Merge "Allow BLKIOMIN and BLKALIGNOFF ioctls to the super device in fastbootd."
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 4cbb4ba..c1f9a2b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -40,16 +40,6 @@
# but otherwise disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
-# Block calling execve() on files in an apps home directory.
-# This is a W^X violation (loading executable code from a writable
-# home directory). For compatibility, allow for targetApi <= 28.
-# b/112357170
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
-} { app_data_file privapp_data_file }:file execute_no_trans;
-
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
diff --git a/private/domain.te b/private/domain.te
index 7945d89..8e3c4e6 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -175,3 +175,38 @@
-init
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
+
+neverallow {
+ domain
+ -appdomain # for oemfs
+ -bootanim # for oemfs
+ -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
+
+#
+# Assert that, to the extent possible, we're not loading executable content from
+# outside the rootfs or /system partition except for a few whitelisted domains.
+# Executable files loaded from /data is a persistence vector
+# we want to avoid. See
+# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
+#
+neverallow {
+ domain
+ -appdomain
+ with_asan(`-asan_extract')
+ -shell
+ userdebug_or_eng(`-su')
+ -system_server_startup # for memfd backed executable regions
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-mediaextractor')
+ userdebug_or_eng(`-mediaswcodec')
+} {
+ file_type
+ -system_file_type
+ -system_lib_file
+ -system_linker_exec
+ -vendor_file_type
+ -exec_type
+ -postinstall_file
+}:file execute;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index e2e5e53..d0cf2a5 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -98,7 +98,8 @@
# Ephemeral Apps must run in the ephemeral_app domain
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
-isSystemServer=true domain=system_server
+isSystemServer=true domain=system_server_startup
+
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
@@ -113,7 +114,6 @@
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/private/system_server.te b/private/system_server.te
index 8a0fb8e..506378e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -740,7 +740,8 @@
# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:file { read write getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
@@ -911,6 +912,11 @@
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;
+# Resources handed off by system_server_startup
+allow system_server system_server_startup:fd use;
+allow system_server system_server_startup_tmpfs:file { read write map };
+allow system_server system_server_startup:unix_dgram_socket write;
+
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
new file mode 100644
index 0000000..4bd10c8
--- /dev/null
+++ b/private/system_server_startup.te
@@ -0,0 +1,12 @@
+type system_server_startup, domain, coredomain;
+
+tmpfs_domain(system_server_startup)
+
+# Create JIT memory
+allow system_server_startup self:process execmem;
+allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+
+# Allow system_server_startup to run setcon() and enter the
+# system_server domain
+allow system_server_startup self:process setcurrent;
+allow system_server_startup system_server:process dyntransition;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index d264aaf..61c9a81 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -44,8 +44,3 @@
# Text relocation support for API < 23
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
-
-# The ability to call exec() on files in the apps home directories
-# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
-# and 28 in untrusted_app_27.te.
-allow untrusted_app_25 app_data_file:file execute_no_trans;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7b9060d..79c7762 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -2,7 +2,7 @@
### Untrusted_27.
###
### This file defines the rules for untrusted apps running with
-### 25 < targetSdkVersion <= 28.
+### 25 < targetSdkVersion <= 27.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
@@ -26,7 +26,3 @@
untrusted_app_domain(untrusted_app_27)
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)
-
-# The ability to call exec() on files in the apps home directories
-# for targetApi 26, 27, and 28.
-allow untrusted_app_27 app_data_file:file execute_no_trans;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 527216d..54d278e 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -22,7 +22,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
-allow untrusted_app_all { app_data_file privapp_data_file }:file { r_file_perms execute };
+allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 0e21d51..491f079 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -14,7 +14,7 @@
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
-allow zygote system_server:process dyntransition;
+allow zygote system_server_startup:process dyntransition;
allow zygote appdomain:process dyntransition;
allow zygote webview_zygote:process dyntransition;
@@ -132,8 +132,12 @@
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server and webview_zygote.
-neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;
+# with appdomain plus system_server_startup and webview_zygote.
+neverallow zygote ~{
+ appdomain
+ system_server_startup
+ webview_zygote
+}:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {
diff --git a/public/app.te b/public/app.te
index 63fc388..7f0d554 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,9 +55,6 @@
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-# For AppFuse.
-allow appdomain vold:fd use;
-
# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;
diff --git a/public/domain.te b/public/domain.te
index dcd12b1..89f1635 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -476,40 +476,6 @@
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot -apexd } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-#
-# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
-# Executable files loaded from /data is a persistence vector
-# we want to avoid. See
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-#
-neverallow {
- domain
- -appdomain
- with_asan(`-asan_extract')
- -shell
- userdebug_or_eng(`-su')
- -webview_zygote
- -zygote
- userdebug_or_eng(`-mediaextractor')
- userdebug_or_eng(`-mediaswcodec')
-} {
- file_type
- -system_file_type
- -system_lib_file
- -system_linker_exec
- -vendor_file_type
- -exec_type
- -postinstall_file
-}:file execute;
-
-neverallow {
- domain
- -appdomain # for oemfs
- -bootanim # for oemfs
- -recovery # for /tmp/update_binary in tmpfs
-} { fs_type -rootfs }:file execute;
-
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
diff --git a/public/vold.te b/public/vold.te
index 236604f..9091b69 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -229,8 +229,6 @@
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };
-allow vold app_fuse_file:dir rw_dir_perms;
-allow vold app_fuse_file:file { read write open getattr append };
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;