0eb0a16fbd
When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library.

Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
25 lines
1.1 KiB
Text
# TODO: deal with tmpfs_domain pub/priv split properly
# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Read from (but not create) system_server buffers transferred through
# ashmem, e.g. battery stats.
allow appdomain system_server_tmpfs:file read;

# Get info from priv_app through ashmem, such as contact
# info etc.
allow appdomain priv_app_tmpfs:file read;

neverallow appdomain system_server:udp_socket {
        accept append bind create ioctl listen lock name_bind
        relabelfrom relabelto setattr shutdown };

# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
        { domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
        { domain -appdomain }:process { dyntransition };
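
What the -rs and -crash_dump exemptions in the two neverallow rules above permit and forbid, as an added example (not part of the policy file or the commit): a simplified Python evaluator for neverallow type-set arithmetic. The attribute memberships and allow rules are constructed for illustration, and the userdebug_or_eng macro is assumed to expand to nothing, as on a user build.

```python
import re

# Constructed attribute membership: a tiny stand-in, not the real AOSP policy.
ATTRS = {
    "domain": {"untrusted_app", "shell", "crash_dump", "rs", "init"},
    "appdomain": {"untrusted_app", "shell"},
}
RULE = re.compile(
    r"(allow|neverallow)\s+(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+):(\w+)\s+(\{[^}]*\}|\w+);")

def expand(expr):
    """Expand a type set like '{ domain -appdomain -rs }' into concrete types."""
    toks = expr.strip("{} ").split()
    pos = set().union(*(ATTRS.get(t, {t}) for t in toks if not t.startswith("-")))
    neg = set().union(*(ATTRS.get(t[1:], {t[1:]}) for t in toks if t.startswith("-")))
    return pos - neg

def parse(rule):
    kind, src, tgt, cls, perms = RULE.fullmatch(rule.strip()).groups()
    return kind, expand(src), expand(tgt), cls, set(perms.strip("{} ").split())

def violations(neverallow, allows):
    """Return (source, target) pairs in `allows` that the neverallow forbids."""
    _, n_src, n_tgt, n_cls, n_perms = parse(neverallow)
    hits = []
    for rule in allows:
        _, src, tgt, cls, perms = parse(rule)
        if cls == n_cls and perms & n_perms:
            hits += [(s, t) for s in sorted(src & n_src) for t in sorted(tgt & n_tgt)]
    return hits

# The page's two assertions, with userdebug_or_eng(...) expanded as on a user build.
TRANSITION = ("neverallow { appdomain -shell } "
              "{ domain -appdomain -crash_dump -rs }:process { transition };")
DYNTRANSITION = "neverallow { appdomain -shell } { domain -appdomain }:process { dyntransition };"

# Constructed allow rules for the demonstration.
ALLOWS = [
    "allow untrusted_app rs:process transition;",          # exempted by -rs
    "allow untrusted_app crash_dump:process transition;",  # exempted by -crash_dump
    "allow shell init:process transition;",                # shell is excluded as source
    "allow untrusted_app init:process { transition sigchld };",  # forbidden
    "allow untrusted_app rs:process dyntransition;",       # no -rs on dyntransition
]

if __name__ == "__main__":
    print(violations(TRANSITION, ALLOWS))
    print(violations(DYNTRANSITION, ALLOWS))
```

The second assertion carries no -rs exemption, so a dyntransition from an app into rs is still rejected even though the exec-based transition is allowed.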