From a0f998e6deffa4bec30f5e13d7baee266dda3809 Mon Sep 17 00:00:00 2001
From: Jiyong Park
Date: Fri, 15 Mar 2019 02:45:33 +0900
Subject: [PATCH] Allow bootstrap bionic only to init, ueventd, and apexd

The bootstrap bionic (/system/lib/bootstrap/*) are only to the early processes that are executed before the bionic libraries become available via the runtime APEX. Allowing them to other processes is not needed and sometimes causes a problem like b/123183824.

Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
---
 private/apexd.te | 4 ++++
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/compat/28.0/28.0.ignore.cil | 1 +
 private/file_contexts | 1 +
 public/app.te | 10 ++++++++++
 public/file.te | 2 ++
 public/init.te | 4 ++++
 public/ueventd.te | 4 ++++
 public/vendor_init.te | 4 ++++
 10 files changed, 32 insertions(+)

diff --git a/private/apexd.te b/private/apexd.te
index 6066fd600..b3aabea9a 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -93,6 +93,10 @@ allow apexd rootfs:dir mounton;
 # rule is required, thus restricted to execute and not execute_no_trans.
 allow apexd shell_exec:file { r_file_perms execute };
+# apexd is using bootstrap bionic
+allow apexd system_bootstrap_lib_file:dir r_dir_perms;
+allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+
 # Allow transition to ART APEX preinstall domain.
 domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
 # Allow transition to ART APEX postinstall domain.
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d47c7712f..45e1dd9e8 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
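Review bot: The comment `# apexd is using bootstrap bionic` records who uses the files but not why the grant is limited to `{ execute read open getattr map }`, and the same three-line block recurs unchanged in the init.te, ueventd.te and vendor_init.te hunks. Since `system_bootstrap_lib_file` is declared with the `system_file_type` attribute in the file.te hunk, any existing rule written against that attribute would extend to the bootstrap directory too, so as far as this patch shows the "only to" intent of the subject is enforced only against appdomain. A neverallow such as `neverallow { domain -init -vendor_init -ueventd -apexd } system_bootstrap_lib_file:file { execute map };` would pin it for every other domain, provided that set is complete, which I cannot confirm from the hunk. Omitting `execute_no_trans` here looks intentional, matching the shell_exec comment two lines above; a short comment such as `# libraries only: execute/map but no execute_no_trans` would record that.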
@@ -160,6 +160,7 @@
 super_block_device
 sysfs_fs_ext4_features
 system_boot_reason_prop
+ system_bootstrap_lib_file
 system_lmk_prop
 system_net_netd_hwservice
 system_update_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index b39dd4b43..0e830f82c 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -146,6 +146,7 @@
 super_block_device
 staging_data_file
 system_boot_reason_prop
+ system_bootstrap_lib_file
 system_lmk_prop
 system_update_service
 test_boot_reason_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 14964699f..2ea4d2c04 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -121,6 +121,7 @@
 su_tmpfs
 super_block_device
 sysfs_fs_f2fs
+ system_bootstrap_lib_file
 system_event_log_tags_file
 system_lmk_prop
 system_suspend_hwservice
diff --git a/private/file_contexts b/private/file_contexts
index c8c881db8..7cbb6231e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -180,6 +180,7 @@
 # /system(/.*)? u:object_r:system_file:s0
 /system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
 /system/bin/atrace u:object_r:atrace_exec:s0
 /system/bin/ashmemd u:object_r:ashmemd_exec:s0
 /system/bin/auditctl u:object_r:auditctl_exec:s0
diff --git a/public/app.te b/public/app.te
index e26ec0a0f..5c48e71f5 100644
--- a/public/app.te
+++ b/public/app.te
@@ -582,3 +582,13 @@ neverallow appdomain proc_uid_cpupower:file *;
 # application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
 # perform UID lookups.
 neverallow { appdomain -shell } proc_net_tcp_udp:file *;
+
+# Apps cannot access bootstrap files. The bootstrap files are only for
+# extremely early processes (like init, etc.) which are started before
+# the runtime APEX is activated and Bionic libs are provided from there.
+# If app process accesses (or even load/execute) the bootstrap files,
+# it might cause problems such as ODR violation, etc.
+neverallow appdomain system_bootstrap_lib_file:file
+ { open read write append execute execute_no_trans map };
+neverallow appdomain system_bootstrap_lib_file:dir
+ { open read getattr search };
diff --git a/public/file.te b/public/file.te
index 58acfca1e..7d48fb4cb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -148,6 +148,8 @@ type system_asan_options_file, system_file_type, file_type;
 type system_event_log_tags_file, system_file_type, file_type;
 # Default type for anything under /system/lib[64].
 type system_lib_file, system_file_type, file_type;
+# system libraries that are available only to bootstrap processes
+type system_bootstrap_lib_file, system_file_type, file_type;
 # Default type for linker executable /system/bin/linker[64].
 type system_linker_exec, system_file_type, file_type;
 # Default type for linker config /system/etc/ld.config.*.
diff --git a/public/init.te b/public/init.te
index f0f98356c..06af3026d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -557,6 +557,10 @@ allow init apexd:binder call;
 # Allow init to touch PSI monitors
 allow init proc_pressure_mem:file { rw_file_perms setattr };
+# init is using bootstrap bionic
+allow init system_bootstrap_lib_file:dir r_dir_perms;
+allow init system_bootstrap_lib_file:file { execute read open getattr map };
+
 ###
 ### neverallow rules
 ###
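Review bot: The new file neverallow enumerates `{ open read write append execute execute_no_trans map }` and the dir one `{ open read getattr search }`, which leaves permissions such as `getattr`, `ioctl` and `lock` on files (and `ioctl`/`lock` on dirs) outside the guarantee, although the comment above them says apps cannot access the bootstrap files at all. The neighbouring rule in the same hunk already uses the wildcard form, `proc_net_tcp_udp:file *;`; writing `neverallow appdomain system_bootstrap_lib_file:file *;` and `neverallow appdomain system_bootstrap_lib_file:dir *;` would make the rule match its comment and cannot silently fall behind when new permissions appear. If some app domain does hold a broader grant today (for instance through a `system_file_type` rule), the policy build will report it as a neverallow violation, which is the check one wants here.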
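Review bot: The comment on the new type, `# system libraries that are available only to bootstrap processes`, departs from the neighbouring declarations in this hunk, which each name the path the type labels and which a reader uses to find the matching file_contexts entry. The label is applied to `/system/lib(64)?/bootstrap(/.*)?` in the file_contexts hunk, so `# Default type for anything under /system/lib[64]/bootstrap (bootstrap bionic, for processes started before the runtime APEX is activated).` would keep that convention and explain the restriction in one place.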
diff --git a/public/ueventd.te b/public/ueventd.te
index db02d3fed..98e3bda7c 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -55,6 +55,10 @@ allow ueventd self:global_capability_class_set sys_module;
 allow ueventd vendor_file:system module_load;
 allow ueventd kernel:key search;
+# ueventd is using bootstrap bionic
+allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
+allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+
 #####
 ##### neverallow rules
 #####
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 3925df220..7114a024f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -180,6 +180,10 @@ allow vendor_init self:global_capability_class_set sys_admin;
 # Raw writes to misc block device
 allow vendor_init misc_block_device:blk_file w_file_perms;
+# vendor_init is using bootstrap bionic
+allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
+allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+
 # Everything is labeled as rootfs in recovery mode. Vendor init has to execute
 # the dynamic linker and shared libraries.
 recovery_only(`
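Review bot: The subject and description name init, ueventd and apexd as the only consumers of bootstrap bionic, but this hunk grants the same access to vendor_init, and the comment `# vendor_init is using bootstrap bionic` does not say why a domain that runs vendor-supplied init actions belongs in that set. If the reason is that vendor_init executes inside the init process before the runtime APEX is activated, the comment should state it, e.g. `# vendor_init runs in the init process before the runtime APEX is activated, so it needs bootstrap bionic too`, and the commit message should list vendor_init alongside the other three. The `recovery_only(` block that begins on the last line of this hunk continues outside it.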