Do not allow isolated_app to directly open app data files.
Only allow it to read/write/stat already open app data files received via Binder or local socket IPC. Change-Id: Ie66f240e109410a17aa93d9d5dea4c2b87d47009 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley
Nick Kralevich
parent
6963655194
commit
7d7151647f
2 changed files with 8 additions and 2 deletions
4
app.te
4
app.te
|
|
@ -46,8 +46,8 @@ allow appdomain appdomain:fifo_file rw_file_perms;
|
|||
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
|
||||
|
||||
# App sandbox file accesses.
|
||||
allow appdomain app_data_file:dir create_dir_perms;
|
||||
allow appdomain app_data_file:notdevfile_class_set create_file_perms;
|
||||
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
|
||||
|
||||
# lib subdirectory of /data/data dir is system-owned.
|
||||
allow appdomain system_data_file:dir r_dir_perms;
|
||||
|
|
|
|||
|
|
@ -12,6 +12,12 @@
|
|||
type isolated_app, domain;
|
||||
app_domain(isolated_app)
|
||||
|
||||
# Access already open app data files received over Binder or local socket IPC.
|
||||
allow isolated_app app_data_file:file { read write getattr };
|
||||
|
||||
# Isolated apps should not directly open app data files themselves.
|
||||
neverallow isolated_app app_data_file:file open;
|
||||
|
||||
# Isolated apps shouldn't be able to access the driver directly.
|
||||
neverallow isolated_app gpu_device:file { rw_file_perms execute };
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue