From 3fbb177016005dcf7bbf797297ffd3c315cbcd02 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Mon, 27 Mar 2023 10:03:46 +0200
Subject: [PATCH] Audit use of watch and watch_reads on apk_data_file

This can be used as a side channel observe when an application is launched.

Ignore-AOSP-First: Security fix
Bug: 231587164
Test: boot device, install/uninstall apps. Observe no new denials.
Test: Run researcher provided PoC. Observe audit messages.
Change-Id: I8434d9e3093ddc3109ac67d0870b7f664fb6f08e
---
 private/app.te | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/private/app.te b/private/app.te
index b6b47149c..6cb782d32 100644
--- a/private/app.te
+++ b/private/app.te
@@ -424,8 +424,15 @@ allow appdomain shared_relro_file:dir search;
 allow appdomain shared_relro_file:file r_file_perms;
 
 # Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
+allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
+allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
+# Allow watch & watch_reads for now, but audit to see if they're actually used.
+allow appdomain apk_data_file:dir { watch watch_reads };
+allow appdomain apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+  auditallow appdomain apk_data_file:dir { watch watch_reads };
+  auditallow appdomain apk_data_file:file { watch watch_reads };
+')
 
 # /data/resource-cache
 allow appdomain resourcecache_data_file:file r_file_perms;
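Review bot: The interim `allow appdomain apk_data_file:{dir,file} { watch watch_reads }` rules keep the launch-observation side channel open on every build, and the `auditallow` that is meant to justify removing them is wrapped in `userdebug_or_eng`, so no audit data is collected from user builds; the comment should say that the allow is temporary and name the tracking bug so the removal is not forgotten, e.g. `# TODO(b/231587164): remove watch/watch_reads once auditallow shows no legitimate users.` The hand-expanded `{ open getattr read search ioctl lock }` and `{ getattr open read ioctl lock map x_file_perms }` sets presumably mirror `r_dir_perms` / `rx_file_perms` minus the two watch permissions, but they will silently drift if those macros change, so a one-line comment stating that relationship (or a dedicated macro) would make the intent checkable at review time. Whether the expanded sets are exactly macro-minus-watch cannot be confirmed from this hunk alone.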