Commit 0b67bb88 authored by Jeff Vander Stoep's avatar Jeff Vander Stoep

Further lock down app data

Assert that only apps and installd may open private app files.

Remove "open" permission for mediaserver/vold and remove their
neverallow exemption.

Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728
......@@ -142,12 +142,10 @@ neverallow {
-dexoptanalyzer
-init
-installd
-mediaserver # b/80300620
userdebug_or_eng(`-perfprofd')
-profman
-runas
-system_server
-vold
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. init and installd are exempted for
......@@ -163,9 +161,7 @@ neverallow {
domain
-appdomain
-installd
-mediaserver # b/80300620
userdebug_or_eng(`-perfprofd')
-vold # b/80418809
} { privapp_data_file app_data_file }:file_class_set open;
neverallow {
......
......@@ -1280,7 +1280,6 @@ neverallow {
domain
-appdomain
-installd
-uncrypt # TODO: see if we can remove
} { app_data_file privapp_data_file }:lnk_file read;
neverallow {
......
......@@ -27,11 +27,7 @@ binder_service(mediaserver)
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
# TODO(b/80190017, b/80300620): remove direct access to private app data
userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:dir search;')
allow mediaserver { app_data_file privapp_data_file }:dir search;
userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:file open;')
allow mediaserver { app_data_file privapp_data_file }:file rw_file_perms;
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
allow mediaserver sdcard_type:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
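Review bot: The surviving rule `allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };` keeps write, append and ioctl on private app files while dropping only `open`, so it appears to be reachable solely through file descriptors an app hands to mediaserver, yet nothing in the hunk says so and a later maintainer could read it as a gap the new `open` neverallow missed. The TODO on the line above it also still cites b/80300620, which this commit marks as fixed. I would rewrite that comment as `# TODO(b/80190017): remove remaining access to private app data. No "open": mediaserver reaches these files only via fds passed to it by apps.` If the ioctl surface on those passed fds is a concern, an `allowxperm` ioctl allowlist scoped to this rule would narrow it further, though I cannot tell from this hunk which ioctls mediaserver actually needs.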
......
......@@ -81,11 +81,6 @@ allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# TODO(b/80418809): remove direct access to private app data
userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:dir search;')
allow vold { app_data_file privapp_data_file }:dir search;
userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:file rw_file_perms;')
allow vold { app_data_file privapp_data_file }:file rw_file_perms;
allow vold loop_control_device:chr_file rw_file_perms;
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
......