Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / d40dfdc4c067390cc9cad5a2d66f47c792143be9^! / . / private
commitd40dfdc4c067390cc9cad5a2d66f47c792143be9[log] [tgz]
authorMartijn Coenen <maco@google.com>Mon Jun 08 20:31:33 2020 +0200
committerMartijn Coenen <maco@google.com>Tue Jun 09 12:32:59 2020 +0000
treeeda7c683ac325d0afc7a89b6ee2abb55fe054cfd
parente313de6db17b10cd26581860a33b17f1639cd189 [diff]
Don't give uid-based categories to app_zygote and isolated processes.

The mapping of UIDs to categories can only take 16 bits, yet isolated
processes start at UID 90000. Additionally, the main purpose of these
categories was to isolate app-private storage, but since isolated
processes don't have access to app-private storage anyway, removing them
doesn't hurt.

The upside is that this allows us to remove mIstrustedsubject from the
app_zygote domain, which prevents app code running in that context from
assigning itself arbitrary categories.

Bug: 157598026
Test: inspect categories of app_zygote and children; verify Chrome works
Merged-In: Idfa8625d939cf30f3683436949bb4f335851622a
Change-Id: Idfa8625d939cf30f3683436949bb4f335851622a

diff --git a/private/app_zygote.te b/private/app_zygote.te
index a826f7f..9285323 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te

@@ -4,9 +4,6 @@
 ###### Policy below is different from regular zygote-spawned apps
 ######
 
-# The app_zygote needs to be able to transition domains.
-typeattribute app_zygote mlstrustedsubject;
-
 # Allow access to temporary files, which is normally permitted through
 # a domain macro.
 tmpfs_domain(app_zygote);
@@ -95,12 +92,14 @@
 neverallow app_zygote property_socket:sock_file write;
 neverallow app_zygote property_type:property_service set;
 
-# Should not have any access to non-app data files.
+# Should not have any access to data files.
 neverallow app_zygote {
     bluetooth_data_file
     nfc_data_file
     radio_data_file
     shell_data_file
+    app_data_file
+    privapp_data_file
 }:file { rwx_file_perms };
 
 neverallow app_zygote {

diff --git a/private/seapp_contexts b/private/seapp_contexts
index e944063..a40b16f 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts

@@ -151,8 +151,8 @@
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
 user=webview_zygote seinfo=webview_zygote domain=webview_zygote
-user=_isolated domain=isolated_app levelFrom=all
-user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
+user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all