strengthen app_data_file neverallows There are more types of apps now. Bug: 281877578 Test: boot Change-Id: I1918de8610070f6fac0e933d75c656e4ee0cfbdd

commit: f3722d5a715992c74b567efd71179955b41c9157 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Mon May 22 23:45:40 2023 +0000
committer: Steven Moreland <smoreland@google.com> Tue May 23 00:01:27 2023 +0000
tree: a0df365a9592651fcbfbc557ff4bc175aa9f1c6d
parent: b56bf68763bcb2a47fae192b57c8b67d9fcd25c3 [diff] [blame]
diff --git a/private/priv_app.te b/private/priv_app.te
index b455732..52077ef 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -262,10 +262,10 @@
 # application home directories. Code loading across a security boundary
 # is dangerous and allows a full compromise of a privileged process
 # by an unprivileged process. b/112357170
-neverallow priv_app app_data_file:file no_x_file_perms;
+neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;
 
-# Do not follow untrusted app provided symlinks
-neverallow priv_app app_data_file:lnk_file { open read getattr };
+# Do not follow any app provided symlinks
+neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };
 
 # Do not allow getting permission-protected network information from sysfs.
 neverallow priv_app sysfs_net:file *;
commit	f3722d5a715992c74b567efd71179955b41c9157	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Mon May 22 23:45:40 2023 +0000
committer	Steven Moreland <smoreland@google.com>	Tue May 23 00:01:27 2023 +0000
tree	a0df365a9592651fcbfbc557ff4bc175aa9f1c6d
parent	b56bf68763bcb2a47fae192b57c8b67d9fcd25c3 [diff] [blame]