Sepolicy: Fix asanwrapper
Add asanwrapper support for system server under sanitization.
Bug: 36138508
Test: m && m SANITIZE_TARGET=address SANITIZE_LITE=true
Test: adb root && adb shell setprop wrap.system_server asanwrapper
Change-Id: Id930690d2cfd8334c933e0ec5ac62f88850331d0
diff --git a/private/app.te b/private/app.te
index 2ee3bee..b41ebec 100644
--- a/private/app.te
+++ b/private/app.te
@@ -315,6 +315,9 @@
allow appdomain cache_file:dir getattr;
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
###
### Neverallow rules
###
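Review bot: The added `allow appdomain asanwrapper_exec:file rx_file_perms;` applies to every app domain, and `rx_file_perms` includes `execute_no_trans`, so asanwrapper runs inside whichever app domain invokes it rather than in a domain of its own. That looks intended for wrap properties, but the one-line comment does not say so. I would expand it to something like `# ASAN builds only: apps started through a wrap property exec asanwrapper in their own domain (no transition).` If only some app domains are expected to be wrapped, narrowing the source from `appdomain` would keep the grant smaller.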
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index d35cd3c..0401ffe 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -3,3 +3,7 @@
/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
+/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
+/system/bin/asan/app_process u:object_r:zygote_exec:s0
+/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
+/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
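Review bot: The three `/system/bin/asan/app_process*` entries reuse `zygote_exec` with nothing in the file saying why. Labelling them this way means every rule written against `zygote_exec`, including domain transitions, now also applies to the sanitized binaries. A comment above them would record that this is deliberate, e.g. `# Sanitized app_process copies; labelled zygote_exec so the existing zygote rules apply.` As the paths are regexes, the three lines could be written as `/system/bin/asan/app_process(32|64)?`, though separate lines may match the convention of the main file_contexts, which is not visible here.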
diff --git a/private/system_server.te b/private/system_server.te
index d02698c..89b14a9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -22,6 +22,9 @@
# Report dalvikcache_data_file:file execute violations.
auditallow system_server dalvikcache_data_file:file execute;
')
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
@@ -655,6 +658,7 @@
# asanwrapper.
with_asan(`
allow system_server shell_exec:file rx_file_perms;
+ allow system_server asanwrapper_exec:file rx_file_perms;
')
###
@@ -682,7 +686,7 @@
file_type
-toolbox_exec
-logcat_exec
- with_asan(`-shell_exec')
+ with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
}:file execute_no_trans;
# Ensure that system_server doesn't perform any domain transitions other than
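Review bot: The neverallow exception now subtracts `-zygote_exec` as well as `-asanwrapper_exec`, but the only allow rule this commit adds for system_server (the hunk at -655) is for `asanwrapper_exec`. No rule granting system_server execute on `zygote_exec` is visible in the diff. If that allow lives elsewhere the exemption is fine; otherwise it is either unused or the exec of the sanitized app_process will still be denied, so the exemption list and the allow list should be kept in step. Because this loosens a neverallow on system_server, I would also state the reason next to it, e.g. `# ASAN only: asanwrapper and the sanitized app_process (zygote_exec) are exec'd without a domain transition.`, if that is the intent. The neverallow statement itself begins above the hunk.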
diff --git a/public/domain.te b/public/domain.te
index e75ce1a..b227027 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -221,6 +221,9 @@
# when it's not explicitly used in allow rules
allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
+
###
### neverallow rules
###
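Review bot: The comment says processes will "try to read /data", but the rule grants only `getattr` on `system_data_file:dir`. It also grants it to every `domain`, not just the ones that load sanitized libraries. I would reword the comment to match what is actually allowed, e.g. `# Under ASAN, sanitized libraries live under /data/asan; let every domain stat (getattr only) system_data_file directories.` Keeping the domain-wide grant at `getattr` is the right scope; anything that needs search or read access is better granted per domain.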
diff --git a/public/file.te b/public/file.te
index eacfc2c..926fd59 100644
--- a/public/file.te
+++ b/public/file.te
@@ -315,6 +315,9 @@
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
#