From 529a8634e1d31967db2600ba27e55fc35b7d0195 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@linux.intel.com>
Date: Tue, 12 May 2015 20:32:29 -0700
Subject: [PATCH] neverallow "write ops" on system_data_file from "others"

Only a few system level components should be creating and writing
these files, force a type transition for shared files.

Change-Id: Ieb8aa8a36859c9873ac8063bc5999e9468ca7533
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
---
 domain.te | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/domain.te b/domain.te
index 60f2baae1..3192ace52 100644
--- a/domain.te
+++ b/domain.te
@@ -410,3 +410,22 @@ neverallow { domain -init } proc:{ file dir } mounton;
 # from a domain to a non-domain type and vice versa.
 neverallow domain ~domain:process { transition dyntransition };
 neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+  domain
+  -system_server
+  -system_app
+  -init
+  -installd # for relabelfrom and unlink, check for this in explicit neverallow
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
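Review bot: The new neverallow on `system_data_file:file` leaves the other object classes with that label unconstrained — a domain outside the exclusion list could still create or write a `lnk_file`, `fifo_file` or `sock_file` (and, via `no_w_dir_perms`, a `dir`) labeled system_data_file in a shared directory, which is the same sharing-without-a-transition pattern the comment block says to avoid; consider widening the rule to `} system_data_file:{ file lnk_file fifo_file sock_file } no_w_file_perms;` after checking the build for existing allow rules that would now trip it, and adding a parallel `dir` rule with `no_w_dir_perms` if no legitimate creator remains. The header comment also understates the exclusion list: it names only system_app and system_server, while the rule exempts init and installd as well, so I would reword it to `# Only system_server, system_app and init should be creating or writing these files (installd may only relabelfrom/unlink them; see the rule below).` so the comment and the set stay in agreement. Finally, `system_app` is an exemption for every app that runs in that domain, not a single component, which is worth calling out in the same comment since it is the broadest carve-out here.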
-- 
GitLab