sepolicy: restrict /vendor/overlay from most coredomains
The change makes 'vendor_overlay_file' accessible only to a few platform
domains, namely idmap, system_server, zygote and appdomain.
The overlay files contain RROs (runtime resource overlays).
Bug: 36681210
Test: Boot sailfish (treble device) from wiped flashall
Test: Connect to wifi and launch chrome to load few websites.
Test: Launch camera and record + playback video
Change-Id: I3596ca89ad51d0e7d78c75121f22ea71209ee332
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/private/app.te b/private/app.te
index a086b86..73d7729 100644
--- a/private/app.te
+++ b/private/app.te
@@ -98,6 +98,9 @@
# apps which cannot be in /vendor.
r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;
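Review bot: The new `r_dir_file(appdomain, vendor_overlay_file)` grants read access to every app domain, whereas the `vendor_app_file` rule two lines above deliberately carves out `ephemeral_app` and `untrusted_v2_app`. If the broader grant is intentional (every app that loads resources must be able to read overlay APKs, including ephemeral apps), the comment should say so, e.g. `# Allow all apps (including ephemeral) read access to /vendor/overlay RROs, which AssetManager maps into every app's resources`; otherwise it should use the same exclusion set as the line above. Either way the asymmetry deserves one sentence so the next reader does not "fix" it in the wrong direction.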
diff --git a/private/system_server.te b/private/system_server.te
index 4302343..90e8b10 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -297,6 +297,9 @@
# Access /vendor/app
r_dir_file(system_server, vendor_app_file)
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
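Review bot: The comment added above the new rule, `# Access /vendor/app`, is a copy of the preceding block's comment and no longer matches the rule it labels, which grants access to `vendor_overlay_file`. It should read `# Access /vendor/overlay` (or, more usefully, `# Access /vendor/overlay (RROs) so overlay APKs can be scanned and mapped`). Mislabelled rules in a policy file are easy to misread during a later audit, so this is worth fixing before merge.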
diff --git a/private/zygote.te b/private/zygote.te
index 15fd951..52250f8 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -51,6 +51,10 @@
allow zygote idmap_exec:file rx_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;
+# /vendor/overlay existence is checked before
+# passing it on as an argument to idmap in AssetManager
+allow zygote vendor_overlay_file:dir { getattr open read search };
+
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
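Review bot: The new zygote rule grants `{ getattr open read search }` on the `vendor_overlay_file` directory but nothing on its files, and the comment only says the directory's existence is checked; a plain existence check would need just `{ getattr search }`, so the `open read` listing permissions look broader than the stated reason. If zygote really only stat()s the path, tighten it to `allow zygote vendor_overlay_file:dir { getattr search };`; if it enumerates the overlay APKs before invoking idmap, the comment should say so. In either case it is worth stating explicitly that file contents are intentionally not readable by zygote, e.g. `# No :file access on purpose -- idmap reads the overlay APKs, zygote only needs the directory.` I cannot confirm from this hunk which of the two behaviours AssetManager actually has, so treat the tightening as something to verify rather than apply blindly.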