platform_system_sepolicy/private/webview_zygote.te

# webview_zygote is an auxiliary zygote process that is used to spawn
# isolated_app processes for rendering untrusted web content.

typeattribute webview_zygote coredomain;

# The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject;

# When init launches the WebView zygote's executable, transition the
# resulting process into webview_zygote domain.
init_daemon_domain(webview_zygote)

# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
allow webview_zygote apk_data_file:dir r_dir_perms;
allow webview_zygote apk_data_file:file { r_file_perms execute };

# Access to the WebView relro file.
allow webview_zygote shared_relro_file:dir search;
allow webview_zygote shared_relro_file:file r_file_perms;

# Set the UID/GID of the process.
allow webview_zygote self:global_capability_class_set { setgid setuid };
# Drop capabilities from bounding set.
allow webview_zygote self:global_capability_class_set setpcap;
# Switch SELinux context to app domains.
allow webview_zygote self:process setcurrent;
allow webview_zygote isolated_app:process dyntransition;

# For art.
allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };

# Allow webview_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow webview_zygote debugfs_trace_marker:file getattr;

# Allow webview_zygote to manage the pgroup of its children.
allow webview_zygote system_server:process getpgid;

# Interaction between the webview_zygote and its children.
allow webview_zygote isolated_app:process setpgid;

# TODO (b/63631799) fix this access
# Suppress denials to storage. Webview zygote should not be accessing.
dontaudit webview_zygote mnt_expand_file:dir getattr;

# TODO (b/72957399) remove this when webview_zygote is reparented to
# app_process zygote
dontaudit webview_zygote dex2oat_exec:file execute;

# Get seapp_contexts
allow webview_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(webview_zygote)
# Check SELinux permissions.
selinux_check_access(webview_zygote)

# Directory listing in /system.
allow webview_zygote system_file:dir r_dir_perms;

#####
##### Neverallow
#####

# Only permit transition to isolated_app.
neverallow webview_zygote { domain -isolated_app }:process dyntransition;

# Only setcon() transitions, no exec() based transitions, except for crash_dump.
neverallow webview_zygote { domain -crash_dump }:process transition;

# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
neverallow webview_zygote *:file execute_no_trans;

# The only way to enter this domain is for init to exec() us.
neverallow { domain -init } webview_zygote:process transition;
neverallow * webview_zygote:process dyntransition;

# Disallow write access to properties.
neverallow webview_zygote property_socket:sock_file write;
neverallow webview_zygote property_type:property_service set;

# Should not have any access to app data files.
neverallow webview_zygote {
    app_data_file
    system_app_data_file
    bluetooth_data_file
    nfc_data_file
    radio_data_file
    shell_data_file
}:file { rwx_file_perms };

neverallow webview_zygote {
    service_manager_type
    -activity_service
    -webviewupdate_service
}:service_manager find;

# Isolated apps shouldn't be able to access the driver directly.
neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };

# Do not allow webview_zygote access to /cache.
neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
neverallow webview_zygote cache_file:file ~{ read getattr };

# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
# unix_stream_socket, and netlink_selinux_socket.
neverallow webview_zygote domain:{
  socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
  appletalk_socket netlink_route_socket netlink_tcpdiag_socket
  netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
  netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
  netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
  sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
  x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
  pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
  rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;

# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow webview_zygote bluetooth_prop:file create_file_perms;
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d 2017-01-26 22:45:31 +01:00			`# webview_zygote is an auxiliary zygote process that is used to spawn`
			`# isolated_app processes for rendering untrusted web content.`

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute webview_zygote coredomain;`

Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d 2017-01-26 22:45:31 +01:00			`# The webview_zygote needs to be able to transition domains.`
			`typeattribute webview_zygote mlstrustedsubject;`

			`# When init launches the WebView zygote's executable, transition the`
			`# resulting process into webview_zygote domain.`
Add the "webview_zygote" domain. The webview_zygote is a new unprivileged zygote and has its own sockets for listening to fork requests. However the webview_zygote does not run as root (though it does require certain capabilities) and only allows dyntransition to the isolated_app domain. Test: m Test: angler boots Bug: 21643067 Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83 2016-09-21 23:01:50 +02:00			`init_daemon_domain(webview_zygote)`
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d 2017-01-26 22:45:31 +01:00
			`# Allow reading/executing installed binaries to enable preloading the`
			`# installed WebView implementation.`
			`allow webview_zygote apk_data_file:dir r_dir_perms;`
			`allow webview_zygote apk_data_file:file { r_file_perms execute };`

			`# Access to the WebView relro file.`
			`allow webview_zygote shared_relro_file:dir search;`
			`allow webview_zygote shared_relro_file:file r_file_perms;`

			`# Set the UID/GID of the process.`
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 23:51:26 +01:00			`allow webview_zygote self:global_capability_class_set { setgid setuid };`
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d 2017-01-26 22:45:31 +01:00			`# Drop capabilities from bounding set.`
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 23:51:26 +01:00			`allow webview_zygote self:global_capability_class_set setpcap;`
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d 2017-01-26 22:45:31 +01:00			`# Switch SELinux context to app domains.`
			`allow webview_zygote self:process setcurrent;`
			`allow webview_zygote isolated_app:process dyntransition;`

			`# For art.`
			`allow webview_zygote dalvikcache_data_file:dir r_dir_perms;`
			`allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;`
			`allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };`

			`# Allow webview_zygote to stat the files that it opens. It must`
			`# be able to inspect them so that it can reopen them on fork`
			`# if necessary: b/30963384.`
			`allow webview_zygote debugfs_trace_marker:file getattr;`

			`# Allow webview_zygote to manage the pgroup of its children.`
			`allow webview_zygote system_server:process getpgid;`

			`# Interaction between the webview_zygote and its children.`
			`allow webview_zygote isolated_app:process setpgid;`

Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00			`# TODO (b/63631799) fix this access`
			`# Suppress denials to storage. Webview zygote should not be accessing.`
			`dontaudit webview_zygote mnt_expand_file:dir getattr;`

prevent benign dex2oat selinux denial temporarily Since we now call patchoat --verify in zygote art loading code, we have the unintended effect of webview zygote calling patchoat --verify. This is undesireable since webview zygote doesn't need to verify the .art files after the app_process zygote has already done so. The exec of patchoat fails for webview zygote, and this change hides that. This change should be reverted when b/72957399 is resolved. Bug: 66697305 Test: Ensure no new selinux denials were introduced. Change-Id: I4152edc920e5c436516b958b8c861dcc1c4751d8 2018-02-05 23:26:04 +01:00			`# TODO (b/72957399) remove this when webview_zygote is reparented to`
			`# app_process zygote`
			`dontaudit webview_zygote dex2oat_exec:file execute;`

seapp_context: explicitly label all seapp context files seapp_context files need to be explicitly labeled as they are now split cross system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'seapp_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospSeappContexts Test: Launch 'chrome' and succesfully load a website. Test: Launch Camera and take a picture. Test: Launch Camera and record a video, succesfully playback recorded video Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7 Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-03-27 19:57:07 +02:00			`# Get seapp_contexts`
			`allow webview_zygote seapp_contexts_file:file r_file_perms;`
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d 2017-01-26 22:45:31 +01:00			`# Check validity of SELinux context before use.`
			`selinux_check_context(webview_zygote)`
			`# Check SELinux permissions.`
			`selinux_check_access(webview_zygote)`

webview_zygote: allow listing dirs in /system For consistency with zygote, allow webview_zygote to list directories in /system. Test: Boot Taimen. Verify webiew_zygote denials during boot. Bug: 70857705 Change-Id: I27eb18c377a5240d7430abf301c1c3af61704d59 2018-01-02 22:15:16 +01:00			`# Directory listing in /system.`
Fix permission typo zygote->webview_zygote. Forgot to ammend local change. Test: webview_zygote denials are gone. Change-Id: I02869812feafd127b39e567c28e7278133770e97 2018-01-03 17:46:05 +01:00			`allow webview_zygote system_file:dir r_dir_perms;`
webview_zygote: allow listing dirs in /system For consistency with zygote, allow webview_zygote to list directories in /system. Test: Boot Taimen. Verify webiew_zygote denials during boot. Bug: 70857705 Change-Id: I27eb18c377a5240d7430abf301c1c3af61704d59 2018-01-02 22:15:16 +01:00
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d 2017-01-26 22:45:31 +01:00			`#####`
			`##### Neverallow`
			`#####`

			`# Only permit transition to isolated_app.`
			`neverallow webview_zygote { domain -isolated_app }:process dyntransition;`

			`# Only setcon() transitions, no exec() based transitions, except for crash_dump.`
			`neverallow webview_zygote { domain -crash_dump }:process transition;`

			`# Must not exec() a program without changing domains.`
			`# Having said that, exec() above is not allowed.`
			`neverallow webview_zygote *:file execute_no_trans;`

			`# The only way to enter this domain is for init to exec() us.`
			`neverallow { domain -init } webview_zygote:process transition;`
			`neverallow * webview_zygote:process dyntransition;`

			`# Disallow write access to properties.`
			`neverallow webview_zygote property_socket:sock_file write;`
			`neverallow webview_zygote property_type:property_service set;`

			`# Should not have any access to app data files.`
			`neverallow webview_zygote {`
			`app_data_file`
			`system_app_data_file`
			`bluetooth_data_file`
			`nfc_data_file`
			`radio_data_file`
			`shell_data_file`
			`}:file { rwx_file_perms };`

			`neverallow webview_zygote {`
			`service_manager_type`
			`-activity_service`
			`-webviewupdate_service`
			`}:service_manager find;`

			`# Isolated apps shouldn't be able to access the driver directly.`
			`neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };`

			`# Do not allow webview_zygote access to /cache.`
			`neverallow webview_zygote cache_file:dir ~{ r_dir_perms };`
			`neverallow webview_zygote cache_file:file ~{ read getattr };`

			`# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,`
			`# unix_stream_socket, and netlink_selinux_socket.`
			`neverallow webview_zygote domain:{`
			`socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket`
Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes. The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Unless we need to retain compatibility for kernels < 3.5, we can drop these classes from the policy altogether. Possibly the neverallow rule in app.te should be augmented to include the newer netlink security classes, similar to webview_zygote, but that can be a separate change. Test: policy builds Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2017-02-06 20:14:58 +01:00			`appletalk_socket netlink_route_socket netlink_tcpdiag_socket`
			`netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket`
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d 2017-01-26 22:45:31 +01:00			`netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket`
			`netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket`
			`netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket`
Define extended_socket_class policy capability and socket classes Add a definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, and exclude them from webview_zygote domain as with other socket classes. Allowing access by specific domains to the new socket security classes is left to future commits. Domains previously allowed permissions to the 'socket' class will require permission to the more specific socket class when running on kernels with this support. The kernel support will be included upstream in Linux 4.11. The relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families"), ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6 consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f ("selinux: drop unused socket security classes"). This change requires selinux userspace commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define extended_socket_class policy capability") in order to build the policy with this capability enabled. This commit is already in AOSP master. Test: policy builds Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2016-12-08 19:35:27 +01:00			`sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket`
			`x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket`
			`pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket`
			`rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket`
Define smc_socket security class. Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all network address families") triggers a build error if a new address family is added without defining a corresponding SELinux security class. As a result, the smc_socket class was added to the kernel to resolve a build failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa Linux 4.11. Define this security class and its access vector, add it to the socket_class_set macro, and exclude it from webview_zygote like other socket classes. Test: Policy builds Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2017-05-17 18:06:49 +02:00			`alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket`
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d 2017-01-26 22:45:31 +01:00			`} *;`

			`# Do not allow access to Bluetooth-related system properties.`
			`# neverallow rules for Bluetooth-related data files are listed above.`
			`neverallow webview_zygote bluetooth_prop:file create_file_perms;`