Label app data directories for system UID apps with a different type.
We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership (the system UID) that they share with
other system files. However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.
This resolves the following denial when cropping or taking a user photo
for secondary users:
avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/app.te b/app.te
index ba99e55..81c6a53 100644
--- a/app.te
+++ b/app.te
@@ -109,6 +109,11 @@
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow appdomain radio_data_file:file { read write getattr };
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app system_app_data_file:file { read write getattr };
+
# Access SDcard.
allow appdomain sdcard_type:dir create_dir_perms;
allow appdomain sdcard_type:file create_file_perms;
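Review bot: The comment on the new untrusted_app rule says the files are "passed over Binder" but does not state what enforces that, and the real restriction is that `open` (and dir `search`) are deliberately absent from the permission set, so untrusted_app can only act on descriptors it has already been handed and cannot reach these files by path. That is the same design as the radio_data_file rule just above, but it is worth making explicit so a later edit does not casually add `open`; suggested comment: `# No open or dir search: untrusted_app may only use descriptors it receives, never open these files by path.` Note also that system_app_data_file is shared by every system UID app, so any of them that hands out an fd grants write to it; that is inherent to fd passing but is broader than the com.android.settings case named in the comment.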
diff --git a/file.te b/file.te
index f42585a..b1a1e24 100644
--- a/file.te
+++ b/file.te
@@ -81,6 +81,8 @@
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
+# /data/data subdirectory for system UID apps.
+type system_app_data_file, file_type, data_file_type;
# Compatibility with type name used in Android 4.3 and 4.4.
typealias app_data_file alias platform_app_data_file;
typealias app_data_file alias download_file;
diff --git a/installd.te b/installd.te
index 9712881..5ff68f3 100644
--- a/installd.te
+++ b/installd.te
@@ -34,8 +34,10 @@
# restorecon /data/data
allow installd unlabeled:dir relabelfrom;
allow installd unlabeled:notdevfile_class_set relabelfrom;
-allow installd system_data_file:dir { relabelfrom relabelto };
-allow installd system_data_file:notdevfile_class_set { relabelfrom relabelto };
+allow installd system_data_file:dir relabelfrom;
+allow installd system_data_file:notdevfile_class_set relabelfrom;
+allow installd system_app_data_file:dir { relabelfrom relabelto };
+allow installd system_app_data_file:notdevfile_class_set { relabelfrom relabelto };
allow installd bluetooth_data_file:dir { relabelfrom relabelto };
allow installd bluetooth_data_file:notdevfile_class_set { relabelfrom relabelto };
allow installd nfc_data_file:dir { relabelfrom relabelto };
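Review bot: The split of the system_data_file rules into relabelfrom-only leaves the `# restorecon /data/data` comment above unchanged, so the asymmetry between system_data_file (relabelfrom only) and system_app_data_file (relabelfrom relabelto) is unexplained in the policy itself. If any path installd restores is still expected to carry system_data_file (presumably the /data/data directory itself, if file_contexts labels it so), that restorecon would now be denied; worth confirming against file_contexts before merging. Suggested comment above the two system_data_file lines: `# relabelfrom only: lets existing system UID app dirs be moved off system_data_file, while installd must not be able to label anything as system_data_file.`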
diff --git a/seapp_contexts b/seapp_contexts
index 7b217fb..91cfe72 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -35,7 +35,7 @@
# level may be used to specify a fixed level for any UID.
#
isSystemServer=true domain=system_server
-user=system domain=system_app type=system_data_file
+user=system domain=system_app type=system_app_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
diff --git a/system_app.te b/system_app.te
index 25da88a..b03ccb4 100644
--- a/system_app.te
+++ b/system_app.te
@@ -9,10 +9,9 @@
net_domain(system_app)
binder_service(system_app)
-# Read and write system data files.
-# May want to split into separate types.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:file create_file_perms;
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
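Review bot: The replacement removes every system_app permission on system_data_file in this hunk, including read and getattr, while the commit message only describes avoiding write; a system UID app that reads any other system data path would now be denied unless a rule elsewhere in system_app.te (outside this hunk) covers it. If full confinement to the app's own directory is the intent, say so at the rule so the next reader does not assume reads were dropped by accident, e.g. replace the comment on the first added line with `# Read and write the app's own /data/data subdirectory (system_app_data_file).` followed by `# No access to other system_data_file paths is granted here.`; if reads turn out to be needed, an explicit `r_file_perms` rule on system_data_file would be the narrow fix rather than restoring create_file_perms. system_app.te continues outside the hunk, so the remaining rules could not be checked here.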