remove system_server_startup domain

APEX isn't used for out-of-band updates by GrapheneOS, so this extra attack surface is not required.
GrapheneOS · Sep 10, 2020 · 53ec5c3 · 53ec5c3
1 parent f73af4d
commit 53ec5c3
Show file tree

Hide file tree

Showing 10 changed files with 8 additions and 66 deletions.
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
@@ -196,7 +196,6 @@ neverallow {
     with_asan(`-asan_extract')
     -shell
     userdebug_or_eng(`-su')
-    -system_server_startup # for memfd backed executable regions
     -app_zygote
     -webview_zygote
     -zygote

diff --git a/prebuilts/api/29.0/private/seapp_contexts b/prebuilts/api/29.0/private/seapp_contexts
@@ -138,7 +138,7 @@ neverallow user=shell name=((?!com\.android\.shell).)*
 # Ephemeral Apps must run in the ephemeral_app domain
 neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 
-isSystemServer=true domain=system_server_startup
+isSystemServer=true domain=system_server
 
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file

diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
@@ -992,11 +992,6 @@ neverallow system_server ashmem_device:chr_file execute;
 # TODO: deal with tmpfs_domain pub/priv split properly
 neverallow system_server system_server_tmpfs:file execute;
 
-# Resources handed off by system_server_startup
-allow system_server system_server_startup:fd use;
-allow system_server system_server_startup_tmpfs:file { read write map };
-allow system_server system_server_startup:unix_dgram_socket write;
-
 # Allow system server to communicate to apexd
 allow system_server apex_service:service_manager find;
 allow system_server apexd:binder call;

diff --git a/prebuilts/api/29.0/private/system_server_startup.te b/prebuilts/api/29.0/private/system_server_startup.te
diff --git a/prebuilts/api/29.0/private/zygote.te b/prebuilts/api/29.0/private/zygote.te
@@ -14,7 +14,7 @@ allow zygote self:global_capability_class_set setpcap;
 
 # Switch SELinux context to app domains.
 allow zygote self:process setcurrent;
-allow zygote system_server_startup:process dyntransition;
+allow zygote system_server:process dyntransition;
 allow zygote appdomain:process dyntransition;
 allow zygote webview_zygote:process dyntransition;
 allow zygote app_zygote:process dyntransition;
@@ -149,11 +149,11 @@ dontaudit zygote self:global_capability_class_set sys_resource;
 # written on appdomain are applied to all app processes.
 # This is achieved by ensuring that it is impossible for zygote to
 # setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server_startup, webview_zygote and
+# with appdomain plus system_server, webview_zygote and
 # app_zygote.
 neverallow zygote ~{
   appdomain
-  system_server_startup
+  system_server
   webview_zygote
   app_zygote
 }:process dyntransition;

diff --git a/private/domain.te b/private/domain.te
@@ -196,7 +196,6 @@ neverallow {
     with_asan(`-asan_extract')
     -shell
     userdebug_or_eng(`-su')
-    -system_server_startup # for memfd backed executable regions
     -app_zygote
     -webview_zygote
     -zygote

diff --git a/private/seapp_contexts b/private/seapp_contexts
@@ -138,7 +138,7 @@ neverallow user=shell name=((?!com\.android\.shell).)*
 # Ephemeral Apps must run in the ephemeral_app domain
 neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 
-isSystemServer=true domain=system_server_startup
+isSystemServer=true domain=system_server
 
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file

diff --git a/private/system_server.te b/private/system_server.te
@@ -992,11 +992,6 @@ neverallow system_server ashmem_device:chr_file execute;
 # TODO: deal with tmpfs_domain pub/priv split properly
 neverallow system_server system_server_tmpfs:file execute;
 
-# Resources handed off by system_server_startup
-allow system_server system_server_startup:fd use;
-allow system_server system_server_startup_tmpfs:file { read write map };
-allow system_server system_server_startup:unix_dgram_socket write;
-
 # Allow system server to communicate to apexd
 allow system_server apex_service:service_manager find;
 allow system_server apexd:binder call;

diff --git a/private/system_server_startup.te b/private/system_server_startup.te
diff --git a/private/zygote.te b/private/zygote.te
@@ -14,7 +14,7 @@ allow zygote self:global_capability_class_set setpcap;
 
 # Switch SELinux context to app domains.
 allow zygote self:process setcurrent;
-allow zygote system_server_startup:process dyntransition;
+allow zygote system_server:process dyntransition;
 allow zygote appdomain:process dyntransition;
 allow zygote webview_zygote:process dyntransition;
 allow zygote app_zygote:process dyntransition;
@@ -149,11 +149,11 @@ dontaudit zygote self:global_capability_class_set sys_resource;
 # written on appdomain are applied to all app processes.
 # This is achieved by ensuring that it is impossible for zygote to
 # setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server_startup, webview_zygote and
+# with appdomain plus system_server, webview_zygote and
 # app_zygote.
 neverallow zygote ~{
   appdomain
-  system_server_startup
+  system_server
   webview_zygote
   app_zygote
 }:process dyntransition;