From 3c77d4d1c113282315fbccf696298e04f99a20b4 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 30 Jan 2015 10:29:30 -0800
Subject: [PATCH] Add compile time checks for /data/dalvik-cache access

Add an SELinux neverallow rule (a compile-time assertion) ensuring that
only authorized SELinux domains can write to files in /data/dalvik-cache.

Currently, SELinux policy only allows the following SELinux domains
to perform writes to files in /data/dalvik-cache

  * init
  * zygote
  * installd
  * dex2oat

For zygote, installd, and dex2oat, these accesses make sense.

For init, we could further restrict init to just relabelfrom
on /data/dalvik-cache files, and { create, write, setattr }
on /data/dalvik-cache directories. Currently init has full
write access, which can be reduced over time.

This change was motivated by the discussion
in https://android-review.googlesource.com/127582

Remove /data/dalvik-cache access from the unconfined domain.
This domain is only used by init, kernel, and fsck on user builds.
The kernel and fsck domains have no need to access files in
/data/dalvik-cache. Init has a need to relabel files, but
that rule is already granted in init.te.

The neverallow rule is intended to prevent regressions. Neverallow
rules are CTS tested, so regressions won't appear on our devices
or partner devices.

Change-Id: I15e7d17b1121c556463114d1c6c49557a57911cd
---
 domain.te     | 10 ++++++++++
 unconfined.te |  1 +
 2 files changed, 11 insertions(+)

diff --git a/domain.te b/domain.te
index 06c0bddbc..d9935fe87 100644
--- a/domain.te
+++ b/domain.te
@@ -331,3 +331,13 @@ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file
 
 # Only servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager } *:binder set_context_mgr;
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+# (excluding /data/dalvik-cache/profiles, which is labeled differently)
+neverallow {
+  domain
+  -init # TODO: limit init to relabelfrom for files
+  -zygote
+  -installd
+  -dex2oat
+} dalvikcache_data_file:file no_w_file_perms;
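Review bot: The assertion covers only the `file` class of dalvikcache_data_file, so writes on the `dir` class (adding, removing, renaming or relabeling entries of the /data/dalvik-cache directories themselves) and on `lnk_file` are not checked, and the rule's comment does not say so. Together with the blanket `-init` exemption that the TODO already acknowledges, a reader could take this rule as a complete guarantee when it is not; I'd extend the comment to `# Asserts the file class only; dir-class writes and init's full write access are not yet covered.` Whether any domain beyond the four listed currently holds dir-class write permission on dalvikcache_data_file cannot be seen from this hunk, so a parallel neverallow on `dalvikcache_data_file:dir` with the directory write permissions should be added only once a policy build confirms it passes. `no_w_file_perms` is presumably a global macro defined elsewhere; its exact permission set is not visible here.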
diff --git a/unconfined.te b/unconfined.te
index 32044eccc..385af469f 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -83,6 +83,7 @@ allow unconfineddomain {
     -shell_data_file
     -app_data_file
     -unlabeled
+    -dalvikcache_data_file
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain rootfs:file execute;
 allow unconfineddomain contextmount_type:dir r_dir_perms;
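Review bot: The new `-dalvikcache_data_file` exclusion removes the type from the whole `~{entrypoint execute_no_trans execmod execute relabelto}` grant, so unconfineddomain loses read-side permissions (getattr, open, read) on these files as well as the write permissions the commit is about, and nothing in the hunk records that this is intended. If the relabel grant in init.te consists only of relabelfrom, a relabel that also needs getattr on the file would now be denied; init.te is not visible here, so this is a question to confirm rather than a known defect. A one-line reason next to the exclusion would spare the next reader the same question: `-dalvikcache_data_file # write access is asserted by the neverallow in domain.te; init's relabel is granted in init.te`. The `allow unconfineddomain {` statement this hunk modifies starts before the hunk.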
-- 
GitLab