app.te: Delete apk_private_tmp_file neverallow

Commit a910a287d81bf5e9885af9e5be60ed444964a86a initially
added a neverallow restriction only allowing priv_app to access
APK staging files. However, in commit
bdac15aa887933f13fcdfff3669323d7a1717fb0, this restriction was so
watered down as to be effectively useless, as untrusted code
is now allowed to access these staging files.

Delete this ineffective neverallow assertion, as it no longer
accomplishes any security goal. Additionally, it forces
anyone wanting to implement an APK verifier to use one
of these catch-all domains, instead of creating their own
custom app domain.

While we're here, move a related neverallow assertion
to its proper location.

Fixes: 366044388
Test: Code compiles. neverallow assertion change only.
Change-Id: I6de1fcd386ca4f570f0000a34867413dd6f3236e
diff --git a/private/app.te b/private/app.te
index cc69e5e..c51ba8b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -641,12 +641,6 @@
     apk_tmp_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
-    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read map };
-
 # Access to factory files.
 neverallow appdomain efs_file:dir_file_class_set write;
 neverallow { appdomain -shell } efs_file:dir_file_class_set read;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index bf723c5..0e2b01c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -45,6 +45,10 @@
 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
 
+# Do not allow untrusted apps to modify temporarily staged APKs.
+neverallow all_untrusted_apps { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow all_untrusted_apps { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read map };
+
 # net.dns properties are not a public API. Disallow untrusted apps from reading this property.
 neverallow { all_untrusted_apps } net_dns_prop:file read;
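Review bot: The moved rule on the two added neverallow lines uses `all_untrusted_apps` as its subject, whereas the removed lines in app.te used `{ untrusted_app_all isolated_app_all }`; if the `all_untrusted_apps` macro defined earlier in this file covers additional domains (it appears to), the rule is now a tightening rather than the pure relocation the commit message describes, and that widening should be stated explicitly in the commit message or the comment. The added comment also undersells the second line's scope: the first rule denies every permission on dir, devfile, fifo, symlink and socket classes, not only modification, so `# Do not allow untrusted apps to modify temporarily staged APKs, or to access them through any class other than a regular file.` would describe both lines accurately. The hunk shows only a fragment of the neverallow list, so the macro definition itself is outside this view.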