
Stephen Smalley committed 3e0e6fe

Only allow PROT_EXEC for ashmem where required.

The tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions. Execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains. Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now; we are not seeing it.

Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder-using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.

Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

  • Parent commits f0ac7a7
  • Branches seandroid, seandroid-4.4


Files changed (3)

 
 # Dalvik Compiler JIT Mapping.
 allow appdomain self:process execmem;
+allow appdomain ashmem_device:chr_file execute;
 
 # Allow apps to connect to the keystore
 unix_socket_connect(appdomain, keystore, keystore)
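Review bot: the new `allow appdomain ashmem_device:chr_file execute;` sits under the "# Dalvik Compiler JIT Mapping." comment, but that comment was written for the `execmem` rule and does not say why apps also need PROT_EXEC mappings of /dev/ashmem. Since the comment "# Map /dev/ashmem with PROT_EXEC." is being deleted from binder_use() in the te_macros hunk, carry it over here so the reason for the grant stays documented next to the rule; note also that this grant is attribute-wide (every appdomain), so it should be confirmed that no finer per-domain placement was intended.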

File system_server.te

 #
 type system_server, domain, mlstrustedsubject;
 
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
 # Dalvik Compiler JIT Mapping.
 allow system_server self:process execmem;
+allow system_server ashmem_device:chr_file execute;
+allow system_server system_server_tmpfs:file execute;
 
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 
 # Perform Binder IPC.
-tmpfs_domain(system_server)
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
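Review bot: system_server now keeps `ashmem_device:chr_file execute` and `system_server_tmpfs:file execute` but, consistent with the commit message, gets no `execmod`, so any text relocation on an ashmem-backed mapping in system_server will start to be denied by this change; worth a comment stating that the omission is deliberate so a later `execmod` denial is not treated as a policy bug. Moving `tmpfs_domain(system_server)` out from under "# Perform Binder IPC." with its own "# Define a type for tmpfs-backed ashmem regions." comment is the right cleanup, since the type definition must precede the new `system_server_tmpfs` rule and has nothing to do with binder.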
 define(`tmpfs_domain', `
 type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file { read write execute execmod };
+allow $1 $1_tmpfs:file { read write };
 ')
 
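Review bot: dropping `execute execmod` from tmpfs_domain() narrows the macro to `{ read write }` for every caller, which is the stated intent, but the "# Map with PROT_EXEC." comment is removed with nothing explaining that execute is now granted elsewhere (app_domain() and individual domains). Add a one-line comment in the macro pointing to where PROT_EXEC is granted, so the next person who sees an `execute` denial on a `*_tmpfs` type knows to add it per domain rather than back into this macro.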
 #####################################
 typeattribute $1 appdomain;
 # Label ashmem objects with our own unique type.
 tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
 ')
 
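Review bot: app_domain() now grants `$1_tmpfs:file execute` per domain, while the matching `ashmem_device:chr_file execute` for apps is added to the `appdomain` attribute in the first file rather than here. Splitting the two halves of the PROT_EXEC grant across app.te-style attribute rules and this macro makes them easy to lose track of; either add the `ashmem_device` rule here under the same "# Map with PROT_EXEC." comment or extend that comment to say the device-node half lives with the appdomain rules.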
 #####################################
 define(`binder_use', `
 # Call the servicemanager and transfer references to it.
 allow $1 servicemanager:binder { call transfer };
-# Map /dev/ashmem with PROT_EXEC.
-allow $1 ashmem_device:chr_file execute;
 # rw access to /dev/binder and /dev/ashmem is presently granted to
 # all domains in domain.te.
 ')
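Review bot: removing `ashmem_device:chr_file execute` from binder_use() revokes PROT_EXEC on /dev/ashmem for every binder-using domain, yet of the three changed files only system_server.te re-adds it for a specific non-app domain. The commit message says "specific domains as required", so this should be exercised on a device to catch other binder users that still map ashmem executable, and the remaining comment "rw access to /dev/binder and /dev/ashmem is presently granted to all domains in domain.te." is still accurate after the change, so it can stay.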