Neverallow executable files and symlink following
Test: build
Change-Id: Iec30d8a7642c34f12571c5654914ddbdc3d8355e
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 9c96f19..4ecb355 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -20,7 +20,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
-neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
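Review bot: The lnk_file class is added only to the user-build rule on the `+` line, while the rule immediately above it (`neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;`) is left at `file` only; on userdebug/eng builds, where `userdebug_or_eng(`-domain')` empties the subject set of the changed rule, that first rule is the one that applies, so symlink reads under debugfs by untrusted apps remain un-neverallowed there. For the same coverage on all build types the first rule should become `neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:{ file lnk_file } read;`. The kcov carve-out presumably still applies only to the regular file class; confirm whether the kcov symlink (if any) needs the same exception.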
diff --git a/public/domain.te b/public/domain.te
index e086ace..bc50d60 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1308,7 +1308,10 @@
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix dumpstate
-neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
+neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
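Review bot: The new execute neverallow is scoped differently from the rule just above it — it uses the `debugfs_type` attribute with no `-init -vendor_init -dumpstate` exceptions, whereas the read/write rule is limited to the plain `debugfs` label with those exceptions — and the one-line comment does not say that this is deliberate. Since the preceding comment tells people to give parts of debugfs a more specific label, a reader may assume the execute ban needs widening or narrowing when a new label is added; a comment such as `# Applies to every debugfs label (the debugfs_type attribute), with no exemptions: nothing in debugfs is a trusted source of code, even for init or dumpstate.` would make the intent explicit. `execute_no_trans` is redundant with `execute` here (a transition also requires `execute` on the file), which is harmless but worth a word in the comment so it is not "fixed" later.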