Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 87e91237a43815016254e70a7b622ef448da54d7^! / . / private
commit87e91237a43815016254e70a7b622ef448da54d7[log] [tgz]
authorNick Kralevich <nnk@google.com>Thu Jan 24 13:05:03 2019 -0800
committerNick Kralevich <nnk@google.com>Thu Jan 24 13:08:10 2019 -0800
tree07ceee950bbbdcbbc25e243ea81430ce33baa973
parent31bd80439f6c4bb46f0b77b2df45deec23246551 [diff]
disallow priv-apps from following untrusted app symlinks.

Untrustworthy symlinks dereferenced by priv-apps could cause those apps
to access files they weren't intending to access. Trusted components
such as priv-apps should never trust untrustworthy symlinks from
untrusted apps.

Modify the rules and add a neverallow assertion to prevent regressions.

Bug: 123350324
Test: device boots and no obvious problems.
Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 9a6a300..3d3433e 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te

@@ -24,6 +24,9 @@
 allow ephemeral_app privapp_data_file:file { r_file_perms execute };
 allow ephemeral_app app_data_file:file     { r_file_perms execute };
 
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
+
 # Allow the renderscript compiler to be run.
 domain_auto_trans(ephemeral_app, rs_exec, rs)
 

diff --git a/private/priv_app.te b/private/priv_app.te
index 9232bd0..71e787f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -28,6 +28,8 @@
 # TODO: Tighten (b/112357170)
 allow priv_app privapp_data_file:file execute;
 
+allow priv_app privapp_data_file:lnk_file create_file_perms;
+
 allow priv_app app_api_service:service_manager find;
 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;
@@ -231,3 +233,6 @@
 # is dangerous and allows a full compromise of a privileged process
 # by an unprivileged process. b/112357170
 neverallow priv_app app_data_file:file no_x_file_perms;
+
+# Do not follow untrusted app provided symlinks
+neverallow priv_app app_data_file:lnk_file { open read getattr };

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 9b91806..712a360 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te

@@ -25,6 +25,12 @@
 allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
 allow untrusted_app_all app_data_file:file     { r_file_perms execute };
 
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
+
+# Allow handling of less common filesystem objects
+allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
+
 # Allow loading and deleting executable shared libraries
 # within an application home directory. Such shared libraries would be
 # created by things like renderscript or via other mechanisms.