diff --git a/private/app.te b/private/app.te index 4e433eb58..1ef415a25 100644 --- a/private/app.te +++ b/private/app.te @@ -1,15 +1,3 @@ -# TODO: deal with tmpfs_domain pub/priv split properly -# Read system properties managed by zygote. -allow appdomain zygote_tmpfs:file read; - -# Read from (but not create) system_server buffers transferred through -# ashmem, e.g. battery stats. -allow appdomain system_server_tmpfs:file read; - -# Get info from priv_app through ashmem, such as contact -# info etc. -allow appdomain priv_app_tmpfs:file read; - # Allow apps to read the Test Harness Mode property. This property is used in # the implementation of ActivityManager.isDeviceInTestHarnessMode() get_prop(appdomain, test_harness_prop) diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil index 68e207884..ecbc1d739 100644 --- a/private/compat/28.0/28.0.ignore.cil +++ b/private/compat/28.0/28.0.ignore.cil @@ -7,8 +7,6 @@ ( new_objects activity_task_service adb_service - app_binding_service - app_prediction_service apex_data_file apex_mnt_dir apex_key_file @@ -17,6 +15,9 @@ apexd_exec apexd_prop apexd_tmpfs + appdomain_tmpfs + app_binding_service + app_prediction_service app_zygote app_zygote_tmpfs biometric_service @@ -48,6 +49,7 @@ external_vibrator_service hal_atrace_hwservice hal_face_hwservice + hal_graphics_composer_server_tmpfs hal_health_storage_hwservice hal_input_classifier_hwservice hal_power_stats_hwservice diff --git a/private/mediaextractor.te b/private/mediaextractor.te index eb90cdc81..2e654d689 100644 --- a/private/mediaextractor.te +++ b/private/mediaextractor.te @@ -2,3 +2,6 @@ typeattribute mediaextractor coredomain; init_daemon_domain(mediaextractor) tmpfs_domain(mediaextractor) +allow mediaextractor appdomain_tmpfs:file { getattr map read write }; +allow mediaextractor mediaserver_tmpfs:file { getattr map read write }; +allow mediaextractor system_server_tmpfs:file { getattr map read write }; diff --git a/private/mls b/private/mls index 421b04628..9690440e8 100644 --- a/private/mls +++ b/private/mls @@ -57,14 +57,14 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto } mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir } ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject); mlsconstrain { file sock_file } { open setattr unlink link rename } - ( (t2 != app_data_file and t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject); + ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject); # For symlinks in app_data_file, require equivalence in order to manipulate or follow (read). mlsconstrain { lnk_file } { open setattr unlink link rename read } ( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject); # For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this. # TODO: Migrate to equivalence when it's no longer needed. mlsconstrain { lnk_file } { open setattr unlink link rename read } - ( (t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject); + ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject); # # Constraints for file types other than app data files. @@ -76,7 +76,7 @@ mlsconstrain dir { read getattr search } (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } - (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); # Write operations: Subject must be equivalent to the object unless the # subject or the object is trusted. @@ -84,7 +84,7 @@ mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } - (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); # Special case for FIFOs. # These can be unnamed pipes, in which case they will be labeled with the diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te index 36e784f92..b1aa77591 100644 --- a/private/surfaceflinger.te +++ b/private/surfaceflinger.te @@ -4,6 +4,7 @@ typeattribute surfaceflinger coredomain; type surfaceflinger_exec, system_file_type, exec_type, file_type; init_daemon_domain(surfaceflinger) +tmpfs_domain(surfaceflinger) typeattribute surfaceflinger mlstrustedsubject; typeattribute surfaceflinger display_service_server; @@ -13,6 +14,7 @@ read_runtime_log_tags(surfaceflinger) # Perform HwBinder IPC. hal_client_domain(surfaceflinger, hal_graphics_allocator) hal_client_domain(surfaceflinger, hal_graphics_composer) +typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs; hal_client_domain(surfaceflinger, hal_omx) hal_client_domain(surfaceflinger, hal_configstore) hal_client_domain(surfaceflinger, hal_power) diff --git a/private/system_server.te b/private/system_server.te index 8d95c56cb..356725ccd 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -13,6 +13,7 @@ tmpfs_domain(system_server) type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; allow system_server zygote_tmpfs:file read; +allow system_server appdomain_tmpfs:file { getattr map read write }; # For art. allow system_server dalvikcache_data_file:dir r_dir_perms; diff --git a/public/app.te b/public/app.te index 18603b69b..75f521e5f 100644 --- a/public/app.te +++ b/public/app.te @@ -6,6 +6,7 @@ ### extend from this policy. Only policies which should apply to ALL ### zygote spawned apps should be added here. ### +type appdomain_tmpfs, file_type; # WebView and other application-specific JIT compilers allow appdomain self:process execmem; @@ -351,6 +352,12 @@ with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;') # Read access to FDs from the DropboxManagerService. allow appdomain dropbox_data_file:file { getattr read }; +# Read tmpfs types from these processes. +allow appdomain audioserver_tmpfs:file { getattr map read write }; +allow appdomain system_server_tmpfs:file { getattr map read write }; +allow appdomain zygote_tmpfs:file { map read }; + + ### ### Neverallow rules ### diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te index e10daf9ab..cb4a1307f 100644 --- a/public/hal_graphics_composer.te +++ b/public/hal_graphics_composer.te @@ -1,6 +1,12 @@ +type hal_graphics_composer_server_tmpfs, file_type; +attribute hal_graphics_composer_client_tmpfs; +expandattribute hal_graphics_composer_client_tmpfs true; + # HwBinder IPC from client to server, and callbacks binder_call(hal_graphics_composer_client, hal_graphics_composer_server) binder_call(hal_graphics_composer_server, hal_graphics_composer_client) +allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write }; +allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write }; hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice) diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te index ae00287d8..c1e4844a0 100644 --- a/public/surfaceflinger.te +++ b/public/surfaceflinger.te @@ -1,2 +1,3 @@ # surfaceflinger - display compositor service type surfaceflinger, domain; +type surfaceflinger_tmpfs, file_type; diff --git a/public/system_server.te b/public/system_server.te index aa9c6c16d..ff18bdf84 100644 --- a/public/system_server.te +++ b/public/system_server.te @@ -3,4 +3,4 @@ # Most of the framework services run in this process. # type system_server, domain; -type system_server_tmpfs, file_type; +type system_server_tmpfs, file_type, mlstrustedobject; diff --git a/public/te_macros b/public/te_macros index 4195b884d..65415253f 100644 --- a/public/te_macros +++ b/public/te_macros @@ -168,10 +168,9 @@ domain_auto_trans(init, $1_exec, $1) # Allow a base set of permissions required for all apps. define(`app_domain', ` typeattribute $1 appdomain; -# Label ashmem objects with our own unique type. -tmpfs_domain($1) -# Map with PROT_EXEC. -allow $1 $1_tmpfs:file execute; +# Label tmpfs objects for all apps. +type_transition $1 tmpfs:file appdomain_tmpfs; +allow $1 appdomain_tmpfs:file { execute getattr map read write }; neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms; neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms; # The Android security model guarantees the confidentiality and integrity diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te index 72d781db2..7dcd2b2e0 100644 --- a/vendor/hal_graphics_composer_default.te +++ b/vendor/hal_graphics_composer_default.te @@ -3,6 +3,8 @@ hal_server_domain(hal_graphics_composer_default, hal_graphics_composer) type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_graphics_composer_default) +type_transition hal_graphics_composer_default tmpfs:file hal_graphics_composer_server_tmpfs; +allow hal_graphics_composer_default hal_graphics_composer_server_tmpfs:file { getattr map read write }; # b/68864350 dontaudit hal_graphics_composer_default unlabeled:dir search;