From 8f81dcad5bb322a75bc61c8b42f8287e2afeaddc Mon Sep 17 00:00:00 2001
From: dcashman
Date: Mon, 9 Mar 2015 10:13:13 -0700
Subject: [PATCH] Only allow system_server to send commands to zygote.

Add neverallow rules to ensure that zygote commands are only taken from system_server. Also remove the zygote policy class which was removed as an object manager in commit: ccb3424639821b5ef85264bc5836451590e8ade7

Bug: 19624279
Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
---
 access_vectors | 8 --------
 domain.te | 4 ++++
 system_server.te | 3 ---
 3 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/access_vectors b/access_vectors
index 320a1c897..43b81e9f4 100644
--- a/access_vectors
+++ b/access_vectors
@@ -876,14 +876,6 @@ class binder
 	transfer
 }
 
-class zygote
-{
-	specifyids
-	specifyrlimits
-	specifyinvokewith
-	specifyseinfo
-}
-
 class property_service
 {
 	set
diff --git a/domain.te b/domain.te
index d835ee940..b2eaa7905 100644
--- a/domain.te
+++ b/domain.te
@@ -344,6 +344,10 @@ neverallow { -dex2oat } dalvikcache_data_file:file no_w_file_perms;
+# Only system_server should be able to send commands via the zygote socket
+neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } zygote_socket:sock_file write;
+
 # Android does not support System V IPCs.
 #
 # The reason for this is due to the fact that, by design, they lead to global
diff --git a/system_server.te b/system_server.te
index 537876664..6b580f578 100644
--- a/system_server.te
+++ b/system_server.te
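Review bot: The comment above the new neverallow rules in domain.te says only system_server may send commands to zygote, but the first rule also exempts `zygote` itself from `connectto`, and nothing in the hunk says why; a reader checking rule against comment will assume one of them is wrong. Suggest stating the exemption explicitly in the comment, e.g. `# zygote is exempted from the connectto rule because <reason> — TODO confirm`, with the real reason filled in by the author. The rules also rely on the listening socket file being labelled `zygote_socket` and on the zygote process running in the `zygote` domain; both labels are assigned outside this file, so this hunk alone cannot show the restriction is complete, and the existing surrounding context of the hunk (the `-dex2oat` neverallow) appears collapsed onto the hunk header in this rendering. Note that these rules constrain only `connectto` on the socket and `write` on the sock_file; an already-connected socket descriptor shared from system_server with another domain would be governed by the fd and peer-socket permissions, not by either new rule, so they should be read as a compile-time guard rather than a full access boundary.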
@@ -296,9 +296,6 @@ allow system_server wpa_socket:sock_file unlink;
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
-# Specify any arguments to zygote.
-allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
-
 # Manage cache files.
 allow system_server cache_file:dir { relabelfrom create_dir_perms };
 allow system_server cache_file:file { relabelfrom create_file_perms };