From c871c1cc75372ada9821589aa414702bb74db46e Mon Sep 17 00:00:00 2001
From: Jiakai Zhang
Date: Tue, 19 Jul 2022 21:29:31 +0100
Subject: [PATCH] Update SELinux policy for app compilation CUJ.
- Adapt installd rules for app compilation.
- Add profman rules for checking the profile before compilation. This is new behavior compared to installd.
Bug: 229268202
Test: - 1. adb shell pm art optimize-package -m speed-profile -f \
com.google.android.youtube
2. See no SELinux denial.
Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
---
apex/com.android.art-file_contexts | 1 +
apex/com.android.art.debug-file_contexts | 1 +
private/artd.te | 25 +++++++++++++++++++++---
private/compat/33.0/33.0.ignore.cil | 1 +
private/coredomain.te | 1 +
private/dex2oat.te | 10 ++++------
private/file.te | 5 +++++
private/profman.te | 11 +++++++++++
public/artd.te | 2 ++
public/domain.te | 3 ++-
public/profman.te | 2 --
11 files changed, 50 insertions(+), 12 deletions(-)
create mode 100644 public/artd.te
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 2533cac9d..fd4e7314d 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
 # System files
 #
 (/.*)? u:object_r:system_file:s0
+/bin/art_exec u:object_r:art_exec_exec:s0
 /bin/artd u:object_r:artd_exec:s0
 /bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index a0e9ea037..fa04b2f83 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,6 +2,7 @@
 # System files
 #
 (/.*)? u:object_r:system_file:s0
+/bin/art_exec u:object_r:art_exec_exec:s0
 /bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
 /bin/odrefresh u:object_r:odrefresh_exec:s0
diff --git a/private/artd.te b/private/artd.te
index 4f0db692a..dc6855e9b 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -1,5 +1,5 @@
-# art service daemon
-type artd, domain, coredomain;
+# ART service daemon.
+typeattribute artd coredomain;
 
 type artd_exec, system_file_type, exec_type, file_type;
 type artd_tmpfs, file_type;
@@ -57,4 +57,23 @@ allow artd apex_info_file:file r_file_perms;
 # - managing (CRUD) profile files for both primary dex'es and secondary dex'es
 # - "fowner" is for adjusting the file permissions of compilation artifacts and
 # profile files based on whether they include user data or not.
-allow artd self:global_capability_class_set { dac_override dac_read_search fowner };
+# - "chown" is for transferring the ownership of compilation artifacts and
+# profile files to the system or apps.
+allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
+
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
+allow artd user_profile_data_file:dir { getattr search };
+allow artd user_profile_data_file:file create_file_perms;
+
+# Never allow running other binaries without a domain transition.
+# The only exception is art_exec. It is allowed to use the artd domain because
+# it is a thin wrapper that executes other binaries on behalf of artd.
+neverallow artd ~{art_exec_exec}:file execute_no_trans;
+allow artd art_exec_exec:file rx_file_perms;
+
+# Allow running other binaries in their own domains.
+domain_auto_trans(artd, profman_exec, profman)
+domain_auto_trans(artd, dex2oat_exec, dex2oat)
+
+# Allow sending sigkill to subprocesses.
+allow artd { profman dex2oat }:process sigkill;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 305116c3e..baff321cd 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
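Review bot: `allow artd user_profile_data_file:file create_file_perms;` is paired with only `{ getattr search }` on `user_profile_data_file:dir`, so as far as this hunk shows artd cannot actually create, unlink or rename entries in a profile directory — those operations also need `dir { write add_name remove_name }` on the parent. If artd only opens existing profiles (or receives them as FDs from the caller), narrow the file rule to `rw_file_perms`; if it really creates them, the dir rule needs `rw_dir_perms` instead, and the comment `# Read/write access to profiles` under-describes `create_file_perms`, which also grants create/unlink/rename/setattr. Because art_exec is executed in the artd domain without a transition, it inherits every rule here including the new `chown` capability; that is worth stating in the comment above the `neverallow ... execute_no_trans` line, e.g. `# Note that art_exec therefore runs with all of artd's permissions and capabilities.`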
@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
 ( new_objects
+ artd
 device_config_memory_safety_native_prop
 device_config_vendor_system_native_prop
 hal_bootctl_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 69367b85c..5dbd7ce74 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -77,6 +77,7 @@ full_treble_only(`
 -heapprofd
 userdebug_or_eng(`-profcollectd')
 -postinstall_dexopt
+ -profman
 -rs # spawned by appdomain, so carryover the exception above
 userdebug_or_eng(`-simpleperf_boot')
 -system_server
diff --git a/private/dex2oat.te b/private/dex2oat.te
index e7cdd5f12..2ce24594e 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -15,7 +15,6 @@ allow dex2oat tmpfs:file { read getattr map };
 
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
-allow dex2oat installd:fd use;
 
 # Acquire advisory lock on /system/framework/arm/*
 allow dex2oat system_file:file lock;
@@ -38,12 +37,8 @@ allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock
 # Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
 allow dex2oat apex_module_data_file:dir search;
 
-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
+# Allow dex2oat to use devpts passed from odsign.
 allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;
 
 # Allow dex2oat to write to file descriptors from odrefresh for files
 # in the staging area.
@@ -61,6 +56,9 @@ get_prop(dex2oat, device_config_runtime_native_boot_prop)
 # Allow dex2oat to read /apex/apex-info-list.xml
 allow dex2oat apex_info_file:file r_file_perms;
 
+# Allow dex2oat to use file descriptors passed from privileged programs.
+allow dex2oat { artd installd odrefresh odsign }:fd use;
+
 ##################
 # A/B OTA Dexopt #
 ##################
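Review bot: The new `-profman` exemption in the coredomain neverallow list carries no justification, unlike the neighbouring `-rs # spawned by appdomain, ...` entry, and profman is the component this same commit describes as parsing untrusted profile data. The only vendor access the commit adds for profman is `vendor_app_file:file { getattr read map lock }` in private/profman.te, so record that scope inline, e.g. `-profman # reads vendor APKs next to profiles via FDs passed from artd/installd`, so the exemption is not silently widened later. The enclosing `full_treble_only(` block starts and ends outside the hunk, so I could not confirm which vendor permissions this particular neverallow covers; if it is broader than `:file` read, a narrower exemption may be possible.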
diff --git a/private/file.te b/private/file.te
index c4ee2aa1d..3f5531f97 100644
--- a/private/file.te
+++ b/private/file.te
@@ -115,3 +115,8 @@ type sepolicy_metadata_file, file_type;
 # /dev/selinux/test - used to verify that apex sepolicy is loaded and
 # property labeled.
 type sepolicy_test_file, file_type;
+
+# /apex/com.android.art/bin/art_exec
+# This executable does not have its own domain because it is executed in the caller's domain. For
+# example, it is executed in the `artd` domain when artd calls it.
+type art_exec_exec, system_file_type, exec_type, file_type;
diff --git a/private/profman.te b/private/profman.te
index f61d05efe..390f83e62 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -1 +1,12 @@
 typeattribute profman coredomain;
+
+# Allow profman to read APKs and profile files next to them by FDs passed from
+# other programs. In addition, allow profman to acquire flocks on those files.
+allow profman {
+ system_file
+ apk_data_file
+ vendor_app_file
+}:file { getattr read map lock };
+
+# Allow profman to use file descriptors passed from privileged programs.
+allow profman { artd installd }:fd use;
diff --git a/public/artd.te b/public/artd.te
new file mode 100644
index 000000000..0731adc60
--- /dev/null
+++ b/public/artd.te
@@ -0,0 +1,2 @@
+# ART service daemon.
+type artd, domain;
diff --git a/public/domain.te b/public/domain.te
index 8fba442b1..1db6a17ae 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1230,11 +1230,12 @@ neverallow domain debugfs_type:file { execute execute_no_trans };
 neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
 
 # Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
+# it from installd and artd forked processes.
 neverallow {
 domain
 -installd
 -profman
+ -artd
 } profman_exec:file no_x_file_perms;
 
 # Enforce restrictions on kernel module origin.
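Review bot: The `-artd` exemption on the profman_exec neverallow in public/domain.te implicitly also covers art_exec, because private/artd.te in this commit lets artd run art_exec in its own domain (`allow artd art_exec_exec:file rx_file_perms` with the matching `execute_no_trans` carve-out), so art_exec can exec profman on artd's behalf while the comment names only installd and artd. Add `# "artd" includes art_exec, which runs in the artd domain without a transition.` next to `-artd` so a future reader does not take the list as exhaustive. The same holds for `allow profman { artd installd }:fd use;` in private/profman.te: FDs handed over by art_exec presumably carry the artd label and rely on this rule, which the comment `passed from privileged programs` could say explicitly.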
diff --git a/public/profman.te b/public/profman.te
index c014d7954..727daeecd 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -14,8 +14,6 @@ allow profman oemfs:file { read map };
 allow profman tmpfs:file { read map };
 allow profman profman_dump_data_file:file { write map };
 
-allow profman installd:fd use;
-
 # Allow profman to analyze profiles for the secondary dex files. These
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.