From e7ec2f5258550a2cc0cb8c76ef24fc100a6b2cf1 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 23 Dec 2013 16:18:55 -0500
Subject: [PATCH] Only allow PROT_EXEC for ashmem where required.

tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions.  execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains.  Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now we are not seeing it.

Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.

Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te           | 1 +
 system_server.te | 6 +++++-
 te_macros        | 7 +++----
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/app.te b/app.te
index 80c40aac8..02e3f11aa 100644
--- a/app.te
+++ b/app.te
@@ -9,6 +9,7 @@
 
 # Dalvik Compiler JIT Mapping.
 allow appdomain self:process execmem;
+allow appdomain ashmem_device:chr_file execute;
 
 # Allow apps to connect to the keystore
 unix_socket_connect(appdomain, keystore, keystore)
diff --git a/system_server.te b/system_server.te
index 4c73627ee..1b60ea716 100644
--- a/system_server.te
+++ b/system_server.te
@@ -5,8 +5,13 @@
 type system_server, domain, mlstrustedsubject;
 permissive system_server;
 
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
 # Dalvik Compiler JIT Mapping.
 allow system_server self:process execmem;
+allow system_server ashmem_device:chr_file execute;
+allow system_server system_server_tmpfs:file execute;
 
 # For art.
 allow system_server dalvikcache_data_file:file execute;
@@ -95,7 +100,6 @@ unix_socket_send(system_server, wpa, wpa)
 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 
 # Perform Binder IPC.
-tmpfs_domain(system_server)
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
diff --git a/te_macros b/te_macros
index 3ccb86fea..a05b7aca2 100644
--- a/te_macros
+++ b/te_macros
@@ -88,8 +88,7 @@ typeattribute $1 unconfineddomain;
 define(`tmpfs_domain', `
 type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file { read write execute execmod };
+allow $1 $1_tmpfs:file { read write };
 ')
 
 #####################################
@@ -108,6 +107,8 @@ define(`app_domain', `
 typeattribute $1 appdomain;
 # Label ashmem objects with our own unique type.
 tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
 ')
 
 #####################################
@@ -163,8 +164,6 @@ allow $1 $3:unix_dgram_socket sendto;
 define(`binder_use', `
 # Call the servicemanager and transfer references to it.
 allow $1 servicemanager:binder { call transfer };
-# Map /dev/ashmem with PROT_EXEC.
-allow $1 ashmem_device:chr_file execute;
 # rw access to /dev/binder and /dev/ashmem is presently granted to
 # all domains in domain.te.
 ')
-- 
GitLab