Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 23c9d91b46352bd91cdc58f33d55378e5567dc1c^! / . / private / dexoptanalyzer.te
commit23c9d91b46352bd91cdc58f33d55378e5567dc1c[log] [tgz]
authorNick Kralevich <nnk@google.com>Thu Aug 02 15:54:23 2018 -0700
committerNick Kralevich <nnk@google.com>Thu Aug 02 16:29:02 2018 -0700
tree6940b557b6e7f2fcf698aa446f07f756f7066f3a
parentb5201698324fe7f8625b46a31a9fcdad862b2198 [diff] [blame]
Start partitioning off privapp_data_file from app_data_file

Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837

diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index dfc81b8..7d01ef5 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te

@@ -19,12 +19,12 @@
 
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
-allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.
-dontaudit dexoptanalyzer app_data_file:dir audit_access;
+dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
 
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };