Only allow PROT_EXEC for ashmem where required.

tmpfs_domain() macro defines a per-domain type and allows access for tmpfs-backed files, including ashmem regions. execute-related permissions crept into it, thereby allowing write + execute to ashmem regions for most domains. Move the execute permission out of tmpfs_domain() to app_domain() and specific domains as required. Drop execmod for now we are not seeing it. Similarly, execute permission for /dev/ashmem crept into binder_use() as it was common to many binder using domains. Move it out of binder_use() to app_domain() and specific domains as required. Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Only allow PROT_EXEC for ashmem where required.
e7ec2f52 · Stephen Smalley · ad7df7bb · e7ec2f52 · e7ec2f52 · e7ec2f52
Commit e7ec2f52 authored 11 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -9,6 +9,7 @@

 # Dalvik Compiler JIT Mapping.
 allow appdomain self:process execmem;
+allow appdomain ashmem_device:chr_file execute;

 # Allow apps to connect to the keystore
 unix_socket_connect(appdomain, keystore, keystore)

--- a/system_server.te
+++ b/system_server.te
@@ -5,8 +5,13 @@
 type system_server, domain, mlstrustedsubject;
 permissive system_server;

+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
 # Dalvik Compiler JIT Mapping.
 allow system_server self:process execmem;
+allow system_server ashmem_device:chr_file execute;
+allow system_server system_server_tmpfs:file execute;

 # For art.
 allow system_server dalvikcache_data_file:file execute;
@@ -95,7 +100,6 @@ unix_socket_send(system_server, wpa, wpa)
 allow system_server surfaceflinger:unix_stream_socket { read write setopt };

 # Perform Binder IPC.
-tmpfs_domain(system_server)
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)

--- a/te_macros
+++ b/te_macros
@@ -88,8 +88,7 @@ typeattribute $1 unconfineddomain;
 define(`tmpfs_domain', `
 type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file { read write execute execmod };
+allow $1 $1_tmpfs:file { read write };
 ')

 #####################################
@@ -108,6 +107,8 @@ define(`app_domain', `
 typeattribute $1 appdomain;
 # Label ashmem objects with our own unique type.
 tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
 ')

 #####################################
@@ -163,8 +164,6 @@ allow $1 $3:unix_dgram_socket sendto;
 define(`binder_use', `
 # Call the servicemanager and transfer references to it.
 allow $1 servicemanager:binder { call transfer };
-# Map /dev/ashmem with PROT_EXEC.
-allow $1 ashmem_device:chr_file execute;
 # rw access to /dev/binder and /dev/ashmem is presently granted to
 # all domains in domain.te.
 ')