SELinux changes to accommodate starting the webview_zygote as a child of the zygote.
In this architecture, the system_server instructs the zygote to fork a
child-zygote to be the webview_zygote. The system_server tells this new
zygote to listen for fork requests on a random abstract unix socket of
its choosing.
A follow-up CL will remove the rules for starting webview_zygote via
init.
Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
renders correctly via the WebView.
Change-Id: I864743943c11c18de386010ecd4b616721cb9954
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1b92962..45a6550 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -103,6 +103,7 @@
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
+user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=all
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/system_server.te b/private/system_server.te
index 5ae9409..6d485ff 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -36,6 +36,7 @@
# May kill zygote on crashes.
allow system_server zygote:process sigkill;
allow system_server crash_dump:process sigkill;
+allow system_server webview_zygote:process sigkill;
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 9a3a7a3..e092112 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -61,6 +61,15 @@
# Directory listing in /system.
allow webview_zygote system_file:dir r_dir_perms;
+# Read system properties managed by zygote.
+allow webview_zygote zygote_tmpfs:file read;
+# Child of zygote.
+allow webview_zygote zygote:fd use;
+allow webview_zygote zygote:process sigchld;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(webview_zygote, vendor_overlay_file)
+
#####
##### Neverallow
#####
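Review bot: The comment above `r_dir_file(webview_zygote, vendor_overlay_file)` says "Allow apps access to /vendor/overlay", but the rule grants the access to the webview_zygote domain, not to apps; it reads as copied from app policy and will mislead the next reader into thinking it is an appdomain rule. Suggest `# Allow webview_zygote, like apps, to read /vendor/overlay (needed since it is forked from zygote rather than exec'd by init).` The `zygote:fd use` and `zygote:process sigchld` lines are the fork-inherited fd and parent-notification permissions that the dyntransition path in zygote.te relies on, so it may also be worth stating in the "Child of zygote." comment that these are only meaningful for the forked (dyntransition) entry path, not the init exec() path that the neverallow block below still describes.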
@@ -75,9 +84,10 @@
# Having said that, exec() above is not allowed.
neverallow webview_zygote *:file execute_no_trans;
-# The only way to enter this domain is for init to exec() us.
+# The only way to enter this domain is for init to exec() us or the zygote
+# to fork a new webview_zygote child.
neverallow { domain -init } webview_zygote:process transition;
-neverallow * webview_zygote:process dyntransition;
+neverallow { domain -zygote } webview_zygote:process dyntransition;
# Disallow write access to properties.
neverallow webview_zygote property_socket:sock_file write;
diff --git a/private/zygote.te b/private/zygote.te
index b592591..43364ab 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -16,6 +16,7 @@
allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
allow zygote appdomain:process dyntransition;
+allow zygote webview_zygote:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872).
allow zygote appdomain:dir { getattr search };
@@ -121,8 +122,8 @@
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
+# with appdomain plus system_server and webview_zygote.
+neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {
diff --git a/public/domain.te b/public/domain.te
index 329d54f..0cc29fb 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -905,6 +905,7 @@
-init
-installd
-system_server
+ -webview_zygote
-zygote
} vendor_overlay_file:dir { getattr open read search };
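Review bot: The same exemption list is maintained by hand in two neverallow statements (this hunk and the one for `vendor_overlay_file:{ file lnk_file }` directly below), and this change has to edit both; the two lists are easy to let drift. If the policy language in this tree allows it, collecting the exempted domains into one attribute and using it in both neverallows would keep the set in one place, and a comment at the top of the first statement saying `# keep in sync with the file/lnk_file neverallow below` is the minimal fix. Both neverallow statements start outside their hunks, so the full exemption sets cannot be checked from here.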
@@ -915,6 +916,7 @@
-init
-installd
-system_server
+ -webview_zygote
-zygote
} vendor_overlay_file:{ file lnk_file } r_file_perms;