Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / e1ddd741deb7ef393d907dd2bd089e36847f831f^! / . / private / priv_app.te
commite1ddd741deb7ef393d907dd2bd089e36847f831f[log] [tgz]
authorNick Kralevich <nnk@google.com>Sat Oct 27 15:20:38 2018 -0700
committerNick Kralevich <nnk@google.com>Sat Oct 27 15:20:38 2018 -0700
tree44fc4a4bb514f9bd93d48d6f461fe162cfe6a0b0
parentde8dfc752c2dffd8866e471ad27492dbce946da9 [diff] [blame]
drop priv_app app_data_file:file execute;

system/sepolicy commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c
introduced a new type called privapp_data_file. This type is used to
label priv-app's /home files. For backwards compatibility, priv-app
rules involving normal app_data_files were preserved. Subsequently,
system/sepolicy commit 5d1755194a841ab727467a30757fd1606cef905b
assigned the file label privapp_data_file to /home files owned
by priv-apps.

Because of the previous labeling of priv-app data files, priv-apps were
granted the ability to mmap(PROT_EXEC) any other app's /home files,
regardless of how trustworthy or untrustworthy those files were. Commit
23c9d91b46352bd91cdc58f33d55378e5567dc1c preserved the status quo.
However, now that we have a more refined label for priv-app /home files,
we no longer need to be as permissive.

Drop the ability for priv-apps to map executable code from
untrusted_apps home directories. "execute" is removed in this change,
and "execute_no_trans" was previously removed in commit
8fb4cb8bc20b999d69210f6fc6b552c6e22b8e09. Add a neverallow assertion
(compile time assertion + CTS test) to prevent regressions.

Further clarify why we need to support priv-apps loading executable code
from their own home directories, at least for now. b/112037137 covers
further tightening we can do in this area.

Bug: 112357170
Test: Device boots and no problems.
Change-Id: Ia6a9eb4c2ed8a02ad45644d025181ba3c8424cda

diff --git a/private/priv_app.te b/private/priv_app.te
index 41d2a90..b6828f0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -17,9 +17,16 @@
 # webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
 allow priv_app self:process ptrace;
 
-# Some apps ship with shared libraries that they write out
-# to their sandbox directory and then dlopen().
-allow priv_app { app_data_file privapp_data_file }:file execute;
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+#   1) com.android.opengl.shaders_cache
+#   2) com.android.skia.shaders_cache
+#   3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow priv_app privapp_data_file:file execute;
 
 allow priv_app app_api_service:service_manager find;
 allow priv_app audioserver_service:service_manager find;
@@ -214,3 +221,9 @@
 
 # Do not allow priv_app access to cgroups.
 neverallow priv_app cgroup:file *;
+
+# Do not allow loading executable code from non-privileged
+# application home directories. Code loading across a security boundary
+# is dangerous and allows a full compromise of a privileged process
+# by an unprivileged process. b/112357170
+neverallow priv_app app_data_file:file no_x_file_perms;