Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 0eb0a16fbdfbb986d4209c86fe0261db35129c01^! / . / private / untrusted_app_all.te
commit0eb0a16fbdfbb986d4209c86fe0261db35129c01[log] [tgz]
authorNick Kralevich <nnk@google.com>Wed Dec 12 09:06:05 2018 -0800
committerNick Kralevich <nnk@google.com>Wed Dec 12 13:20:22 2018 -0800
treede4507ae4a20725cba5af0dc64fd9c23159c5a25
parent85762ff9835ac116361eb518bea8899220037c95 [diff] [blame]
bless app created renderscript files

When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 72e03e1..aebb711 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te

@@ -22,7 +22,12 @@
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all { app_data_file privapp_data_file }:file { r_file_perms execute };
+allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_all app_data_file:file     { r_file_perms execute };
+
+# Allow loading and deleting renderscript created shared libraries
+# within an application home directory.
+allow untrusted_app_all rs_data_file:file { r_file_perms execute unlink };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
@@ -122,6 +127,9 @@
 allow untrusted_app_all system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
+# Allow the renderscript compiler to be run.
+domain_auto_trans(untrusted_app_all, rs_exec, rs)
+
 # This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
 dontaudit untrusted_app_all net_dns_prop:file read;