Merge "bless app created renderscript files"

private/app.te

@@ -16,8 +16,10 @@ neverallow appdomain system_server:udp_socket {
 
 # Transition to a non-app domain.
 # Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
-    { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
-    { dyntransition };
+# Exception for crash_dump to allow for app crash reporting.
+# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
+# to allow renderscript to create privileged executable files.
+neverallow { appdomain -shell userdebug_or_eng(`-su') }
+    { domain -appdomain -crash_dump -rs }:process { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') }
+    { domain -appdomain }:process { dyntransition };

private/app_neverallows.te

@@ -41,6 +41,12 @@ neverallow { all_untrusted_apps -mediaprovider } property_type:property_service
 # but otherwise disallow untrusted apps from reading this property.
 neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
 
+# Renderscript created files within an app home directory can be
+# dlopen()ed. To maintain the W^X property, these files
+# must never be writable to the app.
+neverallow all_untrusted_apps rs_data_file:file
+  { append create link relabelfrom relabelto rename setattr write };
+
 # Block calling execve() on files in an apps home directory.
 # This is a W^X violation (loading executable code from a writable
 # home directory). For compatibility, allow for targetApi <= 28.
@@ -121,6 +127,7 @@ neverallow { all_untrusted_apps -mediaprovider } {
   file_type
   -app_data_file            # The apps sandbox itself
   -privapp_data_file
+  -rs_data_file             # stored within the app sandbox directory
   -media_rw_data_file       # Internal storage. Known that apps can
                             # leave artfacts here after uninstall.
   -user_profile_data_file   # Access to profile files

private/coredomain.te

@@ -28,6 +28,7 @@ full_treble_only(`
         userdebug_or_eng(`-perfprofd')
         userdebug_or_eng(`-heapprofd')
         -postinstall_dexopt
+        -rs # spawned by appdomain, so carryover the exception above
         -system_server
     } vendor_app_file:dir { open read getattr search };
 ')
@@ -43,6 +44,7 @@ full_treble_only(`
         userdebug_or_eng(`-perfprofd')
         userdebug_or_eng(`-heapprofd')
         -postinstall_dexopt
+        -rs # spawned by appdomain, so carryover the exception above
         -system_server
         -mediaserver
     } vendor_app_file:file r_file_perms;
@@ -56,6 +58,7 @@ full_treble_only(`
         -idmap
         -init
         -installd
+        -rs # spawned by appdomain, so carryover the exception above
         -system_server
         -webview_zygote
         -zygote
@@ -70,6 +73,7 @@ full_treble_only(`
         -idmap
         -init
         -installd
+        -rs # spawned by appdomain, so carryover the exception above
         -system_server
         -webview_zygote
         -zygote

private/domain.te

@@ -25,8 +25,8 @@ userdebug_or_eng(`can_profile_heap({
 
 # Path resolution access in cgroups.
 allow domain cgroup:dir search;
-allow { domain -appdomain } cgroup:dir w_dir_perms;
-allow { domain -appdomain } cgroup:file w_file_perms;
+allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup:file w_file_perms;
 
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
@@ -105,6 +105,7 @@ neverallow {
   -installd
   userdebug_or_eng(`-perfprofd')
   -profman
+  -rs # spawned by appdomain, so carryover the exception above
   -runas
   -system_server
 } { privapp_data_file app_data_file }:dir *;
@@ -115,6 +116,7 @@ neverallow {
   domain
   -appdomain
   -installd
+  -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:dir ~r_dir_perms;
 
 neverallow {
@@ -122,6 +124,7 @@ neverallow {
   -appdomain
   -installd
   userdebug_or_eng(`-perfprofd')
+  -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:file_class_set open;
 
 neverallow {

private/ephemeral_app.te

@@ -21,7 +21,15 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
+allow ephemeral_app privapp_data_file:file { r_file_perms execute };
+allow ephemeral_app app_data_file:file     { r_file_perms execute };
+
+# Allow the renderscript compiler to be run.
+domain_auto_trans(ephemeral_app, rs_exec, rs)
+
+# Allow loading and deleting renderscript created shared libraries
+# within an application home directory.
+allow ephemeral_app rs_data_file:file { r_file_perms execute unlink };
 
 # services
 allow ephemeral_app audioserver_service:service_manager find;

private/file.te

@@ -13,3 +13,5 @@ type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
 # /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
 type debugfs_kcov, fs_type, debugfs_type;
 
+# renderscript created files in /data/data directories
+type rs_data_file, file_type, data_file_type, core_data_file_type;

private/file_contexts

@@ -176,6 +176,7 @@
 /system(/.*)?		u:object_r:system_file:s0
 /system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
+/system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
@@ -189,6 +190,7 @@
 /system/bin/tune2fs	--	u:object_r:fsck_exec:s0
 /system/bin/toolbox	--	u:object_r:toolbox_exec:s0
 /system/bin/toybox	--	u:object_r:toolbox_exec:s0
+/system/bin/ld\.mc              u:object_r:rs_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0
 /system/bin/logcatd	--	u:object_r:logcat_exec:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0

private/installd.te

@@ -20,3 +20,6 @@ type_transition installd system_data_file:file install_data_file;
 # For collecting bugreports.
 allow installd dumpstate:fd use;
 allow installd dumpstate:fifo_file r_file_perms;
+
+# Delete /system/bin/bcc generated artifacts
+allow installd rs_data_file:file unlink;

private/rs.te

@@ -0,0 +1,42 @@
+type rs, domain, coredomain;
+type rs_exec, system_file_type, exec_type, file_type;
+
+# Any files which would have been created as app_data_file
+# will be created as rs_data_file instead.
+allow rs app_data_file:dir ra_dir_perms;
+allow rs rs_data_file:file create_file_perms;
+type_transition rs app_data_file:file rs_data_file;
+
+# Read files from the app home directory.
+allow rs app_data_file:file r_file_perms;
+allow rs app_data_file:dir r_dir_perms;
+
+# Cleanup rs_data_file files in the app home directory.
+allow rs app_data_file:dir remove_name;
+
+# Use vendor resources
+allow rs vendor_file:dir r_dir_perms;
+r_dir_file(rs, vendor_overlay_file)
+r_dir_file(rs, vendor_app_file)
+
+# Read contents of app apks
+r_dir_file(rs, apk_data_file)
+
+allow rs gpu_device:chr_file rw_file_perms;
+allow rs ion_device:chr_file r_file_perms;
+allow rs same_process_hal_file:file { r_file_perms execute };
+
+# File descriptors passed from app to renderscript
+allow rs untrusted_app_all:fd use;
+
+# TODO: Explain why these dontaudits are needed. Most likely
+# these are file descriptors leaking across an exec() boundary
+# due to a missing O_CLOEXEC / SOCK_CLOEXEC
+dontaudit rs untrusted_app_all:unix_stream_socket { read write };
+dontaudit rs untrusted_app_all:fifo_file { read write };
+
+# TODO: Explain why this is necessary. I think this is a zygote
+# created logging socket and system server parceled file descriptor
+# which is not using the O_CLOEXEC flag.
+dontaudit rs zygote:fd use;
+dontaudit rs system_server:fd use;

private/untrusted_app_all.te

@@ -22,7 +22,12 @@
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all { app_data_file privapp_data_file }:file { r_file_perms execute };
+allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_all app_data_file:file     { r_file_perms execute };
+
+# Allow loading and deleting renderscript created shared libraries
+# within an application home directory.
+allow untrusted_app_all rs_data_file:file { r_file_perms execute unlink };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
@@ -122,6 +127,9 @@ unix_socket_connect(untrusted_app_all, traced_producer, traced)
 allow untrusted_app_all system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
+# Allow the renderscript compiler to be run.
+domain_auto_trans(untrusted_app_all, rs_exec, rs)
+
 # This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
 dontaudit untrusted_app_all net_dns_prop:file read;