From b519949df150ebe4fc9bf3db52542bb5d9238d4e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 23 Oct 2014 10:29:10 -0700
Subject: [PATCH] system_server: assert app data files never opened directly

Add a compile time assertion that app data files are never
directly opened by system_server. Instead, system_server always
expects files to be passed via file descriptors.

This neverallow rule will help prevent accidental regressions and
allow us to perform other security tightening, for example
bug 7208882 - Make an application's home directory 700

Bug: 7208882
Change-Id: I49c725982c4af0b8c76601b2a5a82a5c96df025d
---
 system_server.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/system_server.te b/system_server.te
index 020f2ab0c..e1528f900 100644
--- a/system_server.te
+++ b/system_server.te
@@ -405,3 +405,10 @@ allow system_server oemfs:dir search;
 # Do not allow accessing SDcard files as unsafe ejection could
 # cause the kernel to kill the system_server.
 neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be opening zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
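Review bot: The set of types deliberately left out of the new neverallow is only described ("excluding those types that system_server needs to open directly"), never listed, so a reader cannot audit the rule against seapp_contexts or notice when a new `type=` value is added there without being considered here. Naming the excluded types in the comment, e.g. `# Excluded (system_server opens these directly): <type list at time of review>`, or pointing at the allow rule that grants that access, would make the assertion checkable rather than trust-based. The rule also covers only the `file` class and the `open` permission, which looks intended (read/write on a passed descriptor, and `dir`/`lnk_file` access of the same types, stay permitted), but the comment does not say so; a clause such as `# Only open is denied: read/write on an fd handed over by the app remain allowed.` would keep a later maintainer from either assuming broader coverage or widening it by mistake.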
-- 
GitLab