Add the "webview_zygote" domain.

The webview_zygote is a new unprivileged zygote and has its own sockets for
listening to fork requests. However the webview_zygote does not run as root
(though it does require certain capabilities) and only allows dyntransition to
the isolated_app domain.

Test: m
Test: angler boots

Bug: 21643067
Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83

private/file_contexts

@@ -119,6 +119,7 @@
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
 /dev/socket/uncrypt	u:object_r:uncrypt_socket:s0
 /dev/socket/vold	u:object_r:vold_socket:s0
+/dev/socket/webview_zygote	u:object_r:webview_zygote_socket:s0
 /dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
 /dev/socket/zygote	u:object_r:zygote_socket:s0
@@ -218,6 +219,8 @@
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
+/system/bin/webview_zygote32     u:object_r:webview_zygote_exec:s0
+/system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
 /system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
 /system/lib(64)?/libart.*        u:object_r:libart_file:s0
 /system/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_exec:s0

private/webview_zygote.te

@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(webview_zygote)

public/domain.te

@@ -112,6 +112,7 @@ auditallow {
   -dumpstate
   -profman
   -recovery
+  -webview_zygote
   -zygote
 } libart_file:file { execute read open getattr };
 
@@ -307,6 +308,7 @@ neverallow {
     -shell
     userdebug_or_eng(`-su')
     -system_server
+    -webview_zygote
     -zygote
 } { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
 neverallow {
@@ -434,6 +436,9 @@ neverallow {
 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
 neverallow { domain -system_server } zygote_socket:sock_file write;
 
+neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } webview_zygote_socket:sock_file write;
+
 # Android does not support System V IPCs.
 #
 # The reason for this is due to the fact that, by design, they lead to global
@@ -540,7 +545,7 @@ neverallow {
 } shell:process { transition dyntransition };
 
 # Only domains spawned from zygote and runas may have the appdomain attribute.
-neverallow { domain -runas -zygote } {
+neverallow { domain -runas -webview_zygote -zygote } {
   appdomain -shell userdebug_or_eng(`-su') -bluetooth
 }:process { transition dyntransition };
 

public/file.te

@@ -236,6 +236,7 @@ type system_wpa_socket, file_type;
 type system_ndebug_socket, file_type;
 type uncrypt_socket, file_type;
 type vold_socket, file_type;
+type webview_zygote_socket, file_type;
 type wpa_socket, file_type;
 # hostapd control interface.
 type hostapd_socket, file_type;

public/isolated_app.te

@@ -26,6 +26,18 @@ allow isolated_app webviewupdate_service:service_manager find;
 # https://code.google.com/p/chromium/issues/detail?id=475270
 allow isolated_app self:process ptrace;
 
+# For webviews, isolated_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_app webview_zygote:fd use;
+# Read system properties managed by webview_zygote.
+allow isolated_app webview_zygote_tmpfs:file read;
+# Notify webview_zygote of child death.
+allow isolated_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app webview_zygote:unix_dgram_socket write;
+
 #####
 ##### Neverallow
 #####
@@ -83,3 +95,6 @@ neverallow isolated_app { storage_file mnt_user_file sdcard_type }:file_class_se
 
 # Do not allow USB access
 neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app webview_zygote_socket:sock_file write;

public/system_server.te

@@ -137,6 +137,7 @@ unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
 unix_socket_connect(system_server, netd, netd)
 unix_socket_connect(system_server, vold, vold)
+unix_socket_connect(system_server, webview_zygote, webview_zygote)
 unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, racoon, racoon)
 unix_socket_send(system_server, wpa, wpa)

public/webview_zygote.te

@@ -0,0 +1,83 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+# The webview_zygote needs to be able to transition domains.
+type webview_zygote, domain, mlstrustedsubject;
+type webview_zygote_exec, exec_type, file_type;
+
+# Access to system files for SELinux contexts.
+allow webview_zygote rootfs:file r_file_perms;
+
+# Access to the WebView relro file.
+allow webview_zygote shared_relro_file:dir search;
+allow webview_zygote shared_relro_file:file r_file_perms;
+
+# Set the UID/GID of the process.
+allow webview_zygote self:capability { setgid setuid };
+# Drop capabilities from bounding set.
+allow webview_zygote self:capability setpcap;
+# Switch SELinux context to app domains.
+allow webview_zygote self:process setcurrent;
+allow webview_zygote isolated_app:process dyntransition;
+
+# For art.
+allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
+allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+
+# Allow webview_zygote to manage the pgroup of its children.
+allow webview_zygote system_server:process getpgid;
+
+# Interaction between the webview_zygote and its children.
+allow webview_zygote isolated_app:process setpgid;
+
+# Check validity of SELinux context before use.
+selinux_check_context(webview_zygote)
+# Check SELinux permissions.
+selinux_check_access(webview_zygote)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+
+# Disallow write access to properties.
+neverallow webview_zygote property_socket:sock_file write;
+neverallow webview_zygote property_type:property_service set;
+
+# Should not have any access to app data files.
+neverallow webview_zygote {
+    app_data_file
+    system_app_data_file
+    bluetooth_data_file
+    nfc_data_file
+    radio_data_file
+    shell_data_file
+    ephemeral_data_file
+}:file { rwx_file_perms };
+
+neverallow webview_zygote {
+    service_manager_type
+    -activity_service
+    -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow webview_zygote access to /cache.
+neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
+neverallow webview_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow webview_zygote domain:{
+  socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+  appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
+  netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+  netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+  netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+} *;