Revert "auditallow app_data_file execute"
There is a problem with on-disk labeling of files created by secondary
dex background compilation which is causing unexpected denials to show
up. Drop the auditallow rule to avoid logspam.
Steps to reproduce:
1) boot android device.
2) adb root
3) Run cmd package compile -r bg-dexopt --secondary-dex com.google.android.gms
4) Examine the files in /data/user_de/0/com.google.android.gms
Expected:
All files have the label privapp_data_file
Actual:
The files in /data/user_de/0/com.google.android.gms/app_chimera/m
are labeled "app_data_file", not "privapp_data_file".
Addresses the following audit logspam:
type=1400 audit(0.0:117): avc: granted { execute } for comm=4173796E635461736B202331 path="/data/user_de/0/com.google.android.gms/app_chimera/m/00000002/oat/arm/DynamiteLoader.odex" dev="dm-0" ino=5775 scontext=u:r:untrusted_app:s0:c111,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.android.chrome
Additionally, this removes auditallow statements for older untrusted
apps. Lots of big apps are executing files from their home directory.
Additional restrictions in this area will need to be tied to API
versions.
Addresses the following audit logspam:
type=1400 audit(0.0:619): avc: granted { execute } for comm="na:notification" path="/data/data/com.facebook.katana/lib-xzs/libbreakpad.so" dev="dm-3" ino=28333 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.katana
type=1400 audit(0.0:129): avc: granted { execute } for comm="ticlock" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut
type=1400 audit(0.0:1239): avc: granted { execute } for comm="Analytics-Norma" path="/data/data/com.facebook.orca/lib-xzs/libchipsetmerged.so" dev="dm-3" ino=50243 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.orca
type=1400 audit(0.0:58): avc: granted { execute_no_trans } for comm="sh" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut
type=1400 audit(0.0:1948): avc: granted { execute_no_trans } for comm="sh" path="/data/data/com.mxdata.tube.Market/files/osmcore" dev="sda13" ino=2752651 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.mxdata.tube.Market
type=1400 audit(0.0:2875): avc: granted { execute_no_trans } for comm="ThreadPoolManag" path="/data/data/com.amazon.kindle/files/hardwareTest" dev="sda13" ino=1935346 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.amazon.kindle
This reverts commit 4738b93db2.
Bug: 112357170
Test: policy compiles
parent
383471c267
commit
c47e149a0b
2 changed files with 0 additions and 12 deletions
|
@ -23,12 +23,6 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
|
|||
# to their sandbox directory and then execute.
|
||||
allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
|
||||
|
||||
# Executing files from an application home directory violates
|
||||
# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
|
||||
# from a writable file) and is an unsafe application behavior. Test to see if we
|
||||
# can get rid of it.
|
||||
auditallow ephemeral_app app_data_file:file execute;
|
||||
|
||||
# services
|
||||
allow ephemeral_app audioserver_service:service_manager find;
|
||||
allow ephemeral_app cameraserver_service:service_manager find;
|
||||
|
|
|
@ -24,12 +24,6 @@
|
|||
# to their sandbox directory and then execute.
|
||||
allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
|
||||
|
||||
# Executing files from an application home directory violates
|
||||
# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
|
||||
# from a writable file) and is an unsafe application behavior. Test to see if we
|
||||
# can get rid of it.
|
||||
auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
|
||||
|
||||
# ASEC
|
||||
allow untrusted_app_all asec_apk_file:file r_file_perms;
|
||||
allow untrusted_app_all asec_apk_file:dir r_dir_perms;
|
||||
|
|