From 7d7151647f41f562dd324a5def86ee10c234f870 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 21 Nov 2014 09:28:42 -0800
Subject: [PATCH] Do not allow isolated_app to directly open app data files.

Only allow it to read/write/stat already open app data files
received via Binder or local socket IPC.

Change-Id: Ie66f240e109410a17aa93d9d5dea4c2b87d47009
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te          | 4 ++--
 isolated_app.te | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/app.te b/app.te
index 574243196..47c05aca1 100644
--- a/app.te
+++ b/app.te
@@ -46,8 +46,8 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
-allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
 
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
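Review bot: The comment `# App sandbox file accesses.` above the two changed allow lines no longer describes them once `-isolated_app` is subtracted, and a reader of app.te alone cannot see where isolated_app's remaining app_data_file access is defined. Suggest widening it to `# App sandbox file accesses (isolated_app is excluded; it only gets already-open fds over IPC, see isolated_app.te).` so the exclusion is explained at the point it is made.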
diff --git a/isolated_app.te b/isolated_app.te
index f17372aec..6fc7a99ab 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -12,6 +12,12 @@
 type isolated_app, domain;
 app_domain(isolated_app)
 
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app app_data_file:file { read write getattr };
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:file { rw_file_perms execute };
 
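Review bot: The added `allow isolated_app app_data_file:file { read write getattr };` omits `append` and `lock`, so a descriptor received over Binder that the sender opened with O_APPEND, or that the isolated app tries to fcntl/flock-lock, would still be denied: SELinux checks `append` rather than `write` for writes through an O_APPEND fd, and file locking is a separate `lock` permission. If passing such descriptors is intended, the set should become `{ read write append getattr lock }` (still without `open`); if it is not, a comment stating that append-mode and locked files are deliberately excluded would save the next reader the question. The new neverallow pins `open` only for the `file` class; since app.te now grants isolated_app nothing on the rest of notdevfile_class_set, `neverallow isolated_app app_data_file:notdevfile_class_set open;` would lock down the same set that was removed there, assuming no other rule in the tree needs it.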
-- 
GitLab