Remove rules for starting the webview_zygote as a child of init.

The webview_zygote is now launched as a child-zygote process from the
main zygote process.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Change-Id: I9c948b58a969d35d5a5add4b6ab62b8f990645d1
This commit is contained in:
Robert Sesek 2018-01-30 10:54:33 -05:00
parent 2d0b211245
commit ca4c4e57b2
7 changed files with 11 additions and 13 deletions


@ -11,6 +11,7 @@
(type tracing_shell_writable) (type tracing_shell_writable)
(type tracing_shell_writable_debug) (type tracing_shell_writable_debug)
(type vold_socket) (type vold_socket)
(type webview_zygote_socket)
(typeattributeset accessibility_service_26_0 (accessibility_service)) (typeattributeset accessibility_service_26_0 (accessibility_service))
(typeattributeset account_service_26_0 (account_service)) (typeattributeset account_service_26_0 (account_service))


@ -155,7 +155,6 @@
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0 /dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0 /dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0 /dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0 /dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote u:object_r:zygote_socket:s0 /dev/socket/zygote u:object_r:zygote_socket:s0
@ -274,8 +273,6 @@
/system/bin/bspatch u:object_r:update_engine_exec:s0 /system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0 /system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0 /system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
/system/bin/wpantund u:object_r:wpantund_exec:s0 /system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0 /system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0 /system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0


@ -108,7 +108,7 @@ neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *; neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket. # Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote_socket:sock_file write; neverallow isolated_app webview_zygote:sock_file write;
# Limit the /sys files which isolated_app can access. This is important # Limit the /sys files which isolated_app can access. This is important
# for controlling isolated_app attack surface. # for controlling isolated_app attack surface.
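Review bot: The rewritten neverallow keeps `sock_file write` but now names the webview_zygote process domain instead of a file type, and nothing on this page labels a socket file with that domain: the only such label, webview_zygote_socket, is deleted from file_contexts and from the type declarations in this same commit. If the child zygote's command socket is not a path-based socket (which the new system_server rule granting `connectto` directly, without unix_socket_connect(), suggests), the rule is vacuous and the unchanged comment `# Restrict the webview_zygote control socket.` now describes a socket that no longer exists. Either drop the rule or reword the comment, e.g. `# webview_zygote no longer has a filesystem control socket; keep isolated_app away from any sock_file labelled with its domain.` The same rename appears in the later section's `neverallow { domain -system_server } webview_zygote:sock_file write;` and the same question applies there.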


@ -152,7 +152,6 @@ allow system_server self:tun_socket create_socket_perms_no_ioctl;
unix_socket_connect(system_server, lmkd, lmkd) unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp) unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd) unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, webview_zygote, webview_zygote)
unix_socket_connect(system_server, zygote, zygote) unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, racoon, racoon) unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt) unix_socket_connect(system_server, uncrypt, uncrypt)
@ -160,6 +159,9 @@ unix_socket_connect(system_server, uncrypt, uncrypt)
# Communicate over a socket created by surfaceflinger. # Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt }; allow system_server surfaceflinger:unix_stream_socket { read write setopt };
# Communicate over a socket created by webview_zygote.
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
# Perform Binder IPC. # Perform Binder IPC.
binder_use(system_server) binder_use(system_server)
binder_call(system_server, appdomain) binder_call(system_server, appdomain)
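Review bot: The comment above the added `allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };` does not say why `connectto` is granted directly rather than through the unix_socket_connect() macro used for zygote and the other neighbours; from the removed file_contexts entry the reason appears to be that the child zygote's socket has no sock_file on disk, but that is inferred, not visible here. Suggest expanding it to `# Communicate over the command socket created by webview_zygote. It is not a filesystem socket, so unix_socket_connect() does not apply.` once that is confirmed against the zygote side.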


@ -6,9 +6,9 @@ typeattribute webview_zygote coredomain;
# The webview_zygote needs to be able to transition domains. # The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject; typeattribute webview_zygote mlstrustedsubject;
# When init launches the WebView zygote's executable, transition the # Allow access to temporary files, which is normally permitted through
# resulting process into webview_zygote domain. # a domain macro.
init_daemon_domain(webview_zygote) tmpfs_domain(webview_zygote);
# Allow reading/executing installed binaries to enable preloading the # Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation. # installed WebView implementation.
@ -84,9 +84,8 @@ neverallow webview_zygote { domain -crash_dump }:process transition;
# Having said that, exec() above is not allowed. # Having said that, exec() above is not allowed.
neverallow webview_zygote *:file execute_no_trans; neverallow webview_zygote *:file execute_no_trans;
# The only way to enter this domain is for init to exec() us or the zygote # The only way to enter this domain is for the zygote to fork a new
# to fork a new webview_zygote child. # webview_zygote child.
neverallow { domain -init } webview_zygote:process transition;
neverallow { domain -zygote } webview_zygote:process dyntransition; neverallow { domain -zygote } webview_zygote:process dyntransition;
# Disallow write access to properties. # Disallow write access to properties.
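Review bot: Deleting `neverallow { domain -init } webview_zygote:process transition;` leaves no rule at all forbidding an exec-based transition into webview_zygote, even though the reworded comment now states that being forked by the zygote is the only way to enter the domain; the remaining neverallow on the next line covers only `dyntransition`. This commit removes the file_contexts labels for the webview_zygote binaries, but nothing on the page removes the exec type itself, so the invariant the comment promises should be made explicit rather than dropped: `neverallow domain webview_zygote:process transition;`.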


@ -993,7 +993,7 @@ neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto
neverallow { domain -system_server } zygote_socket:sock_file write; neverallow { domain -system_server } zygote_socket:sock_file write;
neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto; neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote_socket:sock_file write; neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow { neverallow {
domain domain


@ -332,7 +332,6 @@ type tombstoned_intercept_socket, file_type, coredomain_socket;
type traced_producer_socket, file_type, coredomain_socket; type traced_producer_socket, file_type, coredomain_socket;
type traced_consumer_socket, file_type, coredomain_socket; type traced_consumer_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket; type uncrypt_socket, file_type, coredomain_socket;
type webview_zygote_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type; type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket; type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file # UART (for GPS) control proc file