From b335e3847fb6cdeb6293c6b7395b1e7588971789 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 19 Jun 2015 13:47:26 -0400
Subject: [PATCH] Run idmap in its own domain.

Run idmap in its own domain rather than leaving it in installd's domain.
This prevents misuse of installd's permissions by idmap.

zygote also needs to run idmap.  For now, just run it in zygote's
domain as it was previously since that is what is done for dex2oat
invocation by zygote.  zygote appears to run idmap with system uid
while installd runs it with app UIDs, so using different domains
seems appropriate.

Remove system_file execute_no_trans from both installd and zygote;
this should no longer be needed with explicit labels for dex2oat and
idmap.

Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 file_contexts |  1 +
 idmap.te      | 10 ++++++++++
 installd.te   |  4 +++-
 zygote.te     |  6 ++++--
 4 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 idmap.te

diff --git a/file_contexts b/file_contexts
index 5ca2852de..2255436c1 100644
--- a/file_contexts
+++ b/file_contexts
@@ -178,6 +178,7 @@
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/idmap u:object_r:idmap_exec:s0
 
 #############################
 # Vendor files
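Review bot: The added entry at the `+/system/bin/idmap` line does not align its context column with the neighbouring sgdisk/blkid/tzdatacheck entries, which pad the path to a common width. Padding it the same way keeps the table scannable: `/system/bin/idmap       u:object_r:idmap_exec:s0`. This is purely a style point; the label itself matches the `idmap_exec` type declared in idmap.te.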
diff --git a/idmap.te b/idmap.te
new file mode 100644
index 000000000..1ab497ee0
--- /dev/null
+++ b/idmap.te
@@ -0,0 +1,10 @@
+# idmap, when executed by installd
+type idmap, domain;
+type idmap_exec, exec_type, file_type;
+
+# Use open file to /data/resource-cache file inherited from installd.
+allow idmap installd:fd use;
+allow idmap resourcecache_data_file:file { getattr read write };
+
+# Open and read from target and overlay apk files passed by argument.
+allow idmap apk_data_file:file r_file_perms;
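Review bot: The header comment `# idmap, when executed by installd` undersells how `idmap_exec` is used, because zygote.te in this same patch grants `rx_file_perms` on `idmap_exec` so zygote runs the same binary without a transition; a reader of idmap.te alone would assume every idmap execution lands in this domain. I would extend the comment to `# idmap, when executed by installd (zygote runs idmap_exec in its own domain; see zygote.te)`. The `write` permission on `resourcecache_data_file:file` is justified by the inherited-fd comment, but it is worth noting in that comment that only the fd is inherited, since this domain gets no dir permissions on the resource cache. Whether idmap can reach the apk files by path also depends on directory search rights on `apk_data_file:dir` that are not granted here; if domain.te does not already provide them, that should be added or confirmed.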
diff --git a/installd.te b/installd.te
index a47853f80..54f276a71 100644
--- a/installd.te
+++ b/installd.te
@@ -20,7 +20,6 @@ allow installd apk_tmp_file:file { r_file_perms unlink };
 allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
-allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 allow installd mnt_expand_file:dir search;
 # Check validity of SELinux context before use.
@@ -71,6 +70,9 @@ allow installd resourcecache_data_file:file create_file_perms;
 # Run dex2oat in its own sandbox.
 domain_auto_trans(installd, dex2oat_exec, dex2oat)
 
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
+
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/zygote.te b/zygote.te
index 0dba9b619..2b869c0e4 100644
--- a/zygote.te
+++ b/zygote.te
@@ -31,8 +31,10 @@ allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
-# Execute dexopt.
-allow zygote system_file:file x_file_perms;
+# Execute idmap and dex2oat within zygote's own domain.
+# TODO:  Should either of these be transitioned to the same domain
+# used by installd or stay in-domain for zygote?
+allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
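Review bot: The new TODO on the `# TODO:  Should either of these be transitioned` lines asks a question the commit message already half-answers (zygote runs idmap with system uid while installd uses app UIDs, so separate domains seem appropriate), and that reasoning should live in the policy comment so the next reader does not have to find this commit. I would replace the two TODO lines with `# Kept in-domain for now: zygote runs these as system uid, unlike installd, so reusing the installd-launched idmap/dex2oat domains is not obviously right. Revisit whether zygote should get its own transition domains.`. Note that `rx_file_perms` here still means execute without transition, so the commit's removal of `system_file:file x_file_perms` narrows what zygote may execute but does not sandbox idmap when zygote launches it; the in-domain rule is deliberate per the commit message, but the comment should say so explicitly.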
-- 
GitLab