From 0099148ee4c69d0eabb3f73735a6e94f72842dbc Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 12 May 2014 11:55:20 -0400
Subject: [PATCH] Audit zygote create/write access to system_data_file.

Report any attempts by zygote to create/write files in system_data_file
so that we can ultimately move any such cases to their own type
and reduce this to read-only access.

Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 zygote.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/zygote.te b/zygote.te
index 199f16554..a1b6068b7 100644
--- a/zygote.te
+++ b/zygote.te
@@ -20,6 +20,8 @@ allow zygote appdomain:process { getpgid setpgid };
 # Write to system data.
 allow zygote system_data_file:dir rw_dir_perms;
 allow zygote system_data_file:file create_file_perms;
+auditallow zygote system_data_file:dir { write add_name remove_name };
+auditallow zygote system_data_file:file { create setattr write append link unlink rename };
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
 # For art.
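Review bot: The two auditallow rules on the new lines carry no comment, so a later maintainer reading zygote.te sees audit rules beside the matching allow rules with no hint that they are a temporary measurement step; a one-line comment above them would make the intent from the commit message live in the policy itself, e.g. `# Audit write access to system_data_file so remaining writers can be moved to their own type and the allow rules above reduced to read-only.`. The audit set on the dir line appears to mirror the write half of rw_dir_perms, but the file line also lists link, which from the macro name create_file_perms on the preceding allow line seemingly does not grant; since auditallow only records granted accesses, that term looks inert and could be dropped so the audit set matches exactly what is allowed. Whoever later narrows the allow rules should update or remove these auditallow rules in the same change, otherwise they will silently stop reporting anything.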
-- 
GitLab