Permissions for odrefresh and /data/misc/apexdata/com.android.art

odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
Orion Hodson 2020-10-16 15:29:55 +01:00
parent b8e865e1ee
commit 8f75f76fbd
25 changed files with 167 additions and 35 deletions


@ -4,5 +4,6 @@
(/.*)? u:object_r:system_file:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0


@ -4,5 +4,6 @@
(/.*)? u:object_r:system_file:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
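Review bot: `/bin/odrefresh` is the only binary entry in this hunk without the `(d)?` alternative that `dex2oat(d)?`, `dexoptanalyzer(d)?` and `profman(d)?` carry. If a debug build of odrefresh were ever shipped under that naming scheme it would fall through to the catch-all `system_file` label and never transition into the odrefresh domain; if no such build exists the entry is fine as written, but a deliberate `/bin/odrefresh(d)?` or a short comment saying there is no debug variant would make the asymmetry intentional rather than accidental.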


@ -12,6 +12,8 @@ allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
# Allow apexd to create files and directories for snapshots of apex data
allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
allow apexd apex_art_data_file:file { create_file_perms relabelto };
allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
allow apexd apex_permission_data_file:file { create_file_perms relabelto };
allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };


@ -62,3 +62,25 @@ get_prop(appdomain, camera_calibration_prop)
# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)
# Read /data/misc/apexdata/com.android.art
allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
allow appdomain apex_art_data_file:file r_file_perms;
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
neverallow {
bluetooth
isolated_app
nfc
radio
shared_relro
system_app
} {
data_file_type
-apex_art_data_file
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
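Review bot: The new `-apex_art_data_file` exemption in the sensitive-app neverallow is not required by any allow in this hunk: `allow appdomain apex_art_data_file:file r_file_perms;` grants read only, no `execute`. If no app domain needs to map these artifacts PROT_EXEC itself (mappings inherited across the zygote fork are not re-checked against the app's own permissions, as far as I can tell), keeping apex_art_data_file inside the neverallow set preserves the stronger guarantee the comment above promises. If the exemption is intentional, the comment should say why, e.g. `# apex_art_data_file is exempt: it holds AOT artifacts produced by odrefresh, which only odrefresh/apexd/init/vold_prepare_subdirs may write (see domain.te).`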


@ -8,6 +8,8 @@
ab_update_gki_prop
adbd_config_prop
apc_service
apex_art_data_file
apex_art_staging_data_file
apex_info_file
cgroup_desc_api_file
cgroup_v2
@ -44,6 +46,8 @@
mediatranscoding_tmpfs
music_recognition_service
nfc_logs_data_file
odrefresh
odrefresh_exec
people_service
persist_vendor_debug_wifi_prop
power_debug_prop


@ -47,3 +47,7 @@ neverallow crash_dump {
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
# Read ART APEX data directory
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;


@ -32,6 +32,21 @@ allow dex2oat user_profile_data_file:file { getattr read lock map };
# the framework.
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
allow dex2oat apex_module_data_file:dir search;
# Allow dex2oat to use file descriptors passed from odrefresh.
allow dex2oat odrefresh:fd use;
# Allow dex2oat to write to file descriptors from odrefresh for files
# in the staging area.
allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
# Allow dex2oat to read artifacts from odrefresh.
allow dex2oat apex_art_data_file:dir r_dir_perms;
allow dex2oat apex_art_data_file:file r_file_perms;
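Review bot: The `unlink` granted on `apex_art_staging_data_file:file` cannot be exercised as written: unlink(2) also needs `remove_name` on the parent directory, and the staging directory grant is only `r_dir_perms`. Since odrefresh hands dex2oat pre-opened descriptors (the `odrefresh:fd use` rule), dropping it — `allow dex2oat apex_art_staging_data_file:file { getattr map read write };` — keeps the least-privilege intent, and `remove_name` on the dir should be added instead only if dex2oat really deletes its outputs by path on failure. Separately, the comment `# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.` names the runtime APEX while the type it justifies labels all of /data/misc/apexdata and the traversal here is toward com.android.art; whether that line is new or pre-existing context is not recoverable on this page, but `# Allow dex2oat to search /data/misc/apexdata to reach the ART APEX data directory.` would match the rest of the hunk. The dex2oat rules continue outside the hunk.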
##################
# A/B OTA Dexopt #
##################


@ -14,12 +14,21 @@ r_dir_file(dexoptanalyzer, vendor_app_file)
# processes.
tmpfs_domain(dexoptanalyzer)
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# app_data_file the oat file is symlinked to the original file in /system.
# Allow dexoptanalyzer to read files in the dalvik cache.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# app_data_file the oat file is symlinked to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
# Allow dexoptanalyzer to read files in the ART APEX data directory.
allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
allow dexoptanalyzer apex_art_data_file:file r_file_perms;
# Allow dexoptanalyzer to use file descriptors from odrefresh.
allow dexoptanalyzer odrefresh:fd use;
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };


@ -271,6 +271,40 @@ neverallow {
-otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
neverallow {
domain
# art processes
-odrefresh
# others
-apexd
-init
-vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;
neverallow {
domain
# art processes
-odrefresh
# others
-apexd
-init
-vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;
# Protect most domains from executing arbitrary content from /data.
neverallow {
domain
-appdomain
} {
data_file_type
-apex_art_data_file
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
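Review bot: The two new write-side neverallows protect only `apex_art_data_file`; `apex_art_staging_data_file`, whose contents odrefresh later promotes into the protected directory, has no equivalent guard here (odrefresh.te only forbids `open`), so a future allow granting `write` on staging files to some other domain would not be caught at policy build time. Consider mirroring the guard for the staging type, with dex2oat added to the file exemptions since it writes staging files through passed descriptors: `neverallow { domain -odrefresh -dex2oat -init -vold_prepare_subdirs } apex_art_staging_data_file:file no_w_file_perms;` and `neverallow { domain -odrefresh -init -vold_prepare_subdirs } apex_art_staging_data_file:dir no_w_dir_perms;`. Whether apexd also needs an exemption for snapshots of the staging area is not visible in this hunk.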
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.


@ -32,3 +32,9 @@ type emergency_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/profcollectd
type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/apexdata/com.android.art
type apex_art_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/apexdata/com.android.art/staging
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;


@ -555,6 +555,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
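Review bot: The new entry `/data/misc/apexdata/com\.android\.art(/.*)?` also matches the staging subdirectory that odrefresh relabels to `apex_art_staging_data_file` at runtime, and no file_contexts entry for `/staging` is added. Any restorecon over /data/misc/apexdata would therefore put the staging tree back to `apex_art_data_file`; that may be intended if staging is transient, but then odrefresh must tolerate a leftover staging directory carrying the wrong label. If the staging label is meant to survive relabels, add `/data/misc/apexdata/com\.android\.art/staging(/.*)? u:object_r:apex_art_staging_data_file:s0`; otherwise a comment noting the relabel-at-runtime design would help the next reader.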


@ -41,6 +41,7 @@ perfetto_producer(heapprofd)
# executables/libraries/etc to do stack unwinding.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
r_dir_file(heapprofd, apex_art_data_file)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)


@ -136,6 +136,8 @@ get_prop(incidentd, device_config_runtime_native_boot_prop)
allow incidentd system_file:file lock;
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
dontaudit incidentd apex_module_data_file:dir r_dir_perms;
dontaudit incidentd apex_art_data_file:dir r_dir_perms;
dontaudit incidentd tmpfs:file rwx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)


@ -1,6 +1,8 @@
typeattribute iorap_inode2filename coredomain;
# Grant access to open most of the files under /
allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
allow iorap_inode2filename apex_data_file:file { getattr };
allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
allow iorap_inode2filename dalvikcache_data_file:file { getattr };
allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };

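--- /dev/null
+++ b/private/odrefresh.te
@@ -0,0 +1,32 @@
+# odrefresh
+type odrefresh, domain, coredomain;
+type odrefresh_exec, system_file_type, exec_type, file_type;
+# Allow odrefresh to create files and directories for on device signing.
+allow odrefresh apex_module_data_file:dir { getattr search };
+allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow odrefresh apex_art_data_file:file { open create write read getattr unlink };
+# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
+# sets up files here and passes file descriptors for dex2oat to write to.
+allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow odrefresh apex_art_staging_data_file:file create_file_perms;
+# Run dex2oat in its own sandbox.
+domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+# Do not audit unused resources from parent processes (adb, shell, su).
+# These appear to be unnecessary for odrefresh.
+dontaudit odrefresh { adbd shell }:fd use;
+dontaudit odrefresh devpts:chr_file rw_file_perms;
+dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+# No other processes should be creating files in the staging area.
+neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;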
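Review bot: The description says odrefresh moves finished files from staging into the installation directory and gives them the `apex_art_data_file` label, but the only relabel permissions in this file are on the `dir` class (`apex_art_data_file:dir relabelfrom` plus `apex_art_staging_data_file:dir relabelto`, i.e. turning a freshly created subdirectory into the staging area). A rename(2) keeps a file's existing type, so if the move is a rename the artifacts would remain `apex_art_staging_data_file` and zygote, which is granted only `apex_art_data_file`, could not map them; that path would need `apex_art_staging_data_file:file relabelfrom` and `apex_art_data_file:file relabelto`. If instead odrefresh copies the content into newly created files (which `{ open create write read getattr unlink }` on `apex_art_data_file:file` does cover) the label is inherited from the parent directory and the policy is consistent — the comment above the staging rules should state which of the two it is. Note also that the final neverallow forbids only `open`, so it does not stop a domain holding an inherited descriptor with `write` from modifying staging files; that is by design for dex2oat but is worth stating in the comment.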


@ -13,6 +13,9 @@ userdebug_or_eng(`
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
# Put the odrefresh command into its domain.
domain_auto_trans(su, odrefresh_exec, odrefresh)
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)


@ -32,8 +32,8 @@ allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREAT
allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file r_file_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.


@ -28,6 +28,7 @@ allow traced_perf packages_list_file:file r_file_perms;
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
r_dir_file(traced_perf, apex_art_data_file)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)


@ -48,6 +48,7 @@ allow traced_probes system_file:dir { open read };
allow traced_probes self:global_capability_class_set dac_read_search;
allow traced_probes apk_data_file:dir { getattr open read search };
allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
userdebug_or_eng(`
# search and getattr are granted via domain and coredomain, respectively.
@ -104,6 +105,8 @@ neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
neverallow traced_probes {
data_file_type
-apex_module_data_file
-apex_art_data_file
-apk_data_file
-dalvikcache_data_file
-system_data_file


@ -16,6 +16,7 @@ allow vold_prepare_subdirs {
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
apex_art_data_file
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
@ -30,6 +31,8 @@ allow vold_prepare_subdirs {
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
apex_art_data_file
apex_art_staging_data_file
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file


@ -28,9 +28,10 @@ allow webview_zygote self:process setcurrent;
allow webview_zygote isolated_app:process dyntransition;
# For art.
allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
allow webview_zygote apex_module_data_file:dir search;
# Allow webview_zygote to create JIT memory.
allow webview_zygote self:process execmem;


@ -50,6 +50,13 @@ allow zygote resourcecache_data_file:file create_file_perms;
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
allow zygote dalvikcache_data_file:file execute;
# Allow zygote to find files in APEX data directories.
allow zygote apex_module_data_file:dir search;
# Allow zygote to find and map files created by on device signing.
allow zygote apex_art_data_file:dir { getattr search };
allow zygote apex_art_data_file:file { r_file_perms execute };
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
@ -225,9 +232,12 @@ neverallow zygote ~{
app_zygote
}:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
# Zygote should never execute anything from /data except for
# /data/dalvik-cache files or files generated during on-device
# signing under /data/misc/apexdata/com.android.art/.
neverallow zygote {
data_file_type
-apex_art_data_file # map PROT_EXEC
-dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;
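Review bot: The existing comment at the top of the first hunk justifies `execute` on dalvik-cache files by fsverity protection checked in art_apex_boot_integrity, but the new `allow zygote apex_art_data_file:file { r_file_perms execute };` and the matching exemption `-apex_art_data_file # map PROT_EXEC` in the second hunk carry no statement of what guarantees the integrity of odrefresh's output before zygote maps it executable. Presumably the basis is the write restriction in domain.te (only odrefresh, apexd, init and vold_prepare_subdirs may write apex_art_data_file) together with whatever verification the on-device signing flow performs; I cannot confirm the latter from this change. Suggest extending the comment above the grant to e.g. `# Integrity relies on the apex_art_data_file write neverallow in domain.te and on the on-device signing check of these artifacts before they are mapped.`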


@ -545,23 +545,6 @@ neverallow appdomain {
tmpfs
}:lnk_file no_w_file_perms;
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
neverallow {
bluetooth
isolated_app
nfc
radio
shared_relro
system_app
} {
data_file_type
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
# Applications should use the activity model for receiving events
neverallow {
appdomain


@ -28,6 +28,9 @@ allow crash_dump exec_type:file r_file_perms;
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;
# Read APEX data directories.
allow crash_dump apex_module_data_file:dir { getattr search };
# Read APK files.
r_dir_file(crash_dump, apk_data_file);


@ -469,17 +469,6 @@ neverallow domain device:chr_file { open read write };
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
# Protect most domains from executing arbitrary content from /data.
neverallow {
domain
-appdomain
} {
data_file_type
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;