Allow bootstrap bionic only to init, ueventd, and apexd

The bootstrap bionic (/system/lib/bootstrap/*) is only for the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Exposing it to other processes is not needed and
sometimes causes a problem like b/123183824.

Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
diff --git a/private/apexd.te b/private/apexd.te
index 6066fd6..b3aabea 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -93,6 +93,10 @@
 # rule is required, thus restricted to execute and not execute_no_trans.
 allow apexd shell_exec:file { r_file_perms execute };
 
+# apexd is using bootstrap bionic
+allow apexd system_bootstrap_lib_file:dir r_dir_perms;
+allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+
 # Allow transition to ART APEX preinstall domain.
 domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
 # Allow transition to ART APEX postinstall domain.
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d47c771..45e1dd9 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -160,6 +160,7 @@
     super_block_device
     sysfs_fs_ext4_features
     system_boot_reason_prop
+    system_bootstrap_lib_file
     system_lmk_prop
     system_net_netd_hwservice
     system_update_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index b39dd4b..0e830f8 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -146,6 +146,7 @@
     super_block_device
     staging_data_file
     system_boot_reason_prop
+    system_bootstrap_lib_file
     system_lmk_prop
     system_update_service
     test_boot_reason_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 1496469..2ea4d2c 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -121,6 +121,7 @@
     su_tmpfs
     super_block_device
     sysfs_fs_f2fs
+    system_bootstrap_lib_file
     system_event_log_tags_file
     system_lmk_prop
     system_suspend_hwservice
diff --git a/private/file_contexts b/private/file_contexts
index c8c881d..7cbb623 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -180,6 +180,7 @@
 #
 /system(/.*)?		u:object_r:system_file:s0
 /system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
+/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
 /system/bin/ashmemd	u:object_r:ashmemd_exec:s0
 /system/bin/auditctl	u:object_r:auditctl_exec:s0
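Review bot: The new entry `/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0` separates the regex from the context with a single space while every neighbouring entry in this hunk uses tabs; matching the existing column alignment keeps the table readable and diff-friendly. Functionally the placement looks right: it sits after the general `/system/lib(64)?(/.*)?` line, which is what lets the more specific bootstrap subtree take its own label given that later matching entries take precedence.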
diff --git a/public/app.te b/public/app.te
index e26ec0a..5c48e71 100644
--- a/public/app.te
+++ b/public/app.te
@@ -582,3 +582,13 @@
 # application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
 # perform UID lookups.
 neverallow { appdomain -shell } proc_net_tcp_udp:file *;
+
+# Apps cannot access bootstrap files. The bootstrap files are only for
+# extremely early processes (like init, etc.) which are started before
+# the runtime APEX is activated and Bionic libs are provided from there.
+# If app process accesses (or even load/execute) the bootstrap files,
+# it might cause problems such as ODR violation, etc.
+neverallow appdomain system_bootstrap_lib_file:file
+    { open read write append execute execute_no_trans map };
+neverallow appdomain system_bootstrap_lib_file:dir
+    { open read getattr search };
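Review bot: The file-class rule `neverallow appdomain system_bootstrap_lib_file:file { open read write append execute execute_no_trans map };` omits `getattr` (and `ioctl`/`lock`) even though the dir-class rule right below it does include `getattr`, so an attribute-based rule elsewhere could still let an app stat the bootstrap libraries without tripping this check. The existing rule just above in this hunk, `neverallow { appdomain -shell } proc_net_tcp_udp:file *;`, uses `*` to forbid every permission; if no app domain legitimately needs any access to these files, `neverallow appdomain system_bootstrap_lib_file:{ file dir } *;` is both stronger and shorter, otherwise at least add `getattr` to the file set. Whether `*` compiles without conflicting with an existing grant depends on rules outside this diff, so that needs a policy build to confirm.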
diff --git a/public/file.te b/public/file.te
index 58acfca..7d48fb4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -148,6 +148,8 @@
 type system_event_log_tags_file, system_file_type, file_type;
 # Default type for anything under /system/lib[64].
 type system_lib_file, system_file_type, file_type;
+# system libraries that are available only to bootstrap processes
+type system_bootstrap_lib_file, system_file_type, file_type;
 # Default type for linker executable /system/bin/linker[64].
 type system_linker_exec, system_file_type, file_type;
 # Default type for linker config /system/etc/ld.config.*.
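Review bot: Declaring system_bootstrap_lib_file with the `system_file_type` attribute means every existing rule written against that attribute rather than a concrete type now applies to the bootstrap libraries too, while the only restriction this change adds is the appdomain neverallow in app.te; nothing in the policy enforces the "only init, ueventd, and apexd" intent stated in the commit title for the remaining domains. A rule of the form `neverallow { domain -init -vendor_init -ueventd -apexd } system_bootstrap_lib_file:file { execute execute_no_trans map };`, placed in whichever file holds the domain-wide neverallow rules (not part of this hunk), would make the allow-list checkable at build time and would surface any attribute-based grant I cannot see from this diff. The new comment could also name the consumers, e.g. `# Bootstrap copies of bionic under /system/lib[64]/bootstrap, used only by processes that start before the runtime APEX is activated (init, ueventd, apexd).`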
diff --git a/public/init.te b/public/init.te
index f0f9835..06af302 100644
--- a/public/init.te
+++ b/public/init.te
@@ -557,6 +557,10 @@
 # Allow init to touch PSI monitors
 allow init proc_pressure_mem:file { rw_file_perms setattr };
 
+# init is using bootstrap bionic
+allow init system_bootstrap_lib_file:dir r_dir_perms;
+allow init system_bootstrap_lib_file:file { execute read open getattr map };
+
 ###
 ### neverallow rules
 ###
diff --git a/public/ueventd.te b/public/ueventd.te
index db02d3f..98e3bda 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -55,6 +55,10 @@
 allow ueventd vendor_file:system module_load;
 allow ueventd kernel:key search;
 
+# ueventd is using bootstrap bionic
+allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
+allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+
 #####
 ##### neverallow rules
 #####
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 3925df2..7114a02 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -180,6 +180,10 @@
 # Raw writes to misc block device
 allow vendor_init misc_block_device:blk_file w_file_perms;
 
+# vendor_init is using bootstrap bionic
+allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
+allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+
 # Everything is labeled as rootfs in recovery mode. Vendor init has to execute
 # the dynamic linker and shared libraries.
 recovery_only(`
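Review bot: The commit title and description name init, ueventd and apexd as the only consumers of the bootstrap bionic, but this hunk grants vendor_init the same `system_bootstrap_lib_file:dir r_dir_perms` and `system_bootstrap_lib_file:file { execute read open getattr map }` access; the description should list vendor_init as well so the stated allow-list matches what the policy actually permits. The comment `# vendor_init is using bootstrap bionic` would be clearer as `# vendor_init runs before the runtime APEX is activated, so it uses the bootstrap bionic like init does`. The relationship between vendor_init and init is not visible in this hunk, so if vendor_init inherits the requirement from init that is worth stating explicitly in the description rather than leaving it to be inferred.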