strengthen app_data_file neverallows

There are more types of apps now.

Bug: 281877578
Test: boot
Change-Id: I1918de8610070f6fac0e933d75c656e4ee0cfbdd
diff --git a/private/dex2oat.te b/private/dex2oat.te
index ea9ab9c..23f7444 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -110,4 +110,4 @@
 # Neverallow #
 ##############
 
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow dex2oat app_data_file_type:notdevfile_class_set open;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 0491a33..4e1417b 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -56,7 +56,7 @@
 ### neverallow rules
 ###
 
-neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
+neverallow ephemeral_app app_data_file_type:file execute_no_trans;
 
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 0617a57..189d064 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -37,7 +37,7 @@
 #####
 
 # Isolated apps should not directly open app data files themselves.
-neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
+neverallow isolated_app_all app_data_file_type:file open;
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
diff --git a/private/priv_app.te b/private/priv_app.te
index b455732..52077ef 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -262,10 +262,10 @@
 # application home directories. Code loading across a security boundary
 # is dangerous and allows a full compromise of a privileged process
 # by an unprivileged process. b/112357170
-neverallow priv_app app_data_file:file no_x_file_perms;
+neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;
 
-# Do not follow untrusted app provided symlinks
-neverallow priv_app app_data_file:lnk_file { open read getattr };
+# Do not follow any app provided symlinks
+neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };
 
 # Do not allow getting permission-protected network information from sysfs.
 neverallow priv_app sysfs_net:file *;
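Review bot: The rewritten comment `# Do not follow any app provided symlinks` overstates the rule beneath it, which excludes privapp_data_file from the neverallow, so symlinks created by privileged apps remain followable by priv_app; I would phrase it as `# Do not follow symlinks provided by apps outside the privapp_data_file domain` so the exception is visible next to the rule. Both new rules now also cover every other type carried by app_data_file_type (the sdk_sandbox_all hunk in this change shows shell_data_file and radio_data_file are members), so any existing priv_app allow rule granting no_x_file_perms or lnk_file open/read/getattr on those types would be rejected when the policy is compiled; since the rules are neverallows, the boot test only demonstrates that no such conflict exists in this tree, not in downstream policy that extends it. The surrounding neverallow section continues outside the hunk.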
diff --git a/private/rs.te b/private/rs.te
index 268f040..a9b2edd 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -35,6 +35,6 @@
 neverallow rs rs:capability_class_set *;
 neverallow { domain -appdomain } rs:process { dyntransition transition };
 neverallow rs { domain -crash_dump }:process { dyntransition transition };
-neverallow rs app_data_file:file_class_set ~r_file_perms;
+neverallow rs app_data_file_type:file_class_set ~r_file_perms;
 # rs should never use network sockets
 neverallow rs *:network_socket_class_set *;
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 8e46ca3..b4c655b 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -35,7 +35,7 @@
 ### neverallow rules
 ###
 
-neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
 
 # Receive or send uevent messages.
 neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
@@ -66,8 +66,9 @@
 neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
 
 # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
+# TODO(b/280514080): shell_data_file shouldn't be allowed here
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
 
 # SDK sandbox processes don't  have any access to external storage
 neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
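Review bot: The new exclusion set on the two rules carves radio_data_file out of the neverallow without explanation, while the TODO above it only justifies shell_data_file; each exception here weakens the guarantee that the sandbox cannot reach other apps' data, so it deserves its own why-comment or an extended TODO, e.g. `# TODO(b/280514080): shell_data_file shouldn't be allowed here; radio_data_file is excluded for <reason>` with the actual reason filled in. The comment `# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file` is now stale, since the rules cover the whole app_data_file_type attribute minus three types rather than those two types; `# SDK sandbox processes have their own storage and must not reach other app data file types` would match the new rules. The identical `{ app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }` set is repeated on both lines; if the exceptions are revisited under that bug, both lines need updating together.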
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 640b054..c7e81cd 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -58,7 +58,7 @@
 dontaudit traced_perf domain:process signal;
 
 # Never allow access to app data files
-neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+neverallow traced_perf app_data_file_type:file *;
 
 # Never allow profiling privileged or otherwise incompatible domains.
 # Corresponding allow-rule is in private/domain.te.