91a4f8d4fd
We were using system_data_file for the /data/data directories of system UID apps to match the DAC ownership of system UID shared with other system files. However, we are seeing cases where files created in these directories must be writable by other apps, and we would like to avoid allowing write to system data files outside of these directories. So introduce a separate system_app_data_file type and assign it. This should also help protect against arbitrary writes by system UID apps to other system data directories.

This resolves the following denial when cropping or taking a user photo for secondary users:

avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
45 lines
1.9 KiB
Text
# Input selectors:
# isSystemServer (boolean)
# user (string)
# seinfo (string)
# name (string)
# path (string)
# sebool (string)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
# An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match.
# user=_app will match any regular app UID.
# user=_isolated will match any isolated service UID.
# All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive.
# Precedence rules:
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified user= string before unspecified user= string.
# (3) Fixed user= string before user= prefix (i.e. ending in *).
# (4) Longer user= prefix before shorter user= prefix.
# (5) Specified seinfo= string before unspecified seinfo= string.
# (6) Specified name= string before unspecified name= string.
# (7) Specified path= string before unspecified path= string.
# (8) Specified sebool= string before unspecified sebool= string.
#
# Outputs:
# domain (string)
# type (string)
# levelFrom (string; one of none, all, app, or user)
# level (string)
# Only entries that specify domain= will be used for app process labeling.
# Only entries that specify type= will be used for app directory labeling.
# levelFrom=user is only supported for _app or _isolated UIDs.
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID.
#
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=shell domain=shell type=shell_data_file
user=_isolated domain=isolated_app
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app domain=untrusted_app type=app_data_file