81e4e877f3
We have various apps which inherently work across all users, configured in seapp_contexts with levelFrom=None (usually implicitly). This change marks those apps, where they have private data files, as mlstrustedsubject, to allow us to increase restrictions on cross-user access without breaking them.

Currently these apps are granted full access to [priv_]app_data_file via TE rules, but are blocked from calling open (etc) by mls rules (they don't have a matching level). This CL changes things round so they are granted access by mls, but blocked from calling open by TE rules; the overall effect is thus the same - they do not have access. A neverallow rule is added to ensure this remains true.

Note that there are various vendor apps which are appdomain, levelFrom=None; they will also need modified policy.

Test: builds, boots, no new denials.
Bug: 141677108
Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
32 lines
855 B
Text
# MLS override can't be used to access private app data.

# Apps should not normally be mlstrustedsubject, but if they must be
# they cannot use this to access app private data files; their own app
# data files must use a different label.

neverallow {
  mlstrustedsubject
  -installd
  -iorap_prefetcherd
  -iorap_inode2filename
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };

neverallow {
  mlstrustedsubject
  -installd
  -iorap_prefetcherd
  -iorap_inode2filename
} { app_data_file privapp_data_file }:dir ~{ read getattr search };

# TODO(b/141677108): See if we can remove any of these.
neverallow {
  mlstrustedsubject
  -installd
  -iorap_prefetcherd
  -iorap_inode2filename
  -system_server
  -adbd
  -runas
  -dexoptanalyzer
  -zygote
} { app_data_file privapp_data_file }:dir { read getattr search };
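A small checker for the neverallow semantics used above, added here as an example (it is not part of the commit or of the sepolicy tooling): it expands the `-` exclusions in the source set and the `~{ ... }` permission complement, then reports any allow rule that would grant an access these neverallows forbid, which is exactly the check the build performs on the compiled policy. The mlstrustedsubject membership, the per-class permission lists and the `cross_user_app` domain are constructed for the example.

```python
import re

# Constructed for the example: which domains carry mlstrustedsubject. In a real
# build this comes from the compiled policy, not from this file.
ATTRS = {"mlstrustedsubject": {"installd", "system_server", "zygote", "adbd",
                               "iorap_prefetcherd", "cross_user_app"}}
# Constructed subset of the file/dir access vectors, enough to expand "~{ ... }".
CLASS_PERMS = {
    "file": {"read", "write", "map", "getattr", "ioctl", "lock", "append",
             "open", "create", "unlink", "execute", "setattr"},
    "dir": {"read", "getattr", "search", "open", "write", "add_name",
            "remove_name", "create", "rmdir"},
}
# The three neverallow rules from the page, verbatim apart from whitespace.
PAGE_NEVERALLOWS = """
neverallow { mlstrustedsubject -installd -iorap_prefetcherd -iorap_inode2filename }
  { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
neverallow { mlstrustedsubject -installd -iorap_prefetcherd -iorap_inode2filename }
  { app_data_file privapp_data_file }:dir ~{ read getattr search };
neverallow { mlstrustedsubject -installd -iorap_prefetcherd -iorap_inode2filename
  -system_server -adbd -runas -dexoptanalyzer -zygote }
  { app_data_file privapp_data_file }:dir { read getattr search };
"""
RULE = re.compile(r"\b(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+?)"
                  r":(\w+)\s+(~?)(\{[^}]*\}|\S+?)\s*;")

def expand_sources(expr):
    """Attributes expand to their members; '-x' removes x after expansion."""
    toks = expr.strip("{} \n").split()
    out = set()
    for t in toks:
        if not t.startswith("-"):
            out |= ATTRS.get(t, {t})
    return out - {t[1:] for t in toks if t.startswith("-")}

def expand_perms(cls, negate, expr):
    """'~{ a b }' means every permission of the class except a and b."""
    perms = set(expr.strip("{} \n").split())
    return CLASS_PERMS[cls] - perms if negate else perms

def parse(text):
    return [(kind, expand_sources(src), set(tgt.strip("{} \n").split()), cls,
             expand_perms(cls, neg, perms))
            for kind, src, tgt, cls, neg, perms in RULE.findall(text)]

def violations(policy_text):
    """Return (allow, neverallow) pairs where an allow grants forbidden access."""
    rules = parse(policy_text)
    nevers = [r for r in rules if r[0] == "neverallow"]
    return [(a, n) for a in rules if a[0] == "allow" for n in nevers
            if a[3] == n[3] and a[1] & n[1] and a[2] & n[2] and a[4] & n[4]]
```

Feeding it the page's rules plus `allow cross_user_app app_data_file:file open;` flags the open, while `{ read write getattr }` on the same file passes, which is the "granted by mls, blocked from open by TE" split the commit message describes.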