Merge "Remove overpermissive neverallow exceptions."
diff --git a/private/app.te b/private/app.te
index b2c1be3..ffe6598 100644
--- a/private/app.te
+++ b/private/app.te
@@ -16,8 +16,10 @@
# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
- { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
- { dyntransition };
+# Exception for crash_dump to allow for app crash reporting.
+# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
+# to allow renderscript to create privileged executable files.
+neverallow { appdomain -shell userdebug_or_eng(`-su') }
+ { domain -appdomain -crash_dump -rs }:process { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') }
+ { domain -appdomain }:process { dyntransition };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 7e14dd4..10b0b3b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -41,7 +41,13 @@
# but otherwise disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
-# Block calling execve() on files in an apps home directory.
+# Renderscript created files within an app home directory can be
+# dlopen()ed. To maintain the W^X property, these files
+# must never be writable to the app.
+neverallow all_untrusted_apps rs_data_file:file
+ { append create link relabelfrom relabelto rename setattr write };
+
+# Block calling execve() in app /data/data files.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
@@ -52,6 +58,17 @@
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
+# Block calling dlopen() in app /data/data files.
+# This is a W^X violation (loading executable code from a writable
+# home directory). For compatibility, allow for targetApi <= 28.
+# b/112357170
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -runas_app
+} app_data_file:file execute;
+
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
@@ -121,6 +138,7 @@
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
+ -rs_data_file # stored within the app sandbox directory
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
diff --git a/private/coredomain.te b/private/coredomain.te
index 04f7a46..7413515 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -28,6 +28,7 @@
userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
-system_server
} vendor_app_file:dir { open read getattr search };
')
@@ -43,6 +44,7 @@
userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
-system_server
-mediaserver
} vendor_app_file:file r_file_perms;
@@ -56,6 +58,7 @@
-idmap
-init
-installd
+ -rs # spawned by appdomain, so carryover the exception above
-system_server
-webview_zygote
-zygote
@@ -70,6 +73,7 @@
-idmap
-init
-installd
+ -rs # spawned by appdomain, so carryover the exception above
-system_server
-webview_zygote
-zygote
diff --git a/private/domain.te b/private/domain.te
index 7a41ab2..15179e2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,8 +25,8 @@
# Path resolution access in cgroups.
allow domain cgroup:dir search;
-allow { domain -appdomain } cgroup:dir w_dir_perms;
-allow { domain -appdomain } cgroup:file w_file_perms;
+allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup:file w_file_perms;
# For now, everyone can access core property files
# Device specific properties are not granted by default
@@ -105,6 +105,7 @@
-installd
userdebug_or_eng(`-perfprofd')
-profman
+ -rs # spawned by appdomain, so carryover the exception above
-runas
-system_server
} { privapp_data_file app_data_file }:dir *;
@@ -115,6 +116,7 @@
domain
-appdomain
-installd
+ -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
neverallow {
@@ -122,6 +124,7 @@
-appdomain
-installd
userdebug_or_eng(`-perfprofd')
+ -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
neverallow {
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index f28d28f..92fd325 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -21,7 +21,15 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
-allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
+allow ephemeral_app privapp_data_file:file { r_file_perms execute };
+allow ephemeral_app app_data_file:file r_file_perms;
+
+# Allow the renderscript compiler to be run.
+domain_auto_trans(ephemeral_app, rs_exec, rs)
+
+# Allow loading and deleting renderscript created shared libraries
+# within an application home directory.
+allow ephemeral_app rs_data_file:file { r_file_perms execute unlink };
# services
allow ephemeral_app audioserver_service:service_manager find;
diff --git a/private/file.te b/private/file.te
index fd1c2ee..8843743 100644
--- a/private/file.te
+++ b/private/file.te
@@ -13,3 +13,5 @@
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
+# renderscript created files in /data/data directories
+type rs_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index abef72b..fac31a0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -176,6 +176,7 @@
/system(/.*)? u:object_r:system_file:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
@@ -189,6 +190,7 @@
/system/bin/tune2fs -- u:object_r:fsck_exec:s0
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
/system/bin/toybox -- u:object_r:toolbox_exec:s0
+/system/bin/ld\.mc u:object_r:rs_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logcatd -- u:object_r:logcat_exec:s0
/system/bin/sh -- u:object_r:shell_exec:s0
diff --git a/private/installd.te b/private/installd.te
index 0553716..fd3535c 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -20,3 +20,6 @@
# For collecting bugreports.
allow installd dumpstate:fd use;
allow installd dumpstate:fifo_file r_file_perms;
+
+# Delete /system/bin/bcc generated artifacts
+allow installd rs_data_file:file unlink;
diff --git a/private/rs.te b/private/rs.te
new file mode 100644
index 0000000..94cf6b4
--- /dev/null
+++ b/private/rs.te
@@ -0,0 +1,42 @@
+type rs, domain, coredomain;
+type rs_exec, system_file_type, exec_type, file_type;
+
+# Any files which would have been created as app_data_file
+# will be created as rs_data_file instead.
+allow rs app_data_file:dir ra_dir_perms;
+allow rs rs_data_file:file create_file_perms;
+type_transition rs app_data_file:file rs_data_file;
+
+# Read files from the app home directory.
+allow rs app_data_file:file r_file_perms;
+allow rs app_data_file:dir r_dir_perms;
+
+# Cleanup rs_data_file files in the app home directory.
+allow rs app_data_file:dir remove_name;
+
+# Use vendor resources
+allow rs vendor_file:dir r_dir_perms;
+r_dir_file(rs, vendor_overlay_file)
+r_dir_file(rs, vendor_app_file)
+
+# Read contents of app apks
+r_dir_file(rs, apk_data_file)
+
+allow rs gpu_device:chr_file rw_file_perms;
+allow rs ion_device:chr_file r_file_perms;
+allow rs same_process_hal_file:file { r_file_perms execute };
+
+# File descriptors passed from app to renderscript
+allow rs untrusted_app_all:fd use;
+
+# TODO: Explain why these dontaudits are needed. Most likely
+# these are file descriptors leaking across an exec() boundary
+# due to a missing O_CLOEXEC / SOCK_CLOEXEC
+dontaudit rs untrusted_app_all:unix_stream_socket { read write };
+dontaudit rs untrusted_app_all:fifo_file { read write };
+
+# TODO: Explain why this is necessary. I think this is a zygote
+# created logging socket and system server parceled file descriptor
+# which is not using the O_CLOEXEC flag.
+dontaudit rs zygote:fd use;
+dontaudit rs system_server:fd use;
diff --git a/private/runas_app.te b/private/runas_app.te
index b976b91..00baa83 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -6,6 +6,7 @@
net_domain(runas_app)
bluetooth_domain(runas_app)
-# The ability to call exec() on files in the apps home directories
-# when using run-as on a debuggable app. Needed by simpleperf.
-allow runas_app app_data_file:file execute_no_trans;
+# The ability to call exec() or dlopen() on app /data/data
+# files when using run-as on a debuggable app.
+# Needed by simpleperf.
+allow runas_app app_data_file:file { execute_no_trans execute };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 7c266a5..8825e2e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -45,10 +45,10 @@
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
-# The ability to call exec() on files in the apps home directories
-# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
-# and 28 in untrusted_app_27.te.
-allow untrusted_app_25 app_data_file:file execute_no_trans;
+# The ability to call exec() or dlopen() on files in the apps home
+# directories for targetApi<=25. This is also allowed for targetAPIs 26,
+# 27, and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file { execute execute_no_trans };
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index b8fd22e..fab6acc 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -27,9 +27,9 @@
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)
-# The ability to call exec() on files in the apps home directories
-# for targetApi 26, 27, and 28.
-allow untrusted_app_27 app_data_file:file execute_no_trans;
+# The ability to call exec() or dlopen() on files in the apps home
+# directories for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file { execute execute_no_trans };
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 72e03e1..2c81ebd 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -22,7 +22,12 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
-allow untrusted_app_all { app_data_file privapp_data_file }:file { r_file_perms execute };
+allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_all app_data_file:file r_file_perms;
+
+# Allow loading and deleting renderscript created shared libraries
+# within an application home directory.
+allow untrusted_app_all rs_data_file:file { r_file_perms execute unlink };
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
@@ -122,6 +127,9 @@
allow untrusted_app_all system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# Allow the renderscript compiler to be run.
+domain_auto_trans(untrusted_app_all, rs_exec, rs)
+
# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
dontaudit untrusted_app_all net_dns_prop:file read;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 58a42e0..9ed0468 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -21,7 +21,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.2-service u:object_r:hal_graphics_composer_default_exec:s0