Merge "Improve tests protecting private app data"

db459a1b · Treehugger Robot · Gerrit Code Review · a5db154e · ab82125f · db459a1b
Commit db459a1b authored 6 years ago by Treehugger Robot Committed by Gerrit Code Review 6 years ago
--- a/private/domain.te
+++ b/private/domain.te
@@ -121,3 +121,58 @@ full_treble_only(`
 # Disallow direct access by other processes.
 neverallow { domain -init -system_server } dropbox_data_file:dir *;
 neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
+###
+# Services should respect app sandboxes
+neverallow {
+  domain
+  -appdomain
+  -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+# Only the following processes should be directly accessing private app
+# directories.
+neverallow {
+  domain
+  -adbd
+  -appdomain
+  -dexoptanalyzer
+  -init
+  -installd
+  -mediaserver # b/80300620
+  userdebug_or_eng(`-perfprofd')
+  -profman
+  -runas
+  -system_server
+  -vold
+} app_data_file:dir *;
+# Only apps should be modifying app data. init and installd are exempted for
+# restorecon and package install/uninstall.
+neverallow {
+  domain
+  -appdomain
+  -init
+  -installd
+} app_data_file:dir ~r_dir_perms;
+neverallow {
+  domain
+  -appdomain
+  -installd
+  -mediaserver # b/80300620
+  userdebug_or_eng(`-perfprofd')
+  -vold # b/80418809
+} app_data_file:file_class_set open;
+neverallow {
+  domain
+  -appdomain
+  -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+neverallow {
+  domain
+  -init
+  -installd
+} app_data_file:dir_file_class_set { relabelfrom relabelto };
--- a/public/domain.te
+++ b/public/domain.te
@@ -1182,20 +1182,6 @@ neverallow {
  priv_app
 } system_app_data_file:dir_file_class_set { create unlink open };
-# Services should respect app sandboxes
-neverallow {
-  domain
-  -appdomain
-  -installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
-neverallow {
-  domain
-  -init
-  -installd
-} app_data_file:dir_file_class_set { relabelfrom relabelto };
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell

--- a/public/init.te
+++ b/public/init.te
@@ -210,6 +210,8 @@ allow init {
 allow init cache_file:lnk_file r_file_perms;
 allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
+# does init really need to relabel app data?
+userdebug_or_eng(`auditallow init app_data_file:dir_file_class_set relabelto;')
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;

--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -30,7 +30,10 @@ binder_service(mediaserver)
 allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
+# TODO(b/80190017, b/80300620): remove direct access to private app data
+userdebug_or_eng(`auditallow mediaserver app_data_file:dir search;')
 allow mediaserver app_data_file:dir search;
+userdebug_or_eng(`auditallow mediaserver app_data_file:file open;')
 allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver sdcard_type:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;

--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -4,9 +4,6 @@ type uncrypt_exec, exec_type, file_type;
 allow uncrypt self:global_capability_class_set dac_override;
-# Read OTA zip file from /data/data/com.google.android.gsf/app_download
-r_dir_file(uncrypt, app_data_file)
 userdebug_or_eng(`
  # For debugging, allow /data/local/tmp access
  r_dir_file(uncrypt, shell_data_file)

--- a/public/vold.te
+++ b/public/vold.te
@@ -81,7 +81,10 @@ allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
 allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+# TODO(b/80418809): remove direct access to private app data
+userdebug_or_eng(`auditallow vold app_data_file:dir search;')
 allow vold app_data_file:dir search;
+userdebug_or_eng(`auditallow vold app_data_file:file rw_file_perms;')
 allow vold app_data_file:file rw_file_perms;
 allow vold loop_control_device:chr_file rw_file_perms;
 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };