Commit 0792d8a0 authored by Nick Kralevich

system_server.te: expand app_data_file neverallow rule

Block other operations which involve non-file descriptor
operations.

Change-Id: I5d813781c201a732aa1ee6ff6fd3d82f2af32ec7
parent 610f461e
......@@ -458,12 +458,12 @@ allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write sh
neverallow system_server sdcard_type:dir { open read write };
neverallow system_server sdcard_type:file rw_file_perms;
# system server should never be opening zygote spawned app data
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Types extracted from seapp_contexts type= fields, excluding
# those types that system_server needs to open directly.
neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
......
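Review bot: the widened permission set on the new neverallow line, `{ open create unlink link }`, omits `rename`, which also acts on a file by path rather than through a passed file descriptor and so falls under the "non-file descriptor operations" the commit message sets out to block. Consider adding it, or say in the comment why it is left out. The rule is also limited to class `file`, and the unchanged comment line "those types that system_server needs to open directly" still speaks only of opening while the updated line above it says "operating on"; aligning the two would make the intended scope clear.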