From 0b74305011e70bc58490720709e86aac6eb7700f Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Tue, 21 Mar 2017 19:39:01 -0700
Subject: [PATCH] Sepolicy: Add ASAN-Extract

Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
---
 private/asan_extract.te    |  8 ++++++++
 private/file_contexts_asan |  1 +
 private/property_contexts  |  3 +++
 public/asan_extract.te     | 36 ++++++++++++++++++++++++++++++++++++
 public/domain.te           |  6 ++++--
 public/property.te         |  1 +
 6 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 private/asan_extract.te
 create mode 100644 public/asan_extract.te

diff --git a/private/asan_extract.te b/private/asan_extract.te
new file mode 100644
index 000000000..1c20d78ec
--- /dev/null
+++ b/private/asan_extract.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index 5e756fc79..d35cd3c94 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -2,3 +2,4 @@
 /data/asan/system/lib64(/.*)?              u:object_r:system_file:s0
 /data/asan/vendor/lib(/.*)?                u:object_r:system_file:s0
 /data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
+/system/bin/asan_extract       u:object_r:asan_extract_exec:s0
diff --git a/private/property_contexts b/private/property_contexts
index c205e594c..498bab8f4 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -112,3 +112,6 @@ wlan.                   u:object_r:wifi_prop:s0
 
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
+
+# ASAN install trigger
+asan.restore_reboot  u:object_r:asan_reboot_prop:s0
diff --git a/public/asan_extract.te b/public/asan_extract.te
new file mode 100644
index 000000000..6d0de6cf1
--- /dev/null
+++ b/public/asan_extract.te
@@ -0,0 +1,36 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+  type asan_extract, domain, coredomain;
+  type asan_extract_exec, exec_type, file_type;
+
+  # Allow asan_extract to execute itself using #!/system/bin/sh
+  allow asan_extract shell_exec:file rx_file_perms;
+
+  # We execute log, rm, gzip and tar.
+  allow asan_extract toolbox_exec:file rx_file_perms;
+  allow asan_extract system_file:file execute_no_trans;
+
+  # asan_extract deletes old /data/lib.
+  allow asan_extract system_file:dir { open read remove_name rmdir write };
+  allow asan_extract system_file:file unlink;
+
+  # asan_extract untars ASAN libraries into /data.
+  allow asan_extract system_data_file:dir create_dir_perms ;
+  allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+  # Relabel the libraries with restorecon.
+  allow asan_extract file_contexts_file:file r_file_perms;
+  allow asan_extract system_data_file:{ dir file } relabelfrom;
+  allow asan_extract system_file:dir { relabelto setattr };
+  allow asan_extract system_file:file relabelto;
+
+  # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+  allow asan_extract system_data_file:file execute;
+
+  # We use asan.restore_reboot to signal a reboot is required.
+  set_prop(asan_extract, asan_reboot_prop)
+')
diff --git a/public/domain.te b/public/domain.te
index fc4db7e2b..6cee764a9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -300,6 +300,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
 neverallow {
     domain
     -appdomain
+    with_asan(`-asan_extract')
     -dumpstate
     -shell
     userdebug_or_eng(`-su')
@@ -336,9 +337,9 @@ neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_p
 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
 # Only recovery should be doing writes to /system
-neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
+neverallow { domain -recovery with_asan(`-asan_extract') } { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
+neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
@@ -713,6 +714,7 @@ neverallow {
   -system_app
   -init
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
+  with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
 # to installd
diff --git a/public/property.te b/public/property.te
index a3f5a1e43..691060362 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,3 +1,4 @@
+type asan_reboot_prop, property_type;
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
 type bluetooth_prop, property_type;
-- 
GitLab