Merge "Revert "Enforce execve() restrictions for API > 28""
diff --git a/private/priv_app.te b/private/priv_app.te
index 41d2a90..b6828f0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -17,9 +17,16 @@
# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
allow priv_app self:process ptrace;
-# Some apps ship with shared libraries that they write out
-# to their sandbox directory and then dlopen().
-allow priv_app { app_data_file privapp_data_file }:file execute;
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+# 1) com.android.opengl.shaders_cache
+# 2) com.android.skia.shaders_cache
+# 3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow priv_app privapp_data_file:file execute;
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
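Review bot: The restored `allow priv_app privapp_data_file:file execute;` grants execute over the entire `privapp_data_file` type, while the comment above justifies the exemption only for `code_cache` subdirectories and one GMS directory, so the comment understates how wide the W^X exception actually is. I would say so explicitly in the comment block: `# NOTE: privapp_data_file covers the whole priv-app data directory, so this exemption is broader than the paths listed below.` It would also help to state what the rule does and does not permit: file `execute` allows mmap(PROT_EXEC)/dlopen of such files but not execve(), which additionally needs `execute_no_trans`; whether any other rule grants that is not visible in this hunk. Dropping `app_data_file` from the old allow is what makes the `neverallow` added further down in this file satisfiable.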
@@ -214,3 +221,9 @@
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
+
+# Do not allow loading executable code from non-privileged
+# application home directories. Code loading across a security boundary
+# is dangerous and allows a full compromise of a privileged process
+# by an unprivileged process. b/112357170
+neverallow priv_app app_data_file:file no_x_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 8a0fb8e..42a89d4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -740,7 +740,8 @@
# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:file { read write getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
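Review bot: The new `allow system_server app_fuse_file:dir rw_dir_perms;` grants write access to the directory (in the AOSP macros, which this diff does not show, `rw_dir_perms` adds `add_name`, `remove_name` and `write` on top of `r_dir_perms`), yet the companion `file` rule on the next line stops at `{ read write open getattr append }` with no `create` or `unlink`, so the two lines are inconsistent with each other: either the directory only needs `r_dir_perms`, or the file rule is missing permissions that will surface as denials. If these rules were simply carried over from vold unchanged, the narrower `r_dir_perms` is the least-privilege choice unless AppFuse in system_server actually creates or removes entries. Whichever is intended, `# For AppFuse.` should say what system_server does with these files, e.g. `# For AppFuse: system_server reads and writes files reached through vold's FUSE fd; it does not create or delete them.`, adjusted to the real behavior.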
diff --git a/public/app.te b/public/app.te
index 63fc388..7f0d554 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,9 +55,6 @@
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-# For AppFuse.
-allow appdomain vold:fd use;
-
# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;
diff --git a/public/vold.te b/public/vold.te
index 236604f..9091b69 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -229,8 +229,6 @@
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };
-allow vold app_fuse_file:dir rw_dir_perms;
-allow vold app_fuse_file:file { read write open getattr append };
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;