From 92c44a578cbcb6ec7cdf8b304f1738cc75074379 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 22 Mar 2017 10:35:24 -0700
Subject: [PATCH] app.te: prevent locks of files on /system

Prevent app domains (processes spawned by zygote) from acquiring
locks on files in /system. In particular, /system/etc/xtables.lock
must never be lockable by applications, as it will block future
iptables commands from running.

Test: device boots and no obvious problems.
Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b
---
 private/app.te             | 5 +++--
 private/app_neverallows.te | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/private/app.te b/private/app.te
index f21887e92..ed2d8b608 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,11 +87,12 @@ allow appdomain oemfs:file rx_file_perms;
 
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
 
 # Renderscript needs the ability to read directories on /system
-r_dir_file(appdomain, system_file)
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
 
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
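Review bot: The `rx_file_perms` → `x_file_perms` swap on the `system_file:file` line removes more than `lock` from appdomain's own grant: `x_file_perms` carries only `getattr execute execute_no_trans`, so `read`, `open` and `ioctl` are dropped here too, and the replacement of `r_dir_file(appdomain, system_file)` with explicit `dir`/`lnk_file` rules leaves this file with no `system_file:file` read grant at all. That is presumably intended because read access to /system is granted to every domain elsewhere in the policy, but neither the hunk nor the commit message says so, and a later reader will wonder why a file-execute rule has no matching read. A one-line comment above the changed allow would make the intent explicit, e.g. `# read/open of system_file comes from the domain-wide rules; lock is deliberately not granted (see app_neverallows.te)`, with the domain-wide claim confirmed against the rest of the policy. The lnk_file rule also silently drops `ioctl` and `lock` relative to the old macro, which is harmless but worth a word in the same comment.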
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 15ab764c4..5e47b68db 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -100,3 +100,7 @@ neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
 
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
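Review bot: The neverallow is scoped to `all_untrusted_apps`, while the commit message (and the app.te hunk) talks about all app domains spawned by zygote, so privileged and platform apps are not covered by the compile-time guarantee and could regain `lock` on `system_file` through any other allow rule without a build failure. If the xtables.lock concern applies to every zygote-spawned process, consider `neverallow appdomain system_file:file lock;`, or, if some app domain legitimately needs it, name that reason in the comment so the narrower scope reads as a choice rather than an oversight. Since neverallow rules are checked at policy build time, this rule is the enforceable part of the change and would also catch a domain-wide `r_file_perms` grant that still includes `lock`; the `Test:` line could mention that the policy compiled with the new neverallow rather than only that the device boots.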
-- 
GitLab