Merge "Further protect app private data files"

Treehugger Robot 2018-11-16 15:50:59 +00:00 committed by Gerrit Code Review
commit 6567cc2653
2 changed files with 10 additions and 7 deletions


@ -48,7 +48,6 @@ neverallow {
-adbd -adbd
-appdomain -appdomain
-dexoptanalyzer -dexoptanalyzer
-init
-installd -installd
userdebug_or_eng(`-perfprofd') userdebug_or_eng(`-perfprofd')
-profman -profman
@ -56,12 +55,11 @@ neverallow {
-system_server -system_server
} { privapp_data_file app_data_file }:dir *; } { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. init and installd are exempted for # Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall. # restorecon and package install/uninstall.
neverallow { neverallow {
domain domain
-appdomain -appdomain
-init
-installd -installd
} { privapp_data_file app_data_file }:dir ~r_dir_perms; } { privapp_data_file app_data_file }:dir ~r_dir_perms;
@ -80,7 +78,6 @@ neverallow {
neverallow { neverallow {
domain domain
-init
-installd -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto }; } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
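Review bot: The last rule in this section, the `{ relabelfrom relabelto }` neverallow that now exempts only `-installd`, has no comment in the visible hunk explaining that exemption, whereas the `~r_dir_perms` rule above it had its comment updated when `-init` was dropped. Unless a comment sits in the context outside the hunk, a line such as `# Only installd may relabel app data (restorecon, package install/uninstall); init is deliberately not exempted.` would record why the list must not grow back. The same applies to the first rule (`:dir *`), whose opening lines are outside the hunk. Because neverallow is only checked when policy is compiled, any remaining init rule over a broad attribute that still includes these two types would fail the build rather than pass silently, which is the fail-closed outcome.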


@ -223,9 +223,15 @@ allow init {
allow init cache_file:lnk_file r_file_perms; allow init cache_file:lnk_file r_file_perms;
allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto; allow init {
# does init really need to relabel app data? file_type
userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;') -system_file_type
-vendor_file_type
-exec_type
-app_data_file
-privapp_data_file
}:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom }; allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr }; allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms; allow init dev_type:dir create_dir_perms;
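Review bot: The rewritten `allow init { ... }:dir_file_class_set relabelto;` block subtracts `-app_data_file` and `-privapp_data_file` without a comment, and the old question "does init really need to relabel app data?" is removed together with its userdebug `auditallow`. A comment above the block such as `# init must never relabel app data; enforced by the neverallow on { privapp_data_file app_data_file } relabelfrom/relabelto.` would tie the exclusion to the rule that enforces it, so a later edit that widens the set is recognised as a policy change. The hunk narrows `relabelto` only. The `relabelfrom` rules visible here name sysfs and debugfs types, so they are unaffected, but any `file_type`-wide `relabelfrom` grant outside the hunk would need the same two subtractions. The record shown does not say whether the `auditallow` ever logged a hit before it was dropped, and stating that would make the removal easier to audit.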