sepolicy: restrict /vendor/overlay from most coredomains
The change makes 'vendor_overlay_file' accessible only to few platform
domains like idmap, system_server, zygote and appdomain.
The overlay files contains RROs (runtime resource overlays)
Bug: 36681210
Test: Boot sailfish (treble device) from wiped flashall
Test: Connect to wifi and launch chrome to load few websites.
Test: Launch camera and record + playback video
Change-Id: I3596ca89ad51d0e7d78c75121f22ea71209ee332
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/private/app.te b/private/app.te
index a086b86..73d7729 100644
--- a/private/app.te
+++ b/private/app.te
@@ -98,6 +98,9 @@
# apps which cannot be in /vendor.
r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 4302343..90e8b10 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -297,6 +297,9 @@
# Access /vendor/app
r_dir_file(system_server, vendor_app_file)
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 15fd951..52250f8 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -51,6 +51,10 @@
allow zygote idmap_exec:file rx_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;
+# /vendor/overlay existence is checked before
+# passing it on as an argument to idmap in AssetManager
+allow zygote vendor_overlay_file:dir { getattr open read search };
+
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 92ebde0..ffa8d44 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -136,11 +136,6 @@
# TODO: b/36806861
allow domain vendor_app_file:lnk_file { open read };
- # TODO: b/36656392, find out who needs access and only allow
- # specific domains.
- allow domain vendor_overlay_file:dir r_dir_perms;
- allow domain vendor_overlay_file:file { read open getattr };
-
# TODO: b/36680116, find out who neeeds access and only allow
# specific domains
allow domain vendor_framework_file:dir r_dir_perms;
@@ -687,7 +682,7 @@
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
- # Limit access to /vendor/app except for whitelisted domains
+ # Limit access to /vendor/app
neverallow {
coredomain
-appdomain
@@ -707,6 +702,25 @@
-installd
-system_server
} vendor_app_file:{ file lnk_file } r_file_perms;
+
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -system_server
+ -zygote
+ } vendor_overlay_file:dir { getattr open read search };
+
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -system_server
+ -zygote
+ } vendor_overlay_file:{ file lnk_file } r_file_perms;
')
# Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/public/idmap.te b/public/idmap.te
index 437e0cc..1c32f8f 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -12,3 +12,6 @@
# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)