From f84b798151c0b4f2cf2e75c3822d983ffcad8e09 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 6 Apr 2016 11:14:07 -0700
Subject: [PATCH] system_server: neverallow new file exec types

Add a neverallow rule (CTS test + compile time assertion) blocking system_server from executing files outside of a few select file types.

In general, it's dangerous to fork()/exec() from within a multi-threaded program. See https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them

This change helps discourage the introduction of new execs.

Bug: 28035297
Change-Id: Idac824308183fa2cef75f17159dae14447290e5b
---
 system_server.te | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/system_server.te b/system_server.te
index 6ab48e76b..7baf3ee4a 100644
--- a/system_server.te
+++ b/system_server.te
@@ -314,8 +314,9 @@ allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_
 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
 
-# Run system programs, e.g. dexopt.
+# Run system programs, e.g. dexopt. Needed? (b/28035297)
 allow system_server system_file:file x_file_perms;
+auditallow system_server system_file:file execute_no_trans;
 
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
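Review bot: The new `auditallow system_server system_file:file execute_no_trans;` only records grants, and the `Needed? (b/28035297)` comment on the allow above it does not say what the audit data is for or when the allow may be dropped, so a later reader cannot act on it. Suggest replacing that comment with `# Run system programs, e.g. dexopt. Execs are audited to find out whether this allow is still needed; drop it once the audit log shows no hits (b/28035297).` Note also that `x_file_perms` presumably grants `execute` as well as `execute_no_trans`, and `execute` alone is what a PROT_EXEC mapping of a system_file needs, so the audit observes the execve path only and not library loads from system_file; if that is intended, say so in the comment.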
@@ -467,13 +468,24 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # those types that system_server needs to open directly.
 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
 
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server { file_type -toolbox_exec -logcat_exec -system_file }:file execute_no_trans;
+
+# System server should never transition to a new domain. This compliments
+# and enforces the already pre-existing PR_SET_NO_NEW_PRIVS flag.
+neverallow system_server *:process { transition dyntransition };
+
 # system_server should never be executing dex2oat. This is either
 # a bug (for example, bug 16317188), or represents an attempt by
 # system server to dynamically load a dex file, something we do not
 # want to allow.
 neverallow system_server dex2oat_exec:file no_x_file_perms;
 
-# system_server should never execute anything from /data except for /data/dalvik-cache files.
+# system_server should never execute or load executable shared libraries
+# in /data except for /data/dalvik-cache files.
 neverallow system_server { data_file_type -dalvikcache_data_file #mapping with PROT_EXEC
-- 
GitLab
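Review bot: The new `neverallow system_server { file_type -toolbox_exec -logcat_exec -system_file }:file execute_no_trans;` covers only the execve-in-domain path; `execute` on its own, which is what a PROT_EXEC mapping (library or code loading) needs, stays permitted on every file type outside data_file_type, because the existing `no_x_file_perms` neverallow further down is scoped to data_file_type alone. Together with the added `*:process { transition dyntransition }` neverallow this does close execve completely, but if the intent also covers library loading, as the reworded data_file_type comment in this hunk suggests, consider `{ execute execute_no_trans }` with the types system_server legitimately maps excluded, and record the chosen scope in the comment. Documentation nit in the same hunk: `compliments` should read `complements` in `# System server should never transition to a new domain. This complements`.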