Make cross-user apps mlstrustedsubject.
We have various apps which inherently work across all users,
configured in seapp_contexts with levelFrom=None (usually implicitly).
This change marks those apps, where they have private data files, as
mlstrustedsubject, to allow us to increase restrictions on cross-user
access without breaking them.
Currently these apps are granted full access to [priv_]app__data_file
via TE rules, but are blocked from calling open (etc) by mls rules
(they don't have a matching level).
This CL changes things round so they are granted access by mls, but
blocked from calling open by TE rules; the overall effect is thus the
same - they do not have access.
A neverallow rule is added to ensure this remains true.
Note that there are various vendor apps which are appdomain,
levelFrom=None; they will also need modified policy.
Test: builds, boots, no new denials.
Bug: 141677108
Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
new file mode 100644
index 0000000..b803dbc
--- /dev/null
+++ b/private/mlstrustedsubject.te
@@ -0,0 +1,32 @@
+# MLS override can't be used to access private app data.
+
+# Apps should not normally be mlstrustedsubject, but if they must be
+# they cannot use this to access app private data files; their own app
+# data files must use a different label.
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:dir ~{ read getattr search };
+
+# TODO(b/141677108): See if we can remove any of these.
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+ -system_server
+ -adbd
+ -runas
+ -dexoptanalyzer
+ -zygote
+} { app_data_file privapp_data_file }:dir { read getattr search };