Don't allow supplemental_process to access internal and external storage
Ignore-AOSP-First: feature developed internally
Bug: 211761016
Test: builds
Test: manually checked sp can't write to external storage
Change-Id: I05d2071e023d0de8a93dcd111674f8d8102a21ce
diff --git a/private/app.te b/private/app.te
index cec5ffe..3049491 100644
--- a/private/app.te
+++ b/private/app.te
@@ -72,7 +72,7 @@
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow appdomain mnt_media_rw_file:dir search;
+allow { appdomain -supplemental_process } mnt_media_rw_file:dir search;
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
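Review bot: Removing supplemental_process from the allow at L15 (and the parallel exclusions at L23-L27, L35-L39 and L46) only withdraws the grants made in this file; nothing asserts that another rule or macro cannot re-grant storage access later, and the Test lines show the property was checked by hand rather than at build time. A neverallow for supplemental_process against the storage types touched here would turn the intent into a compile-time check, e.g. `neverallow supplemental_process { app_data_file privapp_data_file media_rw_data_file mnt_media_rw_file }:file_class_set *;`, placed alongside the existing app neverallow rules. Some of these targets may already be covered by existing neverallows for other app types; verify before duplicating.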
@@ -205,11 +205,11 @@
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app -supplemental_process } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app -supplemental_process } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
+allow { appdomain -supplemental_process } tmpfs:dir r_dir_perms;
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
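Review bot: The exclusion at L27 removes r_dir_perms on the generic tmpfs type, not only on the /storage/emulated mount that the comment at L25 describes, so any other tmpfs directory supplemental_process traverses will now be denied. The Test lines cover only the negative case (cannot write to external storage); it is worth confirming from the audit log, after exercising the process, that no new `avc: denied` entries appear with scontext supplemental_process and tcontext tmpfs or rootfs. If such a denial does turn out to be expected, the comment at L25 should record why the tmpfs:dir grant is scoped to everything except supplemental_process.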
@@ -243,11 +243,11 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app -mlstrustedsubject -supplemental_process } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject -supplemental_process } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app -supplemental_process } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
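Review bot: supplemental_process is excluded from the app_data_file rules at L35-L39 but still inherits `allow appdomain mnt_expand_file:dir r_dir_perms;` at L41, so it can continue to traverse into expanded storage. That grant is directory read/search only, and whether anything reachable beneath that mount matters depends on how the files under it are labelled, which this hunk does not show. If the commit's intent is to cut supplemental_process off from storage entirely, the line should become `allow { appdomain -supplemental_process } mnt_expand_file:dir r_dir_perms;` for consistency with the other exclusions.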
@@ -384,7 +384,7 @@
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app -supplemental_process } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app } radio_data_file:file { read write getattr };