From db664c9ed37f933753bc29c335b70cee7e707caa Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Mon, 8 Feb 2016 16:20:50 -0800
Subject: [PATCH] untrusted_app: confine filesystem creation to sandbox

untrusted_apps could be allowed to create/unlink files in world
accessible /data locations. These applications could create
files in a way that would need cap dac_override to remove from
the system when they are uninstalled and/or leave orphaned
data behind.

Keep untrusted_app file creation to sandbox, sdcard and media
locations.

Signed-off-by: William Roberts <william.c.roberts@intel.com>

(cherry picked from commit bd0768cc93e6c934ccec62e521228fecddb5d61b)

Change-Id: Ideb275f696606882d8a5d8fdedb48545a34de887
---
 untrusted_app.te | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/untrusted_app.te b/untrusted_app.te
index d864424b9..89dbfdda2 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -154,3 +154,21 @@ neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr
 # Do not allow untrusted_app to set system properties.
 neverallow untrusted_app property_socket:sock_file write;
 neverallow untrusted_app property_type:property_service set;
+
+# Do not allow untrusted_app to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow untrusted_app {
+  fs_type
+  -fuse                     # sdcard
+  file_type
+  -app_data_file            # The apps sandbox itself
+  -media_rw_data_file       # Internal storage. Known that apps can
+                            # leave artfacts here after uninstall.
+  userdebug_or_eng(`
+    -method_trace_data_file # only on ro.debuggable=1
+    -coredump_file          # userdebug/eng only
+  ')
+}:dir_file_class_set { create unlink };
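Review bot: The `-fuse` exemption on the fs_type line is keyed to the filesystem type, so it exempts every fuse-backed mount rather than only the sdcard the trailing comment names; whether that is wider than intended depends on what else the platform mounts as fuse, which this hunk cannot show. Making the intent checkable would be as simple as rewording the comment to `-fuse                     # sdcard (any other fuse mount is also exempt)` or, if a narrower label exists for the sdcard mount, using that instead. The rule also only denies `{ create unlink }`, so moving an existing file into a world-accessible location via rename, or hard-linking it there, is presumably still governed by the ordinary allow rules rather than this neverallow; confirming that is intended would close the obvious follow-up question. Separately, the comment on the `-media_rw_data_file` line misspells `artifacts` as `artfacts`.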
-- 
GitLab