From 6f090f69117bf5993872090ee103c579e21027fa Mon Sep 17 00:00:00 2001
From: Chad Brubaker
Date: Fri, 4 Nov 2016 10:03:26 -0700
Subject: [PATCH] Label ephemeral APKs and handle their install/uninstall
Fixes: 32061937
Test: install/uninstall and verified no denials
Change-Id: I487727b6b32b1a0fb06ce66ed6dd69db43c8d536
---
 private/file_contexts | 4 ++++
 public/dex2oat.te | 4 ++--
 public/domain.te | 1 +
 public/ephemeral_app.te | 7 +++++++
 public/file.te | 3 +++
 public/init.te | 2 --
 public/installd.te | 10 +++++-----
 public/platform_app.te | 10 +++++++---
 public/system_server.te | 10 ++++++++--
 9 files changed, 37 insertions(+), 14 deletions(-)
diff --git a/private/file_contexts b/private/file_contexts
index b5c5d8f86..e0018e364 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -271,6 +271,10 @@
 /data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/app-private(/.*)? u:object_r:apk_private_data_file:s0
 /data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
+/data/app-ephemeral(/.*)? u:object_r:ephemeral_apk_data_file:s0
+/data/app-ephemeral/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app-ephemeral/vmdl[^/]+\.tmp(/.*)? u:object_r:ephemeral_apk_tmp_file:s0
+/data/app-ephemeral/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)? u:object_r:shell_data_file:s0
 /data/media(/.*)? u:object_r:media_rw_data_file:s0
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 47aa2fba6..d0de06498 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -2,7 +2,7 @@
 type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
-r_dir_file(dex2oat, apk_data_file)
+r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})
 allow dex2oat tmpfs:file { read getattr };
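Review bot: The replaced `r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})` line spells its type set without inner spaces, while the rule directly below it (`{ read getattr }`) and the other sets in this file space their braces; the same unspaced form recurs in the second hunk of this file. Suggest `r_dir_file(dex2oat, { apk_data_file ephemeral_apk_data_file })` so the new set reads like the surrounding policy. This is cosmetic only; the grant itself just extends the existing read access on apk_data_file to the new type.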
@@ -22,7 +22,7 @@ allow dex2oat installd:fd use;
 allow dex2oat asec_apk_file:file read;
 allow dex2oat unlabeled:file read;
 allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:file read;
+allow dex2oat {apk_tmp_file ephemeral_apk_tmp_file}:file read;
 allow dex2oat user_profile_data_file:file { getattr read lock };
 ##################
diff --git a/public/domain.te b/public/domain.te
index 1dac14295..56424e928 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -325,6 +325,7 @@ neverallow {
 -dalvikcache_data_file
 -system_data_file # shared libs in apks
 -apk_data_file
+ -ephemeral_apk_data_file
 }:file no_x_file_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 200d78f8c..a96bff7c0 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -38,6 +38,10 @@ allow ephemeral_app zygote:unix_dgram_socket write;
 allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
 allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
+# Allow apps to read/execute installed binaries
+allow ephemeral_app ephemeral_apk_data_file:dir search;
+allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
 # For art.
 allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
 allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
@@ -89,6 +93,9 @@ allow ephemeral_app textservices_service:service_manager find;
 ### neverallow rules ###
+# Executable content should never be loaded from an ephemeral app home directory.
+neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/public/file.te b/public/file.te
index af84e26b6..19b04899f 100644
--- a/public/file.te
+++ b/public/file.te
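Review bot: The added `-ephemeral_apk_data_file` exemption carries no justification, whereas `-system_data_file # shared libs in apks` two lines above explains why that type is excluded from the no-execute-from-data neverallow; add `-ephemeral_apk_data_file # native libs in ephemeral apks, same as apk_data_file` (adjust the reason if it differs). The exemption applies to every source domain in this neverallow's subject set, which opens above the hunk, so the compile-time guarantee that those domains cannot execute this file type is dropped for all of them, not only for ephemeral_app, which presumably is the domain whose new execute rule needed it. If ephemeral_app is the only intended executor, a per-domain neverallow elsewhere would keep the guarantee for the remaining domains.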
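Review bot: The new `allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute }` gives ephemeral apps execute on a file type that installd and system_server create and write per the other hunks of this patch, yet nothing pins that ephemeral_app itself can never write it; the neverallow added in the second hunk of this file only covers the inverse case (no execute from the `ephemeral_data_file` home directory). Suggest `neverallow ephemeral_app ephemeral_apk_data_file:file no_w_file_perms;` beside that rule, assuming the `no_w_file_perms` macro from global_macros is in scope here as it is elsewhere in the policy. The comment `# Allow apps to read/execute installed binaries` also undersells the rule; something like `# Load native libraries from the installed ephemeral APK. Dir access is search-only, presumably so apps cannot enumerate other ephemeral installs.` records both the purpose and why the dir grant is `search` rather than `r_dir_perms`.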
@@ -96,6 +96,9 @@ type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/app-private - forward-locked apps
 type apk_private_data_file, file_type, data_file_type;
 type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
+# /data/app-ephemeral - ephemeral apps
+type ephemeral_apk_data_file, file_type, data_file_type;
+type ephemeral_apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/ota
diff --git a/public/init.te b/public/init.te
index a029219ad..bef8de744 100644
--- a/public/init.te
+++ b/public/init.te
@@ -337,8 +337,6 @@ unix_socket_connect(init, vold, vold)
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;
-allow init apk_data_file:dir { getattr search };
-allow init dalvikcache_data_file:dir { search getattr };
 r_dir_file(init, system_file)
 allow init proc_meminfo:file r_file_perms;
diff --git a/public/installd.te b/public/installd.te
index 4396ea46a..ef5b83aa8 100644
--- a/public/installd.te
+++ b/public/installd.te
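Review bot: The comment `# /data/app-ephemeral - ephemeral apps` does not tell the reader how these two types relate to the existing `ephemeral_data_file` (the app home directory used in ephemeral_app.te), and the names are easy to confuse; suggest `# /data/app-ephemeral - ephemeral app APKs (code; app home dirs are ephemeral_data_file)`. It is also worth a note that `ephemeral_apk_data_file` omits `mlstrustedobject` while the tmp type carries it, mirroring the `apk_private_data_file`/`apk_private_tmp_file` pair directly above, so a later reader does not "fix" the asymmetry.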
@@ -9,13 +9,13 @@ allow installd dalvikcache_data_file:dir relabelto;
 allow installd dalvikcache_data_file:file { relabelto link };
 # Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+allow installd {apk_data_file ephemeral_apk_data_file}:dir { create_dir_perms relabelfrom };
+allow installd {apk_data_file ephemeral_apk_data_file}:file { create_file_perms relabelfrom link };
+allow installd {apk_data_file ephemeral_apk_data_file}:lnk_file { create r_file_perms unlink };
 allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
+allow installd {apk_tmp_file ephemeral_apk_tmp_file}:file { r_file_perms unlink };
+allow installd {apk_tmp_file ephemeral_apk_tmp_file}:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
diff --git a/public/platform_app.te b/public/platform_app.te
index d4a27ad91..8a988e562 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -12,10 +12,10 @@ bluetooth_domain(platform_app)
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp, /data/app-ephemeral/vmdl*.tmp files
 # created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:file rw_file_perms;
 allow platform_app apk_private_data_file:dir search;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
@@ -56,3 +56,7 @@ allow platform_app vr_manager_service:service_manager find;
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
 allow platform_app preloads_data_file:dir r_dir_perms;
+
+# Access to ephemeral APKs
+allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
+allow platform_app ephemeral_apk_data_file:file r_file_perms;
diff --git a/public/system_server.te b/public/system_server.te
index a11f36684..7b2b1b91b 100644
--- a/public/system_server.te
+++ b/public/system_server.te
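Review bot: Both rewritten set lines close the brace without a space, `{ apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}`, after opening it with one; write `{ apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file }` on both lines so they match the form of the lines they replace. The updated comment is now a long single line; splitting it as `# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp and` / `# /data/app-ephemeral/vmdl*.tmp files created by system server.` keeps it readable without changing its meaning.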
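Review bot: `allow platform_app ephemeral_apk_data_file:dir r_dir_perms` lets platform apps list all of /data/app-ephemeral, which is broader than the `search`-only dir access ephemeral_app itself receives in this patch, and `# Access to ephemeral APKs` does not say which platform component needs it or why. Name the consumer in the comment (e.g. `# Access to ephemeral APKs for <component>`), and if that component only opens APKs by known path, `search` would suffice for the dir, as it does for `apk_private_data_file` earlier in this file. I cannot tell from the hunk whether enumeration is required, so this is a question rather than a defect.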
@@ -252,6 +252,12 @@ allow system_server apk_private_data_file:file create_file_perms;
 allow system_server apk_private_tmp_file:dir create_dir_perms;
 allow system_server apk_private_tmp_file:file create_file_perms;
+# Manage /data/app-ephemeral
+allow system_server ephemeral_apk_data_file:dir create_dir_perms;
+allow system_server ephemeral_apk_data_file:file create_file_perms;
+allow system_server ephemeral_apk_tmp_file:dir create_dir_perms;
+allow system_server ephemeral_apk_tmp_file:file create_file_perms;
+
 # Manage files within asec containers.
 allow system_server asec_apk_file:dir create_dir_perms;
 allow system_server asec_apk_file:file create_file_perms;
@@ -319,8 +325,8 @@ allow system_server { system_app_data_file bluetooth_data_file nfc_data_file rad
 allow system_server media_rw_data_file:file { getattr read write append };
 # Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file ephemeral_apk_data_file}:{ dir file } { relabelfrom relabelto };
 # Relabel wallpaper.
 allow system_server system_data_file:file relabelfrom;
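Review bot: The two rewritten relabel rules grant system_server both `relabelfrom` and `relabelto` on all six types, so it can relabel in either direction between any of them — for example `ephemeral_apk_data_file` to `apk_data_file` or back — not only from a staging tmp type to its data type. If the install flow only ever goes tmp→data, splitting into `relabelfrom` on the tmp types and `relabelto` on the data types would narrow the grant; the original rules already had the symmetric form, so this may be accepted policy rather than something to fix in this change, but a comment stating which transitions are intended would help. Separately, `ephemeral_apk_data_file}` on the second line is missing the space before `}` that the line above has.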