Rework neverallow for /data execute permission
Previously appdomains allowed to execute off of /data
where whitelisted. This had the unfortunate side effect of
disallowing the creation of device specific app domains
with fewer permissions than untrusted_app. Instead grant
all apps a neverallow exemption and blacklist specific app
domains that should still abide by the restriction.
This allows devices to add new app domains that need
/data execute permission without conflicting with this rule.
Bug: 26906711
(cherry picked from commit c5266df925169b959977d3fa03b4b369253db837)
Change-Id: I4adb58e8c8b35122d6295db58cedaa355cdd3924
diff --git a/app.te b/app.te
index f2adf37..f96f3ba 100644
--- a/app.te
+++ b/app.te
@@ -438,6 +438,22 @@
tmpfs
}:lnk_file no_w_file_perms;
+# Blacklist app domains not allowed to execute from /data
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ platform_app
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
# Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
diff --git a/domain.te b/domain.te
index 1ac33f1..332db94 100644
--- a/domain.te
+++ b/domain.te
@@ -292,9 +292,7 @@
# Protect most domains from executing arbitrary content from /data.
neverallow {
domain
- -untrusted_app
- -priv_app
- -shell
+ -appdomain
} {
data_file_type
-dalvikcache_data_file
@@ -485,6 +483,11 @@
-zygote
} shell:process { transition dyntransition };
+# Only domains spawned from zygote and runas may have the appdomain attribute.
+neverallow { domain -runas -zygote } {
+ appdomain -shell userdebug_or_eng(`-su')
+}:process { transition dyntransition };
+
# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
neverallow {
