From c848d37d5aa0842cf17fe7654654bc5298bc1534 Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Mon, 3 Apr 2017 15:23:16 -0700
Subject: [PATCH] Sepolicy: Fix asanwrapper

Add asanwrapper support for system server under sanitization.

Bug: 36138508
Test: m && m SANITIZE_TARGET=address SANITIZE_LITE=true
Test: adb root && adb shell setprop wrap.system_server asanwrapper
Change-Id: Id930690d2cfd8334c933e0ec5ac62f88850331d0
---
 private/app.te | 3 +++
 private/file_contexts_asan | 4 ++++
 private/system_server.te | 6 +++++-
 public/domain.te | 3 +++
 public/file.te | 3 +++
 5 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/private/app.te b/private/app.te
index 2ee3bee91..b41ebec49 100644
--- a/private/app.te
+++ b/private/app.te
@@ -315,6 +315,9 @@ allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdo
 
 allow appdomain cache_file:dir getattr;
 
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index d35cd3c94..0401ffe41 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -3,3 +3,7 @@
 /data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
 /data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
 /system/bin/asan_extract u:object_r:asan_extract_exec:s0
+/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
+/system/bin/asan/app_process u:object_r:zygote_exec:s0
+/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
+/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
diff --git a/private/system_server.te b/private/system_server.te
index d02698cb0..89b14a926 100644
--- a/private/system_server.te
+++ b/private/system_server.te
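Review bot: The new app.te rule gives every app domain rx_file_perms on asanwrapper_exec, which includes execute_no_trans, so the wrapper runs inside the app's own domain; the wrapper then re-execs /system/bin/asan/app_process*, which file_contexts_asan in this same patch labels zygote_exec, and no corresponding appdomain permission on zygote_exec is visible in this hunk, so unless app.te already grants it elsewhere the re-exec path would be denied. The comment should also record the gating and the shape of the grant so a later reader does not loosen it further, e.g. `# Allow apps to run with asanwrapper (sanitized builds only; runs in the app's own domain, no transition).` The neverallow section that follows the hunk is outside it.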
@@ -22,6 +22,9 @@ userdebug_or_eng(`
 # Report dalvikcache_data_file:file execute violations.
 auditallow system_server dalvikcache_data_file:file execute;
 ')
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
@@ -655,6 +658,7 @@ allow system_server debugfs_wifi_tracing:file rw_file_perms;
 # asanwrapper.
 with_asan(`
 allow system_server shell_exec:file rx_file_perms;
+ allow system_server asanwrapper_exec:file rx_file_perms;
 ')
 
 ###
@@ -682,7 +686,7 @@ neverallow system_server {
 file_type
 -toolbox_exec
 -logcat_exec
- with_asan(`-shell_exec')
+ with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
 }:file execute_no_trans;
 
 # Ensure that system_server doesn't perform any domain transitions other than
diff --git a/public/domain.te b/public/domain.te
index e75ce1a4b..b22702783 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -221,6 +221,9 @@ allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
 # when it's not explicitly used in allow rules
 allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
 
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
+
 ###
 ### neverallow rules
 ###
diff --git a/public/file.te b/public/file.te
index eacfc2cfd..926fd596c 100644
--- a/public/file.te
+++ b/public/file.te
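Review bot: The neverallow exemption in the third system_server.te hunk now also excludes zygote_exec from the execute_no_trans prohibition, but the only new allow in this patch (second hunk) is for asanwrapper_exec; no rule granting system_server execute on zygote_exec appears anywhere in the diff. If asanwrapper re-execs the sanitized app_process (labelled zygote_exec in file_contexts_asan) while still in the system_server domain, that allow is still missing and the `setprop wrap.system_server asanwrapper` test would hit a denial; if it already exists elsewhere in the file, a comment next to the exemption naming it would make the widened neverallow auditable. Either way the exemption should not be broader than the allow rules that need it. The neverallow statement begins before the hunk.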
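Review bot: The comment in the domain.te hunk says processes "will try to read /data", but the rule only grants getattr on the system_data_file directory — no search or read — so the prose overstates the permission and invites a later maintainer to widen the rule to match it. Suggest `# Under ASAN every process stats /data on the way to the sanitized libraries in /data/asan; getattr only, no search/read.` Because the subject is the bare `domain` attribute this reaches every process on a sanitized build, which the with_asan() wrapper is what confines it to.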
@@ -315,6 +315,9 @@ allow dev_type tmpfs:filesystem associate;
 allow app_fuse_file app_fusefs:filesystem associate;
 allow postinstall_file self:filesystem associate;
 
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
 # It's a bug to assign the file_type attribute and fs_type attribute
 # to any type. Do not allow it.
 #
-- 
GitLab
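Review bot: asanwrapper_exec is declared only inside with_asan(), so the type does not exist on non-sanitized builds; the allow rules and the neverallow exemption in this patch are wrapped accordingly, while file_contexts_asan references it bare and so relies on being included only in sanitized builds. The comment should make that contract explicit for future references, e.g. `# asanwrapper (run a sanitized app_process, to be used with wrap properties).` followed by `# Defined only under with_asan(); reference it only from with_asan() blocks or asan-only file_contexts.`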