Further lock down app data
Assert that only apps and installd may open private app files.
Remove "open" permission for mediaserver/vold and remove their
neverallow exemption.
Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728
diff --git a/private/domain.te b/private/domain.te
index 5fcc1fd..7945d89 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -142,12 +142,10 @@
-dexoptanalyzer
-init
-installd
- -mediaserver # b/80300620
userdebug_or_eng(`-perfprofd')
-profman
-runas
-system_server
- -vold
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. init and installd are exempted for
@@ -163,9 +161,7 @@
domain
-appdomain
-installd
- -mediaserver # b/80300620
userdebug_or_eng(`-perfprofd')
- -vold # b/80418809
} { privapp_data_file app_data_file }:file_class_set open;
neverallow {
diff --git a/public/domain.te b/public/domain.te
index 2396d4a..032c27c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1280,7 +1280,6 @@
domain
-appdomain
-installd
- -uncrypt # TODO: see if we can remove
} { app_data_file privapp_data_file }:lnk_file read;
neverallow {
diff --git a/public/mediaserver.te b/public/mediaserver.te
index c0d4e70..a197a44 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -27,11 +27,7 @@
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
-# TODO(b/80190017, b/80300620): remove direct access to private app data
-userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:dir search;')
-allow mediaserver { app_data_file privapp_data_file }:dir search;
-userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:file open;')
-allow mediaserver { app_data_file privapp_data_file }:file rw_file_perms;
+allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
allow mediaserver sdcard_type:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
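Review bot: The retained rule on the added line keeps `write`, `append`, `map` and `ioctl` on `app_data_file`/`privapp_data_file` without `open` or `dir search`, yet the TODO that explained mediaserver's access to private app data is removed with it, so a reader no longer sees why write-class permissions on app data remain. Presumably they apply only to file descriptors an app hands to mediaserver (it can no longer open or look up the files itself, and the neverallow on `file_class_set open` in private/domain.te now covers it); a one-line comment such as `# Only for fds passed in by apps; mediaserver must never open private app data itself.` would record that intent. Note also that vold loses all direct app-data access in this change while mediaserver keeps this fd-based subset, and the commit message's "remove open permission" wording does not convey that asymmetry. Whether the now-unconditional `ioctl` permission should be narrowed with an `allowxperm` allowlist cannot be judged from this hunk, but it is worth confirming.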
diff --git a/public/vold.te b/public/vold.te
index 2097392..73d3b6d 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -81,11 +81,6 @@
allow vold tmpfs:dir mounton;
allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-# TODO(b/80418809): remove direct access to private app data
-userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:dir search;')
-allow vold { app_data_file privapp_data_file }:dir search;
-userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:file rw_file_perms;')
-allow vold { app_data_file privapp_data_file }:file rw_file_perms;
allow vold loop_control_device:chr_file rw_file_perms;
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };