android_system_sepolicy

Author SHA1 Message Date

Author	SHA1	Message	Date
Jeff Vander Stoep	41a2abfc0d	Properly Treble-ize tmpfs access This is being done in preparation for the migration from ashmem to memfd. In order for tmpfs objects to be usable across the Treble boundary, they need to be declared in public policy whereas, they're currently all declared in private policy as part of the tmpfs_domain() macro. Remove the type declaration from the macro, and remove tmpfs_domain() from the init_daemon_domain() macro to avoid having to declare the *_tmpfs types for all init launched domains. tmpfs is mostly used by apps and the media frameworks. Bug: 122854450 Test: Boot Taimen and blueline. Watch videos, make phone calls, browse internet, send text, install angry birds...play angry birds, keep playing angry birds... Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358 Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358 (cherry picked from commit `e16fb9109c`)	2019-01-26 17:30:41 +00:00
Martijn Coenen	1bbda7e662	Initial sepolicy for app_zygote. The application zygote is a new sort of zygote process that is a child of the regular zygote. Each application zygote is tied to the application for which it's launched. Once it's started, it will pre-load some of the code for that specific application, much like the regular zygote does for framework code. Once the application zygote is up and running, it can spawn isolated service processes that run in the isolated_app domain. These services can then benefit from already having the relevant application code and data pre-loaded. The policy is largely the same as the webview_zygote domain, however there are a few crucial points where the policy is different. 1) The app_zygote runs under the UID of the application that spawned it. 2) During app_zygote launch, it will call a callback that is controlled by the application, that allows the application to pre-load code and data that it thinks is relevant. Especially point 2 is imporant: it means that untrusted code can run in the app_zygote context. This context is severely limited, and the main concern is around the setgid/setuid capabilities. Those conerns are mitigated by installing a seccomp filter that only allows setgid/setuid to be called in a safe range. Bug: 111434506 Test: app_zygote can start and fork children without denials. Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832	2019-01-21 08:24:41 +00:00

Jeff Vander Stoep

41a2abfc0d

Properly Treble-ize tmpfs access

This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)

2019-01-26 17:30:41 +00:00

Martijn Coenen

1bbda7e662

Initial sepolicy for app_zygote.

The application zygote is a new sort of zygote process that is a
child of the regular zygote. Each application zygote is tied to the
application for which it's launched. Once it's started, it will
pre-load some of the code for that specific application, much like
the regular zygote does for framework code.

Once the application zygote is up and running, it can spawn
isolated service processes that run in the isolated_app domain. These
services can then benefit from already having the relevant
application code and data pre-loaded.

The policy is largely the same as the webview_zygote domain,
however there are a few crucial points where the policy is different.

1) The app_zygote runs under the UID of the application that spawned
   it.
2) During app_zygote launch, it will call a callback that is
   controlled by the application, that allows the application to
   pre-load code and data that it thinks is relevant.

Especially point 2 is imporant: it means that untrusted code can run
in the app_zygote context. This context is severely limited, and the
main concern is around the setgid/setuid capabilities. Those conerns
are mitigated by installing a seccomp filter that only allows
setgid/setuid to be called in a safe range.

Bug: 111434506
Test: app_zygote can start and fork children without denials.
Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832

2019-01-21 08:24:41 +00:00

2 Commits