commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c
author Nick Kralevich <nnk@google.com> Thu Aug 02 15:54:23 2018 -0700
committer Nick Kralevich <nnk@google.com> Thu Aug 02 16:29:02 2018 -0700
tree 6940b557b6e7f2fcf698aa446f07f756f7066f3a
parent b5201698324fe7f8625b46a31a9fcdad862b2198

Start partitioning off privapp_data_file from app_data_file

Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 01da377..8950240 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -446,7 +446,16 @@
 
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+allow system_server {
+  system_app_data_file
+  bluetooth_data_file
+  nfc_data_file
+  radio_data_file
+  shell_data_file
+  app_data_file
+  privapp_data_file
+}:dir { getattr read search };
+
 # Also permit for unlabeled /data/data subdirectories and
 # for unlabeled asec containers on upgrades from 4.2.
 allow system_server unlabeled:dir r_dir_perms;
@@ -459,7 +468,15 @@
 
 # Receive and use open app data files passed over binder IPC.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+allow system_server {
+  system_app_data_file
+  bluetooth_data_file
+  nfc_data_file
+  radio_data_file
+  shell_data_file
+  app_data_file
+  privapp_data_file
+}:file { getattr read write append };
 
 # Access to /data/media for measuring disk usage.
 allow system_server media_rw_data_file:dir { search getattr open read };
@@ -821,7 +838,13 @@
 # file descriptor.
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+neverallow system_server {
+  bluetooth_data_file
+  nfc_data_file
+  shell_data_file
+  app_data_file
+  privapp_data_file
+}:file { open create unlink link };
 
 # Forking and execing is inherently dangerous and racy. See, for
 # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them