Merge "Allow update_verifier to use boot HIDL HAL"
diff --git a/private/file_contexts b/private/file_contexts
index ebc8a71..a341d7e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -119,6 +119,7 @@
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/vold u:object_r:vold_socket:s0
+/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote u:object_r:zygote_socket:s0
@@ -218,10 +219,14 @@
/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/bspatch u:object_r:update_engine_exec:s0
+/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
+/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
/system/fake-lib(64)?/libart.* u:object_r:libart_file:s0
/system/lib(64)?/libart.* u:object_r:libart_file:s0
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_exec:s0
/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
+/system/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_exec:s0
+/system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_exec:s0
/system/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_exec:s0
/system/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_exec:s0
/system/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_exec:s0
@@ -268,6 +273,10 @@
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
+/data/app-ephemeral(/.*)? u:object_r:ephemeral_apk_data_file:s0
+/data/app-ephemeral/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app-ephemeral/vmdl[^/]+\.tmp(/.*)? u:object_r:ephemeral_apk_tmp_file:s0
+/data/app-ephemeral/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
diff --git a/private/hal_graphics_allocator.te b/private/hal_graphics_allocator.te
new file mode 100644
index 0000000..d00cf68
--- /dev/null
+++ b/private/hal_graphics_allocator.te
@@ -0,0 +1 @@
+init_daemon_domain(hal_graphics_allocator)
diff --git a/private/hal_graphics_composer.te b/private/hal_graphics_composer.te
new file mode 100644
index 0000000..128171f
--- /dev/null
+++ b/private/hal_graphics_composer.te
@@ -0,0 +1 @@
+init_daemon_domain(hal_graphics_composer)
diff --git a/private/property_contexts b/private/property_contexts
index df82223..2e0b2dd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -56,6 +56,8 @@
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
+persist.vendor.overlay. u:object_r:overlay_prop:s0
+ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
# Boolean property set by system server upon boot indicating
# if device owner is provisioned.
@@ -63,7 +65,6 @@
# selinux non-persistent properties
selinux.restorecon_recursive u:object_r:restorecon_prop:s0
-selinux. u:object_r:security_prop:s0
# default property context
* u:object_r:default_prop:s0
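Review bot: Removing the `selinux.` prefix entry means any property under `selinux.` other than `selinux.restorecon_recursive` now falls through to the catch-all `* u:object_r:default_prop:s0`, and the matching `security_prop` type in public/property.te and its neverallow in public/domain.te are dropped in this same change. If nothing in the tree still sets a `selinux.*` property this is a clean removal; otherwise that property silently inherits whichever domains may set default_prop. A one-line rationale next to the surviving entry would make this auditable later, e.g. `# selinux.* other than restorecon_recursive no longer has a dedicated property type`.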
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
new file mode 100644
index 0000000..7cadcf3
--- /dev/null
+++ b/private/webview_zygote.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(webview_zygote)
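Review bot: The two-line header comment reads as two fused sentences and is hard to parse as written. Suggest `# type_transition rules must live in private policy. The domain_trans rules could stay public, but conceptually they belong with this file.` as the replacement wording.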
diff --git a/public/app.te b/public/app.te
index 985e358..fe9ad52 100644
--- a/public/app.te
+++ b/public/app.te
@@ -243,6 +243,8 @@
# TODO audit ion ioctl usage by apps
auditallow appdomain ion_device:chr_file ioctl;
+allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
+
# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;
diff --git a/public/bootanim.te b/public/bootanim.te
index abbcaca..3e0af8e 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -20,6 +20,10 @@
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
+allow bootanim hal_graphics_allocator:fd use;
+
+# Fences
+allow bootanim hal_graphics_composer:fd use;
# Read access to pseudo filesystems.
r_dir_file(bootanim, proc)
diff --git a/public/cameraserver.te b/public/cameraserver.te
index b12d17c..51f96d7 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -15,6 +15,7 @@
allow cameraserver video_device:chr_file rw_file_perms;
allow cameraserver camera_device:chr_file rw_file_perms;
allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver hal_graphics_allocator:fd use;
allow cameraserver appops_service:service_manager find;
allow cameraserver audioserver_service:service_manager find;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 47aa2fb..d0de064 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -2,7 +2,7 @@
type dex2oat, domain, domain_deprecated;
type dex2oat_exec, exec_type, file_type;
-r_dir_file(dex2oat, apk_data_file)
+r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})
allow dex2oat tmpfs:file { read getattr };
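Review bot: The new type set on the `r_dir_file` line is written `{apk_data_file ephemeral_apk_data_file}` without inner spaces, while the surrounding policy writes sets as `{ read getattr }`; the same spacing appears in the second dex2oat hunk, the installd hunk, and as a missing space before the closing brace in the platform_app (`ephemeral_apk_tmp_file}`) and system_server (`ephemeral_apk_data_file}`) hunks. Suggest `r_dir_file(dex2oat, { apk_data_file ephemeral_apk_data_file })` and the same treatment in the other files. Purely cosmetic; the policy compiler accepts both forms.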
@@ -22,7 +22,7 @@
allow dex2oat asec_apk_file:file read;
allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:file read;
+allow dex2oat {apk_tmp_file ephemeral_apk_tmp_file}:file read;
allow dex2oat user_profile_data_file:file { getattr read lock };
##################
diff --git a/public/domain.te b/public/domain.te
index 88abff3..56424e9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -112,6 +112,7 @@
-dumpstate
-profman
-recovery
+ -webview_zygote
-zygote
} libart_file:file { execute read open getattr };
@@ -177,7 +178,7 @@
###
# All socket ioctls must be restricted to a whitelist.
-neverallowxperm { domain -system_server } domain:socket_class_set ioctl { 0 };
+neverallowxperm domain domain:socket_class_set ioctl { 0 };
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
@@ -228,9 +229,6 @@
# It is sealed.
neverallow * kernel:security load_policy;
-# Only init and the system_server shall use the property_service.
-neverallow { domain -init -system_server } security_prop:property_service set;
-
# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
@@ -307,6 +305,7 @@
-shell
userdebug_or_eng(`-su')
-system_server
+ -webview_zygote
-zygote
} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
neverallow {
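Review bot: Adding `-webview_zygote` to this exclusion list takes the new domain out of the global guarantee that nothing executes non-system files, yet the domain's own allow rules in public/webview_zygote.te only need execute on dalvikcache_data_file. As written, a later allow rule granting webview_zygote execute on some other data_file_type would not trip any neverallow. A domain-local rule would restore the guarantee for the remaining types, `neverallow webview_zygote { file_type -dalvikcache_data_file -libart_file -system_file -exec_type -postinstall_file }:file execute;`, assuming no other execute source is intended. zygote is exempted the same way, so this is an inherited gap rather than a regression, but the new domain is a good place to close it.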
@@ -326,6 +325,7 @@
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
+ -ephemeral_apk_data_file
}:file no_x_file_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
@@ -434,6 +434,9 @@
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;
+neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } webview_zygote_socket:sock_file write;
+
# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
@@ -540,7 +543,7 @@
} shell:process { transition dyntransition };
# Only domains spawned from zygote and runas may have the appdomain attribute.
-neverallow { domain -runas -zygote } {
+neverallow { domain -runas -webview_zygote -zygote } {
appdomain -shell userdebug_or_eng(`-su') -bluetooth
}:process { transition dyntransition };
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 200d78f..a96bff7 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -38,6 +38,10 @@
allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
+# Allow apps to read/execute installed binaries
+allow ephemeral_app ephemeral_apk_data_file:dir search;
+allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
+
# For art.
allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
@@ -89,6 +93,9 @@
### neverallow rules
###
+# Executable content should never be loaded from an ephemeral app home directory.
+neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
+
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/public/file.te b/public/file.te
index 4867b67..19b0489 100644
--- a/public/file.te
+++ b/public/file.te
@@ -96,6 +96,9 @@
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
+# /data/app-ephemeral - ephemeral apps
+type ephemeral_apk_data_file, file_type, data_file_type;
+type ephemeral_apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/ota
@@ -236,6 +239,7 @@
type system_ndebug_socket, file_type;
type uncrypt_socket, file_type;
type vold_socket, file_type;
+type webview_zygote_socket, file_type;
type wpa_socket, file_type;
# hostapd control interface.
type hostapd_socket, file_type;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
new file mode 100644
index 0000000..8b33f93
--- /dev/null
+++ b/public/hal_graphics_allocator.te
@@ -0,0 +1,10 @@
+# graphics buffer allocator subsystem
+type hal_graphics_allocator, domain;
+type hal_graphics_allocator_exec, exec_type, file_type;
+
+# hwbinder access
+hwbinder_use(hal_graphics_allocator)
+
+# GPU device access
+allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
new file mode 100644
index 0000000..e92eeaf
--- /dev/null
+++ b/public/hal_graphics_composer.te
@@ -0,0 +1,22 @@
+# graphics composer subsystem
+type hal_graphics_composer, domain;
+type hal_graphics_composer_exec, exec_type, file_type;
+
+# HwBinder access
+hwbinder_use(hal_graphics_composer)
+# IComposerCallback
+binder_call(hal_graphics_composer, surfaceflinger)
+
+# GPU device access
+allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer hal_graphics_allocator:fd use;
+
+# Access /dev/graphics/fb0.
+allow hal_graphics_composer graphics_device:dir search;
+allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
+
+# Fences
+allow hal_graphics_composer system_server:fd use;
+allow hal_graphics_composer bootanim:fd use;
+allow hal_graphics_composer {appdomain ephemeral_app}:fd use;
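Review bot: The last rule grants the composer fd use from every appdomain, including isolated_app, whereas the parallel allocator rule added in public/app.te explicitly carves isolated_app out (`allow { appdomain -isolated_app } hal_graphics_allocator:fd use;`). The direction differs (the composer consuming app-owned fences versus apps using allocator fds), so this may be intentional, but if isolated apps are not expected to hand fences to the composer the carve-out should be mirrored: `allow hal_graphics_composer { appdomain -isolated_app ephemeral_app }:fd use;`. Whether ephemeral_app already carries the appdomain attribute is not visible here; if it does, listing it separately is redundant.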
diff --git a/public/init.te b/public/init.te
index a029219..bef8de7 100644
--- a/public/init.te
+++ b/public/init.te
@@ -337,8 +337,6 @@
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
-allow init apk_data_file:dir { getattr search };
-allow init dalvikcache_data_file:dir { search getattr };
r_dir_file(init, system_file)
allow init proc_meminfo:file r_file_perms;
diff --git a/public/installd.te b/public/installd.te
index 4396ea4..ef5b83a 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -9,13 +9,13 @@
allow installd dalvikcache_data_file:file { relabelto link };
# Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+allow installd {apk_data_file ephemeral_apk_data_file}:dir { create_dir_perms relabelfrom };
+allow installd {apk_data_file ephemeral_apk_data_file}:file { create_file_perms relabelfrom link };
+allow installd {apk_data_file ephemeral_apk_data_file}:lnk_file { create r_file_perms unlink };
allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
+allow installd {apk_tmp_file ephemeral_apk_tmp_file}:file { r_file_perms unlink };
+allow installd {apk_tmp_file ephemeral_apk_tmp_file}:dir { relabelfrom create_dir_perms };
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 081849e..8f2175b 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -26,6 +26,18 @@
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace;
+# For webviews, isolated_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_app webview_zygote:fd use;
+# Read system properties managed by webview_zygote.
+allow isolated_app webview_zygote_tmpfs:file read;
+# Notify webview_zygote of child death.
+allow isolated_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app webview_zygote:unix_dgram_socket write;
+
#####
##### Neverallow
#####
@@ -83,3 +95,6 @@
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app webview_zygote_socket:sock_file write;
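Review bot: `neverallow isolated_app webview_zygote_socket:sock_file write;` is already implied by the domain-wide `neverallow { domain -system_server } webview_zygote_socket:sock_file write;` added to public/domain.te in this same change. It is harmless, but if it is kept as documentation of intent the comment could say so, e.g. `# Restrict the webview_zygote control socket (also covered by the domain-wide rule in domain.te).`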
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 0b562c1..a1d90a0 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -15,6 +15,7 @@
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
allow mediacodec ion_device:chr_file rw_file_perms;
+allow mediacodec hal_graphics_allocator:fd use;
###
### neverallow rules
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index db8e082..ba4fc9b 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -30,6 +30,7 @@
# Allow access to ion memory allocation device
allow mediadrmserver ion_device:chr_file rw_file_perms;
+allow mediadrmserver hal_graphics_allocator:fd use;
# Allow access to app_data and media_data_files
allow mediadrmserver media_data_file:dir create_dir_perms;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 94566e0..249f63f 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -124,6 +124,8 @@
allow mediaserver preloads_data_file:file { getattr read ioctl };
allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver hal_graphics_allocator:fd use;
+
allow mediaserver system_server:fd use;
###
diff --git a/public/platform_app.te b/public/platform_app.te
index d4a27ad..8a988e5 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -12,10 +12,10 @@
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp, /data/app-ephemeral/vmdl*.tmp files
# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
@@ -56,3 +56,7 @@
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
allow platform_app preloads_data_file:dir r_dir_perms;
+
+# Access to ephemeral APKs
+allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
+allow platform_app ephemeral_apk_data_file:file r_file_perms;
diff --git a/public/property.te b/public/property.te
index 379320f..e4b8d6e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,45 +1,45 @@
-type default_prop, property_type, core_property_type;
-type shell_prop, property_type, core_property_type;
-type debug_prop, property_type, core_property_type;
-type dumpstate_prop, property_type, core_property_type;
-type dumpstate_options_prop, property_type;
-type persist_debug_prop, property_type, core_property_type;
-type debuggerd_prop, property_type, core_property_type;
-type dhcp_prop, property_type, core_property_type;
-type fingerprint_prop, property_type, core_property_type;
-type ffs_prop, property_type, core_property_type;
-type radio_prop, property_type, core_property_type;
-type net_radio_prop, property_type, core_property_type;
-type system_radio_prop, property_type, core_property_type;
-type system_prop, property_type, core_property_type;
-type vold_prop, property_type, core_property_type;
-type wifi_log_prop, property_type, log_property_type;
-type wifi_prop, property_type;
+type audio_prop, property_type, core_property_type;
+type bluetooth_prop, property_type, core_property_type;
+type config_prop, property_type, core_property_type;
+type cppreopt_prop, property_type, core_property_type;
type ctl_bootanim_prop, property_type;
+type ctl_bugreport_prop, property_type;
+type ctl_console_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_fuse_prop, property_type;
type ctl_mdnsd_prop, property_type;
type ctl_rildaemon_prop, property_type;
-type ctl_bugreport_prop, property_type;
-type ctl_console_prop, property_type;
-type audio_prop, property_type, core_property_type;
-type log_prop, property_type, log_property_type;
-type log_tag_prop, property_type, log_property_type;
+type dalvik_prop, property_type, core_property_type;
+type debuggerd_prop, property_type, core_property_type;
+type debug_prop, property_type, core_property_type;
+type default_prop, property_type, core_property_type;
+type device_logging_prop, property_type;
+type dhcp_prop, property_type, core_property_type;
+type dumpstate_options_prop, property_type;
+type dumpstate_prop, property_type, core_property_type;
+type ffs_prop, property_type, core_property_type;
+type fingerprint_prop, property_type, core_property_type;
+type hwservicemanager_prop, property_type;
type logd_prop, property_type, core_property_type;
type logpersistd_logging_prop, property_type;
+type log_prop, property_type, log_property_type;
+type log_tag_prop, property_type, log_property_type;
type mmc_prop, property_type;
-type restorecon_prop, property_type, core_property_type;
-type security_prop, property_type, core_property_type;
-type bluetooth_prop, property_type, core_property_type;
-type pan_result_prop, property_type, core_property_type;
-type powerctl_prop, property_type, core_property_type;
-type cppreopt_prop, property_type, core_property_type;
+type net_radio_prop, property_type, core_property_type;
type nfc_prop, property_type, core_property_type;
-type dalvik_prop, property_type, core_property_type;
-type config_prop, property_type, core_property_type;
-type device_logging_prop, property_type;
+type overlay_prop, property_type;
+type pan_result_prop, property_type, core_property_type;
+type persist_debug_prop, property_type, core_property_type;
+type powerctl_prop, property_type, core_property_type;
+type radio_prop, property_type, core_property_type;
+type restorecon_prop, property_type, core_property_type;
type safemode_prop, property_type;
-type hwservicemanager_prop, property_type;
+type shell_prop, property_type, core_property_type;
+type system_prop, property_type, core_property_type;
+type system_radio_prop, property_type, core_property_type;
+type vold_prop, property_type, core_property_type;
+type wifi_log_prop, property_type, log_property_type;
+type wifi_prop, property_type;
allow property_type tmpfs:filesystem associate;
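Review bot: The whole type list is rewritten here, so the two semantic changes, `overlay_prop` added and `security_prop` dropped, are buried among roughly forty reorder lines and easy to miss in review; splitting the alphabetization into its own commit would leave the type removal auditable on its own. The new order is also not byte-wise sorted (`debuggerd_prop` precedes `debug_prop`, `logd_prop` precedes `log_prop`), so the list is not stable under a plain `sort`, which is worth knowing if the ordering is meant to be enforced later.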
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index 2afb7d1..608afc5 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -4,6 +4,11 @@
typeattribute surfaceflinger mlstrustedsubject;
+# Perform HwBinder IPC.
+hwbinder_use(surfaceflinger)
+binder_call(surfaceflinger, hal_graphics_allocator)
+binder_call(surfaceflinger, hal_graphics_composer)
+
# Perform Binder IPC.
binder_use(surfaceflinger)
binder_call(surfaceflinger, binderservicedomain)
diff --git a/public/system_server.te b/public/system_server.te
index ac1e8bd..06ec624 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -81,7 +81,7 @@
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# whitelisted.
-allow system_server self:socket create_socket_perms;
+allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
@@ -137,6 +137,7 @@
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
+unix_socket_connect(system_server, webview_zygote, webview_zygote)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)
@@ -251,6 +252,12 @@
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;
+# Manage /data/app-ephemeral
+allow system_server ephemeral_apk_data_file:dir create_dir_perms;
+allow system_server ephemeral_apk_data_file:file create_file_perms;
+allow system_server ephemeral_apk_tmp_file:dir create_dir_perms;
+allow system_server ephemeral_apk_tmp_file:file create_file_perms;
+
# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
@@ -318,8 +325,8 @@
allow system_server media_rw_data_file:file { getattr read write append };
# Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file ephemeral_apk_data_file}:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
@@ -357,6 +364,7 @@
set_prop(system_server, device_logging_prop)
set_prop(system_server, wifi_prop)
set_prop(system_server, dumpstate_options_prop)
+set_prop(system_server, overlay_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
@@ -559,6 +567,7 @@
r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
+allow system_server hal_graphics_allocator:fd use;
r_dir_file(system_server, proc)
r_dir_file(system_server, proc_meminfo)
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
new file mode 100644
index 0000000..cc7cd0b
--- /dev/null
+++ b/public/webview_zygote.te
@@ -0,0 +1,83 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+# The webview_zygote needs to be able to transition domains.
+type webview_zygote, domain, mlstrustedsubject;
+type webview_zygote_exec, exec_type, file_type;
+
+# Access to system files for SELinux contexts.
+allow webview_zygote rootfs:file r_file_perms;
+
+# Access to the WebView relro file.
+allow webview_zygote shared_relro_file:dir search;
+allow webview_zygote shared_relro_file:file r_file_perms;
+
+# Set the UID/GID of the process.
+allow webview_zygote self:capability { setgid setuid };
+# Drop capabilities from bounding set.
+allow webview_zygote self:capability setpcap;
+# Switch SELinux context to app domains.
+allow webview_zygote self:process setcurrent;
+allow webview_zygote isolated_app:process dyntransition;
+
+# For art.
+allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
+allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+
+# Allow webview_zygote to manage the pgroup of its children.
+allow webview_zygote system_server:process getpgid;
+
+# Interaction between the webview_zygote and its children.
+allow webview_zygote isolated_app:process setpgid;
+
+# Check validity of SELinux context before use.
+selinux_check_context(webview_zygote)
+# Check SELinux permissions.
+selinux_check_access(webview_zygote)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+
+# Disallow write access to properties.
+neverallow webview_zygote property_socket:sock_file write;
+neverallow webview_zygote property_type:property_service set;
+
+# Should not have any access to app data files.
+neverallow webview_zygote {
+ app_data_file
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ ephemeral_data_file
+}:file { rwx_file_perms };
+
+neverallow webview_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow webview_zygote access to /cache.
+neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
+neverallow webview_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow webview_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+} *;
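Review bot: The comment above the gpu_device neverallow, "Isolated apps shouldn't be able to access the driver directly.", describes a rule that is actually placed on webview_zygote, and the link between the two (children inherit the zygote's open fds) is left unstated; suggest `# Children inherit the zygote's fds, so the zygote itself must never open the GPU device.` The app-data neverallow a few lines earlier lists only the `file` class, so directory operations on those types (search, add_name, create) are not covered by it; if the intent is no access at all, a parallel `:dir` rule may be wanted, though nothing in this hunk grants such access today. The socket neverallow near the end enumerates classes by hand; the comment explaining which classes are deliberately left out is helpful and should stay in sync if socket_class_set grows.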
diff --git a/public/zygote.te b/public/zygote.te
index bb411e8..08e6e3c 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -88,6 +88,9 @@
allow zygote ion_device:chr_file r_file_perms;
allow zygote tmpfs:dir r_dir_perms;
+# Let the zygote access overlays so it can initialize the AssetManager
+get_prop(zygote, overlay_prop)
+
###
### neverallow rules
###