Merge "Improve tests protecting private app data"
am: db459a1b71
Change-Id: I78cd3a591da64050399517c4146dbf99bc924aff
This commit is contained in:
commit
c4b2a88b9b
6 changed files with 63 additions and 17 deletions
@ -121,3 +121,58 @@ full_treble_only(`
|
|||
# Disallow direct access by other processes.
|
||||
neverallow { domain -init -system_server } dropbox_data_file:dir *;
|
||||
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
|
||||
|
||||
###
|
||||
# Services should respect app sandboxes
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain
|
||||
-installd # creation of sandbox
|
||||
} app_data_file:dir_file_class_set { create unlink };
|
||||
|
||||
# Only the following processes should be directly accessing private app
|
||||
# directories.
|
||||
neverallow {
|
||||
domain
|
||||
-adbd
|
||||
-appdomain
|
||||
-dexoptanalyzer
|
||||
-init
|
||||
-installd
|
||||
-mediaserver # b/80300620
|
||||
userdebug_or_eng(`-perfprofd')
|
||||
-profman
|
||||
-runas
|
||||
-system_server
|
||||
-vold
|
||||
} app_data_file:dir *;
|
||||
|
||||
# Only apps should be modifying app data. init and installd are exempted for
|
||||
# restorecon and package install/uninstall.
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain
|
||||
-init
|
||||
-installd
|
||||
} app_data_file:dir ~r_dir_perms;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain
|
||||
-installd
|
||||
-mediaserver # b/80300620
|
||||
userdebug_or_eng(`-perfprofd')
|
||||
-vold # b/80418809
|
||||
} app_data_file:file_class_set open;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain
|
||||
-installd # creation of sandbox
|
||||
} app_data_file:dir_file_class_set { create unlink };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
} app_data_file:dir_file_class_set { relabelfrom relabelto };
|
||||
|
|
|
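Review bot: The rule `neverallow { domain -appdomain -installd } app_data_file:dir_file_class_set { create unlink };` appears twice in this hunk, once under the "Services should respect app sandboxes" comment and again after the `file_class_set open` rule; the second copy is redundant and should be dropped so the two do not drift apart on later edits. The perfprofd exemption in both the `app_data_file:dir *` rule and the `app_data_file:file_class_set open` rule is the only exemption without a tracking reference, whereas mediaserver and vold carry `# b/80300620` and `# b/80418809`; a `# TODO(<bug id>): remove once perfprofd no longer needs app data` beside it would record whether the exemption is meant to be temporary. It would also help to state above the `dir *` rule that the list is the complete set of non-app domains allowed to touch private app directories, so that any later addition to it is reviewed as a sandbox-boundary change rather than a routine allow.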
@ -1182,20 +1182,6 @@ neverallow {
|
|||
priv_app
|
||||
} system_app_data_file:dir_file_class_set { create unlink open };
|
||||
|
||||
|
||||
# Services should respect app sandboxes
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain
|
||||
-installd # creation of sandbox
|
||||
} app_data_file:dir_file_class_set { create unlink };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
} app_data_file:dir_file_class_set { relabelfrom relabelto };
|
||||
|
||||
#
|
||||
# Only these domains should transition to shell domain. This domain is
|
||||
# permissible for the "shell user". If you need a process to exec a shell
|
||||
|
|
|
@ -210,6 +210,8 @@ allow init {
|
|||
allow init cache_file:lnk_file r_file_perms;
|
||||
|
||||
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
|
||||
# does init really need to relabel app data?
|
||||
userdebug_or_eng(`auditallow init app_data_file:dir_file_class_set relabelto;')
|
||||
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
|
||||
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
|
||||
allow init dev_type:dir create_dir_perms;
|
||||
|
|
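Review bot: The new comment `# does init really need to relabel app data?` above the auditallow is an open question with no owner or tracking reference, unlike the TODO(b/...) comments added in the other hunks of this commit; suggest `# TODO(<bug id>): determine whether init needs relabelto on app_data_file; the auditallow below records actual use on userdebug/eng builds.` so the audit has a follow-up. The auditallow covers only relabelto, which matches the `allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;` line directly above it, while the neverallow added in the first hunk exempts init from both relabelfrom and relabelto; a short note that relabelfrom is intentionally not granted here would keep a later reader from widening the audit or the allow to match the exemption. The surrounding init rule set continues outside the hunk.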
|
@ -30,7 +30,10 @@ binder_service(mediaserver)
|
|||
|
||||
allow mediaserver media_data_file:dir create_dir_perms;
|
||||
allow mediaserver media_data_file:file create_file_perms;
|
||||
# TODO(b/80190017, b/80300620): remove direct access to private app data
|
||||
userdebug_or_eng(`auditallow mediaserver app_data_file:dir search;')
|
||||
allow mediaserver app_data_file:dir search;
|
||||
userdebug_or_eng(`auditallow mediaserver app_data_file:file open;')
|
||||
allow mediaserver app_data_file:file rw_file_perms;
|
||||
allow mediaserver sdcard_type:file write;
|
||||
allow mediaserver gpu_device:chr_file rw_file_perms;
|
||||
|
|
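Review bot: The auditallow added for mediaserver covers `app_data_file:file open` while the matching audit added in the vold hunk covers `app_data_file:file rw_file_perms`, even though both carry the same "remove direct access to private app data" TODO; the two should audit the same permission set so their logs are comparable when the access is eventually removed. Auditing `open` is the tighter signal for direct sandbox access, since read/write on a descriptor received from an app would presumably also be logged by the rw_file_perms variant and add noise; suggest changing the vold line to `auditallow vold app_data_file:file open;` inside the same userdebug_or_eng wrapper. The unchanged `allow mediaserver app_data_file:file rw_file_perms;` context line means the audit deliberately tracks only a subset of what is permitted, which is worth one sentence in the TODO comment.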
|
@ -4,9 +4,6 @@ type uncrypt_exec, exec_type, file_type;
|
|||
|
||||
allow uncrypt self:global_capability_class_set dac_override;
|
||||
|
||||
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
|
||||
r_dir_file(uncrypt, app_data_file)
|
||||
|
||||
userdebug_or_eng(`
|
||||
# For debugging, allow /data/local/tmp access
|
||||
r_dir_file(uncrypt, shell_data_file)
|
||||
|
|
|
@ -81,7 +81,10 @@ allow vold tmpfs:dir create_dir_perms;
|
|||
allow vold tmpfs:dir mounton;
|
||||
allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
|
||||
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
# TODO(b/80418809): remove direct access to private app data
|
||||
userdebug_or_eng(`auditallow vold app_data_file:dir search;')
|
||||
allow vold app_data_file:dir search;
|
||||
userdebug_or_eng(`auditallow vold app_data_file:file rw_file_perms;')
|
||||
allow vold app_data_file:file rw_file_perms;
|
||||
allow vold loop_control_device:chr_file rw_file_perms;
|
||||
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
|
||||
|
|