neverallow write access to /data/dalvik-cache directories.

Prohibit all but a specific set of whitelisted domains from writing to /data/dalvik-cache. This is to prevent code injection into apps, zygote, or system_server. Inspired by: https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/ which depended on system UID apps having write access to /data/dalvik-cache (not allowed in AOSP policy but evidently in those device policies). Prevent this from recurring. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from commit d9bf7b3f) Change-Id: I9219ddc3af44c909af90ba694e96565f99d8190c

neverallow write access to /data/dalvik-cache directories.
Prohibit all but a specific set of whitelisted domains from writing to /data/dalvik-cache. This is to prevent code injection into apps, zygote, or system_server. Inspired by: https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/ which depended on system UID apps having write access to /data/dalvik-cache (not allowed in AOSP policy but evidently in those device policies). Prevent this from recurring. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from commit d9bf7b3f) Change-Id: I9219ddc3af44c909af90ba694e96565f99d8190c
1bcff87c · Stephen Smalley · Nick Kralevich · 904099ca · 1bcff87c
Commit 1bcff87c authored 9 years ago by Stephen Smalley Committed by Nick Kralevich 9 years ago
--- a/domain.te
+++ b/domain.te
@@ -358,6 +358,14 @@ neverallow {
  -dex2oat
 } dalvikcache_data_file:file no_w_file_perms;
+neverallow {
+  domain
+  -init
+  -installd
+  -dex2oat
+  -zygote
+} dalvikcache_data_file:dir no_w_dir_perms;
 # Only system_server should be able to send commands via the zygote socket
 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
 neverallow { domain -system_server } zygote_socket:sock_file write;