From 024dc1ce3cb590612e1179a053b3e6ab835ca48e Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 20 Jan 2016 14:36:45 -0800
Subject: [PATCH] system_app: remove perms to write to system_data_file

Strengthen neverallow rule to enforce that no apps may write to system_data_file - the default label for /data/

Change-Id: I886e4340f300551754c9e33e9c1764fb730b6b14
---
 app.te        | 4 +---
 system_app.te | 9 +--------
 2 files changed, 2 insertions(+), 11 deletions(-)

diff --git a/app.te b/app.te
index 324039238..b03355f9e 100644
--- a/app.te
+++ b/app.te
@@ -321,9 +321,7 @@ neverallow appdomain exec_type:file
 # This is the default type for anything under /data not otherwise
 # specified in file_contexts. Define a different type for portions
 # that should be writable by apps.
-# Exception for system_app for Settings.
-neverallow { appdomain -system_app }
-    system_data_file:dir_file_class_set
+neverallow appdomain system_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Write to various other parts of /data.
diff --git a/system_app.te b/system_app.te
index 36c5cfc2f..8589a9d14 100644
--- a/system_app.te
+++ b/system_app.te
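Review bot: The permission list on the new unconditional neverallow has no `rmdir`, `add_name`, `remove_name` or `reparent`, even though the auditallow rules this same patch deletes from system_app.te were tracking `add_name remove_name rmdir` on system_data_file directories. `add_name`/`remove_name` are normally accompanied by a `write` check on the same directory, which the rule does cover, but `rmdir` and `reparent` are checked on the directory being removed or moved rather than on its parent, so a stray `allow <app> system_data_file:dir rmdir` would not be caught at policy build time. Those permissions exist only on the `dir` class, and as far as I recall checkpolicy rejects a permission that is not defined for every class in a class set, so a companion rule `neverallow appdomain system_data_file:dir { add_name remove_name rmdir reparent };` directly below is the simplest way to close the gap. A why-comment on the new line would also help the next reader: `# relabelfrom/relabelto are included so an app cannot relabel a file out of this type to escape the rule.`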
@@ -16,16 +16,9 @@ allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
 allow system_app keychain_data_file:dir r_dir_perms;
 allow system_app keychain_data_file:file r_file_perms;
 
-# Read and write to other system-owned /data directories, such as
-# /data/system/cache and /data/misc/user.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
+# Read and write to /data/misc/user.
 allow system_app misc_user_data_file:dir create_dir_perms;
 allow system_app misc_user_data_file:file create_file_perms;
-# Audit writes to these directories and files so we can identify
-# and possibly move these directories into their own type in the future.
-auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
-auditallow system_app system_data_file:file { create setattr append write link unlink rename };
 
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
-- 
GitLab
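Review bot: The rewritten comment (`+# Read and write to /data/misc/user.`) silently drops `/data/system/cache`, which the removed text named as a system_data_file path that system_app writes, yet this patch neither relabels that directory nor adds a replacement allow rule for it. If Settings still writes there, those writes are now denied, and because the two `auditallow` lines are removed in the same hunk the only remaining signal is an avc denial in the log rather than the audit-only report the old rules produced. If /data/system/cache already carries its own type, the comment should say so, e.g. `# Read and write to /data/misc/user. /data/system/cache is labeled separately;` and `# any other /data path system_app writes needs a dedicated type (see the neverallow in app.te).`; otherwise a file_contexts change should land before or together with this one.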