Audit use of watch and watch_reads on apk_data_file

This can be used as a side channel to observe when an application
is launched.

Ignore-AOSP-First: Security fix
Bug: 231587164
Test: boot device, install/uninstall apps. Observe no new denials.
Test: Run researcher provided PoC. Observe audit messages.
Change-Id: I8434d9e3093ddc3109ac67d0870b7f664fb6f08e
diff --git a/private/app.te b/private/app.te
index b6b4714..6cb782d 100644
--- a/private/app.te
+++ b/private/app.te
@@ -424,8 +424,15 @@
 allow appdomain shared_relro_file:file r_file_perms;
 
 # Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
+allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
+allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
+# Allow watch & watch_reads for now, but audit to see if they're actually used.
+allow appdomain apk_data_file:dir { watch watch_reads };
+allow appdomain apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+  auditallow appdomain apk_data_file:dir { watch watch_reads };
+  auditallow appdomain apk_data_file:file { watch watch_reads };
+')
 
 # /data/resource-cache
 allow appdomain resourcecache_data_file:file r_file_perms;
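Review bot: The comment on the `# Allow watch & watch_reads for now` line should record why `r_dir_perms`/`rx_file_perms` were expanded by hand, since a later cleanup that sees the spelled-out sets is likely to collapse them back to the macros and silently re-grant `watch`/`watch_reads`; something like `# watch/watch_reads deliberately split out of r_dir_perms/rx_file_perms: inotify on apk_data_file is an app-launch side channel (b/231587164); drop them once the audit shows no legitimate use.` The `auditallow` rules are wrapped in `userdebug_or_eng`, so user builds will log nothing and, presumably, contribute no usage data to the final decision — worth stating in the comment or description so the eventual removal is not based on an empty audit log. The expanded sets appear to equal the current `r_dir_perms` and `r_file_perms` minus the two watch permissions, but that should be confirmed against the macro definitions at this policy version.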