Commits

Stephen Smalley committed 0e4b2bb

Do not allow system_server to access SDcard files.

As per:
https://android-review.googlesource.com/#/c/84130/3/system_server.te@240
it is unsafe to allow such access.

Add a neverallow rule to prohibit any rules on sdcard_type in the
future.

Change-Id: Ife714b65b07144eb6228a048a55ba82181595213
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

  • Participants
  • Parent commits b08a5ec
  • Branches seandroid-4.4.2

Comments (0)

Files changed (1)

 # LocalTransport creates and relabels /cache/backup
 allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
 
-# Access SDcard files passed via binder or sockets.
-allow system_server sdcard_type:file { read write getattr };
-
 # Allow system to talk to usb device
 allow system_server usb_device:chr_file rw_file_perms;
 allow system_server usb_device:dir r_dir_perms;
 # /sys/module/lowmemorykiller/parameters/adj
 # /sys/module/lowmemorykiller/parameters/minfree
 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
+
+###
+### Neverallow rules
+###
+### system_server should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the system_server.
+neverallow system_server sdcard_type:file rw_file_perms;