sepolicy: restrict /vendor/app from most coredomains
The change makes 'vendor_app_file' accessible only to a few platform domains like dex2oat, idmap, installd, system_server and appdomain. Bug: 36681210 Test: Boot sailfish (treble device) from wiped flashall Test: Connect to wifi and launch chrome to load a few websites. Test: Launch camera and record + playback video Change-Id: Ib8757fedbf2e19c8381c8cd0f8f2693b2345534b Signed-off-by: Sandeep Patil <sspatil@google.com>
This commit is contained in:
parent
37792cecad
commit
1b5f81a2d2
@ -94,6 +94,10 @@ allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_p
allow appdomain system_file:dir r_dir_perms;
allow appdomain system_file:lnk_file { getattr open read };
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;
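Review bot: The comment `# apps which cannot be in /vendor.` does not describe the exclusion written on the next line, which subtracts ephemeral_app and untrusted_v2_app rather than any privileged-app domain. That same set appears in the toolbox_exec rule shown in the hunk header, so the comment should name it, e.g. `# Allow apps read access to /vendor/app; ephemeral and untrusted_v2 apps are excluded, matching the toolbox_exec rule above.` If the intent really is to keep privileged apps away from vendor_app_file, the exclusion set should be changed instead, since no privileged-app domain is subtracted here.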
@ -3,6 +3,8 @@ type dex2oat, domain, domain_deprecated;
type dex2oat_exec, exec_type, file_type;
r_dir_file(dex2oat, apk_data_file)
# Access to /vendor/app
r_dir_file(dex2oat, vendor_app_file)
allow dex2oat tmpfs:file { read getattr };
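Review bot: The comment `# Access to /vendor/app` only restates the type name on the line below it and gives no reason the grant exists. Since the rule sits directly after the apk_data_file grant, `# Read APKs under /vendor/app, same as apk_data_file above` would tell a reader what dex2oat needs from vendor_app_file and why the two rules belong together.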
@ -131,11 +131,6 @@ full_treble_only(`
# through linker/loader.
allow domain vendor_file:dir { getattr search };
# TODO: b/36681210, find out who needs access and only allow
# specific domains for Treble
allow domain vendor_app_file:dir r_dir_perms;
allow domain vendor_app_file:file { read open getattr };
# Some apps (com.android.phone) need to be able to open
# symlinked libraries
# TODO: b/36806861
@ -689,6 +684,31 @@ full_treble_only(`
}:sock_file ~{ append getattr ioctl read write };
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app except for whitelisted domains
neverallow {
coredomain
-appdomain
-dex2oat
-idmap
-init
-installd
-system_server
} vendor_app_file:dir { open read getattr search };
neverallow {
coredomain
-appdomain
-dex2oat
-idmap
-init
-installd
-system_server
} vendor_app_file:{ file lnk_file } r_file_perms;
')
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
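Review bot: The directory assertion `} vendor_app_file:dir { open read getattr search };` enumerates only a subset of r_dir_perms, while the file assertion below uses the full r_file_perms macro, so a non-whitelisted coredomain could still be granted ioctl or lock on vendor_app_file directories without tripping the neverallow; `} vendor_app_file:dir r_dir_perms;` would close that gap and match the permissions the whitelisted domains actually receive through r_dir_file. The exclusion list also carries -init, which neither the comment `# Limit access to /vendor/app except for whitelisted domains` nor the commit description explains; a one-line reason next to that entry would spare the next reader from guessing whether it is intentional. The two neverallow blocks repeat the same seven-entry exclusion set, so any future change to the whitelist has to be made in both places, which is worth a short comment as well.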
@ -908,6 +928,7 @@ neverallow {
userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;
# servicemanager is the only process which handles list request
neverallow * ~servicemanager:service_manager list;
@ -9,3 +9,6 @@ allow idmap resourcecache_data_file:file { getattr read write };
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)
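Review bot: The comment `# Allow apps access to /vendor/app` is wrong for this file: the rule beneath it grants idmap, not apps, read access to vendor_app_file, and it looks copied from the app.te hunk. Following the wording two lines above, `# Read target and overlay apks under /vendor/app` states the actual purpose of the grant.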
@ -27,6 +27,8 @@ selinux_check_context(installd)
r_dir_file(installd, rootfs)
# Scan through APKs in /system/app and /system/priv-app
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context