Audit zygote create/write access to system_data_file.

Report any attempts by zygote to create/write files in system_data_file so that we can ultimately move any such cases to their own type and reduce this to read-only access. Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Audit zygote create/write access to system_data_file.
Report any attempts by zygote to create/write files in system_data_file so that we can ultimately move any such cases to their own type and reduce this to read-only access. Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
0099148e · Stephen Smalley · 41e14c7f · 0099148e
Commit 0099148e authored 10 years ago by Stephen Smalley
--- a/zygote.te
+++ b/zygote.te
@@ -20,6 +20,8 @@ allow zygote appdomain:process { getpgid setpgid };
 # Write to system data.
 allow zygote system_data_file:dir rw_dir_perms;
 allow zygote system_data_file:file create_file_perms;
+auditallow zygote system_data_file:dir { write add_name remove_name };
+auditallow zygote system_data_file:file { create setattr write append link unlink rename };
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
 # For art.