neverallow read to shell- and app-writable symlinks.

To reduce the likelihood of malicious symlink attacks, neverallow read access to shell- and app-writable symlinks. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from commit 9d439d3d) Bug: 21924438 Change-Id: Icf1ccca71ef4395de8be8503359f76f89cc9e1a5

neverallow read to shell- and app-writable symlinks.
To reduce the likelihood of malicious symlink attacks, neverallow read access to shell- and app-writable symlinks. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from commit 9d439d3d) Bug: 21924438 Change-Id: Icf1ccca71ef4395de8be8503359f76f89cc9e1a5
16873c10 · Stephen Smalley · Nick Kralevich · 64620270 · 16873c10
Commit 16873c10 authored 9 years ago by Stephen Smalley Committed by Nick Kralevich 9 years ago
--- a/domain.te
+++ b/domain.te
@@ -456,3 +456,20 @@ neverallow {
  -runas
  -zygote
 } shell:process { transition dyntransition };
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+  domain
+  -appdomain
+  -installd
+  -uncrypt  # TODO: see if we can remove
+} app_data_file:lnk_file read;
+neverallow {
+  domain
+  -shell
+  userdebug_or_eng(`-uncrypt')
+  -installd
+  -surfaceflinger # TODO: see if we can remove from mako sepolicy
+} shell_data_file:lnk_file read;