Grant additional permissions for ASAN builds

ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.

Create a with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permissions will not pass the security portion of CTS - like any
other debug build.

Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm;
      Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
diff --git a/private/system_server.te b/private/system_server.te
index 7361307..d1f9bc3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -623,6 +623,12 @@
 allow system_server debugfs_tracing_instances:dir search;
 allow system_server debugfs_wifi_tracing:file rw_file_perms;
 
+# allow system_server to exec shell on ASAN builds. Needed to run
+# asanwrapper.
+with_asan(`
+  allow system_server shell_exec:file rx_file_perms;
+')
+
 ###
 ### Neverallow rules
 ###
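Review bot: The rule `allow system_server shell_exec:file rx_file_perms;` grants more than the single `execute` denial quoted in the commit message, because `rx_file_perms` also covers read/open and `execute_no_trans`. The shell therefore runs inside the system_server domain with all of its privileges instead of transitioning to another domain. That looks intended, since the second hunk exempts shell_exec from the execute_no_trans neverallow, but the comment should say so, e.g. `# ASAN debug builds only: sh runs in the system_server domain (no transition) to launch asanwrapper.` The with_asan() definition is not part of the visible diff, so the debug-only gating described in the commit message cannot be confirmed from here.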
@@ -644,7 +650,12 @@
 # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
 # Prevent the addition of new file execs to stop the problem from
 # getting worse. b/28035297
-neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
+neverallow system_server {
+  file_type
+  -toolbox_exec
+  -logcat_exec
+  with_asan(`-shell_exec')
+}:file execute_no_trans;
 
 # Ensure that system_server doesn't perform any domain transitions other than
 # transitioning to the crash_dump domain when a crash occurs.
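Review bot: The comment above this neverallow still explains only why new file execs are forbidden (b/28035297) and does not mention the with_asan() exception for shell_exec, so a later reader cannot tell that the exemption is conditional or why it exists. Add a line before `neverallow system_server {` such as `# shell_exec is exempted only on ASAN debug builds, where asanwrapper is launched via sh.` Because the exception weakens the very guard the comment describes, it is worth verifying with the three build configurations listed in the commit message that the macro expands to nothing on non-ASAN and user builds, leaving the original set intact. The comment block starts above the hunk, so its opening lines are not visible here.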