system_app: remove perms to write to system_data_file

Strengthen neverallow rule to enforce that no apps may write to system_data_file - the default label for /data/ Change-Id: I886e4340f300551754c9e33e9c1764fb730b6b14
2016-01-20 14:36:45 -08:00 · 2016-01-20 14:36:45 -08:00 · 024dc1ce3c
commit 024dc1ce3c
parent 589ffaf617
2 changed files with 2 additions and 11 deletions
--- a/app.te
+++ b/app.te
@ -321,9 +321,7 @@ neverallow appdomain exec_type:file
 # This is the default type for anything under /data not otherwise
 # specified in file_contexts.  Define a different type for portions
 # that should be writable by apps.
-# Exception for system_app for Settings.
-neverallow { appdomain -system_app }
-    system_data_file:dir_file_class_set
+neverallow appdomain system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

 # Write to various other parts of /data.
--- a/system_app.te
+++ b/system_app.te
@ -16,16 +16,9 @@ allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
 allow system_app keychain_data_file:dir r_dir_perms;
 allow system_app keychain_data_file:file r_file_perms;

-# Read and write to other system-owned /data directories, such as
-# /data/system/cache and /data/misc/user.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
+# Read and write to /data/misc/user.
 allow system_app misc_user_data_file:dir create_dir_perms;
 allow system_app misc_user_data_file:file create_file_perms;
-# Audit writes to these directories and files so we can identify
-# and possibly move these directories into their own type in the future.
-auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
-auditallow system_app system_data_file:file { create setattr append write link unlink rename };

 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;