commit d9bf7b3fc008533a6552887a3451a311c3a2607a
author Stephen Smalley <sds@tycho.nsa.gov> Tue Jun 16 09:12:54 2015 -0400
committer Stephen Smalley <sds@tycho.nsa.gov> Tue Jun 16 09:25:47 2015 -0400
tree 197fda81507881998f6abafd5660382ae79f358c
parent 4b4c5645931a0e187d261c4db6caac67d09ab4e4

neverallow write access to /data/dalvik-cache directories.

Prohibit all but a specific set of whitelisted domains
from writing to /data/dalvik-cache.  This is to prevent
code injection into apps, zygote, or system_server.

Inspired by:
https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/
which depended on system UID apps having write access to
/data/dalvik-cache (not allowed in AOSP policy but evidently
in those device policies).  Prevent this from recurring.

Change-Id: I282c7bf998421d794883e432b091ad1dcf9da67e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

domain.te

diff --git a/domain.te b/domain.te
index e544281..f787d4a 100644
--- a/domain.te
+++ b/domain.te
@@ -354,6 +354,14 @@
   -dex2oat
 } dalvikcache_data_file:file no_w_file_perms;
 
+neverallow {
+  domain
+  -init
+  -installd
+  -dex2oat
+  -zygote
+} dalvikcache_data_file:dir no_w_dir_perms;
+
 # Only system_server should be able to send commands via the zygote socket
 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
 neverallow { domain -system_server } zygote_socket:sock_file write;