tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/untrusted_app_all.te

188 lines
8.3 KiB
Text
Raw Normal View History

untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 22:33:27 +01:00
###
### Untrusted_app_all.
###
Add media services to ephemeral_app Test: denials go away Change-Id: I103cf3ad8d86b461bcba8edce02f6202fd2bcbe8
2017-03-29 23:53:09 +02:00
### This file defines the rules shared by all untrusted app domains except
Clarify comments on 3rd party app attributes. Certain classes of 3rd party apps aren't untrusted_app_domain, but some comments surrounding this are either outdated or wrong. Bug: 168753404 Test: N/A Change-Id: I019c16e26a3778536132f22c37fbea5ae7781af4
2020-09-17 19:15:26 +02:00
### ephemeral_app for instant apps and isolated_app (which has a reduced
### permission set).
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 22:33:27 +01:00
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app_all attribute is assigned to all default
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### attribute is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key. To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
Correct documentation in untrusted_app_all Rules defined in utrusted_app_all do not apply to all untrusted apps, update the comments to reflect that. Test: builds Change-Id: I6f064bd93c13d8341128d941be34fdfaa0bec5da
2017-04-26 21:32:51 +02:00
### Note that rules that should apply to all untrusted apps must be in app.te or also
Delete untrusted_v2_app As of https://android-review.googlesource.com/c/platform/system/sepolicy/+/536356 , the untrusted_v2_app domain is no longer used. Bug: 112233317 Test: policy compiles, device boots, and no problems Change-Id: I5a47c8305bef374b7fea06cd789e06cd48b847e6
2018-08-06 21:36:20 +02:00
### added to ephemeral_app.te.
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 22:33:27 +01:00
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
Revert "remove app_data_file execute" This reverts commit b362474374afc402f65695252d30a008326c0eba. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots
2018-12-21 19:03:50 +01:00
allow untrusted_app_all app_data_file:file { r_file_perms execute };
Audit execution of app_data_file by untrusted_app. Test: Builds Bug: 126536482 Change-Id: I9fe7623353cbb980db3853a8979f03ba033c7f45
2019-02-27 19:07:09 +01:00
auditallow untrusted_app_all app_data_file:file execute;
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
allow untrusted_app_all system_linker_exec:file execute_no_trans Chrome Crashpad uses the the dynamic linker to load native executables from an APK (b/112050209, crbug.com/928422) Addresses the following denial: avc: denied { execute_no_trans } for comm="Chrome_IOThread" path="/bionic/bin/linker" dev="loop5" ino=24 scontext=u:r:untrusted_app_27:s0:c106,c256,c512,c768 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0 app=com.android.chrome Test: compiles and builds. Change-Id: I14f80592a74c36754c28313e94399258b2c42170
2019-02-06 22:19:19 +01:00
# Chrome Crashpad uses the the dynamic linker to load native executables
# from an APK (b/112050209, crbug.com/928422)
allow untrusted_app_all system_linker_exec:file execute_no_trans;
disallow priv-apps from following untrusted app symlinks. Untrustworthy symlinks dereferenced by priv-apps could cause those apps to access files they weren't intending to access. Trusted components such as priv-apps should never trust untrustworthy symlinks from untrusted apps. Modify the rules and add a neverallow assertion to prevent regressions. Bug: 123350324 Test: device boots and no obvious problems. Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0
2019-01-24 22:05:03 +01:00
# Follow priv-app symlinks. This is used for dynamite functionality.
allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
# Allow handling of less common filesystem objects
allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
rename rs_data_file to app_exec_data_file There are multiple trusted system components which may be responsible for creating executable code within an application's home directory. Renderscript is just one of those trusted components. Generalize rs_data_file to app_exec_data_file. This label is intended to be used for any executable code created by trusted components placed into an application's home directory. Introduce a typealias statement to ensure files with the previous label continue to be understood by policy. This change is effectively a no-op, as it just renames a type, but neither adds or removes any rules. Bug: 121375718 Bug: 112357170 Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0
2019-01-11 18:37:46 +01:00
# Allow loading and deleting executable shared libraries
# within an application home directory. Such shared libraries would be
# created by things like renderscript or via other mechanisms.
allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 22:33:27 +01:00
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
allow untrusted_app_all asec_apk_file:dir r_dir_perms;
# Execute libs in asec containers.
Remove legacy execmod access from API >= 26. Text relocation support was removed from the linker for apps targeting API >= 23. See https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23 However, the security policy was not updated to remove the execmod permission at that time, since we didn't have support for targeting SELinux policies to API versions. Remove execmod permissions for apps targeting API 26 or greater. The linker support was removed, so it's pointless to keep around the SELinux permissions. Retain execmod support for apps targeting API 25 or lower. While in theory we could remove support for API 23-25, that would involve the introduction of a new SELinux domain (and the associated rule explosion), which I would prefer to avoid. This change helps protect application executable code from modification, enforcing W^X properties on executable code pages loaded from files. https://en.wikipedia.org/wiki/W%5EX Test: auditallow rules were added and nothing triggered for apps targeting API >= 26. Code compiles and device boots. Bug: 111544476 Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41
2018-08-08 00:14:34 +02:00
allow untrusted_app_all asec_public_file:file { execute };
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 22:33:27 +01:00
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
allow untrusted_app_all shell_data_file:file r_file_perms;
allow untrusted_app_all shell_data_file:dir r_dir_perms;
Adding permission for traceur to use content provider This change will allow traceur to pass a file descriptor to another app in order to allow that app to process trace data files. E.g. in the use case that someone would like to email the traces they collected and pass the trace data files to gmail, this will now be permitted. Bug:68126425 Test: Traceur can pass fd's to untrusted apps for processing Change-Id: If0507b5d1f06fd8400e04bd60e06a44153dc59b7
2018-01-23 21:32:55 +01:00
# Allow traceur to pass file descriptors through a content provider to untrusted apps
# for the purpose of sharing files through e.g. gmail
allow untrusted_app_all trace_data_file:file { getattr read };
# untrusted apps should not be able to open trace data files, they should depend
# upon traceur to pass a file descriptor
neverallow untrusted_app_all trace_data_file:dir *;
neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
never allow untrusted apps accessing debugfs_tracing debugfs_tracing can only be accessed by tracing tools provided by the platform. Bug: 172028429 Test: boot with no relevant log showing up Change-Id: I412dd51a1b268061c5a972488b8bc4a0ee456601
2020-12-07 09:30:29 +01:00
# neverallow untrusted apps accessing debugfs_tracing
neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# Allow to read staged apks.
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 22:33:27 +01:00
# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos.
allow untrusted_app_all system_app_data_file:file { read write getattr };
#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
#
# Access to /data/media.
allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
allow untrusted_app_all media_rw_data_file:file create_file_perms;
# allow cts to query all services
allow untrusted_app_all servicemanager:service_manager list;
allow untrusted_app_all audioserver_service:service_manager find;
allow untrusted_app_all cameraserver_service:service_manager find;
allow untrusted_app_all drmserver_service:service_manager find;
allow untrusted_app_all mediaserver_service:service_manager find;
allow untrusted_app_all mediaextractor_service:service_manager find;
allow untrusted_app_all mediametrics_service:service_manager find;
allow untrusted_app_all mediadrmserver_service:service_manager find;
allow untrusted_app_all nfc_service:service_manager find;
allow untrusted_app_all radio_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app_all self:process ptrace;
Make Android Studio Instant Run work again system/sepolicy commit ffa2b61330c93bac780cde9eb5bc72ae60cd910b made run-as spawned processes run in the runas_app SELinux domain, instead of the untrusted_app domain. https://android-review.googlesource.com/q/topic:%22runas_exec%22+(status:open%20OR%20status:merged) This broke unix socket connections from untrusted_app* to runas_app. This functionality is used by Android Studio for the Instant Run feature. See https://developer.android.com/studio/run/ Allow untrusted_apps to connect to listening abstract sockets hosted by runas_app. Addresses the following denial: 01-23 11:11:56.084 16272 16272 W e.myapplication: type=1400 audit(0.0:68): avc: denied { connectto } for path=006972736F636B6574000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=u:r:untrusted_app_27:s0:c169,c256,c512,c768 tcontext=u:r:runas_app:s0:c169,c256,c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.myapplication 01-23 11:11:56.086 16272 16272 V SwapperAgent: Prior agent invocations in this VM: 1 01-23 11:11:56.088 16272 16272 E SwapperAgent: Could not connect to socket Change-Id: Ia1203f44aebcbec0ff858b8316e147cba7a048a2 Fixes: 123297648 Test: acleung manual testing
2019-01-23 23:39:43 +01:00
# Android Studio Instant Run has the application connect to a
# runas_app socket listening in the abstract namespace.
# https://developer.android.com/studio/run/
# b/123297648
allow untrusted_app_all runas_app:unix_stream_socket connectto;
Allow permissions needed for gdb debugging system/sepolicy commit ffa2b61330c93bac780cde9eb5bc72ae60cd910b introduced the runas_app SELinux domain, which changed how we perform debugging of Android applications. This broke Android Studio's lldb. From bugreport: Debugging an app containing native code using ndk-gdb or Android Studio's lldb currently fails. There is an selinux error in logcat about a sigchld denial. Studio can still debug Java-only apps. In Android Studio, starting the debugger on an app with native code produces this selinux denial: 01-30 06:58:02.089 13449 13449 W lldb-server: type=1400 audit(0.0:831): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tcontext=u:r:runas_app:s0:c167,c256,c512,c768 tclass=process permissive=0 app=com.android.ndktestapp With "set enforce 0", I also see a sigstop denial: 01-30 07:31:12.209 15672 15672 I lldb-server: type=1400 audit(0.0:1290): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c167,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tclass=process permissive=1 app=com.android.ndktestapp In gdb-server.log, Studio reports this error while trying to start lldb-server: 1548831482.091491938 GDBRemoteCommunicationServerLLGS::Handle_vAttach attempting to attach to pid 13379 1548831482.091519117 GDBRemoteCommunicationServerLLGS::AttachToProcess pid 13379 1548831482.092242956 GDBRemoteCommunicationServerLLGS::Handle_vAttach failed to attach to pid 13379: Permission denied Using ndk-gdb (e.g. on the NdkGdbSample) produces the same sort of selinux denial: 01-30 07:11:26.742 13926 13926 W arm64-gdbserver: type=1400 audit(0.0:833): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tcontext=u:r:runas_app:s0:c166,c256,c512,c768 tclass=process permissive=0 app=com.android.developer.ndkgdbsample If I use "setenforce 0", I see more denials logged (signal and sigstop): 01-30 07:30:23.346 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1287): avc: denied { signal } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample 01-30 07:30:23.349 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1288): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample ndk-gdb times out and prints an error: rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ /x/android-ndk-r19/ndk-gdb --launch Redirecting gdbserver output to /tmp/gdbclient.log ... Error: unable to connect to device. Remote communication error. Target disconnected.: Connection reset by peer. gdbclient.log shows that gdbserver hasn't started listening to its Unix socket yet: rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log Attached; pid = 14232 Normal output looks like this: rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log Attached; pid = 27799 Listening on Unix domain socket '/data/data/com.android.developer.ndkgdbsample/debug_socket' Remote debugging from host 127.0.0.0 Test: compiles and builds Bug: 123612207 Change-Id: Ia9a711cc54cc044c0817a7c17eb4506015adb393
2019-01-30 22:19:36 +01:00
# Untrusted apps need to be able to send a SIGCHLD to runas_app
# when running under a debugger (b/123612207)
allow untrusted_app_all runas_app:process sigchld;
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 22:33:27 +01:00
# Cts: HwRngTest
allow untrusted_app_all sysfs_hwrandom:dir search;
allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
Split preloads into media_file and data_file Untrusted apps should only access /data/preloads/media and demo directory. Bug: 36197686 Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-14 19:42:03 +01:00
# Allow apps to view preloaded media content
allow untrusted_app_all preloads_media_file:dir r_dir_perms;
allow untrusted_app_all preloads_media_file:file r_file_perms;
allow untrusted_app_all preloads_data_file:dir search;
untrusted_apps: allow untrusted_apps to execute from /vendor/app The typical use case is where vendor apps which run as untrusted apps use libraries that are packaged withing the apk Bug: 37753883 Test: Tested by runnig pre-installed app that packages a library from /vendor/app Change-Id: I445144e37e49e531f4f43b13f34d6f2e78d7a3cf Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-28 22:17:26 +02:00
# Allow untrusted apps read / execute access to /vendor/app for there can
# be pre-installed vendor apps that package a library within themselves.
# TODO (b/37784178) Consider creating a special type for /vendor/app installed
# apps.
allow untrusted_app_all vendor_app_file:dir { open getattr read search };
Switch to r_file_perms The current rule is missing mmap. r_file_perm implicitly adds mmap, so we should just use that instead. Test: policy compiles. Change-Id: I4051d1eb4c36a2b6ff2b5f26ce53355287cbe2b4
2018-10-26 22:11:52 +02:00
allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
untrusted_apps: allow untrusted_apps to execute from /vendor/app The typical use case is where vendor apps which run as untrusted apps use libraries that are packaged withing the apk Bug: 37753883 Test: Tested by runnig pre-installed app that packages a library from /vendor/app Change-Id: I445144e37e49e531f4f43b13f34d6f2e78d7a3cf Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-28 22:17:26 +02:00
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
Allow Java domains to be Perfetto producers. This is needed to get Java heap graphs. Test: flash aosp; profile system_server with setenforce 1 Bug: 136210868 Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-08 17:15:14 +02:00
perfetto_producer(untrusted_app_all)
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-15 03:20:30 +01:00
initial policy for traced_perf daemon (perf profiler) The steps involved in setting up profiling and stack unwinding are described in detail at go/perfetto-perf-android. To summarize the interesting case: the daemon uses cpu-wide perf_event_open, with userspace stack and register sampling on. For each sample, it identifies whether the process is profileable, and obtains the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the bionic signal handler handing over the FDs over a dedicated socket). It then uses libunwindstack to unwind & symbolize the stacks, sending the results to the central tracing daemon (traced). This patch covers the app profiling use-cases. Splitting out the "profile most things on debug builds" into a separate patch for easier review. Most of the exceptions in domain.te & coredomain.te come from the "vendor_file_type" allow-rule. We want a subset of that (effectively all libraries/executables), but I believe that in practice it's hard to use just the specific subtypes, and we're better off allowing access to all vendor_file_type files. Bug: 137092007 Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 20:16:13 +01:00
# Allow profiling if the app opts in by being marked profileable/debuggable.
Allow heap profiling of certain app domains on user builds This patch extends the current debug-specific rules to cover user builds. As a reminder, on user, the target process fork-execs a private heapprofd process, which then performs stack unwinding & talking to the central tracing daemon while staying in the target's domain. The central heapprofd daemon is only responsible for identifying targets & sending the activation signal. On the other hand, on debug, the central heapprofd can handle all processes directly, so the necessary SELinux capabilities depend on the build type. These rules are necessary but not sufficient for profiling. For zygote children, the libc triggering logic will also check for the app to either be debuggable, or go/profileable. For more context, see go/heapprofd-security & go/heapprofd-design. Note that I've had to split this into two separate macros, as exec_no_trans - which is necessary on user, but nice-to-have on debug - conflicts with a lot of neverallows (e.g. HALs and system_server) for the wider whitelisting that we do on debug builds. Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat. Bug: 120409382 Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
can_profile_heap(untrusted_app_all)
initial policy for traced_perf daemon (perf profiler) The steps involved in setting up profiling and stack unwinding are described in detail at go/perfetto-perf-android. To summarize the interesting case: the daemon uses cpu-wide perf_event_open, with userspace stack and register sampling on. For each sample, it identifies whether the process is profileable, and obtains the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the bionic signal handler handing over the FDs over a dedicated socket). It then uses libunwindstack to unwind & symbolize the stacks, sending the results to the central tracing daemon (traced). This patch covers the app profiling use-cases. Splitting out the "profile most things on debug builds" into a separate patch for easier review. Most of the exceptions in domain.te & coredomain.te come from the "vendor_file_type" allow-rule. We want a subset of that (effectively all libraries/executables), but I believe that in practice it's hard to use just the specific subtypes, and we're better off allowing access to all vendor_file_type files. Bug: 137092007 Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 20:16:13 +01:00
can_profile_perf(untrusted_app_all)
Allow heap profiling of certain app domains on user builds This patch extends the current debug-specific rules to cover user builds. As a reminder, on user, the target process fork-execs a private heapprofd process, which then performs stack unwinding & talking to the central tracing daemon while staying in the target's domain. The central heapprofd daemon is only responsible for identifying targets & sending the activation signal. On the other hand, on debug, the central heapprofd can handle all processes directly, so the necessary SELinux capabilities depend on the build type. These rules are necessary but not sufficient for profiling. For zygote children, the libc triggering logic will also check for the app to either be debuggable, or go/profileable. For more context, see go/heapprofd-security & go/heapprofd-design. Note that I've had to split this into two separate macros, as exec_no_trans - which is necessary on user, but nice-to-have on debug - conflicts with a lot of neverallows (e.g. HALs and system_server) for the wider whitelisting that we do on debug builds. Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat. Bug: 120409382 Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-15 03:20:30 +01:00
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
Allow getsockopt and setsockopt for Encap Sockets Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-03-27 15:34:54 +02:00
allow untrusted_app_all system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
Hide some denials. These denials occur fairly often, causing some logspam. Bug: 77225170 Test: Boot device. Merged-In: Icd73a992aee44007d0873743f706758f9a19a112 Change-Id: Icd73a992aee44007d0873743f706758f9a19a112 (cherry picked from commit a66d1a4543fc6d43fe2e798bb81347d1097227cf)
2018-03-27 01:37:42 +02:00
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
# Allow the renderscript compiler to be run.
domain_auto_trans(untrusted_app_all, rs_exec, rs)
never allow untrusted apps accessing debugfs_tracing debugfs_tracing can only be accessed by tracing tools provided by the platform. Bug: 172028429 Test: boot with no relevant log showing up Change-Id: I412dd51a1b268061c5a972488b8bc4a0ee456601
2020-12-07 09:30:29 +01:00
# suppress denials caused by debugfs_tracing
dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
Hide some denials. These denials occur fairly often, causing some logspam. Bug: 77225170 Test: Boot device. Merged-In: Icd73a992aee44007d0873743f706758f9a19a112 Change-Id: Icd73a992aee44007d0873743f706758f9a19a112 (cherry picked from commit a66d1a4543fc6d43fe2e798bb81347d1097227cf)
2018-03-27 01:37:42 +02:00
# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
dontaudit untrusted_app_all net_dns_prop:file read;
# These have been disallowed since Android O.
# For P, we assume that apps are safely handling the denial.
dontaudit untrusted_app_all proc_stat:file read;
dontaudit untrusted_app_all proc_vmstat:file read;
dontaudit untrusted_app_all proc_uptime:file read;
Add untrusted_app_27 This is a partial cherry pick of commit 6231b4d9 'Enforce per-app data protections for targetSdk 28+'. Untrusted_app_27 remains unreachable, but it's existence prevents future merge conflicts. Bug: 63897054 Test: build/boot aosp_walleye-userdebug Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0 (cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339)
2018-04-03 20:22:38 +02:00
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app_all)
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
SEPolicy changes to allow kcov access in userdebug. This includes the SELinux policy changes to allow for kcov access in userdebug builds for coverage-guided kernel fuzzing. Bug: 117990869 Test: Ran syzkaller with Android untrusted_app sandbox with coverage. Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
2018-11-29 19:37:18 +01:00
# Allow access to kcov via its ioctl interface for coverage
# guided kernel fuzzing.
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
Add SELinux lockdown policy The lockdown hook defines 2 modes: integrity and confidentiality [1]. The integrity mode ensures that the kernel integrity cannot be corrupted by directly modifying memory (i.e. using /dev/mem), accessing PCI devices, interacting with debugfs, etc. While some of these methods overlap with the current policy definition, there is value in enforcing this mode for Android to ensure that no permission has been overly granted. Some of these detection methods use arbitrary heuristic to characterize the access [2]. Adapt part of the policy to match this constraint. The confidentiality mode further restricts the use of other kernel facilities such as tracefs. Android already defines a fine-grained policy for these. Furthermore, access to part of tracefs is required in all domains (see debugfs_trace_marker). Allow any access related to this mode. [1] https://lore.kernel.org/linux-api/20190820001805.241928-4-matthewgarrett@google.com/ [2] https://lore.kernel.org/linux-api/20190820001805.241928-27-matthewgarrett@google.com/ Bug: 148822198 Test: boot cuttlefish with patched kernel; check logcat for denials. Test: run simpleperf monitor to exercise tracefs; check logcat for denials. Change-Id: Ib826a0c153771a61aae963678394b75faa6ca1fe
2021-03-17 07:57:19 +01:00
# The use of debugfs kcov is considered a breach of the kernel integrity
# according to the heuristic of lockdown.
allow untrusted_app_all self:lockdown integrity;
SEPolicy changes to allow kcov access in userdebug. This includes the SELinux policy changes to allow for kcov access in userdebug builds for coverage-guided kernel fuzzing. Bug: 117990869 Test: Ran syzkaller with Android untrusted_app sandbox with coverage. Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
2018-11-29 19:37:18 +01:00
')
SEPolicy for compos_verify_key. Remove some allow rules for odsign, since it no longer directly modifies CompOs files. Instead allow it to run compos_verify_key in its own domain. Grant compos_verify_key what it needs to access the CompOs files and start up the VM. Currently we directly connect to the CompOs VM; that will change once some in-flight CLs have landed. As part of this I moved the virtualizationservice_use macro to te_macros so I can use it here. I also expanded it to include additional grants needed by any VM client that were previously done for individual domains (and then deleted those rules as now redundant). I also removed the grant of VM access to all apps; instead we allow it for untrusted apps, on userdebug or eng builds only. (Temporarily at least.) Bug: 193603140 Test: Manual - odsign successfully runs the VM at boot when needed. Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
2021-09-02 12:10:59 +02:00
Allow test apps to use the virtualizationservice The existing host-side tests for virtualizationservice will be migrated to device tests. In order for the self-instrumented test apks be able to talk to the service, re-introduce the allow rule only for the non-production builds. Note that the access to the service is still guarded with the app permission whose protection level now has the 'development' bit. So, ordinary apks that are not testing-purpose (i.e. no android:testOnly="true") can't use the service. Bug: 203483081 Test: run MicrodroidDemoApp Change-Id: Ia441fc5ca0a1f076d2e267a26e0df7c11730ec94
2021-10-19 06:09:49 +02:00
# Allow running a VM for test/demo purposes. Note that access the service is
# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
# permission. The protection level of the permission is `signature|development`
# so that it can only be granted to either platform-key signed apps or
# test-only apps having `android:testOnly="true"` in its manifest.
userdebug_or_eng(`
virtualizationservice_use(untrusted_app_all)
')
Allow access to trace_data_file from untrusted_app context Bug: http://b/170257616 This allows native code in CTS tests to write their coverage profiles. Like other cases of this pattern, this is only enabled with the NATIVE_COVERAGE build parameter, and shouldn't affect release build configurations. Test: atest -a CtsNdkBinderTestCases and verify non-zero coverage in cts/tests/tests/binder_ndk/libbinder_ndk_test/ Change-Id: Id78aa67750f33c4a8ec6e7fcf8418ff23fc27ac7
2021-09-04 00:11:07 +02:00
with_native_coverage(`
# Allow writing coverage information to /data/misc/trace
allow domain method_trace_data_file:dir create_dir_perms;
allow domain method_trace_data_file:file create_file_perms;
')
Reference in a new issue Copy permalink