disallow priv-apps from following untrusted app symlinks.
Untrustworthy symlinks dereferenced by priv-apps could cause those apps
to access files they weren't intending to access. Trusted components
such as priv-apps should never trust untrustworthy symlinks from
untrusted apps.
Modify the rules and add a neverallow assertion to prevent regressions.
Bug: 123350324
Test: device boots and no obvious problems.
Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0
diff --git a/private/priv_app.te b/private/priv_app.te
index 9232bd0..71e787f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -28,6 +28,8 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+allow priv_app privapp_data_file:lnk_file create_file_perms;
+
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
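Review bot: The added `allow priv_app privapp_data_file:lnk_file create_file_perms;` rule has no comment, and the `# TODO: Tighten (b/112357170)` line above it reads as if it covers only the `execute` rule. Please add a one-line comment saying that priv-apps may create and follow symlinks only within their own `privapp_data_file` directories, so the rule's link to the `app_data_file:lnk_file` neverallow at the end of the file is clear. It is also worth stating in the commit message why the full `create_file_perms` set is needed here rather than a narrower read-only set, since "Modify the rules" does not say which access priv-apps actually depend on.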
@@ -231,3 +233,6 @@
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
neverallow priv_app app_data_file:file no_x_file_perms;
+
+# Do not follow untrusted app provided symlinks
+neverallow priv_app app_data_file:lnk_file { open read getattr };
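Review bot: The new neverallow names only `{ open read getattr }` on `app_data_file:lnk_file`, and the comment above it does not say why those three permissions are the complete set needed to stop a priv-app from following such a link. Consider extending the comment to explain the choice and to cite the bug, as the preceding block does with b/112357170, for example `# Do not follow untrusted app provided symlinks. b/123350324`. The neverallow is enforced at policy build time, so the "device boots" test mainly exercises the allow-rule side. A note on whether any priv-app logged `lnk_file` denials against `app_data_file` during testing would make the regression risk easier to judge.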