ef1698a878
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.
By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.
Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Ignore-AOSP-First: Test is missing in AOSP. Will cherry-pick to AOSP
once merged here.
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
68 lines
2.3 KiB
Text
68 lines
2.3 KiB
Text
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
|
|
|
|
typeattribute vold_prepare_subdirs mlstrustedsubject;
|
|
|
|
allow vold_prepare_subdirs system_file:file execute_no_trans;
|
|
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
|
|
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
|
|
allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
|
|
allow vold_prepare_subdirs vold:fd use;
|
|
allow vold_prepare_subdirs vold:fifo_file { read write };
|
|
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
|
|
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
|
|
allow vold_prepare_subdirs self:process setfscreate;
|
|
allow vold_prepare_subdirs {
|
|
sdk_sandbox_system_data_file
|
|
system_data_file
|
|
vendor_data_file
|
|
}:dir { open read write add_name remove_name rmdir relabelfrom };
|
|
allow vold_prepare_subdirs {
|
|
apex_data_file_type
|
|
apex_module_data_file
|
|
apex_rollback_data_file
|
|
backup_data_file
|
|
checkin_data_file
|
|
face_vendor_data_file
|
|
fingerprint_vendor_data_file
|
|
iris_vendor_data_file
|
|
rollback_data_file
|
|
storaged_data_file
|
|
sdk_sandbox_data_file
|
|
sdk_sandbox_system_data_file
|
|
system_data_file
|
|
vold_data_file
|
|
}:dir { create_dir_perms relabelto };
|
|
allow vold_prepare_subdirs {
|
|
apex_data_file_type
|
|
apex_art_staging_data_file
|
|
apex_module_data_file
|
|
apex_rollback_data_file
|
|
backup_data_file
|
|
checkin_data_file
|
|
face_vendor_data_file
|
|
fingerprint_vendor_data_file
|
|
iris_vendor_data_file
|
|
rollback_data_file
|
|
storaged_data_file
|
|
sdk_sandbox_data_file
|
|
system_data_file
|
|
vold_data_file
|
|
}:file { getattr unlink };
|
|
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
|
|
allow vold_prepare_subdirs mnt_expand_file:dir search;
|
|
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
|
|
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
|
|
|
|
# Migrate legacy labels to apex_system_server_data_file (b/217581286)
|
|
allow vold_prepare_subdirs {
|
|
apex_appsearch_data_file
|
|
apex_permission_data_file
|
|
apex_scheduling_data_file
|
|
apex_tethering_data_file
|
|
apex_wifi_data_file
|
|
}:dir relabelfrom;
|
|
|
|
# /data/misc is unlabeled during early boot.
|
|
allow vold_prepare_subdirs unlabeled:dir search;
|
|
|
|
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
|