authorStephen Smalley <sds@tycho.nsa.gov>2013-12-11 09:08:09 -0500
committerSteve Kondik <shade@chemlab.org>2014-05-16 02:25:33 -0700
commit008e80aff67d13f74fb69db10a4b50a7aed151ec (patch)
treef0fde2e883cde6d6ece4343c7ce7dcfbcdfea6f1
parent19a1792d701868e625de9493119cf7d458b4f210 (diff)
Allow untrusted apps to execute binaries from their sandbox directories.
Various third party apps come with their own binaries that they write out to their sandbox directories and then execute, e.g.: audit(1386527439.462:190): avc: denied { execute_no_trans } for pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file While this is not ideal from a security POV, it seems necessary to support for compatibility with Android today. Split out the execute-related permissions to a separate allow rule as it only makes sense for regular files (class file) not other kinds of files (e.g. fifos, sockets, symlinks), and use the rx_file_perms macro. Move the rule to untrusted_app only so that we do not permit system apps to execute files written by untrusted apps. Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r--app.te2
-rw-r--r--untrusted_app.te4
2 files changed, 5 insertions, 1 deletions
diff --git a/app.te b/app.te
index 4f07f47..a5bbc45 100644
--- a/app.te
+++ b/app.te
@@ -30,7 +30,7 @@ binder_call(appdomain, surfaceflinger)
# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
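Review bot: Nothing in app.te now records that `execute` was deliberately dropped from the appdomain rule, so a later reader of `allow appdomain app_data_file:notdevfile_class_set create_file_perms;` may re-add it for every app domain and undo the point of this commit. The reason given in the commit message (execute only makes sense for class file, and only untrusted_app should get it) is worth keeping next to the rule. Extend the comment above it to: `# App sandbox file accesses. Execute on app_data_file is intentionally not granted here; it is granted to untrusted_app alone in untrusted_app.te.`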
diff --git a/untrusted_app.te b/untrusted_app.te
index bdc9417..d7c053d 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -15,6 +15,10 @@ app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app app_data_file:file rx_file_perms;
+
allow untrusted_app tun_device:chr_file rw_file_perms;
# Internal SDCard rw access.
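Review bot: The new rule `allow untrusted_app app_data_file:file rx_file_perms;` is a compatibility exception that the commit message says must not extend to system apps, yet nothing in the policy enforces that intent, so a later allow in app.te or in another app domain would widen it without any build-time complaint. A statement such as `neverallow { appdomain -untrusted_app } app_data_file:file { execute execute_no_trans };` would make the restriction checked when the policy is compiled; which file the project uses for its neverallow statements is not visible in this hunk. The comment on the new lines could also say that the denial behind this change was execute_no_trans (running a binary), while rx_file_perms, if it expands as in the project's global macros, additionally grants execute (mapping a shared library), so both cases named in the comment are covered.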