system_app: neverallow /data/local/tmp access
/data/local/tmp is an attacker controlled location which system_apps
should not be depending on. system_apps should only depend on files in
their home directory and files passed to them by file descriptor. To
support this best practice, neverallow access to /data/local/tmp. This
adds a compile time assertion and CTS test to assert that this rule is
never present.

This is conceptually a tightening of already defined neverallow rules in
domain.te. The existing neverallow assertions exclude appdomain, which
is too broad:

    neverallow {
      domain
      -adbd
      -appdomain
      -dumpstate
      -init
      -installd
      -simpleperf_app_runner
      -system_server # why?
      userdebug_or_eng(`-uncrypt')
    } shell_data_file:dir { open search };

    # Same as above for /data/local/tmp files. We allow shell files
    # to be passed around by file descriptor, but not directly opened.
    neverallow {
      domain
      -adbd
      -appdomain
      -dumpstate
      -installd
      userdebug_or_eng(`-uncrypt')
    } shell_data_file:file open;

Test: compiles
Change-Id: Ib7178e2b9d5a41c03837a535f7db5eaf10319aac

diff --git a/private/system_app.te b/private/system_app.te
index 9ed1d36..ee18ab2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -149,3 +149,10 @@
# app domains which access /dev/fuse should not run as system_app
neverallow system_app fuse_device:chr_file *;
+
+# Apps which run as UID=system should not rely on any attacker controlled
+# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
+# allow writes to files passed by file descriptor to support dumpstate and
+# bug reports, but not reads.
+neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
+neverallow system_app shell_data_file:file { open read ioctl lock };
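Review bot: in the dir rule, `open search read` are listed next to `no_w_dir_perms`; if that macro already expands to a set containing open, read and search (as the AOSP global_macros definition of no_w_dir_perms does), the explicit permissions are redundant and the rule reduces to `neverallow system_app shell_data_file:dir no_w_dir_perms;`. If the explicit list is intentional for readability, a short comment saying so would stop a later reviewer from "simplifying" it. Separately, the comment above the rules describes the file-level intent as "writes ... but not reads", which matches the file rule leaving write/append out of the denied set, but the rule also denies `ioctl` and `lock` on descriptors passed in from shell; since dumpstate and bug-report paths are the stated consumers of those descriptors, it is worth stating in the comment that only plain write/append is expected to work on an inherited /data/local/tmp fd, so a future ioctl/flock use there is recognised as out of scope rather than a regression.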