author | Chad Brubaker | 2017-10-25 14:41:11 -0500 |
---|---|---|
committer | android-build-team Robot | 2017-10-27 09:48:11 -0500 |
commit | d36de78b378cb94910acba34df408518ef79729d (patch) | |
tree | 669a18dc4d04ae329ee906e12ee91f2bc5f1bdcb | |
parent | 75ab1aa92556a1689af0c194abf283a5b097a635 (diff) | |
Allow Instant/V2 apps to load code from /data/data
This restriction causes issues with dynamite.
Since untrusted_v2_app was about enforcing this constraint, put installed
v2 applications back into the normal untrusted_app domain.
Bug: 64806320
Test: Manual test with app using dynamite module
Change-Id: I3abf3ade64aaf689039a515de642759dd39ae6f7
(cherry picked from commit fe836817942f21eaf6a33f137ea56eb1329d29fe)
-rw-r--r-- | private/ephemeral_app.te | 7 | ||||
-rw-r--r-- | private/seapp_contexts | 1 |
2 files changed, 5 insertions, 3 deletions
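--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -19,6 +19,10 @@ app_domain(ephemeral_app)
 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;
@@ -35,8 +39,7 @@ allow ephemeral_app ephemeral_app_api_service:service_manager find;
 ### neverallow rules
 ###
 
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file execute_no_trans;
 
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;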
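Review bot: The comment added above `allow ephemeral_app app_data_file:file {r_file_perms execute};` says apps write out "shared libraries and binaries" and "then execute" them, but the neverallow kept in the second hunk still forbids `execute_no_trans`, so as far as these lines show only mapping code (for example loading a library) is permitted, not exec of a binary from the sandbox directory. The second hunk also removes the only comment on that neverallow, so nothing now explains why `execute` was released while `execute_no_trans` stays blocked. I would reword the allow comment to `# Allow mapping code (e.g. shared libraries) that the app wrote to its sandbox directory.` and put `# Ephemeral apps may map code from their data directory but must never exec a file there directly.` above the neverallow. Because this makes app-writable files executable in the ephemeral_app domain, the allow comment is also the right place to reference the bug from the commit message that justifies the relaxation.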
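--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -105,7 +105,6 @@ user=_isolated domain=isolated_app levelFrom=user
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
-user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user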