commit c848d37d5aa0842cf17fe7654654bc5298bc1534
author Andreas Gampe <agampe@google.com> Mon Apr 03 15:23:16 2017 -0700
committer Andreas Gampe <agampe@google.com> Wed Apr 19 16:33:45 2017 -0700
tree 95937b15882c9765ead4db6798f9c048fb696f4b
parent 4987db0cf16bd51d7dcb4b445ca3688d85f8bf02

Sepolicy: Fix asanwrapper

Add asanwrapper support for system server under sanitization.

Bug: 36138508
Test: m && m SANITIZE_TARGET=address SANITIZE_LITE=true
Test: adb root && adb shell setprop wrap.system_server asanwrapper
Change-Id: Id930690d2cfd8334c933e0ec5ac62f88850331d0

private/app.te

diff --git a/private/app.te b/private/app.te
index 2ee3bee..b41ebec 100644
--- a/private/app.te
+++ b/private/app.te
@@ -315,6 +315,9 @@
 
 allow appdomain cache_file:dir getattr;
 
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
 ###
 ### Neverallow rules
 ###

private/file_contexts_asan

diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index d35cd3c..0401ffe 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -3,3 +3,7 @@
 /data/asan/vendor/lib(/.*)?                u:object_r:system_file:s0
 /data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
 /system/bin/asan_extract       u:object_r:asan_extract_exec:s0
+/system/bin/asanwrapper        u:object_r:asanwrapper_exec:s0
+/system/bin/asan/app_process   u:object_r:zygote_exec:s0
+/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
+/system/bin/asan/app_process64 u:object_r:zygote_exec:s0

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index d02698c..89b14a9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -22,6 +22,9 @@
   # Report dalvikcache_data_file:file execute violations.
   auditallow system_server dalvikcache_data_file:file execute;
 ')
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
@@ -655,6 +658,7 @@
 # asanwrapper.
 with_asan(`
   allow system_server shell_exec:file rx_file_perms;
+  allow system_server asanwrapper_exec:file rx_file_perms;
 ')
 
 ###
@@ -682,7 +686,7 @@
   file_type
   -toolbox_exec
   -logcat_exec
-  with_asan(`-shell_exec')
+  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
 }:file execute_no_trans;
 
 # Ensure that system_server doesn't perform any domain transitions other than