From 91a4f8d4fdab7df8474c2ffaa996c879166d8a4c Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 7 May 2014 13:10:02 -0400
Subject: [PATCH] Label app data directories for system UID apps with a different type.

We were using system_data_file for the /data/data directories of system UID apps to match the DAC ownership of system UID shared with other system files. However, we are seeing cases where files created in these directories must be writable by other apps, and we would like to avoid allowing write to system data files outside of these directories. So introduce a separate system_app_data_file type and assign it. This should also help protect against arbitrary writes by system UID apps to other system data directories. This resolves the following denial when cropping or taking a user photo for secondary users:
avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te | 5 +++++
 file.te | 2 ++
 installd.te | 6 ++++--
 seapp_contexts | 2 +-
 system_app.te | 7 +++----
 5 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/app.te b/app.te
index ba99e55b0..81c6a5343 100644
--- a/app.te
+++ b/app.te
@@ -109,6 +109,11 @@ allow appdomain media_rw_data_file:file { read getattr };
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow appdomain radio_data_file:file { read write getattr };
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app system_app_data_file:file { read write getattr };
+
 
 # Access SDcard.
 allow appdomain sdcard_type:dir create_dir_perms;
 allow appdomain sdcard_type:file create_file_perms;
diff --git a/file.te b/file.te
index f42585a11..b1a1e24e9 100644
--- a/file.te
+++ b/file.te
@@ -81,6 +81,8 @@ type zoneinfo_data_file, file_type, data_file_type;
 typealias audio_data_file alias audio_firmware_file;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
+# /data/data subdirectory for system UID apps.
+type system_app_data_file, file_type, data_file_type;
 # Compatibility with type name used in Android 4.3 and 4.4.
 typealias app_data_file alias platform_app_data_file;
 typealias app_data_file alias download_file;
diff --git a/installd.te b/installd.te
index 9712881f8..5ff68f3de 100644
--- a/installd.te
+++ b/installd.te
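Review bot: The new `allow untrusted_app system_app_data_file:file { read write getattr };` grants every untrusted app read/write on the private files of every system-UID app (Settings, SystemUI and whatever else runs as user=system), not just the Settings photo cache the comment names. Its reach is in practice limited to descriptors handed over Binder only because this hunk grants untrusted_app no `system_app_data_file:dir` permission at all, and nothing in the rule or comment records that dependency, so a later `dir search` grant would silently turn it into path-based write access to system app data. Suggest making the assumption explicit in the comment, e.g. `# Scope is fd-passed files only: untrusted_app must never get dir search/open on system_app_data_file.`, and, if nothing else in the policy already grants it, pinning that with `neverallow untrusted_app system_app_data_file:dir *;`. Also note the source is untrusted_app while the neighbouring radio_data_file rule uses appdomain; if other app domains share the crop/take-photo path they will hit the same denial, so confirm the narrower domain is intended.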
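Review bot: The comment on the new type, `# /data/data subdirectory for system UID apps.`, does not tell a reader of file.te why this type exists alongside system_data_file or how it gets assigned, which is the information the rest of this change depends on. From the commit message and the seapp_contexts hunk both are known: it is applied by installd for user=system apps and exists so their files can be shared with other apps without widening access to the rest of system data. Suggest `# /data/data subdirectories of system UID apps (user=system in seapp_contexts). Kept distinct from system_data_file so these files can be shared with other apps over Binder without exposing other system data.`.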
@@ -34,8 +34,10 @@ allow installd shell_data_file:lnk_file { create setattr };
 # restorecon /data/data
 allow installd unlabeled:dir relabelfrom;
 allow installd unlabeled:notdevfile_class_set relabelfrom;
-allow installd system_data_file:dir { relabelfrom relabelto };
-allow installd system_data_file:notdevfile_class_set { relabelfrom relabelto };
+allow installd system_data_file:dir relabelfrom;
+allow installd system_data_file:notdevfile_class_set relabelfrom;
+allow installd system_app_data_file:dir { relabelfrom relabelto };
+allow installd system_app_data_file:notdevfile_class_set { relabelfrom relabelto };
 allow installd bluetooth_data_file:dir { relabelfrom relabelto };
 allow installd bluetooth_data_file:notdevfile_class_set { relabelfrom relabelto };
 allow installd nfc_data_file:dir { relabelfrom relabelto };
diff --git a/seapp_contexts b/seapp_contexts
index 7b217fbf0..91cfe72af 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -35,7 +35,7 @@
 # level may be used to specify a fixed level for any UID.
 #
 isSystemServer=true domain=system_server
-user=system domain=system_app type=system_data_file
+user=system domain=system_app type=system_app_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
diff --git a/system_app.te b/system_app.te
index 25da88a39..b03ccb422 100644
--- a/system_app.te
+++ b/system_app.te
@@ -9,10 +9,9 @@ app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)
 
-# Read and write system data files.
-# May want to split into separate types.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:file create_file_perms;
 
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
-- 
GitLab
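Review bot: The two rewritten system_data_file lines keep `relabelfrom` but drop `relabelto`, so after this change `restorecon /data/data` can migrate directories that older policy labelled system_data_file over to system_app_data_file, but can never restore anything under /data/data back to system_data_file. That asymmetry is the whole point of the change yet it is undocumented, and the next person to see a relabel denial will be tempted to put `relabelto` back; a comment above the changed lines such as `# relabelfrom system_data_file is kept only to migrate system UID app dirs labelled by older policy; relabelto is intentionally not granted.` would prevent that. It is also worth confirming that no path under /data/data is still expected to carry system_data_file, since installd could no longer repair such an entry.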
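Review bot: Removing the two `system_app system_data_file` rules takes away system_app's create/write on all system data files, which is the hardening the commit message promises, but nothing in the policy stops a later allow rule from quietly handing it back. If no other rule already grants it, consider recording the intent as a constraint next to the new rules, e.g. `neverallow system_app system_data_file:file { create write append unlink };`, so a regression fails at policy build time rather than going unnoticed. The removed lines were also the only visible grant of read access on system_data_file for system_app (create_file_perms includes it); whether system UID apps still read any such file through a domain- or appdomain-level rule is not visible here, so check for read denials after the relabel.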