From 6f090f69117bf5993872090ee103c579e21027fa Mon Sep 17 00:00:00 2001
From: Chad Brubaker <cbrubaker@google.com>
Date: Fri, 4 Nov 2016 10:03:26 -0700
Subject: [PATCH] Label ephemeral APKs and handle their install/uninstall

Fixes: 32061937
Test: install/uninstall and verified no denials
Change-Id: I487727b6b32b1a0fb06ce66ed6dd69db43c8d536
---
 private/file_contexts   |  4 ++++
 public/dex2oat.te       |  4 ++--
 public/domain.te        |  1 +
 public/ephemeral_app.te |  7 +++++++
 public/file.te          |  3 +++
 public/init.te          |  2 --
 public/installd.te      | 10 +++++-----
 public/platform_app.te  | 10 +++++++---
 public/system_server.te | 10 ++++++++--
 9 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/private/file_contexts b/private/file_contexts
index b5c5d8f86..e0018e364 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -271,6 +271,10 @@
 /data/app/vmdl[^/]+\.tmp/oat(/.*)?           u:object_r:dalvikcache_data_file:s0
 /data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
 /data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
+/data/app-ephemeral(/.*)?             u:object_r:ephemeral_apk_data_file:s0
+/data/app-ephemeral/[^/]+/oat(/.*)?   u:object_r:dalvikcache_data_file:s0
+/data/app-ephemeral/vmdl[^/]+\.tmp(/.*)?           u:object_r:ephemeral_apk_tmp_file:s0
+/data/app-ephemeral/vmdl[^/]+\.tmp/oat(/.*)?           u:object_r:dalvikcache_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 47aa2fba6..d0de06498 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -2,7 +2,7 @@
 type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
 
-r_dir_file(dex2oat, apk_data_file)
+r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})
 
 allow dex2oat tmpfs:file { read getattr };
 
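Review bot: The type set on the new `r_dir_file` line is written as `{apk_data_file ephemeral_apk_data_file}` with no space inside the braces, while the existing rules in this policy (for example the `{ apk_tmp_file apk_private_tmp_file }` sets in platform_app.te and system_server.te) use `{ a b }`. The same spacing appears in the second dex2oat hunk, in the five rewritten installd.te lines, in the two platform_app.te tmp-file lines (trailing brace) and in the second relabel rule of system_server.te. Suggest `r_dir_file(dex2oat, { apk_data_file ephemeral_apk_data_file })` here and the matching form in the other hunks so the policy stays greppable in one style.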
@@ -22,7 +22,7 @@ allow dex2oat installd:fd use;
 allow dex2oat asec_apk_file:file read;
 allow dex2oat unlabeled:file read;
 allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:file read;
+allow dex2oat {apk_tmp_file ephemeral_apk_tmp_file}:file read;
 allow dex2oat user_profile_data_file:file { getattr read lock };
 
 ##################
diff --git a/public/domain.te b/public/domain.te
index 1dac14295..56424e928 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -325,6 +325,7 @@ neverallow {
   -dalvikcache_data_file
   -system_data_file # shared libs in apks
   -apk_data_file
+  -ephemeral_apk_data_file
 }:file no_x_file_perms;
 
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
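Review bot: The added `-ephemeral_apk_data_file` exemption enlarges the set of data files that the subjects of this neverallow may execute, but the subject list and the start of the rule are outside the hunk, so the reviewer cannot see which domains gain that exemption from this page. The neighbouring exemption carries a trailing comment (`-system_data_file # shared libs in apks`); the new line should too, e.g. `-ephemeral_apk_data_file # ephemeral APKs in /data/app-ephemeral`. If domain.te also carries a neverallow that bars non-installer domains from writing `apk_data_file`, that rule presumably needs the new type added as well, since the new type is now executable on the same terms; please confirm against the full file.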
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 200d78f8c..a96bff7c0 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -38,6 +38,10 @@ allow ephemeral_app zygote:unix_dgram_socket write;
 allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
 allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
 
+# Allow apps to read/execute installed binaries
+allow ephemeral_app ephemeral_apk_data_file:dir search;
+allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
+
 # For art.
 allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
 allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
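Review bot: The comment `# Allow apps to read/execute installed binaries` is broader than the rules under it, which apply only to `ephemeral_app` and only to `ephemeral_apk_data_file` (the APKs under /data/app-ephemeral per file_contexts), and "binaries" suggests native executables rather than APK contents. Suggest `# Read and execute code from installed ephemeral APKs (/data/app-ephemeral).` so the intent is tied to the type being granted. The rules themselves grant `execute` but not `execute_no_trans`, which matches the dalvikcache rule below; worth keeping that asymmetry in the comment if it is deliberate.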
@@ -89,6 +93,9 @@ allow ephemeral_app textservices_service:service_manager find;
 ### neverallow rules
 ###
 
+# Executable content should never be loaded from an ephemeral app home directory.
+neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
+
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
 
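Review bot: The new neverallow blocks execution from the app home directory, but nothing in this file asserts the converse for the newly executable type: the first hunk grants `ephemeral_app` execute on `ephemeral_apk_data_file`, and the only thing preventing an app from modifying what it then executes is the absence of an allow rule. A companion neverallow pinning that invariant would make the install/execute split explicit and survive future allow-rule additions, e.g. `# Ephemeral apps may execute installed APK code but never modify it.` followed by `neverallow ephemeral_app ephemeral_apk_data_file:file no_w_file_perms;`. The neverallow section continues past this hunk, so placement relative to the existing rules is up to the author.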
diff --git a/public/file.te b/public/file.te
index af84e26b6..19b04899f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -96,6 +96,9 @@ type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/app-private - forward-locked apps
 type apk_private_data_file, file_type, data_file_type;
 type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
+# /data/app-ephemeral - ephemeral apps
+type ephemeral_apk_data_file, file_type, data_file_type;
+type ephemeral_apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/ota
diff --git a/public/init.te b/public/init.te
index a029219ad..bef8de744 100644
--- a/public/init.te
+++ b/public/init.te
@@ -337,8 +337,6 @@ unix_socket_connect(init, vold, vold)
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;
 
-allow init apk_data_file:dir { getattr search };
-allow init dalvikcache_data_file:dir { search getattr };
 r_dir_file(init, system_file)
 allow init proc_meminfo:file r_file_perms;
 
diff --git a/public/installd.te b/public/installd.te
index 4396ea46a..ef5b83aa8 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -9,13 +9,13 @@ allow installd dalvikcache_data_file:dir relabelto;
 allow installd dalvikcache_data_file:file { relabelto link };
 
 # Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+allow installd {apk_data_file ephemeral_apk_data_file}:dir { create_dir_perms relabelfrom };
+allow installd {apk_data_file ephemeral_apk_data_file}:file { create_file_perms relabelfrom link };
+allow installd {apk_data_file ephemeral_apk_data_file}:lnk_file { create r_file_perms unlink };
 
 allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
+allow installd {apk_tmp_file ephemeral_apk_tmp_file}:file { r_file_perms unlink };
+allow installd {apk_tmp_file ephemeral_apk_tmp_file}:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
diff --git a/public/platform_app.te b/public/platform_app.te
index d4a27ad91..8a988e562 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -12,10 +12,10 @@ bluetooth_domain(platform_app)
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp, /data/app-ephemeral/vmdl*.tmp files
 # created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:file rw_file_perms;
 allow platform_app apk_private_data_file:dir search;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
@@ -56,3 +56,7 @@ allow platform_app vr_manager_service:service_manager find;
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
 allow platform_app preloads_data_file:dir r_dir_perms;
+
+# Access to ephemeral APKs
+allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
+allow platform_app ephemeral_apk_data_file:file r_file_perms;
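Review bot: The comment `# Access to ephemeral APKs` states what the two rules grant but not why a platform-signed app needs read access to the installed APK directory, which is the question a later reviewer of platform_app.te will ask when deciding whether to keep or narrow it. The earlier hunk in this file documents the tmp-file access as populating vmdl*.tmp files created by system server; a similar sentence here, naming the platform component that reads /data/app-ephemeral (presumably an installer or verifier component, to be confirmed by the author), would make the grant auditable. Note also that this grants `r_dir_perms` on the directory where `apk_private_data_file` just above receives only `search`; if the directory listing is not needed, `search` would be the narrower choice.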
diff --git a/public/system_server.te b/public/system_server.te
index a11f36684..7b2b1b91b 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -252,6 +252,12 @@ allow system_server apk_private_data_file:file create_file_perms;
 allow system_server apk_private_tmp_file:dir create_dir_perms;
 allow system_server apk_private_tmp_file:file create_file_perms;
 
+# Manage /data/app-ephemeral
+allow system_server ephemeral_apk_data_file:dir create_dir_perms;
+allow system_server ephemeral_apk_data_file:file create_file_perms;
+allow system_server ephemeral_apk_tmp_file:dir create_dir_perms;
+allow system_server ephemeral_apk_tmp_file:file create_file_perms;
+
 # Manage files within asec containers.
 allow system_server asec_apk_file:dir create_dir_perms;
 allow system_server asec_apk_file:file create_file_perms;
@@ -319,8 +325,8 @@ allow system_server { system_app_data_file bluetooth_data_file nfc_data_file rad
 allow system_server media_rw_data_file:file { getattr read write append };
 
 # Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file ephemeral_apk_data_file}:{ dir file } { relabelfrom relabelto };
 
 # Relabel wallpaper.
 allow system_server system_data_file:file relabelfrom;
-- 
GitLab