From 75d63fcfd264ae741ec23dccad6bb54fa819e40c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 2 Jul 2014 22:59:19 -0700
Subject: [PATCH] Put dex2oat in it's own sandbox

Currently, dex2oat runs in the installd sandbox, and has
all the SELinux capabilities that installd does. That's too
excessive.

dex2oat handles untrusted user data, so we want to put it in
its own tighter sandbox.

Bug: 15358102
Change-Id: I08083b84b9769e24d6dad6dbd12401987cb006be
---
 app.te        | 3 +++
 dex2oat.te    | 6 ++++++
 file_contexts | 1 +
 installd.te   | 6 ++++++
 zygote.te     | 1 +
 5 files changed, 17 insertions(+)
 create mode 100644 dex2oat.te

diff --git a/app.te b/app.te
index 2d6416f3e..8288ea054 100644
--- a/app.te
+++ b/app.te
@@ -61,6 +61,9 @@ allow appdomain oemfs:file rx_file_perms;
 allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;
 
+# Execute dex2oat when apps call dexclassloader
+allow appdomain dex2oat_exec:file rx_file_perms;
+
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write };
 
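Review bot: The new `allow appdomain dex2oat_exec:file rx_file_perms;` lets apps execute the dex2oat binary, but unlike installd.te in this same patch no domain_auto_trans is added here, so dex2oat launched via dexclassloader appears to keep running in the calling app's own domain rather than in the new dex2oat sandbox. If that is the intent (the app already owns the data it compiles), the comment should say so, since a reader of "own sandbox" in the subject would otherwise expect a transition; suggest `# Execute dex2oat when apps call dexclassloader (no transition: it runs in the app's own domain)`. The zygote.te hunk has the same shape: `allow zygote dex2oat_exec:file rx_file_perms;` is placed under the existing `# Execute dexopt.` comment with no transition, so that comment could become `# Execute dexopt and dex2oat (both stay in the zygote domain).`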
diff --git a/dex2oat.te b/dex2oat.te
new file mode 100644
index 000000000..51acc86bf
--- /dev/null
+++ b/dex2oat.te
@@ -0,0 +1,6 @@
+# dex2oat
+type dex2oat, domain;
+type dex2oat_exec, exec_type, file_type;
+
+allow dex2oat dalvikcache_data_file:file write;
+allow dex2oat installd:fd use;
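Review bot: The header comment `# dex2oat` on the new domain does not explain the shape of the sandbox, which is unusual: the only file permission granted is `write` on dalvikcache_data_file, with no open/read/getattr, plus `use` on installd's fds. That combination presumably means dex2oat is expected to receive its input and output files as descriptors inherited from installd and never open paths itself; if so, that contract is worth stating because any future path-based open in dex2oat will surface only as a denial. Suggest replacing the header with `# dex2oat: compiles dex on behalf of installd.` and `# Input/output files are expected as fds inherited from installd; no open permission is granted here.` The rules that the `domain` attribute pulls in are outside this patch, so the effective baseline cannot be judged from here.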
diff --git a/file_contexts b/file_contexts
index 57fc1f2f9..def1e5349 100644
--- a/file_contexts
+++ b/file_contexts
@@ -160,6 +160,7 @@
 /system/bin/logwrapper  u:object_r:system_file:s0
 /system/bin/vdc         u:object_r:vdc_exec:s0
 /system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/dex2oat     u:object_r:dex2oat_exec:s0
 
 #############################
 # Vendor files
diff --git a/installd.te b/installd.te
index 5faa1ec82..6257edeb6 100644
--- a/installd.te
+++ b/installd.te
@@ -53,6 +53,12 @@ allow installd dalvikcache_profiles_data_file:file create_file_perms;
 allow installd resourcecache_data_file:dir rw_dir_perms;
 allow installd resourcecache_data_file:file create_file_perms;
 
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# dex2oat needs LD_PRELOAD, passed down from init
+# https://android-review.googlesource.com/94851
+allow installd dex2oat:process noatsecure;
+
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
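Review bot: `allow installd dex2oat:process noatsecure;` disables secure-execution mode (AT_SECURE) for the installd→dex2oat transition, so the dynamic linker will honour LD_PRELOAD and, to the best of my knowledge, the other loader-controlled environment variables that installd passes down, not only the one the comment names. That makes the sandbox depend on installd forwarding a trustworthy environment, which the comment should make explicit so nobody later lets untrusted environment reach this exec. Suggest extending the comment to `# noatsecure disables secure-execution mode for this transition, so the linker honors LD_PRELOAD` and `# (and similar loader env vars) from installd's environment; installd must not pass untrusted env here.`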
diff --git a/zygote.te b/zygote.te
index c2a325eec..c2a239593 100644
--- a/zygote.te
+++ b/zygote.te
@@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:file create_file_perms;
 allow zygote dalvikcache_data_file:file execute;
 # Execute dexopt.
 allow zygote system_file:file x_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote self:capability sys_admin;
-- 
GitLab