From 65317124a0bb7db4829f78e74c7bfe18e27f1c43 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 11 Dec 2013 09:08:09 -0500
Subject: [PATCH] Allow untrusted apps to execute binaries from their sandbox
 directories.

Various third party apps come with their own binaries that they write out to
their sandbox directories and then execute, e.g.:
audit(1386527439.462:190): avc:  denied  { execute_no_trans } for  pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file

While this is not ideal from a security POV, it seems necessary to support for
compatibility with Android today.

Split out the execute-related permissions to a separate allow rule as it
only makes sense for regular files (class file) not other kinds of files
(e.g. fifos, sockets, symlinks), and use the rx_file_perms macro.

Move the rule to untrusted_app only so that we do not permit system apps
to execute files written by untrusted apps.

Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te           | 2 +-
 untrusted_app.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index 5cef948fe..090088f08 100644
--- a/app.te
+++ b/app.te
@@ -46,7 +46,7 @@ binder_call(appdomain, surfaceflinger)
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
 # Read/write data files created by the platform apps if they
 # were passed to the app via binder or local IPC.  Do not allow open.
diff --git a/untrusted_app.te b/untrusted_app.te
index 80f60da60..2630f9e14 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -15,6 +15,10 @@ app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app app_data_file:file rx_file_perms;
+
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
 # Internal SDCard rw access.
-- 
GitLab