Add /data/local/tmp neverallow rules
Add a neverallow rule (compile time assertion) for /data/local/tmp
access. /data/local/tmp is intended entirely for the shell user, and
it's dangerous for other SELinux domains to access it. See, for example,
this commit from 2012:
https://android.googlesource.com/platform/system/core/+/f3ef1271f225d9f00bb4ebb0573eb3e03829f9a8
Change-Id: I5a7928ae2b51a574fad4e572b09e60e05b121cfe
diff --git a/domain.te b/domain.te
index 07bc0ae..e7e0d7d 100644
--- a/domain.te
+++ b/domain.te
@@ -496,6 +496,42 @@
-surfaceflinger # TODO: see if we can remove from mako sepolicy
} shell_data_file:lnk_file read;
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-whitelisted domains should
+# not be trusting any content in those directories.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -installd
+ -init
+ -shell
+ -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -init
+ -installd
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir { open search };
+
+# Same as above for /data/local/tmp files. We allow shell files
+# to be passed around by file descriptor, but not directly opened.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -installd
+ userdebug_or_eng(`-uncrypt -procrank')
+} shell_data_file:file open;
+
# servicemanager is the only process which handles list request
neverallow domain ~servicemanager:service_manager list;
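Review bot: The `-system_server # why?` exemption in the second neverallow (the `{ open search }` rule) is an unexplained carve-out in what is meant to be a compile-time assertion, and every unexplained exemption weakens the guarantee the rule documents. Either record the reason system_server needs to open/search shell-owned directories or mark it as tracked work, e.g. `-system_server # TODO(<bug id>): justify or remove this exemption`. Separately, the first rule exempts `-shell` while the second and third exempt `-appdomain` instead; that is only consistent if the shell domain carries the appdomain attribute (declared outside this diff), so a one-line comment such as `# shell is covered via appdomain` at the second rule would save the next reader the lookup. The exemption lists also order `-init`/`-installd` differently between the first two rules; keeping them alphabetical makes the differences between the three lists easier to audit.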
diff --git a/init.te b/init.te
index e81a612..437066a 100644
--- a/init.te
+++ b/init.te
@@ -286,3 +286,6 @@
# Init never adds or uses services via service_manager.
neverallow init service_manager_type:service_manager { add find };
neverallow init servicemanager:service_manager list;
+
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow init shell_data_file:dir { write add_name remove_name };
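Review bot: The comment on the new init rule says "creating subdirectories", but `{ write add_name remove_name }` forbids adding or removing any directory entry (files and symlinks included), so the comment understates the rule; suggest `# Init should not be creating or removing entries in /data/local/tmp`. Note also that domain.te exempts init from the broader `no_w_dir_perms` neverallow, so this three-permission rule is the only write restriction that applies to init on shell_data_file directories; if `no_w_dir_perms` expands to more than these three permissions (rename, rmdir, setattr and the like), init retains those, which may be intended but is worth stating in the comment.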