Merge "strengthen app_data_file neverallows" am: 46288c6b97
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599511 Change-Id: I9588b6ca25d90b6faf2e7c6f994e1d0f13423011 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
5b0dad1c2a
14 changed files with 24 additions and 18 deletions
|
@ -110,4 +110,4 @@ allow dex2oat apexd:fd use;
|
|||
# Neverallow #
|
||||
##############
|
||||
|
||||
neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
|
||||
neverallow dex2oat app_data_file_type:notdevfile_class_set open;
|
||||
|
|
|
@ -56,7 +56,7 @@ allow ephemeral_app ashmem_device:chr_file rw_file_perms;
|
|||
### neverallow rules
|
||||
###
|
||||
|
||||
neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
|
||||
neverallow ephemeral_app app_data_file_type:file execute_no_trans;
|
||||
|
||||
# Receive or send uevent messages.
|
||||
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
|
||||
|
|
|
@ -37,7 +37,7 @@ dontaudit isolated_app_all shell_data_file:dir search;
|
|||
#####
|
||||
|
||||
# Isolated apps should not directly open app data files themselves.
|
||||
neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
|
||||
neverallow isolated_app_all app_data_file_type:file open;
|
||||
|
||||
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
|
||||
# TODO: are there situations where isolated_apps write to this file?
|
||||
|
|
|
@ -262,10 +262,10 @@ neverallow priv_app cgroup_v2:file *;
|
|||
# application home directories. Code loading across a security boundary
|
||||
# is dangerous and allows a full compromise of a privileged process
|
||||
# by an unprivileged process. b/112357170
|
||||
neverallow priv_app app_data_file:file no_x_file_perms;
|
||||
neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;
|
||||
|
||||
# Do not follow untrusted app provided symlinks
|
||||
neverallow priv_app app_data_file:lnk_file { open read getattr };
|
||||
# Do not follow any app provided symlinks
|
||||
neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };
|
||||
|
||||
# Do not allow getting permission-protected network information from sysfs.
|
||||
neverallow priv_app sysfs_net:file *;
|
||||
|
|
|
@ -35,6 +35,6 @@ allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
|
|||
neverallow rs rs:capability_class_set *;
|
||||
neverallow { domain -appdomain } rs:process { dyntransition transition };
|
||||
neverallow rs { domain -crash_dump }:process { dyntransition transition };
|
||||
neverallow rs app_data_file:file_class_set ~r_file_perms;
|
||||
neverallow rs app_data_file_type:file_class_set ~r_file_perms;
|
||||
# rs should never use network sockets
|
||||
neverallow rs *:network_socket_class_set *;
|
||||
|
|
|
@ -35,7 +35,7 @@ allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
|
|||
### neverallow rules
|
||||
###
|
||||
|
||||
neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
|
||||
neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
|
||||
|
||||
# Receive or send uevent messages.
|
||||
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
|
||||
|
@ -66,8 +66,9 @@ neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
|
|||
neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
|
||||
|
||||
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
|
||||
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
|
||||
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
|
||||
# TODO(b/280514080): shell_data_file shouldn't be allowed here
|
||||
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
|
||||
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
|
||||
|
||||
# SDK sandbox processes don't have any access to external storage
|
||||
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
|
||||
|
|
|
@ -58,7 +58,7 @@ dontaudit traced_perf domain:dir { search getattr open };
|
|||
dontaudit traced_perf domain:process signal;
|
||||
|
||||
# Never allow access to app data files
|
||||
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
|
||||
neverallow traced_perf app_data_file_type:file *;
|
||||
|
||||
# Never allow profiling privileged or otherwise incompatible domains.
|
||||
# Corresponding allow-rule is in private/domain.te.
|
||||
|
|
|
@ -660,7 +660,7 @@ neverallow init { file_type fs_type -init_exec }:file entrypoint;
|
|||
|
||||
# Never read/follow symlinks created by shell or untrusted apps.
|
||||
neverallow init shell_data_file:lnk_file read;
|
||||
neverallow init { app_data_file privapp_data_file }:lnk_file read;
|
||||
neverallow init app_data_file_type:lnk_file read;
|
||||
|
||||
# init should never execute a program without changing to another domain.
|
||||
neverallow init { file_type fs_type }:file execute_no_trans;
|
||||
|
|
|
@ -60,7 +60,12 @@ neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
|
|||
neverallow logd system_file_type:dir_file_class_set write;
|
||||
|
||||
# Write to files in /data/data or system files on /data
|
||||
neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
|
||||
neverallow logd {
|
||||
app_data_file_type
|
||||
system_data_file
|
||||
packages_list_file
|
||||
-shell_data_file # for bugreports
|
||||
}:dir_file_class_set write;
|
||||
|
||||
# Only init is allowed to enter the logd domain via exec()
|
||||
neverallow { domain -init } logd:process transition;
|
||||
|
|
|
@ -17,7 +17,7 @@ neverallow logpersist dev_type:blk_file { read write };
|
|||
neverallow logpersist domain:process ptrace;
|
||||
|
||||
# Write to files in /data/data or system files on /data except misc_logd_file
|
||||
neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
|
||||
neverallow logpersist { app_data_file_type system_data_file }:dir_file_class_set write;
|
||||
|
||||
# Only init should be allowed to enter the logpersist domain via exec()
|
||||
# Following is a list of debug domains we know that transition to logpersist
|
||||
|
|
|
@ -28,4 +28,4 @@ get_prop(profman, device_config_runtime_native_boot_prop)
|
|||
### neverallow rules
|
||||
###
|
||||
|
||||
neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
|
||||
neverallow profman app_data_file_type:notdevfile_class_set open;
|
||||
|
|
|
@ -28,5 +28,5 @@ neverallow recovery_persist domain:process ptrace;
|
|||
neverallow recovery_persist system_file_type:dir_file_class_set write;
|
||||
|
||||
# Write to files in /data/data
|
||||
neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
|
||||
neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;
|
||||
|
||||
|
|
|
@ -21,4 +21,4 @@ neverallow recovery_refresh domain:process ptrace;
|
|||
neverallow recovery_refresh system_file_type:dir_file_class_set write;
|
||||
|
||||
# Write to files in /data/data or system files on /data
|
||||
neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
|
||||
neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
|
||||
|
|
|
@ -301,7 +301,7 @@ neverallow { domain -init } vendor_init:process transition;
|
|||
neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
|
||||
|
||||
# Never read/follow symlinks created by shell or untrusted apps.
|
||||
neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
|
||||
neverallow vendor_init app_data_file_type:lnk_file read;
|
||||
neverallow vendor_init shell_data_file:lnk_file read;
|
||||
# Init should not be creating subdirectories in /data/local/tmp
|
||||
neverallow vendor_init shell_data_file:dir { write add_name remove_name };
|
||||
|
|
Loading…
Reference in a new issue