27b515e70a
We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
63 lines
1.7 KiB
Text
63 lines
1.7 KiB
Text
# MLS override can't be used to access private app data.
|
|
|
|
# Apps should not normally be mlstrustedsubject, but if they must be
|
|
# they cannot use this to access app private data files; their own app
|
|
# data files must use a different label.
|
|
|
|
neverallow {
|
|
mlstrustedsubject
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
} {
|
|
app_data_file
|
|
privapp_data_file
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
|
|
}:file ~{ read write map getattr ioctl lock append };
|
|
|
|
neverallow {
|
|
mlstrustedsubject
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
} {
|
|
app_data_file
|
|
privapp_data_file
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
|
|
}:dir ~{ read getattr search };
|
|
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
|
|
neverallow {
|
|
mlstrustedsubject
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
-vold # encryption of storage areas
|
|
-vold_prepare_subdirs # creation of storage area directories
|
|
} { storage_area_dir storage_area_app_dir }:dir ~{ read getattr search };
|
|
')
|
|
|
|
neverallow {
|
|
mlstrustedsubject
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
-system_server
|
|
-adbd
|
|
-runas
|
|
-zygote
|
|
} {
|
|
app_data_file
|
|
privapp_data_file
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
|
|
}:dir { read getattr search };
|
|
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
|
|
neverallow {
|
|
mlstrustedsubject
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
-system_server
|
|
-adbd
|
|
-runas
|
|
-vold # encryption of storage area directories
|
|
-vold_prepare_subdirs # creation of storage area directories
|
|
-zygote
|
|
} { storage_area_dir storage_area_app_dir }:dir { read getattr search };
|
|
')
|