Remove 'dex2oat_exec' from untrusted_app

Remove the permission to execute dex2oat from apps targetSdkVersion>28. This has been historically used by ART to compile secondary dex files but that functionality has been removed in Q and the permission is therefore not needed. Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for targetSdkVersion<= 28. Test: atest CtsSelinuxTargetSdk25TestCases Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CtsSelinuxTargetSdkCurrentTestCases Bug: 117606664 Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
2018-11-19 23:02:49 +00:00 · 2018-11-19 23:02:49 +00:00 · 535c5d2be0
commit 535c5d2be0
parent 41ddb80cd8
4 changed files with 21 additions and 3 deletions
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -51,6 +51,15 @@ neverallow {
  -runas_app
 } { app_data_file privapp_data_file }:file execute_no_trans;

+# Do not allow untrusted apps to invoke dex2oat. This was historically required
+# by ART for compiling secondary dex files but has been removed in Q.
+# Exempt legacy apps (targetApi<=28) for compatibility.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} dex2oat_exec:file no_x_file_perms;
+
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
 # enforced via levelFrom=user in seapp_contexts and the mls
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@ -49,3 +49,9 @@ allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file exe
 # for targetApi<=25. This is also allowed for targetAPIs 26, 27,
 # and 28 in untrusted_app_27.te.
 allow untrusted_app_25 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@ -30,3 +30,9 @@ bluetooth_domain(untrusted_app_27)
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+
--- a/public/app.te
+++ b/public/app.te
@ -119,9 +119,6 @@ r_dir_file(appdomain, vendor_framework_file)
 allow appdomain vendor_public_lib_file:dir r_dir_perms;
 allow appdomain vendor_public_lib_file:file { execute read open getattr map };

-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write map };