8f75f76fbd
odrefresh is the process responsible for checking and creating ART compilation artifacts that live in the ART APEX data directory (/data/misc/apexdata/com.android.art). There are two types of change here: 1) enabling odrefresh to run dex2oat and write updated boot class path and system server AOT artifacts into the ART APEX data directory. 2) enabling the zygote and assorted diagnostic tools to use the updated AOT artifacts. odrefresh uses two file contexts: apex_art_data_file and apex_art_staging_data_file. When odrefresh invokes dex2oat, the generated files have the apex_art_staging_data_file label (which allows writing). odrefresh then moves these files from the staging area to their installation area and gives them the apex_art_data_file label. Bug: 160683548 Test: adb root && adb shell /apex/com.android.art/bin/odrefresh Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
480 lines
14 KiB
Text
480 lines
14 KiB
Text
# Transition to crash_dump when /system/bin/crash_dump* is executed.
|
|
# This occurs when the process crashes.
|
|
# We do not apply this to the su domain to avoid interfering with
|
|
# tests (b/114136122)
|
|
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
|
|
allow domain crash_dump:process sigchld;
|
|
|
|
# Allow every process to check the heapprofd.enable properties to determine
|
|
# whether to load the heap profiling library. This does not necessarily enable
|
|
# heap profiling, as initialization will fail if it does not have the
|
|
# necessary SELinux permissions.
|
|
get_prop(domain, heapprofd_prop);
|
|
# Allow heap profiling on debug builds.
|
|
userdebug_or_eng(`can_profile_heap({
|
|
domain
|
|
-bpfloader
|
|
-init
|
|
-kernel
|
|
-keystore
|
|
-llkd
|
|
-logd
|
|
-logpersist
|
|
-recovery
|
|
-recovery_persist
|
|
-recovery_refresh
|
|
-ueventd
|
|
-vendor_init
|
|
-vold
|
|
})')
|
|
|
|
# As above, allow perf profiling most processes on debug builds.
|
|
# zygote is excluded as system-wide profiling could end up with it
|
|
# (unexpectedly) holding an open fd across a fork.
|
|
userdebug_or_eng(`can_profile_perf({
|
|
domain
|
|
-bpfloader
|
|
-init
|
|
-kernel
|
|
-keystore
|
|
-llkd
|
|
-logd
|
|
-logpersist
|
|
-recovery
|
|
-recovery_persist
|
|
-recovery_refresh
|
|
-ueventd
|
|
-vendor_init
|
|
-vold
|
|
-zygote
|
|
})')
|
|
|
|
# Path resolution access in cgroups.
|
|
allow domain cgroup:dir search;
|
|
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
|
|
allow { domain -appdomain -rs } cgroup:file w_file_perms;
|
|
|
|
allow domain cgroup_rc_file:dir search;
|
|
allow domain cgroup_rc_file:file r_file_perms;
|
|
allow domain task_profiles_file:file r_file_perms;
|
|
allow domain task_profiles_api_file:file r_file_perms;
|
|
allow domain vendor_task_profiles_file:file r_file_perms;
|
|
|
|
# Allow all domains to read sys.use_memfd to determine
|
|
# if memfd support can be used if device supports it
|
|
get_prop(domain, use_memfd_prop);
|
|
|
|
# Read access to sdkextensions props
|
|
get_prop(domain, module_sdkextensions_prop)
|
|
|
|
# Read access to bq configuration values
|
|
get_prop(domain, bq_config_prop);
|
|
|
|
# For now, everyone can access core property files
|
|
# Device specific properties are not granted by default
|
|
not_compatible_property(`
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
|
get_prop(domain, core_property_type)
|
|
get_prop(domain, exported3_system_prop)
|
|
get_prop(domain, vendor_default_prop)
|
|
')
|
|
compatible_property_only(`
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
|
get_prop({coredomain appdomain shell}, core_property_type)
|
|
get_prop({coredomain appdomain shell}, exported3_system_prop)
|
|
get_prop({coredomain appdomain shell}, exported_camera_prop)
|
|
get_prop({coredomain shell}, userspace_reboot_exported_prop)
|
|
get_prop({coredomain shell}, userspace_reboot_log_prop)
|
|
get_prop({coredomain shell}, userspace_reboot_test_prop)
|
|
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
|
|
')
|
|
|
|
# Allow access to fsverity keyring.
|
|
allow domain kernel:key search;
|
|
# Allow access to keys in the fsverity keyring that were installed at boot.
|
|
allow domain fsverity_init:key search;
|
|
# For testing purposes, allow access to keys installed with su.
|
|
userdebug_or_eng(`
|
|
allow domain su:key search;
|
|
')
|
|
|
|
# Allow access to linkerconfig file
|
|
allow domain linkerconfig_file:dir search;
|
|
allow domain linkerconfig_file:file r_file_perms;
|
|
|
|
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
|
|
allow domain boringssl_self_test_marker:dir search;
|
|
|
|
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
|
# with other UIDs to these allowlisted domains.
|
|
neverallow {
|
|
domain
|
|
-vold
|
|
userdebug_or_eng(`-llkd')
|
|
-dumpstate
|
|
userdebug_or_eng(`-incidentd')
|
|
userdebug_or_eng(`-profcollectd')
|
|
-storaged
|
|
-system_server
|
|
} self:global_capability_class_set sys_ptrace;
|
|
|
|
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
|
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
|
|
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
|
|
neverallow { domain -system_server } *:keystore2_key use_dev_id;
|
|
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
userdebug_or_eng(`-domain')
|
|
} debugfs_tracing_debug:file no_rw_file_perms;
|
|
|
|
# System_server owns dropbox data, and init creates/restorecons the directory
|
|
# Disallow direct access by other processes.
|
|
neverallow { domain -init -system_server } dropbox_data_file:dir *;
|
|
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
|
|
|
|
###
|
|
# Services should respect app sandboxes
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-installd # creation of sandbox
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
|
|
|
|
# Only the following processes should be directly accessing private app
|
|
# directories.
|
|
neverallow {
|
|
domain
|
|
-adbd
|
|
-appdomain
|
|
-app_zygote
|
|
-dexoptanalyzer
|
|
-installd
|
|
-iorap_inode2filename
|
|
-iorap_prefetcherd
|
|
-profman
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
-runas
|
|
-system_server
|
|
-viewcompiler
|
|
-zygote
|
|
} { privapp_data_file app_data_file }:dir *;
|
|
|
|
# Only apps should be modifying app data. installd is exempted for
|
|
# restorecon and package install/uninstall.
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-installd
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-app_zygote
|
|
-installd
|
|
-iorap_prefetcherd
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
} { privapp_data_file app_data_file }:file_class_set open;
|
|
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-installd # creation of sandbox
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
|
|
|
|
neverallow {
|
|
domain
|
|
-installd
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
|
|
|
|
# The staging directory contains APEX and APK files. It is important to ensure
|
|
# that these files cannot be accessed by other domains to ensure that the files
|
|
# do not change between system_server staging the files and apexd processing
|
|
# the files.
|
|
neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
|
|
neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
|
|
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
|
|
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
|
|
# except for `link` and `unlink`.
|
|
neverallow { domain -init -system_server } staging_data_file:file
|
|
{ append create relabelfrom rename setattr write no_x_file_perms };
|
|
|
|
neverallow {
|
|
domain
|
|
-appdomain # for oemfs
|
|
-bootanim # for oemfs
|
|
-recovery # for /tmp/update_binary in tmpfs
|
|
} { fs_type -rootfs }:file execute;
|
|
|
|
#
|
|
# Assert that, to the extent possible, we're not loading executable content from
|
|
# outside the rootfs or /system partition except for a few allowlisted domains.
|
|
# Executable files loaded from /data is a persistence vector
|
|
# we want to avoid. See
|
|
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
|
|
#
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
with_asan(`-asan_extract')
|
|
-iorap_prefetcherd
|
|
-shell
|
|
userdebug_or_eng(`-su')
|
|
-system_server_startup # for memfd backed executable regions
|
|
-app_zygote
|
|
-webview_zygote
|
|
-zygote
|
|
userdebug_or_eng(`-mediaextractor')
|
|
userdebug_or_eng(`-mediaswcodec')
|
|
} {
|
|
file_type
|
|
-system_file_type
|
|
-system_lib_file
|
|
-system_linker_exec
|
|
-vendor_file_type
|
|
-exec_type
|
|
-postinstall_file
|
|
}:file execute;
|
|
|
|
# Only init is allowed to write cgroup.rc file
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
} cgroup_rc_file:file no_w_file_perms;
|
|
|
|
# Only authorized processes should be writing to files in /data/dalvik-cache
|
|
neverallow {
|
|
domain
|
|
-init # TODO: limit init to relabelfrom for files
|
|
-zygote
|
|
-installd
|
|
-postinstall_dexopt
|
|
-cppreopts
|
|
-dex2oat
|
|
-otapreopt_slot
|
|
} dalvikcache_data_file:file no_w_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-installd
|
|
-postinstall_dexopt
|
|
-cppreopts
|
|
-dex2oat
|
|
-zygote
|
|
-otapreopt_slot
|
|
} dalvikcache_data_file:dir no_w_dir_perms;
|
|
|
|
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
|
|
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
|
|
neverallow {
|
|
domain
|
|
# art processes
|
|
-odrefresh
|
|
# others
|
|
-apexd
|
|
-init
|
|
-vold_prepare_subdirs
|
|
} apex_art_data_file:file no_w_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
# art processes
|
|
-odrefresh
|
|
# others
|
|
-apexd
|
|
-init
|
|
-vold_prepare_subdirs
|
|
} apex_art_data_file:dir no_w_dir_perms;
|
|
|
|
# Protect most domains from executing arbitrary content from /data.
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
} {
|
|
data_file_type
|
|
-apex_art_data_file
|
|
-dalvikcache_data_file
|
|
-system_data_file # shared libs in apks
|
|
-apk_data_file
|
|
}:file no_x_file_perms;
|
|
|
|
# Minimize dac_override and dac_read_search.
|
|
# Instead of granting them it is usually better to add the domain to
|
|
# a Unix group or change the permissions of a file.
|
|
define(`dac_override_allowed', `{
|
|
apexd
|
|
dnsmasq
|
|
dumpstate
|
|
init
|
|
installd
|
|
userdebug_or_eng(`llkd')
|
|
lmkd
|
|
migrate_legacy_obb_data
|
|
netd
|
|
postinstall_dexopt
|
|
recovery
|
|
rss_hwm_reset
|
|
sdcardd
|
|
tee
|
|
ueventd
|
|
uncrypt
|
|
vendor_init
|
|
vold
|
|
vold_prepare_subdirs
|
|
zygote
|
|
}')
|
|
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
|
|
# Since the kernel checks dac_read_search before dac_override, domains that
|
|
# have dac_override should also have dac_read_search to eliminate spurious
|
|
# denials. Some domains have dac_read_search without having dac_override, so
|
|
# this list should be a superset of the one above.
|
|
neverallow ~{
|
|
dac_override_allowed
|
|
iorap_inode2filename
|
|
iorap_prefetcherd
|
|
traced_perf
|
|
traced_probes
|
|
heapprofd
|
|
} self:global_capability_class_set dac_read_search;
|
|
|
|
# Limit what domains can mount filesystems or change their mount flags.
|
|
# sdcard_type / vfat is exempt as a larger set of domains need
|
|
# this capability, including device-specific domains.
|
|
neverallow {
|
|
domain
|
|
-apexd
|
|
recovery_only(`userdebug_or_eng(`-fastbootd')')
|
|
-init
|
|
-kernel
|
|
-otapreopt_chroot
|
|
-recovery
|
|
-update_engine
|
|
-vold
|
|
-zygote
|
|
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
|
|
|
|
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
|
neverallow {
|
|
domain
|
|
userdebug_or_eng(`-domain')
|
|
-kernel
|
|
-gsid
|
|
-init
|
|
-recovery
|
|
-ueventd
|
|
-healthd
|
|
-uncrypt
|
|
-tee
|
|
-hal_bootctl_server
|
|
-fastbootd
|
|
} self:global_capability_class_set sys_rawio;
|
|
|
|
# Limit directory operations that doesn't need to do app data isolation.
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-installd
|
|
-zygote
|
|
} mirror_data_file:dir *;
|
|
|
|
# This property is being removed. Remove remaining access.
|
|
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
|
|
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
|
|
|
|
# Only core domains are allowed to access package_manager properties
|
|
neverallow { domain -init -system_server } pm_prop:property_service set;
|
|
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
|
|
|
|
# Do not allow reading the last boot timestamp from system properties
|
|
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
|
|
|
|
# Kprobes should only be used by adb root
|
|
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
|
|
|
|
# On TREBLE devices, most coredomains should not access vendor_files.
|
|
# TODO(b/71553434): Remove exceptions here.
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-appdomain
|
|
-bootanim
|
|
-crash_dump
|
|
-heapprofd
|
|
userdebug_or_eng(`-profcollectd')
|
|
-init
|
|
-iorap_inode2filename
|
|
-iorap_prefetcherd
|
|
-kernel
|
|
-traced_perf
|
|
-ueventd
|
|
} vendor_file:file { no_w_file_perms no_x_file_perms open };
|
|
')
|
|
|
|
# Vendor domains are not permitted to initiate communications to core domain sockets
|
|
full_treble_only(`
|
|
neverallow_establish_socket_comms({
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-socket_between_core_and_vendor_violators
|
|
}, {
|
|
coredomain
|
|
-logd # Logging by writing to logd Unix domain socket is public API
|
|
-netd # netdomain needs this
|
|
-mdnsd # netdomain needs this
|
|
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
|
|
-init
|
|
-tombstoned # linker to tombstoned
|
|
userdebug_or_eng(`-heapprofd')
|
|
userdebug_or_eng(`-traced_perf')
|
|
});
|
|
')
|
|
|
|
full_treble_only(`
|
|
# Do not allow system components access to /vendor files except for the
|
|
# ones allowed here.
|
|
neverallow {
|
|
coredomain
|
|
# TODO(b/37168747): clean up fwk access to /vendor
|
|
-crash_dump
|
|
-init # starts vendor executables
|
|
-iorap_inode2filename
|
|
-iorap_prefetcherd
|
|
-kernel # loads /vendor/firmware
|
|
-heapprofd
|
|
userdebug_or_eng(`-profcollectd')
|
|
-shell
|
|
-system_executes_vendor_violators
|
|
-traced_perf # library/binary access for symbolization
|
|
-ueventd # reads /vendor/ueventd.rc
|
|
-vold # loads incremental fs driver
|
|
} {
|
|
vendor_file_type
|
|
-same_process_hal_file
|
|
-vendor_app_file
|
|
-vendor_apex_file
|
|
-vendor_configs_file
|
|
-vendor_service_contexts_file
|
|
-vendor_framework_file
|
|
-vendor_idc_file
|
|
-vendor_keychars_file
|
|
-vendor_keylayout_file
|
|
-vendor_overlay_file
|
|
-vendor_public_lib_file
|
|
-vendor_task_profiles_file
|
|
-vndk_sp_file
|
|
}:file *;
|
|
')
|
|
|
|
# mlsvendorcompat is only for compatibility support for older vendor
|
|
# images, and should not be granted to any domain in current policy.
|
|
# (Every domain is allowed self:fork, so this will trigger if the
|
|
# intsersection of domain & mlsvendorcompat is not empty.)
|
|
neverallow domain mlsvendorcompat:process fork;
|