From 76035ea01971156895cf0d8efc1876bfa2025bd6 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Thu, 8 Dec 2016 11:23:34 -0800
Subject: [PATCH] Restore app_domain macro and move to private use.

app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy.

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
---
 private/bluetooth.te | 5 +----
 private/isolated_app.te | 5 +----
 private/nfc.te | 5 +----
 private/platform_app.te | 5 +----
 private/priv_app.te | 5 +----
 private/radio.te | 5 +----
 private/shared_relro.te | 7 +++----
 private/shell.te | 7 +++----
 private/su.te | 5 +----
 private/system_app.te | 5 +----
 private/untrusted_app.te | 5 +----
 public/bluetooth.te | 2 +-
 public/isolated_app.te | 1 -
 public/nfc.te | 2 +-
 public/platform_app.te | 2 +-
 public/priv_app.te | 2 +-
 public/radio.te | 2 +-
 public/shared_relro.te | 4 ----
 public/shell.te | 4 ----
 public/su.te | 1 -
 public/system_app.te | 2 +-
 public/te_macros | 4 ++++
 public/untrusted_app.te | 2 +-
 23 files changed, 26 insertions(+), 61 deletions(-)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index e8c0e76a2..40ce8c166 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -3,7 +3,4 @@
 # Socket creation under /data/misc/bluedroid.
 type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-# app_domain macro fallout
-tmpfs_domain(bluetooth)
-# Map with PROT_EXEC.
-allow bluetooth bluetooth_tmpfs:file execute;
+app_domain(bluetooth)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 0a9901aa3..a2777526a 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -1,7 +1,4 @@
-# app_domain fallout
-tmpfs_domain(isolated_app)
-# Map with PROT_EXEC.
-allow isolated_app isolated_app_tmpfs:file execute;
+app_domain(isolated_app)
 # Read system properties managed by webview_zygote.
 allow isolated_app webview_zygote_tmpfs:file read;
diff --git a/private/nfc.te b/private/nfc.te
index 33b547702..52b0d2038 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,4 +1 @@
-# app_domain_fallout
-tmpfs_domain(nfc)
-# Map with PROT_EXEC.
-allow nfc nfc_tmpfs:file execute;
+app_domain(nfc)
\ No newline at end of file
diff --git a/private/platform_app.te b/private/platform_app.te
index e478039fc..93cdc75a6 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -1,4 +1 @@
-# app_domain fallout
-tmpfs_domain(platform_app)
-# Map with PROT_EXEC.
-allow platform_app platform_app_tmpfs:file execute;
+app_domain(platform_app)
\ No newline at end of file
diff --git a/private/priv_app.te b/private/priv_app.te
index 9a535d905..4e7e33075 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -1,7 +1,4 @@
-# app_domain fallout
-tmpfs_domain(priv_app)
-# Map with PROT_EXEC.
-allow priv_app priv_app_tmpfs:file execute;
+app_domain(priv_app)
 # Allow the allocation and use of ptys
 # Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
diff --git a/private/radio.te b/private/radio.te
index 7218b2311..dede5d755 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,4 +1 @@
-# app_domain fallout
-tmpfs_domain(radio)
-# Map with PROT_EXEC.
-allow radio radio_tmpfs:file execute;
+app_domain(radio)
\ No newline at end of file
diff --git a/private/shared_relro.te b/private/shared_relro.te
index c3c43ab7b..b1ba0ff4a 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
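Review bot: private/nfc.te is reduced to the single line `app_domain(nfc)` with no terminating newline (`\ No newline at end of file`), and private/platform_app.te and private/radio.te in this patch end the same way while every other private file keeps its trailing newline. The policy build is unlikely to care, but the missing newline shows up in every later diff of these files and trips whitespace lint, so it is worth ending all three files with a newline now.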
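Review bot: The context comment kept directly under the new `app_domain(priv_app)` line in private/priv_app.te reads `# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm`, which looks like a search-and-replace artefact of the `https://play.google.com/store/apps/details?id=jackpal.androidterm` URL that private/untrusted_app.te carries for the same pty rule. This commit does not touch that line, but since the file is being edited anyway the comment could be corrected so the provenance of the pty allow rule can actually be checked.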
@@ -1,4 +1,3 @@
-# app_domain fallout
-tmpfs_domain(shared_relro)
-# Map with PROT_EXEC.
-allow shared_relro shared_relro_tmpfs:file execute;
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
diff --git a/private/shell.te b/private/shell.te
index 802ffc0ab..333265f8b 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -4,7 +4,6 @@ allow shell debugfs_tracing:file rw_file_perms;
 allow shell debugfs_trace_marker:file getattr;
 allow shell atrace_exec:file rx_file_perms;
-# app_domain fallout
-tmpfs_domain(shell)
-# Map with PROT_EXEC.
-allow shell shell_tmpfs:file execute;
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)
diff --git a/private/su.te b/private/su.te
index 3dda00f9b..b594ebed4 100644
--- a/private/su.te
+++ b/private/su.te
@@ -11,8 +11,5 @@ userdebug_or_eng(`
 # su is also permissive to permit setenforce.
 permissive su;
- # app_domain fallout
- tmpfs_domain(su)
- # Map with PROT_EXEC.
- allow su su_tmpfs:file execute;
+ app_domain(su)
 ')
diff --git a/private/system_app.te b/private/system_app.te
index 4319c979c..f6b03053f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -1,4 +1 @@
-# app_domain fallout
-tmpfs_domain(system_app)
-# Map with PROT_EXEC.
-allow system_app system_app_tmpfs:file execute;
+app_domain(system_app)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index c9ed000f2..b142ebfa0 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -1,7 +1,4 @@
-# app_domain fallout
-tmpfs_domain(untrusted_app)
-# Map with PROT_EXEC.
-allow untrusted_app untrusted_app_tmpfs:file execute;
+app_domain(untrusted_app)
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 738d9c206..75a11f43e 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -1,6 +1,6 @@
 # bluetooth subsystem
 type bluetooth, domain, domain_deprecated;
-app_domain(bluetooth)
+
 net_domain(bluetooth)
 # Allow access to net_admin ioctls
 allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 0fe2e6189..f2216ee9d 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -10,7 +10,6 @@
 ###
 type isolated_app, domain;
-app_domain(isolated_app)
 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app app_data_file:file { append read write getattr lock };
diff --git a/public/nfc.te b/public/nfc.te
index 3d40867db..f887c2894 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -1,6 +1,6 @@
 # nfc subsystem
 type nfc, domain, domain_deprecated;
-app_domain(nfc)
+
 net_domain(nfc)
 binder_service(nfc)
diff --git a/public/platform_app.te b/public/platform_app.te
index 8a988e562..64843195b 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -3,7 +3,7 @@
 ###
 type platform_app, domain, domain_deprecated;
-app_domain(platform_app)
+
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
diff --git a/public/priv_app.te b/public/priv_app.te
index 9ee347fbb..94d671725 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -2,7 +2,7 @@
 ### A domain for further sandboxing privileged apps.
 ###
 type priv_app, domain, domain_deprecated;
-app_domain(priv_app)
+
 # Access the network.
 net_domain(priv_app)
 # Access bluetooth.
diff --git a/public/radio.te b/public/radio.te
index b2a878e19..07444afcd 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,6 +1,6 @@
 # phone subsystem
 type radio, domain, domain_deprecated, mlstrustedsubject;
-app_domain(radio)
+
 net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 30af14a08..9794b0b8a 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
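Review bot: In public/bluetooth.te the removed `app_domain(bluetooth)` line is replaced by an empty added line (`+`) instead of simply being deleted, which leaves a new blank line above `net_domain(bluetooth)`; public/nfc.te, public/platform_app.te, public/priv_app.te, public/radio.te, public/system_app.te and public/untrusted_app.te do the same, whereas public/isolated_app.te, public/shared_relro.te, public/shell.te and public/su.te delete the call outright. Either layout is fine, but picking one keeps the public .te files uniform and makes each of these hunks a pure one-line removal, which is what the commit message ("sediff shows no policy change") is describing.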
@@ -1,10 +1,6 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain, domain_deprecated;
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
-
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
 allow shared_relro shared_relro_file:file create_file_perms;
diff --git a/public/shell.te b/public/shell.te
index a39b39ffd..38a890c62 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -5,10 +5,6 @@ type shell_exec, exec_type, file_type;
 # Create and use network sockets.
 net_domain(shell)
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
 # logcat
 read_logd(shell)
 control_logd(shell)
diff --git a/public/su.te b/public/su.te
index 0f8132579..38d7f5cad 100644
--- a/public/su.te
+++ b/public/su.te
@@ -9,7 +9,6 @@ userdebug_or_eng(`
 # Add su to various domains
 net_domain(su)
- app_domain(su)
 dontaudit su self:capability_class_set *;
 dontaudit su kernel:security *;
diff --git a/public/system_app.te b/public/system_app.te
index 6be67313d..9eddf6588 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -4,7 +4,7 @@
 # server.
 #
 type system_app, domain, domain_deprecated;
-app_domain(system_app)
+
 net_domain(system_app)
 binder_service(system_app)
diff --git a/public/te_macros b/public/te_macros
index 0a20d9250..6a1a5ffe3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -95,6 +95,10 @@ tmpfs_domain($1)
 # Allow a base set of permissions required for all apps.
 define(`app_domain', `
 typeattribute $1 appdomain;
+# Label ashmem objects with our own unique type.
+tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
 ')
 #####################################
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index ac86330f8..48662f3d9 100644
--- a/public/untrusted_app.te
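Review bot: The rebuilt app_domain macro in public/te_macros now expands `tmpfs_domain($1)` and `allow $1 $1_tmpfs:file execute;`, and the commit message explains that these are exactly the rules (presumably the type_transition inside tmpfs_domain) that must not be emitted from public policy, yet the definition itself carries no trace of that restriction, so the next person adding an app type in public/ will reasonably call it there and reintroduce the compilation problem the original split was fixing. A comment above the `define(`app_domain', `` line would pin the contract, e.g. `# NOTE: app_domain expands tmpfs_domain(), which emits labeling (type_transition) rules; invoke it only from private policy (see private/*.te), never from public/.` The `# Label ashmem objects with our own unique type.` line describes the effect of tmpfs_domain rather than anything in this macro, so it should be kept in step with that macro's definition, which lies above this hunk.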
+++ b/public/untrusted_app.te
@@ -21,7 +21,7 @@
 ###
 type untrusted_app, domain;
-app_domain(untrusted_app)
+
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
-- 
GitLab