From 0792d8a0f22ed444d2dc49e5bffa3c0e436c6ac5 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sun, 20 Mar 2016 20:29:09 -0700
Subject: [PATCH] system_server.te: expand app_data_file neverallow rule

Block other operations which involve non-file descriptor operations.

Change-Id: I5d813781c201a732aa1ee6ff6fd3d82f2af32ec7
---
 system_server.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/system_server.te b/system_server.te
index be4bac10e..5a3573a91 100644
--- a/system_server.te
+++ b/system_server.te
@@ -458,12 +458,12 @@ allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write sh
 neverallow system_server sdcard_type:dir { open read write };
 neverallow system_server sdcard_type:file rw_file_perms;
 
-# system server should never be opening zygote spawned app data
+# system server should never be operating on zygote spawned app data
 # files directly. Rather, they should always be passed via a
 # file descriptor.
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
 
 # system_server should never be executing dex2oat. This is either
 # a bug (for example, bug 16317188), or represents an attempt by
-- 
GitLab
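Review bot: The widened neverallow on the new `:file { open create unlink link }` line still leaves other path-based operations on these types unconstrained: `rename`, `setattr` (chmod/chown/utimes by path) and `relabelfrom`/`relabelto` are not in the set, and because the rule is scoped to the `file` class, `dir`, `lnk_file`, `sock_file` and `fifo_file` objects labeled app_data_file are not covered at all, which does not match the updated comment's "never be operating on ... directly". If that wording is meant literally, consider `neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link rename setattr relabelfrom relabelto };` plus a parallel rule for the `dir` class. Since neverallow is enforced by checkpolicy at build time, extending it is safe to try: any existing allow rule that conflicts fails the policy build rather than a device, which is also how to find out which of these system_server legitimately needs. Unlike the sdcard_type rule above, `read`/`write` are rightly absent here, since those permissions are still checked against the file's label when system_server uses an fd an app passed it; a one-line comment stating that, e.g. `# read/write are deliberately not listed: they are needed to use app-provided fds.`, would stop a future reader from "tightening" this into a rule that breaks fd passing.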