Prevent isolated_app from searching system_data_file.
Isolated apps should have no need for this permission, and granting it allows probing for file existence.
Access to /data and more specifically labeled directories under it
(e.g. /data/app) is not affected.
Bug: 158088415
Test: Builds
Change-Id: Iac39629b1c7322dc2fd9a57c9f034cb2ba73793f
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 4c6c5aa..33b5219 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -74,6 +74,9 @@
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app { app_data_file privapp_data_file }:file open;
+# Isolated aps should not be directly accessing system directories
+neverallow isolated_app system_data_file:dir search;
+
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
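Review bot: The comment added above the new neverallow misspells "apps" as `aps` and says "accessing" although the rule only denies `search`, so it does not record why the assertion exists. I would write `# Isolated apps should not traverse system_data_file directories; search would let them probe for file existence.` The assertion covers only `dir search`. Whether other directory permissions on system_data_file (for example `read` or `open`, which are enough to list a directory) are granted to isolated_app elsewhere is not visible in this hunk and is worth checking, because this neverallow would not catch them.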
diff --git a/public/domain.te b/public/domain.te
index 3adfcb5..b0cf207 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -229,10 +229,12 @@
allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_root_file for path traversal to /data/vendor.
+# /data has the label system_data_root_file. Many components need search
+# permission on system_data_root_file for path traversal.
allow domain system_data_root_file:dir { search getattr } ;
-allow domain system_data_file:dir search;
+# Isolated apps have no need to traverse system_data_file dirs
+allow { domain -isolated_app } system_data_file:dir search;
+# Vendor components need access to /dara/vendor
# TODO restrict this to non-coredomain
allow domain vendor_data_file:dir { getattr search };
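Review bot: The new comment `# Vendor components need access to /dara/vendor` misspells the path and should read `/data/vendor`. More substantively, the last line of the hunk still grants `vendor_data_file:dir { getattr search }` to all of `domain`, which as written includes isolated_app, so the existence-probing concern from the commit message appears to remain for vendor_data_file directories. If isolated apps have no need for that traversal either, the same exclusion could be applied there, `allow { domain -isolated_app } vendor_data_file:dir { getattr search };`, ideally paired with a matching neverallow in isolated_app.te. Either change needs a runtime check for denials on a device, which `Test: Builds` does not provide. The first two context lines of the hunk close a block that opens outside it.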