Sepolicy: Add ASAN-Extract
Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.
Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
(cherry picked from commit 0b74305011)
Merged-In: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
This commit is contained in:
Andreas Gampe
Sandeep Patil
parent
6821bb4079
commit
82071b6859
6 changed files with 53 additions and 2 deletions
8
private/asan_extract.te
Normal file
8
private/asan_extract.te
Normal file
|
|
@ -0,0 +1,8 @@
|
|||
# type_transition must be private policy the domain_trans rules could stay
|
||||
# public, but conceptually should go with this
|
||||
# Technically not a daemon but we do want the transition from init domain to
|
||||
# asan_extract to occur.
|
||||
with_asan(`
|
||||
typeattribute asan_extract coredomain;
|
||||
init_daemon_domain(asan_extract)
|
||||
')
|
||||
|
|
@ -2,3 +2,4 @@
|
|||
/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
|
||||
/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
|
||||
/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
|
||||
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
|
||||
|
|
|
|||
|
|
@ -111,3 +111,6 @@ wlan. u:object_r:wifi_prop:s0
|
|||
|
||||
# hwservicemanager properties
|
||||
hwservicemanager. u:object_r:hwservicemanager_prop:s0
|
||||
|
||||
# ASAN install trigger
|
||||
asan.restore_reboot u:object_r:asan_reboot_prop:s0
|
||||
|
|
|
|||
36
public/asan_extract.te
Normal file
36
public/asan_extract.te
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
# asan_extract
|
||||
#
|
||||
# This command set moves the artifact corresponding to the current slot
|
||||
# from /data/ota to /data/dalvik-cache.
|
||||
|
||||
with_asan(`
|
||||
type asan_extract, domain, coredomain;
|
||||
type asan_extract_exec, exec_type, file_type;
|
||||
|
||||
# Allow asan_extract to execute itself using #!/system/bin/sh
|
||||
allow asan_extract shell_exec:file rx_file_perms;
|
||||
|
||||
# We execute log, rm, gzip and tar.
|
||||
allow asan_extract toolbox_exec:file rx_file_perms;
|
||||
allow asan_extract system_file:file execute_no_trans;
|
||||
|
||||
# asan_extract deletes old /data/lib.
|
||||
allow asan_extract system_file:dir { open read remove_name rmdir write };
|
||||
allow asan_extract system_file:file unlink;
|
||||
|
||||
# asan_extract untars ASAN libraries into /data.
|
||||
allow asan_extract system_data_file:dir create_dir_perms ;
|
||||
allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
|
||||
|
||||
# Relabel the libraries with restorecon.
|
||||
allow asan_extract file_contexts_file:file r_file_perms;
|
||||
allow asan_extract system_data_file:{ dir file } relabelfrom;
|
||||
allow asan_extract system_file:dir { relabelto setattr };
|
||||
allow asan_extract system_file:file relabelto;
|
||||
|
||||
# Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
|
||||
allow asan_extract system_data_file:file execute;
|
||||
|
||||
# We use asan.restore_reboot to signal a reboot is required.
|
||||
set_prop(asan_extract, asan_reboot_prop)
|
||||
')
|
||||
|
|
@ -300,6 +300,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
|
|||
neverallow {
|
||||
domain
|
||||
-appdomain
|
||||
with_asan(`-asan_extract')
|
||||
-dumpstate
|
||||
-shell
|
||||
userdebug_or_eng(`-su')
|
||||
|
|
@ -336,9 +337,9 @@ neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_p
|
|||
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
|
||||
|
||||
# Only recovery should be doing writes to /system
|
||||
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
|
||||
neverallow { domain -recovery with_asan(`-asan_extract') } { system_file exec_type }:dir_file_class_set
|
||||
{ create write setattr relabelfrom append unlink link rename };
|
||||
neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
|
||||
neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file exec_type }:dir_file_class_set relabelto;
|
||||
|
||||
# Don't allow mounting on top of /system files or directories
|
||||
neverallow * exec_type:dir_file_class_set mounton;
|
||||
|
|
@ -739,6 +740,7 @@ neverallow {
|
|||
-system_app
|
||||
-init
|
||||
-installd # for relabelfrom and unlink, check for this in explicit neverallow
|
||||
with_asan(`-asan_extract')
|
||||
} system_data_file:file no_w_file_perms;
|
||||
# do not grant anything greater than r_file_perms and relabelfrom unlink
|
||||
# to installd
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
type asan_reboot_prop, property_type;
|
||||
type audio_prop, property_type, core_property_type;
|
||||
type boottime_prop, property_type;
|
||||
type bluetooth_prop, property_type;
|
||||
|
|
|
|||
Loading…
Reference in a new issue