From fb66c6f81b9fae71be381d30b7ebb4a84756df02 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 11 Jan 2019 09:37:46 -0800
Subject: [PATCH] rename rs_data_file to app_exec_data_file

There are multiple trusted system components which may be responsible for creating executable code within an application's home directory. Renderscript is just one of those trusted components. Generalize rs_data_file to app_exec_data_file. This label is intended to be used for any executable code created by trusted components placed into an application's home directory. Introduce a typealias statement to ensure files with the previous label continue to be understood by policy. This change is effectively a no-op, as it just renames a type, but neither adds or removes any rules.

Bug: 121375718
Bug: 112357170
Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases
Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0
---
 private/app_neverallows.te | 8 ++++----
 private/ephemeral_app.te | 6 +++---
 private/file.te | 5 +++--
 private/installd.te | 2 +-
 private/rs.te | 8 ++++----
 private/untrusted_app_all.te | 7 ++++---
 6 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 892eb9acd..0a8172692 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -41,10 +41,10 @@ neverallow { all_untrusted_apps -mediaprovider } property_type:property_service
 # but otherwise disallow untrusted apps from reading this property.
 neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
 
-# Renderscript created files within an app home directory can be
-# dlopen()ed. To maintain the W^X property, these files
+# Shared libraries created by trusted components within an app home
+# directory can be dlopen()ed. To maintain the W^X property, these files
 # must never be writable to the app.
-neverallow all_untrusted_apps rs_data_file:file
+neverallow all_untrusted_apps app_exec_data_file:file
   { append create link relabelfrom relabelto rename setattr write };
 
 # Block calling execve() on files in an apps home directory.
@@ -127,7 +127,7 @@ neverallow { all_untrusted_apps -mediaprovider } {
   file_type
   -app_data_file # The apps sandbox itself
   -privapp_data_file
-  -rs_data_file # stored within the app sandbox directory
+  -app_exec_data_file # stored within the app sandbox directory
   -media_rw_data_file # Internal storage. Known that apps can
                       # leave artfacts here after uninstall.
   -user_profile_data_file # Access to profile files
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 4935f3340..3500c0f7f 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -27,9 +27,9 @@ allow ephemeral_app app_data_file:file { r_file_perms execute };
 # Allow the renderscript compiler to be run.
 domain_auto_trans(ephemeral_app, rs_exec, rs)
 
-# Allow loading and deleting renderscript created shared libraries
-# within an application home directory.
-allow ephemeral_app rs_data_file:file { r_file_perms execute unlink };
+# Allow loading and deleting shared libraries created by trusted system
+# components within an application home directory.
+allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
 
 # services
 allow ephemeral_app audioserver_service:service_manager find;
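Review bot: The neverallow on `app_exec_data_file:file` keeps untrusted apps from writing the type, but W^X for this label also depends on which domains may `create` or `relabelto` it, and with the name now generalized beyond renderscript that set is no longer obvious from rs.te alone; nothing in this hunk or elsewhere in the change pins it down, and I can't tell from here whether app_neverallows.te already does so outside the hunk. If it does not, a companion rule restricting `create relabelto` on `app_exec_data_file:file` to the domains that are meant to produce such code (rs is the only one given a `type_transition` in this change) would make the "trusted components" claim in the new comment enforceable rather than descriptive. The same consideration applies to the untrusted_app_all.te and ephemeral_app.te hunks that grant `execute` on the type.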
diff --git a/private/file.te b/private/file.te
index 884374397..6704c7934 100644
--- a/private/file.te
+++ b/private/file.te
@@ -13,5 +13,6 @@ type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
 # /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
 type debugfs_kcov, fs_type, debugfs_type;
 
-# renderscript created files in /data/data directories
-type rs_data_file, file_type, data_file_type, core_data_file_type;
+# App executable files in /data/data directories
+type app_exec_data_file, file_type, data_file_type, core_data_file_type;
+typealias app_exec_data_file alias rs_data_file;
diff --git a/private/installd.te b/private/installd.te
index fd3535c86..26d5ef66b 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -22,4 +22,4 @@ allow installd dumpstate:fd use;
 allow installd dumpstate:fifo_file r_file_perms;
 
 # Delete /system/bin/bcc generated artifacts
-allow installd rs_data_file:file unlink;
+allow installd app_exec_data_file:file unlink;
diff --git a/private/rs.te b/private/rs.te
index 56f8dfcc7..f0c9409b7 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,8 +1,8 @@
 # Any files which would have been created as app_data_file
-# will be created as rs_data_file instead.
+# will be created as app_exec_data_file instead.
 allow rs app_data_file:dir ra_dir_perms;
-allow rs rs_data_file:file create_file_perms;
-type_transition rs app_data_file:file rs_data_file;
+allow rs app_exec_data_file:file create_file_perms;
+type_transition rs app_data_file:file app_exec_data_file;
 
 # Follow /data/user/0 symlink
 allow rs system_data_file:lnk_file read;
@@ -11,7 +11,7 @@ allow rs system_data_file:lnk_file read;
 allow rs app_data_file:file r_file_perms;
 allow rs app_data_file:dir r_dir_perms;
 
-# Cleanup rs_data_file files in the app home directory.
+# Cleanup app_exec_data_file files in the app home directory.
 allow rs app_data_file:dir remove_name;
 
 # Use vendor resources
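Review bot: The added `typealias app_exec_data_file alias rs_data_file;` in file.te carries no comment, so a later reader cannot tell whether it exists for on-disk files still labeled under the old name, for policy outside this tree that still names rs_data_file, or both, nor when it may be dropped. I'd put a short comment above it, e.g. `# Compatibility alias: files and policy still using the pre-rename name rs_data_file resolve to app_exec_data_file; remove once no such users remain.` The type's own comment, `# App executable files in /data/data directories`, also understates the contract the commit message describes; `# Executable code created by trusted system components inside an app's /data/data directory` would match the wording of the neverallow comment in app_neverallows.te.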
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index aebb7118a..ba707516b 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -25,9 +25,10 @@ allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
 allow untrusted_app_all app_data_file:file { r_file_perms execute };
 
-# Allow loading and deleting renderscript created shared libraries
-# within an application home directory.
-allow untrusted_app_all rs_data_file:file { r_file_perms execute unlink };
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
-- 
GitLab
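Review bot: The new comment here, `# created by things like renderscript or via other mechanisms.`, drops the property that matters for this rule — that the creator is a trusted system component — while the parallel comment added to ephemeral_app.te in the same change keeps it. Since the two `allow ... app_exec_data_file:file { r_file_perms execute unlink };` rules are meant to express the same intent, I'd reuse the ephemeral_app.te wording here: `# Allow loading and deleting shared libraries created by trusted system` / `# components within an application home directory.`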