Put dex2oat in it's own sandbox
Currently, dex2oat runs in the installd sandbox, and has all the SELinux capabilities that installd does. That's excessive. dex2oat handles untrusted user data, so we want to put it in its own tighter sandbox. Bug: 15358102 Change-Id: I08083b84b9769e24d6dad6dbd12401987cb006be
parent
bad4e91dd2
commit
75d63fcfd2
5 changed files with 17 additions and 0 deletions
3
app.te
3
app.te
|
@ -61,6 +61,9 @@ allow appdomain oemfs:file rx_file_perms;
|
|||
allow appdomain shell_exec:file rx_file_perms;
|
||||
allow appdomain system_file:file rx_file_perms;
|
||||
|
||||
# Execute dex2oat when apps call dexclassloader
|
||||
allow appdomain dex2oat_exec:file rx_file_perms;
|
||||
|
||||
# Read/write wallpaper file (opened by system).
|
||||
allow appdomain wallpaper_file:file { getattr read write };
|
||||
|
||||
|
|
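Review bot: The added `allow appdomain dex2oat_exec:file rx_file_perms;` grants execution with no domain transition, so a dex2oat started from an app's DexClassLoader keeps running in the app's own domain rather than in the new `dex2oat` domain introduced by this commit. That is presumably the intent, since the app domain is already confined and the output belongs to the app, but the comment only says when the binary is executed, not where. Suggest extending it to `# Execute dex2oat when apps call dexclassloader. No transition: it runs in the app's domain, not in the dex2oat sandbox.` so the next reader does not assume the sandbox applies here.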
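--- /dev/null
+++ b/dex2oat.te
@@ -0,0 +1,6 @@
+# dex2oat
+type dex2oat, domain;
+type dex2oat_exec, exec_type, file_type;
+
+allow dex2oat dalvikcache_data_file:file write;
+allow dex2oat installd:fd use;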
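Review bot: The new domain receives only `dalvikcache_data_file:file write` and `installd:fd use`; `fd use` lets dex2oat keep descriptors inherited from installd, but it does not grant the object permissions on the files those descriptors refer to, and nothing in this file grants read access to the input the compiler consumes. If that access is provided by rules attached to `domain` or by files already opened in a mode that needs no further permission, a comment stating so would help; otherwise the compile is likely to be denied once the domain is enforcing. A one-line header such as `# Compiles untrusted dex input handed over by installd via inherited fds; keep this domain minimal.` would also record the purpose of the sandbox next to the type declaration.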
@ -160,6 +160,7 @@
|
|||
/system/bin/logwrapper u:object_r:system_file:s0
|
||||
/system/bin/vdc u:object_r:vdc_exec:s0
|
||||
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
|
||||
/system/bin/dex2oat u:object_r:dex2oat_exec:s0
|
||||
|
||||
#############################
|
||||
# Vendor files
|
||||
|
|
|
@ -53,6 +53,12 @@ allow installd dalvikcache_profiles_data_file:file create_file_perms;
|
|||
allow installd resourcecache_data_file:dir rw_dir_perms;
|
||||
allow installd resourcecache_data_file:file create_file_perms;
|
||||
|
||||
# Run dex2oat in its own sandbox.
|
||||
domain_auto_trans(installd, dex2oat_exec, dex2oat)
|
||||
# dex2oat needs LD_PRELOAD, passed down from init
|
||||
# https://android-review.googlesource.com/94851
|
||||
allow installd dex2oat:process noatsecure;
|
||||
|
||||
# Upgrade from unlabeled userdata.
|
||||
# Just need enough to remove and/or relabel it.
|
||||
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
|
||||
|
|
|
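Review bot: `allow installd dex2oat:process noatsecure;` clears the AT_SECURE flag on the transition, so the loader honours LD_PRELOAD and other environment passed down from installd; that intentionally gives up the secure-exec hardening a domain transition would otherwise apply to a process handling untrusted input. The comment explains why it is needed today but not that it is meant to be temporary; suggest adding `# TODO: drop noatsecure once dex2oat no longer depends on LD_PRELOAD.` below the review link so the weakening is revisited rather than inherited by later policy.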
@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:file create_file_perms;
|
|||
allow zygote dalvikcache_data_file:file execute;
|
||||
# Execute dexopt.
|
||||
allow zygote system_file:file x_file_perms;
|
||||
allow zygote dex2oat_exec:file rx_file_perms;
|
||||
# Control cgroups.
|
||||
allow zygote cgroup:dir create_dir_perms;
|
||||
allow zygote self:capability sys_admin;
|
||||
|
|
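Review bot: `allow zygote dex2oat_exec:file rx_file_perms;` lets zygote execute dex2oat with no transition, so under the `# Execute dexopt.` block dex2oat would run in the zygote domain, which the same hunk shows holding `self:capability sys_admin`, while processing the same untrusted input this commit is moving out of installd's sandbox. If zygote is meant to invoke dex2oat, the equivalent `domain_auto_trans(zygote, dex2oat_exec, dex2oat)` plus a matching `allow dex2oat zygote:fd use;` in dex2oat.te would give it the same confinement; if the execute permission serves another purpose, a comment saying so would avoid the obvious question. Whether zygote actually calls dex2oat at install time is not visible from this hunk.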