2017-02-13 22:33:27 +01:00
|
|
|
###
|
|
|
|
### Untrusted_app_all.
|
|
|
|
###
|
2017-03-29 23:53:09 +02:00
|
|
|
### This file defines the rules shared by all untrusted app domains except
|
2018-08-06 21:36:20 +02:00
|
|
|
### ephemeral_app for instant apps.
|
2017-02-13 22:33:27 +01:00
|
|
|
### Apps are labeled based on mac_permissions.xml (maps signer and
|
|
|
|
### optionally package name to seinfo value) and seapp_contexts (maps UID
|
|
|
|
### and optionally seinfo value to domain for process and type for data
|
|
|
|
### directory). The untrusted_app_all attribute is assigned to all default
|
|
|
|
### seapp_contexts for any app with UID between APP_AID (10000)
|
|
|
|
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
|
|
|
|
### value as determined from mac_permissions.xml. In current AOSP, this
|
|
|
|
### attribute is assigned to all non-system apps as well as to any system apps
|
|
|
|
### that are not signed by the platform key. To move
|
|
|
|
### a system app into a specific domain, add a signer entry for it to
|
|
|
|
### mac_permissions.xml and assign it one of the pre-existing seinfo values
|
|
|
|
### or define and use a new seinfo value in both mac_permissions.xml and
|
|
|
|
### seapp_contexts.
|
|
|
|
###
|
2017-04-26 21:32:51 +02:00
|
|
|
### Note that rules that should apply to all untrusted apps must be in app.te or also
|
2018-08-06 21:36:20 +02:00
|
|
|
### added to ephemeral_app.te.
|
2017-02-13 22:33:27 +01:00
|
|
|
|
|
|
|
# Some apps ship with shared libraries and binaries that they write out
|
|
|
|
# to their sandbox directory and then execute.
|
2018-12-12 18:06:05 +01:00
|
|
|
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
|
2018-12-21 19:03:50 +01:00
|
|
|
allow untrusted_app_all app_data_file:file { r_file_perms execute };
|
2019-02-27 19:07:09 +01:00
|
|
|
auditallow untrusted_app_all app_data_file:file execute;
|
2018-12-12 18:06:05 +01:00
|
|
|
|
2019-02-06 22:19:19 +01:00
|
|
|
# Chrome Crashpad uses the the dynamic linker to load native executables
|
|
|
|
# from an APK (b/112050209, crbug.com/928422)
|
|
|
|
allow untrusted_app_all system_linker_exec:file execute_no_trans;
|
|
|
|
|
2019-01-24 22:05:03 +01:00
|
|
|
# Follow priv-app symlinks. This is used for dynamite functionality.
|
|
|
|
allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
|
|
|
|
|
|
|
|
# Allow handling of less common filesystem objects
|
|
|
|
allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
|
|
|
|
|
2019-01-11 18:37:46 +01:00
|
|
|
# Allow loading and deleting executable shared libraries
|
|
|
|
# within an application home directory. Such shared libraries would be
|
|
|
|
# created by things like renderscript or via other mechanisms.
|
|
|
|
allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
|
2017-02-13 22:33:27 +01:00
|
|
|
|
|
|
|
# ASEC
|
|
|
|
allow untrusted_app_all asec_apk_file:file r_file_perms;
|
|
|
|
allow untrusted_app_all asec_apk_file:dir r_dir_perms;
|
|
|
|
# Execute libs in asec containers.
|
2018-08-08 00:14:34 +02:00
|
|
|
allow untrusted_app_all asec_public_file:file { execute };
|
2017-02-13 22:33:27 +01:00
|
|
|
|
|
|
|
# Used by Finsky / Android "Verify Apps" functionality when
|
|
|
|
# running "adb install foo.apk".
|
|
|
|
# TODO: Long term, we don't want apps probing into shell data files.
|
|
|
|
# Figure out a way to remove these rules.
|
|
|
|
allow untrusted_app_all shell_data_file:file r_file_perms;
|
|
|
|
allow untrusted_app_all shell_data_file:dir r_dir_perms;
|
|
|
|
|
2018-01-23 21:32:55 +01:00
|
|
|
# Allow traceur to pass file descriptors through a content provider to untrusted apps
|
|
|
|
# for the purpose of sharing files through e.g. gmail
|
|
|
|
allow untrusted_app_all trace_data_file:file { getattr read };
|
|
|
|
|
|
|
|
# untrusted apps should not be able to open trace data files, they should depend
|
|
|
|
# upon traceur to pass a file descriptor
|
|
|
|
neverallow untrusted_app_all trace_data_file:dir *;
|
|
|
|
neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
|
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
# Allow to read staged apks.
|
|
|
|
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
|
|
|
|
|
2017-02-13 22:33:27 +01:00
|
|
|
# Read and write system app data files passed over Binder.
|
|
|
|
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
|
|
|
|
# cropping or taking user photos.
|
|
|
|
allow untrusted_app_all system_app_data_file:file { read write getattr };
|
|
|
|
|
|
|
|
#
|
|
|
|
# Rules migrated from old app domains coalesced into untrusted_app.
|
|
|
|
# This includes what used to be media_app, shared_app, and release_app.
|
|
|
|
#
|
|
|
|
|
|
|
|
# Access to /data/media.
|
|
|
|
allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
|
|
|
|
allow untrusted_app_all media_rw_data_file:file create_file_perms;
|
|
|
|
|
|
|
|
# Traverse into /mnt/media_rw for bypassing FUSE daemon
|
|
|
|
# TODO: narrow this to just MediaProvider
|
|
|
|
allow untrusted_app_all mnt_media_rw_file:dir search;
|
|
|
|
|
|
|
|
# allow cts to query all services
|
|
|
|
allow untrusted_app_all servicemanager:service_manager list;
|
|
|
|
|
|
|
|
allow untrusted_app_all audioserver_service:service_manager find;
|
|
|
|
allow untrusted_app_all cameraserver_service:service_manager find;
|
|
|
|
allow untrusted_app_all drmserver_service:service_manager find;
|
|
|
|
allow untrusted_app_all mediaserver_service:service_manager find;
|
|
|
|
allow untrusted_app_all mediaextractor_service:service_manager find;
|
|
|
|
allow untrusted_app_all mediametrics_service:service_manager find;
|
|
|
|
allow untrusted_app_all mediadrmserver_service:service_manager find;
|
|
|
|
allow untrusted_app_all nfc_service:service_manager find;
|
|
|
|
allow untrusted_app_all radio_service:service_manager find;
|
|
|
|
allow untrusted_app_all app_api_service:service_manager find;
|
|
|
|
allow untrusted_app_all vr_manager_service:service_manager find;
|
2019-02-08 00:00:55 +01:00
|
|
|
allow untrusted_app_all gpu_service:service_manager find;
|
|
|
|
|
|
|
|
# Allow untrusted apps to interact with gpuservice
|
|
|
|
binder_call(untrusted_app_all, gpuservice)
|
2017-02-13 22:33:27 +01:00
|
|
|
|
|
|
|
# gdbserver for ndk-gdb ptrace attaches to app process.
|
|
|
|
allow untrusted_app_all self:process ptrace;
|
|
|
|
|
2019-01-23 23:39:43 +01:00
|
|
|
# Android Studio Instant Run has the application connect to a
|
|
|
|
# runas_app socket listening in the abstract namespace.
|
|
|
|
# https://developer.android.com/studio/run/
|
|
|
|
# b/123297648
|
|
|
|
allow untrusted_app_all runas_app:unix_stream_socket connectto;
|
|
|
|
|
Allow permissions needed for gdb debugging
system/sepolicy commit ffa2b61330c93bac780cde9eb5bc72ae60cd910b
introduced the runas_app SELinux domain, which changed how we perform
debugging of Android applications. This broke Android Studio's lldb.
From bugreport:
Debugging an app containing native code using ndk-gdb or Android
Studio's lldb currently fails. There is an selinux error in logcat
about a sigchld denial. Studio can still debug Java-only apps.
In Android Studio, starting the debugger on an app with native
code produces this selinux denial:
01-30 06:58:02.089 13449 13449 W lldb-server: type=1400 audit(0.0:831): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tcontext=u:r:runas_app:s0:c167,c256,c512,c768 tclass=process permissive=0 app=com.android.ndktestapp
With "set enforce 0", I also see a sigstop denial:
01-30 07:31:12.209 15672 15672 I lldb-server: type=1400 audit(0.0:1290): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c167,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tclass=process permissive=1 app=com.android.ndktestapp
In gdb-server.log, Studio reports this error while trying to start lldb-server:
1548831482.091491938 GDBRemoteCommunicationServerLLGS::Handle_vAttach attempting to attach to pid 13379
1548831482.091519117 GDBRemoteCommunicationServerLLGS::AttachToProcess pid 13379
1548831482.092242956 GDBRemoteCommunicationServerLLGS::Handle_vAttach failed to attach to pid 13379: Permission denied
Using ndk-gdb (e.g. on the NdkGdbSample) produces the same sort
of selinux denial:
01-30 07:11:26.742 13926 13926 W arm64-gdbserver: type=1400 audit(0.0:833): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tcontext=u:r:runas_app:s0:c166,c256,c512,c768 tclass=process permissive=0 app=com.android.developer.ndkgdbsample
If I use "setenforce 0", I see more denials logged (signal and
sigstop):
01-30 07:30:23.346 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1287): avc: denied { signal } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample
01-30 07:30:23.349 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1288): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample
ndk-gdb times out and prints an error:
rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ /x/android-ndk-r19/ndk-gdb --launch
Redirecting gdbserver output to /tmp/gdbclient.log
...
Error: unable to connect to device.
Remote communication error. Target disconnected.: Connection reset by peer.
gdbclient.log shows that gdbserver hasn't started listening to its Unix socket yet:
rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log
Attached; pid = 14232
Normal output looks like this:
rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log
Attached; pid = 27799
Listening on Unix domain socket '/data/data/com.android.developer.ndkgdbsample/debug_socket'
Remote debugging from host 127.0.0.0
Test: compiles and builds
Bug: 123612207
Change-Id: Ia9a711cc54cc044c0817a7c17eb4506015adb393
2019-01-30 22:19:36 +01:00
|
|
|
# Untrusted apps need to be able to send a SIGCHLD to runas_app
|
|
|
|
# when running under a debugger (b/123612207)
|
|
|
|
allow untrusted_app_all runas_app:process sigchld;
|
|
|
|
|
2017-02-13 22:33:27 +01:00
|
|
|
# Cts: HwRngTest
|
|
|
|
allow untrusted_app_all sysfs_hwrandom:dir search;
|
|
|
|
allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
|
|
|
|
|
2017-03-14 19:42:03 +01:00
|
|
|
# Allow apps to view preloaded media content
|
|
|
|
allow untrusted_app_all preloads_media_file:dir r_dir_perms;
|
|
|
|
allow untrusted_app_all preloads_media_file:file r_file_perms;
|
|
|
|
allow untrusted_app_all preloads_data_file:dir search;
|
2017-04-28 22:17:26 +02:00
|
|
|
|
|
|
|
# Allow untrusted apps read / execute access to /vendor/app for there can
|
|
|
|
# be pre-installed vendor apps that package a library within themselves.
|
|
|
|
# TODO (b/37784178) Consider creating a special type for /vendor/app installed
|
|
|
|
# apps.
|
|
|
|
allow untrusted_app_all vendor_app_file:dir { open getattr read search };
|
2018-10-26 22:11:52 +02:00
|
|
|
allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
|
2017-04-28 22:17:26 +02:00
|
|
|
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
|
2017-12-21 03:51:15 +01:00
|
|
|
|
|
|
|
# Write app-specific trace data to the Perfetto traced damon. This requires
|
|
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
2019-10-08 17:15:14 +02:00
|
|
|
perfetto_producer(untrusted_app_all)
|
2017-12-15 03:20:30 +01:00
|
|
|
|
2020-01-22 20:16:13 +01:00
|
|
|
# Allow profiling if the app opts in by being marked profileable/debuggable.
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
can_profile_heap(untrusted_app_all)
|
2020-01-22 20:16:13 +01:00
|
|
|
can_profile_perf(untrusted_app_all)
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
|
2017-12-15 03:20:30 +01:00
|
|
|
# allow untrusted apps to use UDP sockets provided by the system server but not
|
|
|
|
# modify them other than to connect
|
2018-03-27 15:34:54 +02:00
|
|
|
allow untrusted_app_all system_server:udp_socket {
|
|
|
|
connect getattr read recvfrom sendto write getopt setopt };
|
2018-03-27 01:37:42 +02:00
|
|
|
|
2018-12-12 18:06:05 +01:00
|
|
|
# Allow the renderscript compiler to be run.
|
|
|
|
domain_auto_trans(untrusted_app_all, rs_exec, rs)
|
|
|
|
|
2018-03-27 01:37:42 +02:00
|
|
|
# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
|
|
|
|
dontaudit untrusted_app_all net_dns_prop:file read;
|
|
|
|
|
|
|
|
# These have been disallowed since Android O.
|
|
|
|
# For P, we assume that apps are safely handling the denial.
|
|
|
|
dontaudit untrusted_app_all proc_stat:file read;
|
|
|
|
dontaudit untrusted_app_all proc_vmstat:file read;
|
|
|
|
dontaudit untrusted_app_all proc_uptime:file read;
|
2018-04-03 20:22:38 +02:00
|
|
|
|
|
|
|
# Allow the allocation and use of ptys
|
|
|
|
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
|
|
|
|
create_pty(untrusted_app_all)
|
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
|
|
|
|
2018-11-29 19:37:18 +01:00
|
|
|
# Allow access to kcov via its ioctl interface for coverage
|
|
|
|
# guided kernel fuzzing.
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
|
|
|
|
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
|
|
|
|
')
|
2020-01-10 20:02:43 +01:00
|
|
|
|
|
|
|
# Allow signalling simpleperf domain, which is the domain that the simpleperf
|
|
|
|
# profiler runs as when executed by the app. The signals are used to control
|
|
|
|
# the profiler (which would be profiling the app that is sending the signal).
|
|
|
|
allow untrusted_app_all simpleperf:process signal;
|