Merge "system_app: neverallow /data/local/tmp access"
diff --git a/private/system_app.te b/private/system_app.te
index 9ed1d36..ee18ab2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -149,3 +149,10 @@
# app domains which access /dev/fuse should not run as system_app
neverallow system_app fuse_device:chr_file *;
+
+# Apps which run as UID=system should not rely on any attacker controlled
+# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
+# allow writes to files passed by file descriptor to support dumpstate and
+# bug reports, but not reads.
+neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
+neverallow system_app shell_data_file:file { open read ioctl lock };
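Review bot: The file-class permission list on the last line is close to `r_file_perms` but leaves `getattr` and `map` out, and nothing in the comment says whether that is intentional; a reader comparing it against the macro will wonder whether metadata reads and mmap were overlooked. If the omission is deliberate (fstat() on a descriptor handed over by dumpstate presumably still needs `getattr`, and a readable mapping should not be obtainable without `read`, though I have not confirmed either against the kernel hooks), it is worth saying so, e.g. `# getattr and map are deliberately not denied: fstat() on a passed fd must keep working, and a readable mapping still requires read.` The same question applies to `execute`, which is also absent here and is presumably covered by a broader appdomain rule elsewhere; a one-line pointer to that rule would make the intent of this list self-contained.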