e8f95b363a
Addresses the following denial encountered when sharing photos between personal
and managed profiles:
Binder_5: type=1400 audit(0.0:236): avc: denied { read } for path="/data/data/com.google.android.apps.plus/cache/media/3/3bbca5f1bcfa7f1-a-nw" dev="dm-0" ino=467800 scontext=u:r:untrusted_app:s0:c529,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
Bug: 19540297
Change-Id: If51108ec5820ca40e066d5ca3e527c7a0f03eca5
112 lines
4 KiB
Text
112 lines
4 KiB
Text
#########################################
|
|
# MLS declarations
|
|
#
|
|
|
|
# Generate the desired number of sensitivities and categories.
|
|
gen_sens(mls_num_sens)
|
|
gen_cats(mls_num_cats)
|
|
|
|
# Generate level definitions for each sensitivity and category.
|
|
gen_levels(mls_num_sens,mls_num_cats)
|
|
|
|
|
|
#################################################
|
|
# MLS policy constraints
|
|
#
|
|
|
|
#
|
|
# Process constraints
|
|
#
|
|
|
|
# Process transition: Require equivalence unless the subject is trusted.
|
|
mlsconstrain process { transition dyntransition }
|
|
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
|
|
|
|
# Process read operations: No read up unless trusted.
|
|
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
|
|
(l1 dom l2 or t1 == mlstrustedsubject);
|
|
|
|
# Process write operations: No write down unless trusted.
|
|
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
|
|
(l1 domby l2 or t1 == mlstrustedsubject);
|
|
|
|
#
|
|
# Socket constraints
|
|
#
|
|
|
|
# Create/relabel operations: Subject must be equivalent to object unless
|
|
# the subject is trusted. Sockets inherit the range of their creator.
|
|
mlsconstrain socket_class_set { create relabelfrom relabelto }
|
|
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
|
|
|
|
# Datagram send: Sender must be dominated by receiver unless one of them is
|
|
# trusted.
|
|
mlsconstrain unix_dgram_socket { sendto }
|
|
(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
|
|
|
|
# Stream connect: Client must be equivalent to server unless one of them
|
|
# is trusted.
|
|
mlsconstrain unix_stream_socket { connectto }
|
|
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
|
|
|
|
#
|
|
# Directory/file constraints
|
|
#
|
|
|
|
# Create/relabel operations: Subject must be equivalent to object unless
|
|
# the subject is trusted. Also, files should always be single-level.
|
|
# Do NOT exempt mlstrustedobject types from this constraint.
|
|
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
|
|
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
|
|
|
|
# Read operations: Subject must dominate object unless the subject
|
|
# or the object is trusted.
|
|
mlsconstrain dir { read getattr search }
|
|
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
|
|
|
mlsconstrain { file lnk_file sock_file chr_file blk_file } { open execute }
|
|
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
|
|
|
# Write operations: Subject must be dominated by the object unless the
|
|
# subject or the object is trusted.
|
|
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
|
|
(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
|
|
|
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
|
|
(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
|
|
|
# Special case for FIFOs.
|
|
# These can be unnamed pipes, in which case they will be labeled with the
|
|
# creating process' label. Thus we also have an exemption when the "object"
|
|
# is a domain type, so that processes can communicate via unnamed pipes
|
|
# passed by binder or local socket IPC.
|
|
mlsconstrain fifo_file { read getattr }
|
|
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
|
|
|
|
mlsconstrain fifo_file { write setattr append unlink link rename }
|
|
(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
|
|
|
|
#
|
|
# IPC constraints
|
|
#
|
|
|
|
# Create/destroy: equivalence or trusted.
|
|
mlsconstrain ipc_class_set { create destroy }
|
|
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
|
|
|
|
# Read ops: No read up unless trusted.
|
|
mlsconstrain ipc_class_set r_ipc_perms
|
|
(l1 dom l2 or t1 == mlstrustedsubject);
|
|
|
|
# Write ops: No write down unless trusted.
|
|
mlsconstrain ipc_class_set w_ipc_perms
|
|
(l1 domby l2 or t1 == mlstrustedsubject);
|
|
|
|
#
|
|
# Binder IPC constraints
|
|
#
|
|
# Presently commented out, as apps are expected to call one another.
|
|
# This would only make sense if apps were assigned categories
|
|
# based on allowable communications rather than per-app categories.
|
|
#mlsconstrain binder call
|
|
# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
|