From 354710e44058e38abcf2dc0fd81e63153900da98 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Tue, 14 Jul 2015 16:23:12 -0700
Subject: [PATCH] Prevent appdomain from creating globally readable symlinks.

Change-Id: I34db8855a55426f6a590a89cc6c157e1ccd50ff9
---
 app.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/app.te b/app.te
index 40de074db..a78fad16a 100644
--- a/app.te
+++ b/app.te
@@ -367,3 +367,14 @@ neverallow appdomain fs_type:filesystem ~getattr;
 # Ability to set system properties.
 neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
     property_type:property_service set;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+  apk_data_file
+  cache_file
+  dev_type
+  rootfs
+  system_file
+  security_file
+  tmpfs
+}:lnk_file no_w_file_perms;
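Review bot: The comment on the new neverallow says "globally readable symlinks", but the rule does not test readability: it denies appdomain the no_w_file_perms set on lnk_file objects of the seven listed types, and the reason is left unstated. I would state the intent directly, presumably something like `# Apps must not create or modify symlinks under labels that other domains read and follow;` followed by `# a more privileged process resolving such a link could be redirected to an unintended target.` The type set is an explicit list, so a widely readable label added later is not covered unless it is appended here. It also looks like `tmpfs` names only the generic type rather than any per-domain tmpfs types, which is worth confirming. If no_w_file_perms does not already include relabelto, consider whether it belongs in this assertion too.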
-- 
GitLab