Move webview_zygote policy to private
This leaves only the existence of webview_zygote domain and its
executable's webview_zygote_exec file label as public API. All other
rules are implementation details of this domain's policy and are thus
now private.
Test: Device boots, with Multiproces WebView developer setting
enabled, apps with WebView work fine. No new denials.
Bug: 31364497
Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 7cadcf3..b5cab2c 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -1,3 +1,111 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+# The webview_zygote needs to be able to transition domains.
+typeattribute webview_zygote mlstrustedsubject;
+
+# When init launches the WebView zygote's executable, transition the
+# resulting process into webview_zygote domain.
init_daemon_domain(webview_zygote)
+
+# Access to system files for SELinux contexts.
+allow webview_zygote rootfs:file r_file_perms;
+
+# Allow reading/executing installed binaries to enable preloading the
+# installed WebView implementation.
+allow webview_zygote apk_data_file:dir r_dir_perms;
+allow webview_zygote apk_data_file:file { r_file_perms execute };
+
+# Access to the WebView relro file.
+allow webview_zygote shared_relro_file:dir search;
+allow webview_zygote shared_relro_file:file r_file_perms;
+
+# Set the UID/GID of the process.
+allow webview_zygote self:capability { setgid setuid };
+# Drop capabilities from bounding set.
+allow webview_zygote self:capability setpcap;
+# Switch SELinux context to app domains.
+allow webview_zygote self:process setcurrent;
+allow webview_zygote isolated_app:process dyntransition;
+
+# For art.
+allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
+allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+
+# Allow webview_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow webview_zygote debugfs_trace_marker:file getattr;
+
+# Allow webview_zygote to manage the pgroup of its children.
+allow webview_zygote system_server:process getpgid;
+
+# Interaction between the webview_zygote and its children.
+allow webview_zygote isolated_app:process setpgid;
+
+# Check validity of SELinux context before use.
+selinux_check_context(webview_zygote)
+# Check SELinux permissions.
+selinux_check_access(webview_zygote)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow webview_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow webview_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for init to exec() us.
+neverallow { domain -init } webview_zygote:process transition;
+neverallow * webview_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow webview_zygote property_socket:sock_file write;
+neverallow webview_zygote property_type:property_service set;
+
+# Should not have any access to app data files.
+neverallow webview_zygote {
+ app_data_file
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ ephemeral_data_file
+}:file { rwx_file_perms };
+
+neverallow webview_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow webview_zygote access to /cache.
+neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
+neverallow webview_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow webview_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+} *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote bluetooth_prop:file create_file_perms;
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index 29e5ba4..5d19b32 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -1,108 +1,5 @@
# webview_zygote is an auxiliary zygote process that is used to spawn
# isolated_app processes for rendering untrusted web content.
-# The webview_zygote needs to be able to transition domains.
-type webview_zygote, domain, mlstrustedsubject;
+type webview_zygote, domain;
type webview_zygote_exec, exec_type, file_type;
-
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
-
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
-# Access to the WebView relro file.
-allow webview_zygote shared_relro_file:dir search;
-allow webview_zygote shared_relro_file:file r_file_perms;
-
-# Set the UID/GID of the process.
-allow webview_zygote self:capability { setgid setuid };
-# Drop capabilities from bounding set.
-allow webview_zygote self:capability setpcap;
-# Switch SELinux context to app domains.
-allow webview_zygote self:process setcurrent;
-allow webview_zygote isolated_app:process dyntransition;
-
-# For art.
-allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
-allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
-
-# Allow webview_zygote to stat the files that it opens. It must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow webview_zygote debugfs_trace_marker:file getattr;
-
-# Allow webview_zygote to manage the pgroup of its children.
-allow webview_zygote system_server:process getpgid;
-
-# Interaction between the webview_zygote and its children.
-allow webview_zygote isolated_app:process setpgid;
-
-# Check validity of SELinux context before use.
-selinux_check_context(webview_zygote)
-# Check SELinux permissions.
-selinux_check_access(webview_zygote)
-
-#####
-##### Neverallow
-#####
-
-# Only permit transition to isolated_app.
-neverallow webview_zygote { domain -isolated_app }:process dyntransition;
-
-# Only setcon() transitions, no exec() based transitions, except for crash_dump.
-neverallow webview_zygote { domain -crash_dump }:process transition;
-
-# Must not exec() a program without changing domains.
-# Having said that, exec() above is not allowed.
-neverallow webview_zygote *:file execute_no_trans;
-
-# The only way to enter this domain is for init to exec() us.
-neverallow { domain -init } webview_zygote:process transition;
-neverallow * webview_zygote:process dyntransition;
-
-# Disallow write access to properties.
-neverallow webview_zygote property_socket:sock_file write;
-neverallow webview_zygote property_type:property_service set;
-
-# Should not have any access to app data files.
-neverallow webview_zygote {
- app_data_file
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- ephemeral_data_file
-}:file { rwx_file_perms };
-
-neverallow webview_zygote {
- service_manager_type
- -activity_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
-
-# Do not allow webview_zygote access to /cache.
-neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
-neverallow webview_zygote cache_file:file ~{ read getattr };
-
-# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
-# unix_stream_socket, and netlink_selinux_socket.
-neverallow webview_zygote domain:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
-} *;
-
-# Do not allow access to Bluetooth-related system properties.
-# neverallow rules for Bluetooth-related data files are listed above.
-neverallow webview_zygote bluetooth_prop:file create_file_perms;