private/mlstrustedsubject.te - platform/system/sepolicy - Git at Google

 # MLS override can't be used to access private app data.

 # Apps should not normally be mlstrustedsubject, but if they must be
 # they cannot use this to access app private data files; their own app
 # data files must use a different label.

 neverallow {
   mlstrustedsubject
   -artd # compile secondary dex files
   -installd
 } {
   app_data_file
   privapp_data_file
   is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
 }:file ~{ read write map getattr ioctl lock append };

 neverallow {
   mlstrustedsubject
   -artd # compile secondary dex files
   -installd
 } {
   app_data_file
   privapp_data_file
   is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
 }:dir ~{ read getattr search };

 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
   neverallow {
     mlstrustedsubject
     -artd # compile secondary dex files
     -installd
     -vold # encryption of storage areas
     -vold_prepare_subdirs # creation of storage area directories
   } { storage_area_dir storage_area_app_dir }:dir ~{ read getattr search };
 ')

 neverallow {
   mlstrustedsubject
   -artd # compile secondary dex files
   -installd
   -system_server
   -adbd
   -runas
   -zygote
 } {
   app_data_file
   privapp_data_file
   is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
 }:dir { read getattr search };

 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
   neverallow {
     mlstrustedsubject
     -artd # compile secondary dex files
     -installd
     -system_server
     -adbd
     -runas
     -vold # encryption of storage area directories
     -vold_prepare_subdirs # creation of storage area directories
     -zygote
   } { storage_area_dir storage_area_app_dir }:dir { read getattr search };
 ')
	# MLS override can't be used to access private app data.

	# Apps should not normally be mlstrustedsubject, but if they must be
	# they cannot use this to access app private data files; their own app
	# data files must use a different label.

	neverallow {
	mlstrustedsubject
	-artd # compile secondary dex files
	-installd
	} {
	app_data_file
	privapp_data_file
	is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
	}:file ~{ read write map getattr ioctl lock append };

	neverallow {
	mlstrustedsubject
	-artd # compile secondary dex files
	-installd
	} {
	app_data_file
	privapp_data_file
	is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
	}:dir ~{ read getattr search };

	is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
	neverallow {
	mlstrustedsubject
	-artd # compile secondary dex files
	-installd
	-vold # encryption of storage areas
	-vold_prepare_subdirs # creation of storage area directories
	} { storage_area_dir storage_area_app_dir }:dir ~{ read getattr search };
	')

	neverallow {
	mlstrustedsubject
	-artd # compile secondary dex files
	-installd
	-system_server
	-adbd
	-runas
	-zygote
	} {
	app_data_file
	privapp_data_file
	is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
	}:dir { read getattr search };

	is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
	neverallow {
	mlstrustedsubject
	-artd # compile secondary dex files
	-installd
	-system_server
	-adbd
	-runas
	-vold # encryption of storage area directories
	-vold_prepare_subdirs # creation of storage area directories
	-zygote
	} { storage_area_dir storage_area_app_dir }:dir { read getattr search };
	')