sepolicy: restrict /vendor/app from most coredomains

am: 1b5f81a2 Change-Id: Ic9e87837f68ac31cfedd735bd20a44cdf029c79e

sepolicy: restrict /vendor/app from most coredomains
ec5e26e4 · Sandeep Patil · android-build-merger · c01e5a13 · 1b5f81a2 · ec5e26e4
Commit ec5e26e4 authored 7 years ago by Sandeep Patil Committed by android-build-merger 7 years ago
--- a/private/app.te
+++ b/private/app.te
@@ -94,6 +94,10 @@ allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_p
 allow appdomain system_file:dir r_dir_perms;
 allow appdomain system_file:lnk_file { getattr open read };

+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;


--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -3,6 +3,8 @@ type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;

 r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)

 allow dex2oat tmpfs:file { read getattr };


--- a/public/domain.te
+++ b/public/domain.te
@@ -131,11 +131,6 @@ full_treble_only(`
    # through linker/loader.
    allow domain vendor_file:dir { getattr search };

-    # TODO: b/36681210, find out who needs access and only allow
-    # specific domains for Treble
-    allow domain vendor_app_file:dir r_dir_perms;
-    allow domain vendor_app_file:file { read open getattr };
-
    # Some apps (com.android.phone) need to be able to open
    # symlinked libraries
    # TODO: b/36806861
@@ -689,6 +684,31 @@ full_treble_only(`
  }:sock_file ~{ append getattr ioctl read write };
 ')

+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+    # Limit access to /vendor/app except for whitelisted domains
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        -system_server
+    } vendor_app_file:dir { open read getattr search };
+
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        -system_server
+    } vendor_app_file:{ file lnk_file } r_file_perms;
+')
+
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
  domain
@@ -908,6 +928,7 @@ neverallow {
  userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;

+
 # servicemanager is the only process which handles list request
 neverallow * ~servicemanager:service_manager list;


--- a/public/idmap.te
+++ b/public/idmap.te
@@ -9,3 +9,6 @@ allow idmap resourcecache_data_file:file { getattr read write };
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,8 @@ selinux_check_context(installd)
 r_dir_file(installd, rootfs)
 # Scan through APKs in /system/app and /system/priv-app
 r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
 # Get file context
 allow installd file_contexts_file:file r_file_perms;
 # Get seapp_context