Neverallow isolated and untrusted apps to write system properties
and, as a consequence, open the way for other appdomains (e.g. platform_app) to write system properties. Change-Id: Ie6ad4d17247165564456e5b0d78f705a82cdcde7
parent
29f2e33efa
commit
0d8e9adf49
6
app.te
6
app.te
@ -278,8 +278,6 @@ neverallow appdomain socket_device:sock_file write;
|
|||||||
# Unix domain sockets.
|
# Unix domain sockets.
|
||||||
neverallow appdomain adbd_socket:sock_file write;
|
neverallow appdomain adbd_socket:sock_file write;
|
||||||
neverallow appdomain installd_socket:sock_file write;
|
neverallow appdomain installd_socket:sock_file write;
|
||||||
neverallow { appdomain -bluetooth -radio -shell -system_app -nfc }
|
|
||||||
property_socket:sock_file write;
|
|
||||||
neverallow { appdomain -radio } rild_socket:sock_file write;
|
neverallow { appdomain -radio } rild_socket:sock_file write;
|
||||||
neverallow appdomain vold_socket:sock_file write;
|
neverallow appdomain vold_socket:sock_file write;
|
||||||
neverallow appdomain zygote_socket:sock_file write;
|
neverallow appdomain zygote_socket:sock_file write;
|
||||||
@ -385,10 +383,6 @@ neverallow { appdomain -system_app -shell }
|
|||||||
# i.e. no mount(2), unmount(2), etc.
|
# i.e. no mount(2), unmount(2), etc.
|
||||||
neverallow appdomain fs_type:filesystem ~getattr;
|
neverallow appdomain fs_type:filesystem ~getattr;
|
||||||
|
|
||||||
# Ability to set system properties.
|
|
||||||
neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
|
|
||||||
property_type:property_service set;
|
|
||||||
|
|
||||||
# prevent creation/manipulation of globally readable symlinks
|
# prevent creation/manipulation of globally readable symlinks
|
||||||
neverallow appdomain {
|
neverallow appdomain {
|
||||||
apk_data_file
|
apk_data_file
|
||||||
|
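Review bot: Removing the appdomain-wide `neverallow { appdomain -system_app -radio -shell -bluetooth -nfc } property_type:property_service set;` here (and the matching `property_socket:sock_file write` rule in the first hunk) leaves property setting unasserted by default for every app domain other than isolated_app and untrusted_app, including any appdomain type added later, because the per-domain rules in isolated_app.te and untrusted_app.te name only those two domains. That is the intended effect per the description, but it is worth stating in place so the next reader does not take the missing rule for an accidental drop: `# Property setting is neverallow'd per domain; see isolated_app.te and untrusted_app.te.` Note also that dropping a neverallow grants nothing by itself: a domain such as platform_app still needs explicit allow rules for property_socket write and property_service set, which this change does not add.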
@ -29,6 +29,10 @@ allow isolated_app self:process ptrace;
|
|||||||
##### Neverallow
|
##### Neverallow
|
||||||
#####
|
#####
|
||||||
|
|
||||||
|
# Do not allow isolated_app to set system properties.
|
||||||
|
neverallow isolated_app property_socket:sock_file write;
|
||||||
|
neverallow isolated_app property_type:property_service set;
|
||||||
|
|
||||||
# Isolated apps should not directly open app data files themselves.
|
# Isolated apps should not directly open app data files themselves.
|
||||||
neverallow isolated_app app_data_file:file open;
|
neverallow isolated_app app_data_file:file open;
|
||||||
|
|
||||||
|
@ -142,3 +142,7 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
|
|||||||
# Do not allow untrusted_app access to /cache
|
# Do not allow untrusted_app access to /cache
|
||||||
neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
|
neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
|
||||||
neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
|
neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
|
||||||
|
|
||||||
|
# Do not allow untrusted_app to set system properties.
|
||||||
|
neverallow untrusted_app property_socket:sock_file write;
|
||||||
|
neverallow untrusted_app property_type:property_service set;
|
||||||
|
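Review bot: The comment `# Do not allow untrusted_app to set system properties.` could say why two rules follow it, since the pair removed from app.te was split across two sections and a reader may assume one of them is redundant: the first denies writing to the property socket, the second denies the property_service `set` check, and asserting only one would leave a partial guarantee. Suggested: `# Do not allow untrusted_app to set system properties: neither the property socket write nor the property_service set check.` The same applies to the identical comment added in isolated_app.te.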