tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/app_zygote.te
Martijn Coenen 1bbda7e662 Initial sepolicy for app_zygote. 
The application zygote is a new sort of zygote process that is a
child of the regular zygote. Each application zygote is tied to the
application for which it's launched. Once it's started, it will
pre-load some of the code for that specific application, much like
the regular zygote does for framework code.

Once the application zygote is up and running, it can spawn
isolated service processes that run in the isolated_app domain. These
services can then benefit from already having the relevant
application code and data pre-loaded.

The policy is largely the same as the webview_zygote domain,
however there are a few crucial points where the policy is different.

1) The app_zygote runs under the UID of the application that spawned
   it.
2) During app_zygote launch, it will call a callback that is
   controlled by the application, that allows the application to
   pre-load code and data that it thinks is relevant.

Especially point 2 is imporant: it means that untrusted code can run
in the app_zygote context. This context is severely limited, and the
main concern is around the setgid/setuid capabilities. Those conerns
are mitigated by installing a seccomp filter that only allows
setgid/setuid to be called in a safe range.

Bug: 111434506
Test: app_zygote can start and fork children without denials.
Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2019-01-21 08:24:41 +00:00

135 lines
4.7 KiB
Text
Raw Blame History

typeattribute app_zygote coredomain;
######
###### Policy below is different from regular zygote-spawned apps
######
# The app_zygote needs to be able to transition domains.
typeattribute app_zygote mlstrustedsubject;
# Allow access to temporary files, which is normally permitted through
# a domain macro.
tmpfs_domain(app_zygote);
# Set the UID/GID of the process.
# This will be further limited to a range of isolated UIDs with seccomp.
allow app_zygote self:global_capability_class_set { setgid setuid };
# Drop capabilities from bounding set.
allow app_zygote self:global_capability_class_set setpcap;
# Switch SELinux context to isolated app domain.
allow app_zygote self:process setcurrent;
allow app_zygote isolated_app:process dyntransition;
# For JIT
allow app_zygote self:process execmem;
# Allow app_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow app_zygote debugfs_trace_marker:file getattr;
# get system_server process group
allow app_zygote system_server:process getpgid;
# Interaction between the app_zygote and its children.
allow app_zygote isolated_app:process setpgid;
# TODO (b/63631799) fix this access
dontaudit app_zygote mnt_expand_file:dir getattr;
# Get seapp_contexts
allow app_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(app_zygote)
# Check SELinux permissions.
selinux_check_access(app_zygote)
######
###### Policy below is shared with regular zygote-spawned apps
######
# Child of zygote.
allow app_zygote zygote:fd use;
allow app_zygote zygote:process sigchld;
# For ART (read /data/dalvik-cache).
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;
# Allow reading/executing installed binaries to enable preloading
# application data
allow app_zygote apk_data_file:dir r_dir_perms;
allow app_zygote apk_data_file:file { r_file_perms execute };
# Allow app_zygote access to /vendor/overlay
r_dir_file(app_zygote, vendor_overlay_file)
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
#####
##### Neverallow
#####
# Only permit transition to isolated_app.
neverallow app_zygote { domain -isolated_app }:process dyntransition;
# Only setcon() transitions, no exec() based transitions, except for crash_dump.
neverallow app_zygote { domain -crash_dump }:process transition;
# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
neverallow app_zygote *:file execute_no_trans;
# The only way to enter this domain is for the zygote to fork a new
# app_zygote child.
neverallow { domain -zygote } app_zygote:process dyntransition;
# Disallow write access to properties.
neverallow app_zygote property_socket:sock_file write;
neverallow app_zygote property_type:property_service set;
# Should not have any access to non-app data files.
neverallow app_zygote {
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
}:file { rwx_file_perms };
neverallow app_zygote {
service_manager_type
-activity_service
-webviewupdate_service
}:service_manager find;
# Isolated apps should not be able to access the driver directly.
neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
# Do not allow app_zygote access to /cache.
neverallow app_zygote cache_file:dir ~{ r_dir_perms };
neverallow app_zygote cache_file:file ~{ read getattr };
# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
# unix_stream_socket, and netlink_selinux_socket.
neverallow app_zygote domain:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
appletalk_socket netlink_route_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow app_zygote {
bluetooth_a2dp_offload_prop
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;
Reference in a new issue View git blame Copy permalink