Label app data directories for system UID apps with a different type.
We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership of system UID shared with
other system files. However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.
This resolves the following denial when cropping or taking a user photo
for secondary users:
avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>diff --git a/system_app.te b/system_app.te
index 25da88a..b03ccb4 100644
--- a/system_app.te
+++ b/system_app.te
@@ -9,10 +9,9 @@
net_domain(system_app)
binder_service(system_app)
-# Read and write system data files.
-# May want to split into separate types.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:file create_file_perms;
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;