SELinux changes to accomodate starting the webview_zygote as a child of the zygote.

In this architecture, the system_server instructs the zygote to fork a child-zygote to be the webview_zygote. The system_server tells this new zygote to listen for fork requests on a random abstract unix socket of its choosing. A follow-up CL will remove the rules for starting webview_zygote via init. Bug: 63749735 Test: m Test: Launch "Third-party licenses" activity from Settings, and it renders correctly via the WebView. Merged-In: I864743943c11c18de386010ecd4b616721cb9954 Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e

SELinux changes to accomodate starting the webview_zygote as a child of the zygote.
In this architecture, the system_server instructs the zygote to fork a child-zygote to be the webview_zygote. The system_server tells this new zygote to listen for fork requests on a random abstract unix socket of its choosing. A follow-up CL will remove the rules for starting webview_zygote via init. Bug: 63749735 Test: m Test: Launch "Third-party licenses" activity from Settings, and it renders correctly via the WebView. Merged-In: I864743943c11c18de386010ecd4b616721cb9954 Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e
febdfa4e · Robert Sesek · 946b4b76 · febdfa4e · febdfa4e · febdfa4e
Commit febdfa4e authored 7 years ago by Robert Sesek
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -104,6 +104,7 @@ user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
+user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -36,6 +36,7 @@ allow system_server zygote:process sigchld;
 # May kill zygote on crashes.
 allow system_server zygote:process sigkill;
 allow system_server crash_dump:process sigkill;
+allow system_server webview_zygote:process sigkill;
 # Read /system/bin/app_process.
 allow system_server zygote_exec:file r_file_perms;

--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -61,6 +61,15 @@ selinux_check_access(webview_zygote)
 # Directory listing in /system.
 allow webview_zygote system_file:dir r_dir_perms;
+# Read system properties managed by zygote.
+allow webview_zygote zygote_tmpfs:file read;
+# Child of zygote.
+allow webview_zygote zygote:fd use;
+allow webview_zygote zygote:process sigchld;
+# Allow apps access to /vendor/overlay
+r_dir_file(webview_zygote, vendor_overlay_file)
 #####
 ##### Neverallow
 #####
@@ -75,9 +84,10 @@ neverallow webview_zygote { domain -crash_dump }:process transition;
 # Having said that, exec() above is not allowed.
 neverallow webview_zygote *:file execute_no_trans;
-# The only way to enter this domain is for init to exec() us.
+# The only way to enter this domain is for init to exec() us or the zygote
+# to fork a new webview_zygote child.
 neverallow { domain -init } webview_zygote:process transition;
-neverallow * webview_zygote:process dyntransition;
+neverallow { domain -zygote } webview_zygote:process dyntransition;
 # Disallow write access to properties.
 neverallow webview_zygote property_socket:sock_file write;

--- a/private/zygote.te
+++ b/private/zygote.te
@@ -16,6 +16,7 @@ allow zygote self:global_capability_class_set setpcap;
 allow zygote self:process setcurrent;
 allow zygote system_server:process dyntransition;
 allow zygote appdomain:process dyntransition;
+allow zygote webview_zygote:process dyntransition;
 # Allow zygote to read app /proc/pid dirs (b/10455872).
 allow zygote appdomain:dir { getattr search };
@@ -121,8 +122,8 @@ get_prop(zygote, exported_overlay_prop)
 # written on appdomain are applied to all app processes.
 # This is achieved by ensuring that it is impossible for zygote to
 # setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server.
+# with appdomain plus system_server and webview_zygote.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
+neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;
 # Zygote should never execute anything from /data except for /data/dalvik-cache files.
 neverallow zygote {

--- a/public/domain.te
+++ b/public/domain.te
@@ -903,6 +903,7 @@ full_treble_only(`
        -init
        -installd
        -system_server
+        -webview_zygote
        -zygote
    } vendor_overlay_file:dir { getattr open read search };
@@ -913,6 +914,7 @@ full_treble_only(`
        -init
        -installd
        -system_server
+        -webview_zygote
        -zygote
    } vendor_overlay_file:{ file lnk_file } r_file_perms;