From 0e61a7a96d76ea46c65286d64474bb7ba301d1d6 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 25 Mar 2016 12:22:32 -0700
Subject: [PATCH] neverallow /data/anr access for isolated/untrusted apps

Add a neverallow rule (compile time assertion + CTS test) that
isolated_apps and untrusted_apps can't do anything else but append
to /data/anr/traces.txt. In particular, assert that they can't
read from the file, or overwrite other data which may already be
in the file.

Bug: 18340553
Bug: 27853304

(cherry picked from commit 369cf8cde5f69e6d6b752e250edfba80289b9c83)

Change-Id: Ib33e7ea0342ad28e5a89dfffdd9bc16fe54d8b3d
---
 isolated_app.te  | 6 ++++++
 untrusted_app.te | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/isolated_app.te b/isolated_app.te
index 6497cf162..05c4ac50a 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -40,6 +40,12 @@ neverallow isolated_app property_type:property_service set;
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app app_data_file:file open;
 
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
 # b/17487348
 # Isolated apps can only access three services,
 # activity_service, display_service and webviewupdate_service.
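Review bot: The assertion added at lines 34-35 only covers the `file` and `dir` object classes, so an `anr_data_file`-labeled symlink, FIFO or socket (if any exist under /data/anr — I cannot tell from this patch) would fall outside both the compile-time check and the CTS test. If the intent is that isolated apps can touch nothing in that directory beyond appending to traces.txt, a companion line such as `neverallow isolated_app anr_data_file:{ lnk_file fifo_file sock_file } *;` would close that gap; the same applies to the untrusted_app.te hunk. The comment "Only allow appending" is also slightly narrower than the rule, which necessarily permits `open` as well; `# Only allow open+append on /data/anr/traces.txt: no read, write, getattr or dir listing` would describe the exact permission set.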
diff --git a/untrusted_app.te b/untrusted_app.te
index d4d90ccf6..7e5d39357 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -185,3 +185,7 @@ neverallow untrusted_app {
 
 # Do not allow untrusted_app to directly open tun_device
 neverallow untrusted_app tun_device:chr_file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow untrusted_app anr_data_file:file ~{ open append };
+neverallow untrusted_app anr_data_file:dir ~search;
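Review bot: The isolated_app.te hunk records two open questions in TODO comments (whether the domain ever writes this file, whether to tighten further), but the mirror rule here carries no such note, so a reader cannot tell whether those questions were settled for untrusted_app or simply not asked. Either state that the rule is a deliberate copy of the isolated_app restriction, e.g. `# Mirrors the isolated_app restriction; see isolated_app.te for open questions`, or carry the same TODOs so both files are revisited together. The enclosing `neverallow untrusted_app {` block named in the hunk header starts outside the hunk, so I could not confirm it does not already mention anr_data_file.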
-- 
GitLab