am 4d4e7472: am 354710e4: Prevent appdomain from creating globally readable symlinks.

* commit '4d4e7472': Prevent appdomain from creating globally readable symlinks.

am 4d4e7472: am 354710e4: Prevent appdomain from creating globally readable symlinks.
408f9ddd · dcashman · Android Git Automerger · e1f39a0c · 4d4e7472 · 408f9ddd
Commit 408f9ddd authored Jul 15, 2015 by dcashman Committed by Android Git Automerger Jul 15, 2015
--- a/app.te
+++ b/app.te
@@ -367,3 +367,14 @@ neverallow appdomain fs_type:filesystem ~getattr;
 # Ability to set system properties.
 neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
    property_type:property_service set;
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+  apk_data_file
+  cache_file
+  dev_type
+  rootfs
+  system_file
+  security_file
+  tmpfs
+}:lnk_file no_w_file_perms;