app.te: prevent locks of files on /system Prevent app domains (processes spawned by zygote) from acquiring locks on files in /system. In particular, /system/etc/xtables.lock must never be lockable by applications, as it will block future iptables commands from running. Test: device boots and no obvious problems. Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b

commit: 92c44a578cbcb6ec7cdf8b304f1738cc75074379 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Mar 22 10:35:24 2017 -0700
committer: Nick Kralevich <nnk@google.com> Wed Mar 22 10:35:24 2017 -0700
tree: ff3f17e933b44ea7974b9b2a5bcaf65a6a25725d
parent: 9d5f97b381a18eeff1d627515f721f696c1a781e [diff] [blame]
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 15ab764..5e47b68 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te

@@ -100,3 +100,7 @@
 
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
commit	92c44a578cbcb6ec7cdf8b304f1738cc75074379	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Mar 22 10:35:24 2017 -0700
committer	Nick Kralevich <nnk@google.com>	Wed Mar 22 10:35:24 2017 -0700
tree	ff3f17e933b44ea7974b9b2a5bcaf65a6a25725d
parent	9d5f97b381a18eeff1d627515f721f696c1a781e [diff] [blame]