strengthen app_data_file neverallows
There are more types of apps now.
Bug: 281877578
Test: boot
Change-Id: I1918de8610070f6fac0e933d75c656e4ee0cfbdd
diff --git a/private/dex2oat.te b/private/dex2oat.te
index ea9ab9c..23f7444 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -110,4 +110,4 @@
# Neverallow #
##############
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow dex2oat app_data_file_type:notdevfile_class_set open;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 0491a33..4e1417b 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -56,7 +56,7 @@
### neverallow rules
###
-neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
+neverallow ephemeral_app app_data_file_type:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 0617a57..189d064 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -37,7 +37,7 @@
#####
# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
+neverallow isolated_app_all app_data_file_type:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
diff --git a/private/priv_app.te b/private/priv_app.te
index b455732..52077ef 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -262,10 +262,10 @@
# application home directories. Code loading across a security boundary
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
-neverallow priv_app app_data_file:file no_x_file_perms;
+neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;
-# Do not follow untrusted app provided symlinks
-neverallow priv_app app_data_file:lnk_file { open read getattr };
+# Do not follow any app provided symlinks
+neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };
# Do not allow getting permission-protected network information from sysfs.
neverallow priv_app sysfs_net:file *;
diff --git a/private/rs.te b/private/rs.te
index 268f040..a9b2edd 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -35,6 +35,6 @@
neverallow rs rs:capability_class_set *;
neverallow { domain -appdomain } rs:process { dyntransition transition };
neverallow rs { domain -crash_dump }:process { dyntransition transition };
-neverallow rs app_data_file:file_class_set ~r_file_perms;
+neverallow rs app_data_file_type:file_class_set ~r_file_perms;
# rs should never use network sockets
neverallow rs *:network_socket_class_set *;
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 8e46ca3..b4c655b 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -35,7 +35,7 @@
### neverallow rules
###
-neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
@@ -66,8 +66,9 @@
neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
+# TODO(b/280514080): shell_data_file shouldn't be allowed here
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 640b054..c7e81cd 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -58,7 +58,7 @@
dontaudit traced_perf domain:process signal;
# Never allow access to app data files
-neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+neverallow traced_perf app_data_file_type:file *;
# Never allow profiling privileged or otherwise incompatible domains.
# Corresponding allow-rule is in private/domain.te.
diff --git a/public/init.te b/public/init.te
index a399b3a..c01dc93 100644
--- a/public/init.te
+++ b/public/init.te
@@ -660,7 +660,7 @@
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
-neverallow init { app_data_file privapp_data_file }:lnk_file read;
+neverallow init app_data_file_type:lnk_file read;
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
diff --git a/public/logd.te b/public/logd.te
index 8187179..ff39075 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -60,7 +60,12 @@
neverallow logd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
+neverallow logd {
+ app_data_file_type
+ system_data_file
+ packages_list_file
+ -shell_data_file # for bugreports
+}:dir_file_class_set write;
# Only init is allowed to enter the logd domain via exec()
neverallow { domain -init } logd:process transition;
diff --git a/public/logpersist.te b/public/logpersist.te
index c8e6af4..6c1c404 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -17,7 +17,7 @@
neverallow logpersist domain:process ptrace;
# Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+neverallow logpersist { app_data_file_type system_data_file }:dir_file_class_set write;
# Only init should be allowed to enter the logpersist domain via exec()
# Following is a list of debug domains we know that transition to logpersist
diff --git a/public/profman.te b/public/profman.te
index 727daee..85cdc1e 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -28,4 +28,4 @@
### neverallow rules
###
-neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow profman app_data_file_type:notdevfile_class_set open;
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index d4b4562..7007322 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -28,5 +28,5 @@
neverallow recovery_persist system_file:dir_file_class_set write;
# Write to files in /data/data
-neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index d6870dc..9f8140e 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -21,4 +21,4 @@
neverallow recovery_refresh system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 3942c27..38c7699 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -301,7 +301,7 @@
neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
+neverallow vendor_init app_data_file_type:lnk_file read;
neverallow vendor_init shell_data_file:lnk_file read;
# Init should not be creating subdirectories in /data/local/tmp
neverallow vendor_init shell_data_file:dir { write add_name remove_name };