Prevent appdomain from creating globally readable symlinks. Change-Id: I34db8855a55426f6a590a89cc6c157e1ccd50ff9

commit: 354710e44058e38abcf2dc0fd81e63153900da98 [log] [tgz]
author: dcashman <dcashman@google.com> Tue Jul 14 16:23:12 2015 -0700
committer: dcashman <dcashman@google.com> Wed Jul 15 11:18:09 2015 -0700
tree: dbba6fbc5f0496042c5ea2272a87ab1418a34a6d
parent: 8e16deb94d4e05727b89bf782c2640022746081a [diff]
diff --git a/app.te b/app.te
index 40de074..a78fad1 100644
--- a/app.te
+++ b/app.te

@@ -367,3 +367,14 @@
 # Ability to set system properties.
 neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
     property_type:property_service set;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+  apk_data_file
+  cache_file
+  dev_type
+  rootfs
+  system_file
+  security_file
+  tmpfs
+}:lnk_file no_w_file_perms;
commit	354710e44058e38abcf2dc0fd81e63153900da98	[log] [tgz]
author	dcashman <dcashman@google.com>	Tue Jul 14 16:23:12 2015 -0700
committer	dcashman <dcashman@google.com>	Wed Jul 15 11:18:09 2015 -0700
tree	dbba6fbc5f0496042c5ea2272a87ab1418a34a6d
parent	8e16deb94d4e05727b89bf782c2640022746081a [diff]