platform_system_sepolicy/private/app_neverallows.te

###
### neverallow rules for untrusted app domains
###

# Only allow domains in AOSP to use the untrusted_app_all attribute.
neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;

define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app mediaprovider }')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow all_untrusted_apps domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps debugfs_type:file read;

# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;

# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;

# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints.  As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
neverallow all_untrusted_apps mlstrustedsubject:process fork;

# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
neverallow all_untrusted_apps file_type:file link;

# Do not allow untrusted apps to access network MAC address file
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;

# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket
} *;

# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };

# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
neverallow { all_untrusted_apps -mediaprovider } {
  fs_type
  -fuse                     # sdcard
  -sdcardfs                 # sdcard
  -vfat
  file_type
  -app_data_file            # The apps sandbox itself
  -media_rw_data_file       # Internal storage. Known that apps can
                            # leave artfacts here after uninstall.
  -user_profile_data_file   # Access to profile files
  userdebug_or_eng(`
    -method_trace_data_file # only on ro.debuggable=1
    -coredump_file          # userdebug/eng only
  ')
}:dir_file_class_set { create unlink };

# Do not allow untrusted apps to directly open tun_device
neverallow all_untrusted_apps tun_device:chr_file open;

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
neverallow all_untrusted_apps anr_data_file:dir ~search;

# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };

# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;

# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00			`###`
			`### neverallow rules for untrusted app domains`
			`###`

untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`# Only allow domains in AOSP to use the untrusted_app_all attribute.`
			`neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;`

Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9 2017-04-11 01:57:48 +02:00			define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app mediaprovider }')
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00			`# Receive or send uevent messages.`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Receive or send generic netlink messages`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallow all_untrusted_apps domain:netlink_socket *;`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Too much leaky information in debugfs. It's a security`
			`# best practice to ensure these files aren't readable.`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallow all_untrusted_apps debugfs_type:file read;`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Do not allow untrusted apps to register services.`
			`# Only trusted components of Android should be registering`
			`# services.`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallow all_untrusted_apps service_manager_type:service_manager add;`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Do not allow untrusted apps to connect to the property service`
			`# or set properties. b/10243159`
Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9 2017-04-11 01:57:48 +02:00			`neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;`
			`neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;`
			`neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Do not allow untrusted apps to be assigned mlstrustedsubject.`
			`# This would undermine the per-user isolation model being`
			`# enforced via levelFrom=user in seapp_contexts and the mls`
			`# constraints. As there is no direct way to specify a neverallow`
			`# on attribute assignment, this relies on the fact that fork`
			`# permission only makes sense within a domain (hence should`
			`# never be granted to any other domain within mlstrustedsubject)`
			`# and an untrusted app is allowed fork permission to itself.`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallow all_untrusted_apps mlstrustedsubject:process fork;`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Do not allow untrusted apps to hard link to any files.`
			`# In particular, if an untrusted app links to other app data`
			`# files, installd will not be able to guarantee the deletion`
			`# of the linked to file. Hard links also contribute to security`
			`# bugs, so we want to ensure untrusted apps never have this`
			`# capability.`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallow all_untrusted_apps file_type:file link;`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Do not allow untrusted apps to access network MAC address file`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the`
			`# ioctl permission, or 3. disallow the socket class.`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;`
			`neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;`
			`neverallow all_untrusted_apps *:{`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00			`socket netlink_socket packet_socket key_socket appletalk_socket`
Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes. The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Unless we need to retain compatibility for kernels < 3.5, we can drop these classes from the policy altogether. Possibly the neverallow rule in app.te should be augmented to include the newer netlink security classes, similar to webview_zygote, but that can be a separate change. Test: policy builds Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2017-02-06 20:14:58 +01:00			`netlink_tcpdiag_socket netlink_nflog_socket`
			`netlink_xfrm_socket netlink_audit_socket`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00			`netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket`
			`netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket`
			`netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket`
			`netlink_rdma_socket netlink_crypto_socket`
			`} *;`

			`# Do not allow untrusted apps access to /cache`
Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9 2017-04-11 01:57:48 +02:00			`neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };`
			`neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Do not allow untrusted apps to create/unlink files outside of its sandbox,`
			`# internal storage or sdcard.`
			`# World accessible data locations allow application to fill the device`
			`# with unaccounted for data. This data will not get removed during`
			`# application un-installation.`
Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9 2017-04-11 01:57:48 +02:00			`neverallow { all_untrusted_apps -mediaprovider } {`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00			`fs_type`
			`-fuse # sdcard`
			`-sdcardfs # sdcard`
			`-vfat`
			`file_type`
			`-app_data_file # The apps sandbox itself`
			`-media_rw_data_file # Internal storage. Known that apps can`
			`# leave artfacts here after uninstall.`
			`-user_profile_data_file # Access to profile files`
			userdebug_or_eng(`
			`-method_trace_data_file # only on ro.debuggable=1`
			`-coredump_file # userdebug/eng only`
			`')`
			`}:dir_file_class_set { create unlink };`

			`# Do not allow untrusted apps to directly open tun_device`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallow all_untrusted_apps tun_device:chr_file open;`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallow all_untrusted_apps anr_data_file:file ~{ open append };`
			`neverallow all_untrusted_apps anr_data_file:dir ~search;`
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b 2017-01-28 00:53:38 +01:00
			`# Avoid reads from generically labeled /proc files`
			`# Create a more specific label if needed`
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2 2017-02-06 19:31:45 +01:00			`neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };`
Split preloads into media_file and data_file Untrusted apps should only access /data/preloads/media and demo directory. Bug: 36197686 Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446 2017-03-14 19:42:03 +01:00
			`# Do not allow untrusted apps access to preloads data files`
			`neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;`
app.te: prevent locks of files on /system Prevent app domains (processes spawned by zygote) from acquiring locks on files in /system. In particular, /system/etc/xtables.lock must never be lockable by applications, as it will block future iptables commands from running. Test: device boots and no obvious problems. Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b 2017-03-22 18:35:24 +01:00
			`# Locking of files on /system could lead to denial of service attacks`
			`# against privileged system components`
			`neverallow all_untrusted_apps system_file:file lock;`