From eedacf8341aaa127411f246a653c618d9dde4f5e Mon Sep 17 00:00:00 2001
From: Eino-Ville Talvala <etalvala@google.com>
Date: Fri, 24 Jun 2016 13:09:54 -0700
Subject: [PATCH] Rework neverallow for /data execute permission

Previously appdomains allowed to execute off of /data
were whitelisted. This had the unfortunate side effect of
disallowing the creation of device specific app domains
with fewer permissions than untrusted_app. Instead grant
all apps a neverallow exemption and blacklist specific app
domains that should still abide by the restriction.

This allows devices to add new app domains that need
/data execute permission without conflicting with this rule.

Bug: 26906711

(cherry picked from commit c5266df925169b959977d3fa03b4b369253db837)

Change-Id: I4adb58e8c8b35122d6295db58cedaa355cdd3924
---
 app.te    | 16 ++++++++++++++++
 domain.te |  9 ++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/app.te b/app.te
index f2adf3719..f96f3baa5 100644
--- a/app.te
+++ b/app.te
@@ -438,6 +438,22 @@ neverallow appdomain {
   tmpfs
 }:lnk_file no_w_file_perms;
 
+# Blacklist app domains not allowed to execute from /data
+neverallow {
+  bluetooth
+  isolated_app
+  nfc
+  platform_app
+  radio
+  shared_relro
+  system_app
+} {
+  data_file_type
+  -dalvikcache_data_file
+  -system_data_file # shared libs in apks
+  -apk_data_file
+}:file no_x_file_perms;
+
 # Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
 neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
 neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
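Review bot: The exemption list in the new blacklist rule (`data_file_type -dalvikcache_data_file -system_data_file -apk_data_file`) duplicates the one in domain.te's "Protect most domains" rule, and nothing ties the two together; if either list is edited alone, the listed app domains silently get a different /data execute surface than every other domain. A cross-reference on the rule would make the coupling visible: `# Keep these exemptions in sync with the /data execute neverallow in domain.te`. The rule is also opt-in by construction, so it is worth stating that on the rule itself, e.g. `# App domains not listed here may execute from /data; add any new app domain that must not to this list.` The same duplication applies to the domain.te hunk at old line 292.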
diff --git a/domain.te b/domain.te
index 1ac33f1a4..332db9401 100644
--- a/domain.te
+++ b/domain.te
@@ -292,9 +292,7 @@ neverallow domain { cache_file cache_backup_file cache_private_backup_file cache
 # Protect most domains from executing arbitrary content from /data.
 neverallow {
   domain
-  -untrusted_app
-  -priv_app
-  -shell
+  -appdomain
 } {
   data_file_type
   -dalvikcache_data_file
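Review bot: The unchanged comment `# Protect most domains from executing arbitrary content from /data.` no longer describes the rule once `-appdomain` replaces the three named exemptions, because the whole app attribute is now carved out here and the restriction for app domains lives in app.te. Suggest extending it to `# Protect most domains from executing arbitrary content from /data. App domains are restricted separately in app.te.` so a reader does not conclude that every app domain may execute from /data. The enclosing neverallow continues past the end of this hunk.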
@@ -485,6 +483,11 @@ neverallow {
   -zygote
 } shell:process { transition dyntransition };
 
+# Only domains spawned from zygote and runas may have the appdomain attribute.
+neverallow { domain -runas -zygote } {
+  appdomain -shell userdebug_or_eng(`-su')
+}:process { transition dyntransition };
+
 # Minimize read access to shell- or app-writable symlinks.
 # This is to prevent malicious symlink attacks.
 neverallow {
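Review bot: The comment on the new rule says which domains may have the appdomain attribute, but the rule constrains which domains may `transition`/`dyntransition` into an appdomain type, which is a narrower statement (it does not prevent a policy from applying the attribute to some other type). Suggest `# Only zygote and runas may transition into app domains (shell, and su on userdebug/eng builds, excepted).` This rule appears to be what makes the broadened `-appdomain` exemption in the domain.te hunk at old line 292 safe: a domain can reach that exemption only if it is entered through zygote or runas; if that is the intent, saying so in the comment would tie the two changes together for the next maintainer.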
-- 
GitLab