Commit f84b7981 authored by Nick Kralevich

system_server: neverallow new file exec types

Add a neverallow rule (CTS test + compile time assertion) blocking
system_server from executing files outside of a few select file
types.

In general, it's dangerous to fork()/exec() from within a multi-threaded
program. See
https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
This change helps discourage the introduction of new execs.

Bug: 28035297
Change-Id: Idac824308183fa2cef75f17159dae14447290e5b
parent d7bd03c5
...@@ -314,8 +314,9 @@ allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_ ...@@ -314,8 +314,9 @@ allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms }; allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms; allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
# Run system programs, e.g. dexopt. # Run system programs, e.g. dexopt. Needed? (b/28035297)
allow system_server system_file:file x_file_perms; allow system_server system_file:file x_file_perms;
auditallow system_server system_file:file execute_no_trans;
# LocationManager(e.g, GPS) needs to read and write # LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry # to uart driver and ctrl proc entry
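Review bot: the new `auditallow system_server system_file:file execute_no_trans;` line only logs; it does not deny anything, so on its own it changes no enforcement and will emit an audit record for every exec of a system_file binary by system_server, which may be noisy on a device that does this often. The intent is implied by the "Needed? (b/28035297)" addition to the comment, but a question mark in a policy comment is easy to misread. Suggest stating it explicitly, e.g. "# Run system programs, e.g. dexopt. TODO(b/28035297): auditallow is collecting data on whether this exec permission is still required; remove the allow rule if the audit log stays quiet."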
...@@ -467,13 +468,24 @@ neverallow system_server sdcard_type:file rw_file_perms; ...@@ -467,13 +468,24 @@ neverallow system_server sdcard_type:file rw_file_perms;
# those types that system_server needs to open directly. # those types that system_server needs to open directly.
neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link }; neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
neverallow system_server { file_type -toolbox_exec -logcat_exec -system_file }:file execute_no_trans;
# System server should never transition to a new domain. This compliments
# and enforces the already pre-existing PR_SET_NO_NEW_PRIVS flag.
neverallow system_server *:process { transition dyntransition };
# system_server should never be executing dex2oat. This is either # system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by # a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not # system server to dynamically load a dex file, something we do not
# want to allow. # want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms; neverallow system_server dex2oat_exec:file no_x_file_perms;
# system_server should never execute anything from /data except for /data/dalvik-cache files. # system_server should never execute or load executable shared libraries
# in /data except for /data/dalvik-cache files.
neverallow system_server { neverallow system_server {
data_file_type data_file_type
-dalvikcache_data_file #mapping with PROT_EXEC -dalvikcache_data_file #mapping with PROT_EXEC
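Review bot: the exec neverallow's exemption list `{ file_type -toolbox_exec -logcat_exec -system_file }` still carves out system_file, which covers the bulk of binaries system_server could plausibly exec, so this rule mostly blocks future, newly introduced labels rather than today's execs; the comment should say that system_file is intentionally left out here and is instead tracked by the auditallow in the earlier hunk, otherwise a later reader may think the rule is stronger than it is. Also note the rule only names execute_no_trans; a plain `execute` (PROT_EXEC mapping) of non-data types is not covered by it, which may be intended given the data_file_type rule below but is worth a sentence in the comment. Minor: "This compliments and enforces" should read "This complements and enforces".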