nehemiah-zb/lineage_patches_unified
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
lineage_patches_unified/patches/platform_system_sepolicy/0015-isolated_app-add-mmaps.patch
AndyCGYan b71d406ba3 Initial commit, syncing up to v115
2019-08-08 02:52:03 +00:00

92 lines
4.6 KiB
Diff
Raw Blame History

From ea98326c1e263dabcef91bb63e3a0c43f57c3e59 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 31 Oct 2018 12:47:27 -0700
Subject: [PATCH 15/26] isolated_app: add mmaps
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). system/sepolicy commit
4397f08288890ef397697b4d6dbff596bdca14c8 introduced the permission to
Android and updated common macros. Since then, we've been adding more
mmap support where it was accidentally omitted.
Add the ability for isolated_apps to mmap() app data files. There's no
reason why this should be blocked. Also fixup sdcard access which has
similar problems.
Bug: 118760652
Bug: https://crbug.com/892014
Test: policy compiles.
Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
---
prebuilts/api/28.0/private/isolated_app.te | 6 +++---
private/isolated_app.te | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
index a6276b38..0348a3ee 100644
--- a/prebuilts/api/28.0/private/isolated_app.te
+++ b/prebuilts/api/28.0/private/isolated_app.te
@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
+allow isolated_app app_data_file:file { append read write getattr lock map };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace;
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr };
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index a6276b38..0348a3ee 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
+allow isolated_app app_data_file:file { append read write getattr lock map };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace;
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr };
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
--
2.17.1
Reference in New Issue View Git Blame Copy Permalink