te
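Review bot: The new `-viewcompiler` entry exempts the domain from the `{ privapp_data_file app_data_file }:dir *` neverallow, yet nothing in the patch grants viewcompiler any `dir` permission on app data — viewcompiler.te only allows `app_data_file:file { getattr write }` plus `installd:fd use`, which reads as installd opening the output file and handing over the descriptor. If that is the design, the exemption is wider than the access actually granted and should be dropped so the neverallow keeps guarding against a later `dir` allow; if directory access is planned, give the entry a justification like the `-rs` line has, e.g. `-viewcompiler # output dir access needed for <reason>`. The context line at the end of the hunk suggests a second app-data neverallow follows below; if it covers `file` write it would need a matching carve-out for the `{ getattr write }` grant, which this patch does not add — worth confirming against the rest of domain.te. The neverallow block itself starts before the hunk.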
@@ -8,6 +8,9 @@ domain_auto_trans(installd, dex2oat_exec, dex2oat)
 
 # Run dexoptanalyzer in its own sandbox.
 domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
 
+# Run viewcompiler in its own sandbox.
+domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
+
 # Run profman in its own sandbox.
 domain_auto_trans(installd, profman_exec, profman)
diff --git a/private/viewcompiler.te b/private/viewcompiler.te
new file mode 100644
index 000000000..14009c606
--- /dev/null
+++ b/private/viewcompiler.te
@@ -0,0 +1,24 @@
+# viewcompiler
+type viewcompiler, domain, coredomain, mlstrustedsubject;
+type viewcompiler_exec, system_file_type, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by viewcompiler vs other
+# processes.
+tmpfs_domain(viewcompiler)
+
+allow viewcompiler installd:fd use;
+
+# Include write permission for app data files so viewcompiler can generate
+# compiled layout dex files
+allow viewcompiler app_data_file:file { getattr write };
+
+# Allow the view compiler to read resources from the apps APK.
+allow viewcompiler apk_data_file:file read;
+
+# priv-apps are moving to a world where they can only execute
+# signed code. Make sure viewcompiler never can write to privapp
+# directories to avoid introducing unsigned executable code
+neverallow viewcompiler privapp_data_file:file no_w_file_perms;
-- GitLab
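Review bot: `type viewcompiler, domain, coredomain, mlstrustedsubject;` grants the MLS trusted-subject override with no justification, while every other rule in the file is commented; add a line such as `# mlstrustedsubject: app data is MLS-categorized per user, and viewcompiler must write output for any app's category` (or the real reason) so a later reader can tell whether the override is still needed. The `allow viewcompiler app_data_file:file { getattr write };` rule carries no `open`, `create` or directory `search`, which only works if installd opens the output file and passes the descriptor (consistent with `allow viewcompiler installd:fd use;`); the comment above it should state that contract, e.g. `# Output fd is opened by installd and passed down; viewcompiler only writes through it, so no open/create here.`, because a future "fix" that adds `open` would silently widen the trust boundary. Likewise, if viewcompiler opens the APK by path rather than receiving an fd, `apk_data_file:file read` alone will be denied `open` (and `map` if ZipArchive mmaps the archive as the tmpfs comment implies) — worth checking the denial log from the manual test and documenting which of the two paths is used.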