Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / refs/heads/android-16 / . / private / mlstrustedsubject.te
blob: 8fcc1d4038aa59827257b9d161f10c09c5890bd2 [file] [log] [blame]
Alan Stokes81e4e872020-02-11 14:43:05 +0000[diff] [blame]1# MLS override can't be used to access private app data.
2
3# Apps should not normally be mlstrustedsubject, but if they must be
4# they cannot use this to access app private data files; their own app
5# data files must use a different label.
6
7neverallow {
8 mlstrustedsubject
Jiakai Zhang2ffeca72022-10-21 17:03:56 +0100[diff] [blame]9 -artd # compile secondary dex files
Alan Stokes81e4e872020-02-11 14:43:05 +0000[diff] [blame]10 -installd
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame]11} {
12 app_data_file
13 privapp_data_file
14 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
15}:file ~{ read write map getattr ioctl lock append };
Alan Stokes81e4e872020-02-11 14:43:05 +0000[diff] [blame]16
17neverallow {
18 mlstrustedsubject
Jiakai Zhang2ffeca72022-10-21 17:03:56 +0100[diff] [blame]19 -artd # compile secondary dex files
Alan Stokes81e4e872020-02-11 14:43:05 +0000[diff] [blame]20 -installd
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame]21} {
22 app_data_file
23 privapp_data_file
24 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
25}:dir ~{ read getattr search };
26
27is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
28 neverallow {
29 mlstrustedsubject
30 -artd # compile secondary dex files
31 -installd
32 -vold # encryption of storage areas
33 -vold_prepare_subdirs # creation of storage area directories
34 } { storage_area_dir storage_area_app_dir }:dir ~{ read getattr search };
35')
Alan Stokes81e4e872020-02-11 14:43:05 +0000[diff] [blame]36
Alan Stokes81e4e872020-02-11 14:43:05 +0000[diff] [blame]37neverallow {
38 mlstrustedsubject
Jiakai Zhang2ffeca72022-10-21 17:03:56 +0100[diff] [blame]39 -artd # compile secondary dex files
Alan Stokes81e4e872020-02-11 14:43:05 +0000[diff] [blame]40 -installd
Alan Stokes81e4e872020-02-11 14:43:05 +0000[diff] [blame]41 -system_server
42 -adbd
43 -runas
Alan Stokes81e4e872020-02-11 14:43:05 +0000[diff] [blame]44 -zygote
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame]45} {
46 app_data_file
47 privapp_data_file
48 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
49}:dir { read getattr search };
50
51is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
52 neverallow {
53 mlstrustedsubject
54 -artd # compile secondary dex files
55 -installd
56 -system_server
57 -adbd
58 -runas
59 -vold # encryption of storage area directories
60 -vold_prepare_subdirs # creation of storage area directories
61 -zygote
62 } { storage_area_dir storage_area_app_dir }:dir { read getattr search };
63')