PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Neverallow isolated and untrusted apps to write system properties

Browse Source 
and as a consequence open up for other appdomains (e.g. platform_app)
to write system properties.

Change-Id: Ie6ad4d17247165564456e5b0d78f705a82cdcde7
This commit is contained in:
Johan Redestig 2016-01-08 19:35:19 +01:00 committed by Nick Kralevich
parent 29f2e33efa
commit 0d8e9adf49
3 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app.te
View File

@ -278,8 +278,6 @@ neverallow appdomain socket_device:sock_file write;
# Unix domain sockets. # Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write; neverallow appdomain adbd_socket:sock_file write;
neverallow appdomain installd_socket:sock_file write; neverallow appdomain installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -nfc }
property_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write; neverallow { appdomain -radio } rild_socket:sock_file write;
neverallow appdomain vold_socket:sock_file write; neverallow appdomain vold_socket:sock_file write;
neverallow appdomain zygote_socket:sock_file write; neverallow appdomain zygote_socket:sock_file write;
@ -385,10 +383,6 @@ neverallow { appdomain -system_app -shell }
# i.e. no mount(2), unmount(2), etc. # i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr; neverallow appdomain fs_type:filesystem ~getattr;
# Ability to set system properties.
neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
property_type:property_service set;
# prevent creation/manipulation of globally readable symlinks # prevent creation/manipulation of globally readable symlinks
neverallow appdomain { neverallow appdomain {
apk_data_file apk_data_file

4
isolated_app.te
View File

@ -29,6 +29,10 @@ allow isolated_app self:process ptrace;
##### Neverallow ##### Neverallow
##### #####
# Do not allow isolated_app to set system properties.
neverallow isolated_app property_socket:sock_file write;
neverallow isolated_app property_type:property_service set;
# Isolated apps should not directly open app data files themselves. # Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open; neverallow isolated_app app_data_file:file open;

4
untrusted_app.te
View File

@ -142,3 +142,7 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
# Do not allow untrusted_app access to /cache # Do not allow untrusted_app access to /cache
neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms }; neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr }; neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
# Do not allow untrusted_app to set system properties.
neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app property_type:property_service set;