From 008e80aff67d13f74fb69db10a4b50a7aed151ec Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Wed, 11 Dec 2013 09:08:09 -0500 Subject: Allow untrusted apps to execute binaries from their sandbox directories. Various third party apps come with their own binaries that they write out to their sandbox directories and then execute, e.g.: audit(1386527439.462:190): avc: denied { execute_no_trans } for pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file While this is not ideal from a security POV, it seems necessary to support for compatibility with Android today. Split out the execute-related permissions to a separate allow rule as it only makes sense for regular files (class file) not other kinds of files (e.g. fifos, sockets, symlinks), and use the rx_file_perms macro. Move the rule to untrusted_app only so that we do not permit system apps to execute files written by untrusted apps. Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c Signed-off-by: Stephen Smalley --- app.te | 2 +- untrusted_app.te | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/app.te b/app.te index 4f07f47..a5bbc45 100644 --- a/app.te +++ b/app.te @@ -30,7 +30,7 @@ binder_call(appdomain, surfaceflinger) # App sandbox file accesses. allow appdomain app_data_file:dir create_dir_perms; -allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute }; +allow appdomain app_data_file:notdevfile_class_set create_file_perms; # lib subdirectory of /data/data dir is system-owned. allow appdomain system_data_file:dir r_dir_perms; diff --git a/untrusted_app.te b/untrusted_app.te index bdc9417..d7c053d 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -15,6 +15,10 @@ app_domain(untrusted_app) net_domain(untrusted_app) bluetooth_domain(untrusted_app) +# Some apps ship with shared libraries and binaries that they write out +# to their sandbox directory and then execute. +allow untrusted_app app_data_file:file rx_file_perms; + allow untrusted_app tun_device:chr_file rw_file_perms; # Internal SDCard rw access. -- cgit v1.2.3