Merge "Fix type of ro.kernel.qemu: int -> bool"
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 09207e2..48a7c45 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -46,3 +46,7 @@
 allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
 r_dir_file(untrusted_app_25, proc_qtaguid_stat)
 allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;
+
+# Text relocation support for API < 23
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
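Review bot: The auditallow that tracked execmod use (deleted from untrusted_app_all.te later in this patch, together with its TODO referencing b/111544476) is not carried over to this domain, so after the change there is no audit record of which apps still depend on text relocations. If the exception is meant to be retired eventually, keep the telemetry by adding after the new allow rule: `auditallow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;`. The comment "API < 23" also reads oddly in a file named for API 25; presumably the domain covers apps targeting 25 and below, of which only those below 23 need text relocations, and stating that would help, e.g. `# Apps targeting API < 23 (all in this domain) may still use text relocations.`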
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6ec2183..fdda730 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -20,13 +20,9 @@
 ### Note that rules that should apply to all untrusted apps must be in app.te or also
 ### added to ephemeral_app.te.
 
-# Legacy text relocations
-allow untrusted_app_all apk_data_file:file execmod;
-
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
-allow untrusted_app_all app_data_file:file execmod;
 
 # Executing files from an application home directory violates
 # W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
@@ -38,7 +34,7 @@
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
 # Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute execmod };
+allow untrusted_app_all asec_public_file:file { execute };
 
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
@@ -157,10 +153,6 @@
   }:{ dir file lnk_file } { getattr open read };
 ')
 
-# Temporary auditing to get data on what apps use execmod.
-# TODO(b/111544476) Remove this and deny the permission if feasible.
-auditallow untrusted_app_all { apk_data_file app_data_file asec_public_file }:file execmod;
-
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
diff --git a/public/domain.te b/public/domain.te
index 85b8ff2..ce6ec3a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -819,7 +819,7 @@
   } {
     data_file_type
     -core_data_file_type
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
 ')
 full_treble_only(`
   neverallow {
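Review bot: Adding `map` to the exempt set on line 61 (and in the three parallel neverallows below, lines 70, 79 and 88) widens what these Treble-boundary neverallows tolerate, but nothing in the hunk records why mapping data files across the boundary is now acceptable. The SELinux map permission is checked on any mmap of the file, not only executable mappings, so the exemption is not scoped to a particular use; if the rationale is that read/write access through mmap already requires map and execute is still covered by the separate execute permission, a comment above the first neverallow would make that explicit, e.g. `# map is exempted alongside read/write: mmap of a readable/writable file needs it, and it grants no execute access on its own.` The enclosing neverallow starts before this hunk.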
@@ -851,7 +851,7 @@
     # files in /data/misc/zoneinfo/tzdata file. These functions are considered
     # vndk-stable and thus must be allowed for all processes.
     -zoneinfo_data_file
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
     vendor_init
     -data_between_core_and_vendor_violators
@@ -859,7 +859,7 @@
     core_data_file_type
     -unencrypted_data_file
     -zoneinfo_data_file
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
   neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
@@ -925,7 +925,7 @@
     -init
     } {
       vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
-    }:file_class_set ~{ append getattr ioctl read write };
+    }:file_class_set ~{ append getattr ioctl read write map };
 ')
 
 # On TREBLE devices, a limited set of files in /vendor are accessible to
@@ -1036,7 +1036,10 @@
       coredomain
       -shell
       -system_executes_vendor_violators
-    } vendor_file_type:file execute_no_trans;
+    } {
+      vendor_file_type
+      -same_process_hal_file
+    }:file execute_no_trans;
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
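Review bot: The new exemption of same_process_hal_file from the execute_no_trans neverallow (lines 97-100) has no comment explaining it, unlike the neighbouring `-shell` and `-system_executes_vendor_violators` entries, whose names describe themselves. Since execute_no_trans governs executing a file without a domain transition rather than loading it as a library, a reader cannot tell from this hunk which coredomain process needs that on same-process HAL files; a one-line comment on line 99 such as `-same_process_hal_file # loaded into the caller's process; no transition expected` (or the actual rationale) would close the gap. The enclosing full_treble_only neverallow starts before this hunk.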
@@ -1131,9 +1134,9 @@
 # required by some device-specific service domains.
 neverallow * self:process { execstack execheap };
 
-# prohibit non-zygote spawned processes from using shared libraries
-# with text relocations. b/20013628 .
-neverallow { domain -untrusted_app_all } file_type:file execmod;
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+neverallow { domain -untrusted_app_25 } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
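Review bot: The rewritten comment on lines 111-112 drops the bug reference b/20013628 that the old comment carried and does not say why untrusted_app_25 alone is exempt, both of which matter to whoever later tries to retire the exception. Consider `# Only untrusted_app_25 keeps execmod, for legacy text relocations (see untrusted_app_25.te); b/20013628.` so the exemption's scope and history stay discoverable from this rule.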