From 5c566d1a5ae344eaa849df0a3b7184c64952190d Mon Sep 17 00:00:00 2001
From: Chad Brubaker <cbrubaker@google.com>
Date: Tue, 17 Jan 2017 13:28:24 -0800
Subject: [PATCH] Move ephemeral_app to appdomain

Ephemeral apps are still apps with very similar capabilities, it makes
more sense to have them under appdomain and benefit from the shared
state (and all the neverallow rules) than to try and dupplicate them and
keep them in sync.

This is an initial move, there are parts of ephemeral_app that still
need to be locked down further and some parts of appdomain that should
be pushed down into the various app domains.

Test: Builds, ephemeral apps work without denials.
Change-Id: I1526b2c2aa783a91fbf6543ac7f6d0d9906d70af
---
 private/ephemeral_app.te | 84 +++-------------------------------------
 public/app.te            | 30 +++++++-------
 2 files changed, 20 insertions(+), 94 deletions(-)

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 23b1e78c6..26d884ef3 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -12,95 +12,21 @@
 ### PackageManager flags an app as ephemeral at install time.
 
 net_domain(ephemeral_app)
-
-# Define and allow access to our own type for ashmem regions.
-# Label ashmem objects with our own unique type.
-tmpfs_domain(ephemeral_app)
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-# Map with PROT_EXEC.
-allow ephemeral_app ephemeral_app_tmpfs:file execute;
-
-# allow JITing
-allow ephemeral_app self:process execmem;
-allow ephemeral_app ashmem_device:chr_file execute;
-
-# Send logcat messages to logd.
-write_logd(ephemeral_app)
-
-# Receive and use open file descriptors inherited from zygote.
-allow ephemeral_app zygote:fd use;
-
-# Notify zygote of death;
-allow ephemeral_app zygote:process sigchld;
-
-# application inherit logd write socket (urge is to deprecate this long term)
-allow ephemeral_app zygote:unix_dgram_socket write;
-
-# Read system properties managed by zygote.
-allow ephemeral_app zygote_tmpfs:file read;
+app_domain(ephemeral_app)
 
 # App sandbox file accesses.
 allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
 allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
 
-# Keychain and user-trusted credentials
-r_dir_file(ephemeral_app, keychain_data_file)
-allow ephemeral_app misc_user_data_file:dir r_dir_perms;
-allow ephemeral_app misc_user_data_file:file r_file_perms;
-
 # Allow apps to read/execute installed binaries
-allow ephemeral_app ephemeral_apk_data_file:dir search;
+allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
 
-# For art.
-allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
-allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
-allow ephemeral_app dalvikcache_data_file:dir getattr;
-
-# Grant GPU access. ephemeral_app needs that to render the standard UI.
-allow ephemeral_app gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(ephemeral_app)
-# Perform binder IPC to binder services.
-binder_call(ephemeral_app, surfaceflinger)
-binder_call(ephemeral_app, system_server)
-# Perform binder IPC to apps.
-binder_call(ephemeral_app, appdomain)
-
-# Allow read access to ion memory allocation device
-allow ephemeral_app ion_device:chr_file { read open };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow ephemeral_app system_server:fifo_file rw_file_perms;
-allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Inherit or receive open files from system_server.
-allow ephemeral_app system_server:fd use;
-
-# Communicate with surfaceflinger.
-allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# Read files already opened under /data.
-allow ephemeral_app system_data_file:file { getattr read };
-allow ephemeral_app system_data_file:lnk_file read;
-
-# System file accesses. Check for libraries
-allow ephemeral_app system_file:dir getattr;
-
 # services
-allow ephemeral_app accessibility_service:service_manager find;
-allow ephemeral_app activity_service:service_manager find;
-allow ephemeral_app assetatlas_service:service_manager find;
-allow ephemeral_app connectivity_service:service_manager find;
-allow ephemeral_app display_service:service_manager find;
-allow ephemeral_app graphicsstats_service:service_manager find;
-allow ephemeral_app input_method_service:service_manager find;
-allow ephemeral_app input_service:service_manager find;
 allow ephemeral_app surfaceflinger_service:service_manager find;
-allow ephemeral_app textservices_service:service_manager find;
+allow ephemeral_app radio_service:service_manager find;
+# TODO: Replace app_api_service with a smaller ephemeral_api_service
+allow ephemeral_app app_api_service:service_manager find;
 
 ###
 ### neverallow rules
diff --git a/public/app.te b/public/app.te
index e350f45f2..23c5ab8fe 100644
--- a/public/app.te
+++ b/public/app.te
@@ -180,20 +180,20 @@ allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
 
 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow { appdomain -isolated_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app } sdcardfs:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
@@ -205,8 +205,8 @@ allow { appdomain -isolated_app } vfat:file rw_file_perms;
 #
 # USB devices are first opened by the system server (USBDeviceManagerService)
 # and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
 
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
@@ -230,9 +230,9 @@ control_logd(appdomain)
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
-allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
 
-use_keystore({ appdomain -isolated_app })
+use_keystore({ appdomain -isolated_app -ephemeral_app })
 
 allow appdomain console_device:chr_file { read write };
 
@@ -270,7 +270,7 @@ selinux_check_context(appdomain)
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
-- 
GitLab