Put dex2oat in it's own sandbox
Currently, dex2oat runs in the installd sandbox, and has
all the SELinux capabilities that installd does. That's
excessive.
dex2oat handles untrusted user data, so we want to put it in
its own tighter sandbox.
Bug: 15358102
Change-Id: I08083b84b9769e24d6dad6dbd12401987cb006be
diff --git a/app.te b/app.te
index 2d6416f..8288ea0 100644
--- a/app.te
+++ b/app.te
@@ -61,6 +61,9 @@
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
+# Execute dex2oat when apps call dexclassloader
+allow appdomain dex2oat_exec:file rx_file_perms;
+
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };
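Review bot: The added rule lets an app execute dex2oat with no domain transition, so the resulting process stays in the app's own domain with the app's own privileges; that is the right outcome here (a transition into the new dex2oat domain would hand an app-driven process write access to dalvikcache_data_file), but the comment on the added line does not say it is deliberate. Suggest `# Execute dex2oat when apps call dexclassloader. No transition: it runs as the app itself.` so nobody later "fixes" it by adding a domain_auto_trans.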
diff --git a/dex2oat.te b/dex2oat.te
new file mode 100644
index 0000000..51acc86
--- /dev/null
+++ b/dex2oat.te
@@ -0,0 +1,6 @@
+# dex2oat
+type dex2oat, domain;
+type dex2oat_exec, exec_type, file_type;
+
+allow dex2oat dalvikcache_data_file:file write;
+allow dex2oat installd:fd use;
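Review bot: The domain is granted only `write` on dalvikcache_data_file plus `use` of installd's fds, with no `open` or `read`, which only works if installd hands dex2oat an already-open output descriptor; that contract belongs next to the rule, e.g. `# Output file is an already-open fd inherited from installd, so write (not open) is all that is needed.` Nothing in this hunk grants read access to the input APK, so if dex2oat opens its input by path rather than through an inherited fd the new domain will be denied — worth confirming against the installd invocation, which is outside this diff. The `domain` attribute also pulls in whatever base rules domain.te defines, which are not visible here.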
diff --git a/file_contexts b/file_contexts
index 57fc1f2..def1e53 100644
--- a/file_contexts
+++ b/file_contexts
@@ -160,6 +160,7 @@
/system/bin/logwrapper u:object_r:system_file:s0
/system/bin/vdc u:object_r:vdc_exec:s0
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/dex2oat u:object_r:dex2oat_exec:s0
#############################
# Vendor files
diff --git a/installd.te b/installd.te
index 5faa1ec..6257ede 100644
--- a/installd.te
+++ b/installd.te
@@ -53,6 +53,12 @@
allow installd resourcecache_data_file:dir rw_dir_perms;
allow installd resourcecache_data_file:file create_file_perms;
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# dex2oat needs LD_PRELOAD, passed down from init
+# https://android-review.googlesource.com/94851
+allow installd dex2oat:process noatsecure;
+
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
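Review bot: `noatsecure` tells the dynamic loader to honour LD_PRELOAD (and related variables) across the transition into dex2oat, so the libraries loaded into the sandboxed process are decided by installd's environment rather than by the transition; the comment should say why that is acceptable, not just that it is needed. Suggest replacing the two comment lines with `# dex2oat needs LD_PRELOAD, inherited from init via installd; noatsecure stops the loader clearing it on the transition. Relies on installd's environment never carrying caller-supplied values.` Presumably the preloaded library also needs a label the dex2oat domain can read and execute, which this diff does not show.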
diff --git a/zygote.te b/zygote.te
index c2a325e..c2a2395 100644
--- a/zygote.te
+++ b/zygote.te
@@ -31,6 +31,7 @@
allow zygote dalvikcache_data_file:file execute;
# Execute dexopt.
allow zygote system_file:file x_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
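Review bot: Zygote executes dex2oat in its own domain with no transition, so on this path dex2oat keeps zygote's privileges (including the `sys_admin` capability granted on the following line) while processing the untrusted input the commit message is concerned about. If that is intended, the comment should say so, e.g. `# Execute dex2oat within zygote's own sandbox (no transition).`; otherwise a `domain_auto_trans(zygote, dex2oat_exec, dex2oat)` matching the installd.te hunk would confine it. The existing `# Execute dexopt.` comment only explains the system_file rule above the new line.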
allow zygote self:capability sys_admin;