Prevent isolated_app from searching system_data_file. There should be no need for this, and it allows probing for file existence. Access to /data and more specifically labeled directories under it (e.g. /data/app) is not affected. Bug: 158088415 Test: Builds Change-Id: Iac39629b1c7322dc2fd9a57c9f034cb2ba73793f

commit: 8dea7318056e4af3cf308aa9263de5e920d29f18 [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Thu Jun 04 14:51:15 2020 +0100
committer: Alan Stokes <alanstokes@google.com> Thu Jun 04 14:51:15 2020 +0100
tree: 2145299245d56456dcb81ccd5532ae59c4ed483b
parent: 19b3a4408df8250bebd35894d85b8c396c82ed55 [diff] [blame]
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 4c6c5aa..33b5219 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te

@@ -74,6 +74,9 @@
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app { app_data_file privapp_data_file }:file open;
 
+# Isolated aps should not be directly accessing system directories
+neverallow isolated_app system_data_file:dir search;
+
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
 # TODO: should we tighten these restrictions further?
commit	8dea7318056e4af3cf308aa9263de5e920d29f18	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Thu Jun 04 14:51:15 2020 +0100
committer	Alan Stokes <alanstokes@google.com>	Thu Jun 04 14:51:15 2020 +0100
tree	2145299245d56456dcb81ccd5532ae59c4ed483b
parent	19b3a4408df8250bebd35894d85b8c396c82ed55 [diff] [blame]