| field | value |
|---|---|
| author | Nick Kralevich <nnk@google.com>, 2014-10-23 10:29:10 -0700 |
| committer | Nick Kralevich <nnk@google.com>, 2014-10-23 10:33:54 -0700 |
| commit | b519949df150ebe4fc9bf3db52542bb5d9238d4e (patch) |
| tree | e6161200703cc134aa5e933f393bab53f7b54821 (system_server.te) |
| parent | 46f3ce87d9a130924c763a245639331c6e1a5b28 (diff) |
| download | android_external_sepolicy-b519949df150ebe4fc9bf3db52542bb5d9238d4e (.tar.gz, .tar.bz2, .zip) |
system_server: assert app data files never opened directly
Add a compile time assertion that app data files are never
directly opened by system_server. Instead, system_server always
expects files to be passed via file descriptors.
This neverallow rule will help prevent accidental regressions and
allow us to perform other security tightening, for example
bug 7208882 - Make an application's home directory 700
Bug: 7208882
Change-Id: I49c725982c4af0b8c76601b2a5a82a5c96df025d
Diffstat (limited to 'system_server.te')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | system_server.te | 7 |

1 file changed, 7 insertions, 0 deletions
diff --git a/system_server.te b/system_server.te index 020f2ab..e1528f9 100644 --- a/system_server.te +++ b/system_server.te @@ -405,3 +405,10 @@ allow system_server oemfs:dir search; # Do not allow accessing SDcard files as unsafe ejection could # cause the kernel to kill the system_server. neverallow system_server sdcard_type:file rw_file_perms; + +# system server should never be opening zygote spawned app data +# files directly. Rather, they should always be passed via a +# file descriptor. +# Types extracted from seapp_contexts type= fields, excluding +# those types that system_server needs to open directly. +neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open; |
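Review bot: the comment above the new neverallow says the type list was "extracted from seapp_contexts type= fields, excluding those types that system_server needs to open directly", but it names neither the excluded types nor why each one must be opened directly, so the exclusion cannot be audited when seapp_contexts gains a new type= value; list the excluded types in the comment and note that any new type= value belongs in this neverallow unless a reason is recorded. Two further points worth stating in the comment: the rule is scoped to the `file` class and the `open` permission only, which is exactly what fd passing needs (read/write on an inherited descriptor does not require open) but leaves `dir`, `lnk_file` and the other classes of these types unconstrained, so a reader should not take it as a blanket ban on touching app data; and since neverallow is a compile-time assertion, any existing allow rule in this file or elsewhere in the policy that grants `open` on bluetooth_data_file, nfc_data_file, shell_data_file or app_data_file will break the build, so those allow rules should be checked before this lands.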