tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/app_neverallows.te

320 lines
13 KiB
Text
Raw Normal View History

Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
###
### neverallow rules for untrusted app domains
###
Add untrusted_v2_app to all_untrusted_apps This was accidentally omitted from all_untrusted_app While I'm here, split across mutiple lines and alphabetize. Test: policy compiles. Change-Id: I7fe1d1d0a4ef2ed3ab010931ee2ba15637c2be51
2017-04-27 01:14:40 +02:00
define(`all_untrusted_apps',`{
ephemeral_app
isolated_app
Share isolated properties across islolated apps Introduce isolated_app_all typeattribute to share policies between isolated_app and future similar apps that wish to be enforced with isolation properties. Bug: 255597123 Test: m && presubmit Change-Id: I0d53816f71e7d7a91cc379bcba796ba65a197c89
2023-01-20 04:34:19 +01:00
isolated_app_all
Add isolated_compute_app domain Provides a new domain to enable secure sensitive data processing. This allows processing of sensitive data, while enforcing necessary privacy restrictions to prevent the egress of data via network, IPC or file system. Bug: 255597123 Test: m && manual - sample app with IsolatedProcess=True can use camera service Change-Id: I401667dbcf492a1cf8c020a79f8820d61990e72d
2023-01-17 09:16:44 +01:00
isolated_compute_app
Add untrusted_v2_app to all_untrusted_apps This was accidentally omitted from all_untrusted_app While I'm here, split across mutiple lines and alphabetize. Test: policy compiles. Change-Id: I7fe1d1d0a4ef2ed3ab010931ee2ba15637c2be51
2017-04-27 01:14:40 +02:00
mediaprovider
Create new mediaprovider_app domain. This is a domain for the MediaProvider mainline module. The MediaProvider process is responsible for managing external storage, and as such should be able to have full read/write access to it. It also hosts a FUSE filesystem that allows other apps to access said storage in a safe way. Finally, it needs to call some ioctl's to set project quota on the lower filesystem correctly. Bug: 141595441 Test: builds, mediaprovider module gets the correct domain Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
2020-01-30 16:52:45 +01:00
mediaprovider_app
Add untrusted_v2_app to all_untrusted_apps This was accidentally omitted from all_untrusted_app While I'm here, split across mutiple lines and alphabetize. Test: policy compiles. Change-Id: I7fe1d1d0a4ef2ed3ab010931ee2ba15637c2be51
2017-04-27 01:14:40 +02:00
untrusted_app
untrusted_app_25
Add untrusted_app_27 This is a partial cherry pick of commit 6231b4d9 'Enforce per-app data protections for targetSdk 28+'. Untrusted_app_27 remains unreachable, but it's existence prevents future merge conflicts. Bug: 63897054 Test: build/boot aosp_walleye-userdebug Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0 (cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339)
2018-04-03 20:22:38 +02:00
untrusted_app_27
reland: untrusted_app_29: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=30 including: - No RTM_GETLINK on netlink route sockets. Remove some of the repetitive descriptions in each untrusted_app_N.te file, and instead refer to the description in public/untrusted_app.te. Bug: 141455849 Test: CtsSelinuxTargetSdkCurrentTestCases Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
2020-01-20 10:14:48 +01:00
untrusted_app_29
untrusted_app_30: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=32 including: - No RTM_GETNEIGH on netlink route sockets. - No RTM_GETNEIGHTBL on netlink route sockets. Bug: 171572148 Test: atest NetworkInterfaceTest Test: atest bionic-unit-tests-static Test: atest CtsSelinuxTargetSdkCurrentTestCases Test: atest CtsSelinuxTargetSdk30TestCases Test: atest CtsSelinuxTargetSdk29TestCases Test: atest CtsSelinuxTargetSdk28TestCases Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CompatChangesSelinuxTest Test: atest NetlinkSocketTest Change-Id: I2167e6cd564854c2656ee06c2202cfff2b727af5
2021-05-12 14:19:24 +02:00
untrusted_app_30
Add untrusted_v2_app to all_untrusted_apps This was accidentally omitted from all_untrusted_app While I'm here, split across mutiple lines and alphabetize. Test: policy compiles. Change-Id: I7fe1d1d0a4ef2ed3ab010931ee2ba15637c2be51
2017-04-27 01:14:40 +02:00
untrusted_app_all
}')
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Receive or send uevent messages.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Receive or send generic netlink messages
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
neverallow all_untrusted_apps domain:netlink_socket *;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
Make kmsg_device mlstrustedobject. Few domains are granted access to this, but they should have access from any user. Also add some neverallows to prevent misuse. Bug: 170622707 Test: presubmits Change-Id: Iacbe7b0525604f2339f8bf31c105af738bc3cd75
2020-10-27 12:28:00 +01:00
# Read or write kernel printk buffer
neverallow all_untrusted_apps kmsg_device:chr_file no_rw_file_perms;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
SEPolicy changes to allow kcov access in userdebug. This includes the SELinux policy changes to allow for kcov access in userdebug builds for coverage-guided kernel fuzzing. Bug: 117990869 Test: Ran syzkaller with Android untrusted_app sandbox with coverage. Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
2018-11-29 19:37:18 +01:00
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
Neverallow executable files and symlink following Test: build Change-Id: Iec30d8a7642c34f12571c5654914ddbdc3d8355e
2019-02-04 19:07:15 +01:00
neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
neverallow all_untrusted_apps service_manager_type:service_manager add;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
Assert ban on framework <-> vendor comms over VndBinder This adds neverallow rules which enforce the prohibition on communication between framework and vendor components over VendorBinder. This prohibition is similar in spirit to the one for Binder communications. Most changes consist of adding neverallow rules, which do not affect runtime behavior. The only change which does affect runtime behavior is the change which takes away the right of servicemanager domain to transfer Binder tokens to hwservicemanager and vndservicemanager. This grant was there by accident (because it was overly broad) and is not expected to be needed: servicemanager, hwservicemanager, and vndservicemanager are not supposed to be communicating with each other. P. S. The new neverallow rules in app_neverallows.te are covered by the new rules in domain.te. The rules were nevertheless added to app_neverallows.te for consistency with other *Binder rules there. Test: mmm system/sepolicy Bug: 37663632 Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329
2017-04-25 18:27:54 +02:00
# Do not allow untrusted apps to use VendorBinder
neverallow all_untrusted_apps vndbinder_device:chr_file *;
neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
2017-04-11 01:57:48 +02:00
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
untrusted_app_25: remove access to net.dns properties Bug: 33308258 Test: build Test: atest CtsSelinuxTargetSdk25TestCases Change-Id: I0bd3dc60dd95e9fb621933f45115a42bbcbc2ccc
2019-10-15 21:00:22 +02:00
# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } net_dns_prop:file read;
Improve neverallows on /proc and /sys Access to these files was removed in Oreo. Enforce that access is not granted by partners via neverallow rule. Also disallow most untrusted app access to net.dns.* properties. Bug: 77225170 Test: system/sepolicy/tools/build_policies.sh Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1
2018-03-29 00:34:37 +02:00
make ril.cdma.inecmmode system property internal so that it cannot reveal a system api that requires READ_PRIVILEGED_PHONE_STATE Bug: 183410189 Test: adb shell getprop -Z Change-Id: I65f4121fc300447af7d516676166bc8b0b53b727
2021-04-30 06:52:42 +02:00
# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } radio_cdma_ecm_prop:file read;
rename rs_data_file to app_exec_data_file There are multiple trusted system components which may be responsible for creating executable code within an application's home directory. Renderscript is just one of those trusted components. Generalize rs_data_file to app_exec_data_file. This label is intended to be used for any executable code created by trusted components placed into an application's home directory. Introduce a typealias statement to ensure files with the previous label continue to be understood by policy. This change is effectively a no-op, as it just renames a type, but neither adds or removes any rules. Bug: 121375718 Bug: 112357170 Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0
2019-01-11 18:37:46 +01:00
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
# must never be writable to the app.
rename rs_data_file to app_exec_data_file There are multiple trusted system components which may be responsible for creating executable code within an application's home directory. Renderscript is just one of those trusted components. Generalize rs_data_file to app_exec_data_file. This label is intended to be used for any executable code created by trusted components placed into an application's home directory. Introduce a typealias statement to ensure files with the previous label continue to be understood by policy. This change is effectively a no-op, as it just renames a type, but neither adds or removes any rules. Bug: 121375718 Bug: 112357170 Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0
2019-01-11 18:37:46 +01:00
neverallow all_untrusted_apps app_exec_data_file:file
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
{ append create link relabelfrom relabelto rename setattr write };
Revert "remove app_data_file execute" This reverts commit b362474374afc402f65695252d30a008326c0eba. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots
2018-12-21 19:03:50 +01:00
# Block calling execve() on files in an apps home directory.
Revert "Revert "Enforce execve() restrictions for API > 28"" This reverts commit 15d1a12f7f57f589c2f1401f8e72813546fd8dda. Bug: 118737210 Bug: 112357170 Test: boot marlin Change-Id: Idcfab04b48f843eead4efa9f58a1337c6685c6ca
2018-11-02 19:12:43 +01:00
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
Add runas_app domain to allow running app data file via run-as. Calling execve() on files in an app's home directory isn't allowed for targetApi >=29. But this is needed by simpleperf to profile a debuggable app via run-as. So workaround it by adding runas_app domain, which allows running app data file. And add a rule in seapp_contexts to use runas_app domain for setcontext requests from run-as. Bug: 118737210 Test: boot marlin and run CtsSimpleperfTestCases. Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5
2018-11-02 22:34:06 +01:00
-runas_app
Revert "Revert "Enforce execve() restrictions for API > 28"" This reverts commit 15d1a12f7f57f589c2f1401f8e72813546fd8dda. Bug: 118737210 Bug: 112357170 Test: boot marlin Change-Id: Idcfab04b48f843eead4efa9f58a1337c6685c6ca
2018-11-02 19:12:43 +01:00
} { app_data_file privapp_data_file }:file execute_no_trans;
Add SELinux policy for storage areas We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 22:26:55 +02:00
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
# block apps from executing files in their storage areas
# this is a stronger and more desirable guarantee than blocking execute_no_trans, but
# execute cannot be blocked on all of app_data_file without causing
# backwards compatibility issues (see b/237289679)
neverallow appdomain storage_area_content_file:file execute;
')
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
# dont allow apps to modify their own directories of storage areas
neverallow appdomain storage_area_app_dir:dir_file_class_set {
create write setattr relabelfrom relabelto append unlink link rename
};
')
Remove 'dex2oat_exec' from untrusted_app Remove the permission to execute dex2oat from apps targetSdkVersion>28. This has been historically used by ART to compile secondary dex files but that functionality has been removed in Q and the permission is therefore not needed. Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for targetSdkVersion<= 28. Test: atest CtsSelinuxTargetSdk25TestCases Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CtsSelinuxTargetSdkCurrentTestCases Bug: 117606664 Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
2018-11-20 00:02:49 +01:00
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
} dex2oat_exec:file no_x_file_perms;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
neverallow all_untrusted_apps mlstrustedsubject:process fork;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
neverallow all_untrusted_apps file_type:file link;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Do not allow untrusted apps to access network MAC address file
Do not allow untrusted apps to read sysfs_net files (this includes /sys/class/net/*/address device mac addresses) Test: builds Bug: 137816564 Change-Id: I84268b2e0207559ed00baafb8a3f231c676f8df1 Signed-off-by: Maciej Żenczykowski <maze@google.com>
2019-07-18 09:04:54 +02:00
neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
Neverallow write access to /sys files for untrusted apps Test: build aosp_sailfish Change-Id: Iaefe1df66885d3e78feb600c3d9845bd9fe671a2
2017-10-04 22:12:25 +02:00
# Do not allow any write access to files in /sys
Improve neverallows on /proc and /sys Access to these files was removed in Oreo. Enforce that access is not granted by partners via neverallow rule. Also disallow most untrusted app access to net.dns.* properties. Bug: 77225170 Test: system/sepolicy/tools/build_policies.sh Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1
2018-03-29 00:34:37 +02:00
neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
# Apps may never access the default sysfs label.
neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
Neverallow write access to /sys files for untrusted apps Test: build aosp_sailfish Change-Id: Iaefe1df66885d3e78feb600c3d9845bd9fe671a2
2017-10-04 22:12:25 +02:00
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
Update socket ioctl restrictions Grant access to icmp_socket to netdomain. This was previously labeled as rawip_socket which apps are allowed to use. Neverallow all other new socket types for apps. Kernels versions > 4.9 redefine ICMP sockets from rawip_socket to icmp_socket. To pass neverallow tests, we need to define which IOCTLs are allowed (and disallowed). Note that this does not change behavior on devices with kernel versions <=4.9. However, it is necessary (although not sufficient) to pass CTS on kernel version 4.14. Bug: 110520616 Test: Grant icmp_socket in net.te and build. Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803
2018-06-22 01:57:58 +02:00
neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
socket netlink_socket packet_socket key_socket appletalk_socket
Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes. The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Unless we need to retain compatibility for kernels < 3.5, we can drop these classes from the policy altogether. Possibly the neverallow rule in app.te should be augmented to include the newer netlink security classes, similar to webview_zygote, but that can be a separate change. Test: policy builds Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 20:14:58 +01:00
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
Update socket ioctl restrictions Grant access to icmp_socket to netdomain. This was previously labeled as rawip_socket which apps are allowed to use. Neverallow all other new socket types for apps. Kernels versions > 4.9 redefine ICMP sockets from rawip_socket to icmp_socket. To pass neverallow tests, we need to define which IOCTLs are allowed (and disallowed). Note that this does not change behavior on devices with kernel versions <=4.9. However, it is necessary (although not sufficient) to pass CTS on kernel version 4.14. Bug: 110520616 Test: Grant icmp_socket in net.te and build. Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803
2018-06-22 01:57:58 +02:00
netlink_rdma_socket netlink_crypto_socket sctp_socket
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
} *;
Restrict VM usage to platform_app. Remove access from untrusted apps and instead grant it to platform_app (but on user builds as well as debug). Also restrict any app from creating a vsock_socket; using an already created one is fine. Bug: 193373841 Test: Microdroid demo app now gets a denial Test: Rebuild demo with certifcate: platform, adb install, no denial Change-Id: I7be011e05244767a42d4c56e26de792db4fe599d
2021-09-07 13:25:38 +02:00
# Apps can read/write an already open vsock (e.g. created by
# virtualizationservice) but nothing more than that (e.g. creating a
# new vsock, etc.)
Allow getopt to eliminate warnings in MicrodroidBenchmarks tests This CL allows getopt in sepolicy to eliminate getopt denied warnings in MicrodroidBenchmarks tests, e.g. $ atest MicrodroidBenchmarks W FinalizerDaemon: type=1400 audit(0.0:625): avc: denied { getopt } for scontext=u:r:untrusted_app:s0:c163,c256,c512, c768 tcontext=u:r:virtualizationservice:s0 tclass=vsock_socket permissive=0 app=com.android.microdroid.benchmark Bug: 236123069 Test: atest MicrodroidBenchmarks Change-Id: I2ed94ae6beab60176d9fac85a0b818089d563427
2022-08-30 16:10:48 +02:00
neverallow all_untrusted_apps *:vsock_socket ~{ getattr getopt read write };
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
reland: untrusted_app_29: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=30 including: - No RTM_GETLINK on netlink route sockets. Remove some of the repetitive descriptions in each untrusted_app_N.te file, and instead refer to the description in public/untrusted_app.te. Bug: 141455849 Test: CtsSelinuxTargetSdkCurrentTestCases Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
2020-01-20 10:14:48 +01:00
# Disallow sending RTM_GETLINK messages on netlink sockets.
Enforce RTM_GETLINK restrictions on all apps Extend existing restrictions targeting only apps with API level >= 30 to all apps. To be merged when automerge to sc-dev ends. Bug: 170188668 Test: atest bionic-unit-tests-static Test: atest NetworkInterfaceTest Test: Connect to Wi-Fi network Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CtsSelinuxTargetSdk28TestCases Test: atest CtsSelinuxTargetSdk29TestCases Test: atest CtsSelinuxTargetSdkCurrentTestCases Change-Id: Ibd6b9f1e23f12320f3bec782cdd7a6837013597a
2021-04-30 15:48:09 +02:00
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
Enforce MAC address restrictions for priv apps. Bug: 230733237 Test: atest NetlinkSocketTest NetworkInterfaceTest bionic-unit-tests-static CtsSelinuxTargetSdkCurrentTestCases CtsSelinuxTargetSdk29TestCases CtsSelinuxTargetSdk27TestCases Change-Id: I1d66ae7849e950612f3b6693216ec8c84e942640
2022-05-17 14:22:02 +02:00
neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
reland: untrusted_app_29: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=30 including: - No RTM_GETLINK on netlink route sockets. Remove some of the repetitive descriptions in each untrusted_app_N.te file, and instead refer to the description in public/untrusted_app.te. Bug: 141455849 Test: CtsSelinuxTargetSdkCurrentTestCases Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
2020-01-20 10:14:48 +01:00
untrusted_app_30: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=32 including: - No RTM_GETNEIGH on netlink route sockets. - No RTM_GETNEIGHTBL on netlink route sockets. Bug: 171572148 Test: atest NetworkInterfaceTest Test: atest bionic-unit-tests-static Test: atest CtsSelinuxTargetSdkCurrentTestCases Test: atest CtsSelinuxTargetSdk30TestCases Test: atest CtsSelinuxTargetSdk29TestCases Test: atest CtsSelinuxTargetSdk28TestCases Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CompatChangesSelinuxTest Test: atest NetlinkSocketTest Change-Id: I2167e6cd564854c2656ee06c2202cfff2b727af5
2021-05-12 14:19:24 +02:00
# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
} domain:netlink_route_socket nlmsg_getneigh;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Do not allow untrusted apps access to /cache
Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
2017-04-11 01:57:48 +02:00
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
2017-04-11 01:57:48 +02:00
neverallow { all_untrusted_apps -mediaprovider } {
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
fs_type
Add exFAT support; unify behind "sdcard_type". We're adding support for OEMs to ship exFAT, which behaves identical to vfat. Some rules have been manually enumerating labels related to these "public" volumes, so unify them all behind "sdcard_type". Test: atest Bug: 67822822 Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
2018-03-30 20:22:54 +02:00
-sdcard_type
Add fusefs_type for FUSE filesystems Any FUSE filesystem will receive the 'fuse' type when mounted. It is possible to change this behaviour by specifying the "context=" or "fscontext=" option in mount(). Because 'fuse' has historically been used only for the emulated storage, it also received the 'sdcard_type' attribute. Replace the 'sdcard_type' attribute from 'fuse' with the new 'fusefs_type'. This attribute can be attached on derived types (such as app_fusefs). This change: - Remove the neverallow restriction on this new type. This means any custom FUSE implementation can be mounted/unmounted (if the correct allow rule is added). See domain.te. - Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'. See file.te. - Modify all references to 'sdcard_type' to explicitly include 'fuse' for compatibility reason. Bug: 177481425 Bug: 190804537 Test: Build and boot aosp_cf_x86_64_phone-userdebug Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-23 10:21:49 +02:00
-fuse
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
file_type
-app_data_file # The apps sandbox itself
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
-privapp_data_file
Add SELinux policy for storage areas We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 22:26:55 +02:00
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `-storage_area_content_file')
rename rs_data_file to app_exec_data_file There are multiple trusted system components which may be responsible for creating executable code within an application's home directory. Renderscript is just one of those trusted components. Generalize rs_data_file to app_exec_data_file. This label is intended to be used for any executable code created by trusted components placed into an application's home directory. Introduce a typealias statement to ensure files with the previous label continue to be understood by policy. This change is effectively a no-op, as it just renames a type, but neither adds or removes any rules. Bug: 121375718 Bug: 112357170 Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0
2019-01-11 18:37:46 +01:00
-app_exec_data_file # stored within the app sandbox directory
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
')
}:dir_file_class_set { create unlink };
Create new mediaprovider_app domain. This is a domain for the MediaProvider mainline module. The MediaProvider process is responsible for managing external storage, and as such should be able to have full read/write access to it. It also hosts a FUSE filesystem that allows other apps to access said storage in a safe way. Finally, it needs to call some ioctl's to set project quota on the lower filesystem correctly. Bug: 141595441 Test: builds, mediaprovider module gets the correct domain Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
2020-01-30 16:52:45 +01:00
# No untrusted component except mediaprovider_app should be touching /dev/fuse
neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
relax fuse_device neverallow rules The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold. Bug: 37496487 Test: policy compiles. Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
2017-04-26 20:40:48 +02:00
allow apps tun_device ioctl TUNGETIFF; Commit 619c1ef2ac581fe6a3d628ee013fc3ec36b8dc07 ("tun_device: enforce ioctl restrictions") completely removed the ability of untrusted apps to issue ioctl calls to tun_device. It turns out that this was too aggressive. Wireshark apparently uses the TUNGETIFF ioctl. Fixes the following denial: audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android Test: policy compiles. Change-Id: I71bb494036ea692781c00af37580748ab39d1332
2018-11-15 15:14:07 +01:00
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
tun_device: enforce ioctl restrictions Require all SELinux domains which have permission to perform ioctls on /dev/tun explicitly specify what ioctls they perform. Only allow the safe defaults FIOCLEX and FIONCLEX, which are alternate, uncommon ways to set and unset the O_CLOEXEC flag. Remove app's ability to issue *any* ioctls on /dev/tun, period. Add neverallow assertions (compile time assertion + CTS test) to prevent regressions. Limit system_server's ability to perform ioctls on /dev/tun to FIOCLEX, FIONCLEX, TUNGETIFF, and TUNSETIFF. Testing and source code examination shows that only TUNGETIFF and TUNSETIFF are used by system_server. The goal of this change is to put SELinux ioctl controls in place for /dev/tun, so we don't have to maintain the custom kernel patch at https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21 Delete the neverallow assertion in isolated_app.te. This is already covered by the assertion present in app_neverallows.te. Test: cts-tradefed run cts -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests Test: cts-tradefed run cts -m CtsHostsideNetworkTests Test: cts-tradefed run cts -m CtsNetTestCases Bug: 111560739 Bug: 111560570 Change-Id: Ibe1c3a9e880db0bee438535554abdbc6d84eec45
2018-10-31 04:12:41 +01:00
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
simplify neverallowxperm for tun_device Test: builds, atest Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: Ia92fc0b9a805763779a13cad6ad3137c9327ca61
2020-07-08 02:39:22 +02:00
neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
neverallow all_untrusted_apps anr_data_file:dir ~search;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-28 00:53:38 +01:00
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
neverallow all_untrusted_apps {
proc
Extend access to proc/asound/* Renamed this type: proc_asound_cards -> proc_asound Labeled /proc/asound/devices as proc_asound. We now use proc_asound type to label files under /proc/asound which we want to expose to system components. Bug: 66988327 Test: Pixel 2 boots, can play sound with or without headphones, and selinux denials to proc_asound are not seen. Change-Id: I453d9bfdd70eb80931ec9e80f17c8fd0629db3d0
2017-10-06 19:20:53 +02:00
proc_asound
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
proc_kmsg
proc_loadavg
proc_mounts
proc_pagetypeinfo
access to /proc/slabinfo init, dumpstate and shell Test: check avc for init is now gone Bug: 7232205 Bug: 109821005 Change-Id: I299a0ba29bcc97a97047f12a5c48f6056f5e6de5
2018-06-14 16:34:19 +02:00
proc_slabinfo
Improve neverallows on /proc and /sys Access to these files was removed in Oreo. Enforce that access is not granted by partners via neverallow rule. Also disallow most untrusted app access to net.dns.* properties. Bug: 77225170 Test: system/sepolicy/tools/build_policies.sh Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1
2018-03-29 00:34:37 +02:00
proc_stat
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
proc_swaps
Improve neverallows on /proc and /sys Access to these files was removed in Oreo. Enforce that access is not granted by partners via neverallow rule. Also disallow most untrusted app access to net.dns.* properties. Bug: 77225170 Test: system/sepolicy/tools/build_policies.sh Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1
2018-03-29 00:34:37 +02:00
proc_uptime
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
proc_version
proc_vmallocinfo
Improve neverallows on /proc and /sys Access to these files was removed in Oreo. Enforce that access is not granted by partners via neverallow rule. Also disallow most untrusted app access to net.dns.* properties. Bug: 77225170 Test: system/sepolicy/tools/build_policies.sh Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1
2018-03-29 00:34:37 +02:00
proc_vmstat
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
}:file { no_rw_file_perms no_x_file_perms };
Split preloads into media_file and data_file Untrusted apps should only access /data/preloads/media and demo directory. Bug: 36197686 Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-14 19:42:03 +01:00
Allow mediaprovider_app access to /proc/filesystems. It needs to be able to see supported filesystems to handle external storage correctly. Bug: 146419093 Test: no denials Change-Id: Ie1e0313c73c02a73558d07ccb70de02bfe8c231e
2020-02-19 17:10:43 +01:00
# /proc/filesystems is accessible to mediaprovider_app only since it handles
# external storage
neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
Do not allow untrusted apps any access to kernel configuration Bug: 37541374 Test: Build and boot sailfish Change-Id: I8afe9463070cca45b3f1029cc168a3bf00ed7cdc Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-21 20:25:29 +02:00
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
Split preloads into media_file and data_file Untrusted apps should only access /data/preloads/media and demo directory. Bug: 36197686 Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-14 19:42:03 +01:00
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
app.te: prevent locks of files on /system Prevent app domains (processes spawned by zygote) from acquiring locks on files in /system. In particular, /system/etc/xtables.lock must never be lockable by applications, as it will block future iptables commands from running. Test: device boots and no obvious problems. Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b
2017-03-22 18:35:24 +01:00
# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;
Assert apps can access only approved HwBinder services App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold: 1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service. 2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layes of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model. HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already as, because these services run in the process of the client. This commit thus introduces these two categories of HwBinder services in neverallow rules. Test: mmm system/sepolicy -- this does not change on-device policy Bug: 34454312 Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-22 02:06:43 +02:00
Assert untrusted apps can't add or list hwservicemanager This adds a neverallow rules which checks that SELinux app domains which host arbitrary code are not allowed to access hwservicemanager operations other than "find" operation for which there already are strict neverallow rules in the policy. Test: mmm system/sepolicy -- neverallow-only change Bug: 34454312 Change-Id: I3b80c6ae2c254495704e0409e0c5c88f6ce3a6a7
2017-04-25 00:09:19 +02:00
# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
untrusted_apps: AIDL vendor service parity w/ HIDL Before, we completely dissallowed any untrusted app to access a service operated by vendor. However, sometimes this is needed in order to implement platform APIs. So now, vendor services which aren't explicitly marked as 'protected_service' (like protected_hwservice in HIDL) are blocked from being used by apps. This gives everyone a mechanism for apps to directly access vendor services, when appropriate. For instance: VINTF | vendor.img/etc | system.img/etc | (vendor HAL) <----AIDL---|--> (public lib <-- loaded by app | or platform | component) | | Fixes: 163478173 Test: neverallow compiles Change-Id: Ie2ccbff4691eafdd226e66bd9f1544be1091ae11
2020-10-21 23:47:00 +02:00
# Do not permit access from apps which host arbitrary code to the protected services
Assert apps can access only approved HwBinder services App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold: 1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service. 2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layes of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model. HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already as, because these services run in the process of the client. This commit thus introduces these two categories of HwBinder services in neverallow rules. Test: mmm system/sepolicy -- this does not change on-device policy Bug: 34454312 Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-22 02:06:43 +02:00
# The two main reasons for this are:
untrusted_apps: AIDL vendor service parity w/ HIDL Before, we completely dissallowed any untrusted app to access a service operated by vendor. However, sometimes this is needed in order to implement platform APIs. So now, vendor services which aren't explicitly marked as 'protected_service' (like protected_hwservice in HIDL) are blocked from being used by apps. This gives everyone a mechanism for apps to directly access vendor services, when appropriate. For instance: VINTF | vendor.img/etc | system.img/etc | (vendor HAL) <----AIDL---|--> (public lib <-- loaded by app | or platform | component) | | Fixes: 163478173 Test: neverallow compiles Change-Id: Ie2ccbff4691eafdd226e66bd9f1544be1091ae11
2020-10-21 23:47:00 +02:00
# 1. Protected HwBinder servers do not perform client authentication because
# vendor code does not have a way to understand apps or their relation to
# caller UID information and, even if it did, those services either operate
# at a level below that of apps (e.g., HALs) or must not rely on app identity
# for authorization. Thus, to be safe, the default assumption for all added
# vendor services is that they treat all their clients as equally authorized
# to perform operations offered by the service.
# 2. HAL servers contain code with higher incidence rate of security issues
# than system/core components and have access to lower layes of the stack
# (all the way down to hardware) thus increasing opportunities for bypassing
# the Android security model.
Access to HALs from untrusted apps is blacklist-based Before this change, access to HALs from untrusted apps was prohibited except for the whitelisted ones like the gralloc HAL, the renderscript HAL, etc. As a result, any HAL that is added by partners can't be accessed from apps. This sometimes is a big restriction for them when they want to access their own HALs in the same-process HALs running in apps. Although this is a vendor-to-vendor communication and thus is not a Treble violation, that was not allowed because their HALs are not in the whitelist in AOSP. This change fixes the problem by doing the access control in the opposite way; access to HALs are restricted only for the blacklisted ones. All the hwservice context that were not in the whitelist are now put to blacklist. This change also removes the neverallow rule for the binder access to the halserverdomain types. This is not needed as the protected hwservices living in the HAL processes are already not accessible; we have a neverallow rule for preventing hwservice_manager from finding those protected hwservices from untrusted apps. Bug: 139645938 Test: m Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585 (cherry picked from commit 580375c923d422ebf40264b0649a08488fde320c) Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
2019-08-21 17:04:50 +02:00
neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
untrusted_apps: AIDL vendor service parity w/ HIDL Before, we completely dissallowed any untrusted app to access a service operated by vendor. However, sometimes this is needed in order to implement platform APIs. So now, vendor services which aren't explicitly marked as 'protected_service' (like protected_hwservice in HIDL) are blocked from being used by apps. This gives everyone a mechanism for apps to directly access vendor services, when appropriate. For instance: VINTF | vendor.img/etc | system.img/etc | (vendor HAL) <----AIDL---|--> (public lib <-- loaded by app | or platform | component) | | Fixes: 163478173 Test: neverallow compiles Change-Id: Ie2ccbff4691eafdd226e66bd9f1544be1091ae11
2020-10-21 23:47:00 +02:00
neverallow all_untrusted_apps protected_service:service_manager find;
Reland "Re-open /dev/binder access to all." This reverts commit 6b2eaade8201e49a746173ff13f9bd89f024eb81. Reason for revert: reland original CL Separate runtime infrastructure now makes sure that only Stable AIDL interfaces are used system<->vendor. Bug: 136027762 Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6 Test: boot device, use /dev/binder from vendor
2019-08-21 00:42:58 +02:00
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
Disallow new untrusted_app access to /proc/tty/drivers Access is deprecated for apps with targetSdkVersion=26+. Test: build (neverallow rules are build time assertions) Change-Id: I36480c38d45cf6bfb75f4988ffcefefc6b62d4b1
2018-09-07 16:39:28 +02:00
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
Constrain cgroups access. What changed: - Removed cgroup access from untrusted and priv apps. - Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup. - libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups. - For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively. Changes from original aosp/692189 which was reverted: - There seem to be spurious denials from vendor-specific apps. So added back access from { appdomain -all_untrusted_apps -priv_app } to cgroup. Audit this access with intent to write explicit per-domain rules for it. Bug: 110043362 Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that. Test: aosp_sailfish, wahoo boot without cgroup denials This reverts commit cacea25ed0fe4850d50d12640c7ee47ae1e2ef7a. Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
2018-10-11 00:48:15 +02:00
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
sepolicy: rules for uid/pid cgroups v2 hierarchy Bug: 168907513 Test: verified the correct working of the v2 uid/pid hierarchy in normal and recovery modes This reverts commit aa8bb3a29b92a342c42c802edac269da5984d1df. Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-12 00:18:11 +01:00
neverallow all_untrusted_apps cgroup_v2:file *;
sepolicy for ashmemd all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider are now expected to go to ashmemd for /dev/ashmem fds. Give coredomain access to ashmemd, because ashmemd is the default way for coredomain to get a /dev/ashmem fd. Bug: 113362644 Test: device boots, ashmemd running Test: Chrome app works Test: "lsof /system/lib64/libashmemd_client.so" shows libashmemd_client.so being loaded into apps. Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
2019-01-27 22:39:19 +01:00
Deprecate /mnt/sdcard -> /storage/self/primary symlink. "This symlink was suppose to have been removed in the Gingerbread time frame, but lives on." https://android.googlesource.com/platform/system/core/+/d2f0a2c%5E!/ Apps targeting R+ must NOT use that symlink. For older apps we allow core init.rc to create /mnt/sdcard -> /storage/self/primary symlink. Bug: 129497117 Test: boot device, /mnt/sdcard still around. Change-Id: I6ecd1928c0f598792d9badbf6616e3acc0450b0d
2019-04-12 00:23:24 +02:00
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
} mnt_sdcard_file:lnk_file *;
incident_service: only disallow untrusted access Allow device-specific domains to access the incident_service. Test: build Bug: 156479626 Change-Id: I3b368c09087e2d3542b70be5aa22f8ef47392221
2020-05-13 14:40:49 +02:00
# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;
Disallow untrusted apps to read ro.debuggable and ro.secure ro.secure and ro.debuggable system properties are not intended to be visible via Android SDK. This change blocks untrusted apps from reading these properties. Test: android.security.SELinuxTargetSdkTest Bug: 193912100 Change-Id: I40ac5d43da5778b5fa863b559c28e8d72961f831
2022-07-14 13:52:21 +02:00
stats_service: only disallow untrusted access Allow device-specific domains to access stats_service. All access must be done over proper APIs (StatsManager, AStatsManager) instead of accessing the AIDL interfaces directly. Test: build Bug: 318788254 Change-Id: I98ddc1900350daf755372be7249f25a462e3242d
2024-02-14 08:27:00 +01:00
# Only privileged apps may find stats service
neverallow all_untrusted_apps stats_service:service_manager find;
Drop back-compatibility for hiding ro.debuggable and ro.secure Bug: 193912100 Test: back-compatibility change for android.security.SELinuxTargetSdkTest Change-Id: I47f2ddc4fa87bf6c8f872d2679348b2eecddcaad
2022-08-18 15:09:36 +02:00
# Do not allow untrusted app to read hidden system proprerties.
# We do not include in the exclusions other normally untrusted applications such as mediaprovider
# due to the specific logging use cases.
Disallow untrusted apps to read ro.debuggable and ro.secure ro.secure and ro.debuggable system properties are not intended to be visible via Android SDK. This change blocks untrusted apps from reading these properties. Test: android.security.SELinuxTargetSdkTest Bug: 193912100 Change-Id: I40ac5d43da5778b5fa863b559c28e8d72961f831
2022-07-14 13:52:21 +02:00
# Context: b/193912100
neverallow {
Hide ro.debuggable and ro.secure from ephemeral and isolated applications Bug: 193912100 Test: N/A Change-Id: I916c9795d96e4a4a453f9aed5e380f11981804e9
2022-11-18 15:09:41 +01:00
all_untrusted_apps
-mediaprovider
-mediaprovider_app
Disallow untrusted apps to read ro.debuggable and ro.secure ro.secure and ro.debuggable system properties are not intended to be visible via Android SDK. This change blocks untrusted apps from reading these properties. Test: android.security.SELinuxTargetSdkTest Bug: 193912100 Change-Id: I40ac5d43da5778b5fa863b559c28e8d72961f831
2022-07-14 13:52:21 +02:00
} { userdebug_or_eng_prop }:file read;
Blocks untrusted apps to access /dev/socket/mdnsd from U The untrusted apps should not directly access /dev/socket/mdnsd since API level 34 (U). Only adbd and netd should remain to have access to /dev/socket/mdnsd. For untrusted apps running with API level 33-, they still have access to /dev/socket/mdnsd for backward compatibility. Bug: 265364111 Test: Manual test Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525
2023-01-18 08:52:43 +01:00
# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
# used to communicate to the mdnsd responder. The mdnsd responder will be
# replaced by a java implementation which is integrated into the system server.
# For untrusted apps running with API level 33-, they still have access to
# /dev/socket/mdnsd for backward compatibility.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} mdnsd_socket:sock_file write;
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} mdnsd:unix_stream_socket connectto;
Add SELinux Policy For io_uring Brings in the io_uring class and associated restrictions and adds a new macro, `io_uring_use`, to sepolicy. In more detail, this change: * Adds a new macro expands to ensure the domain it is passed can undergo a type transition to a new type, `<domain>_iouring`, when the anon_inode being accessed is labeled `[io_uring]`. It also allows the domain to create, read, write, and map the io_uring anon_inode. * Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag during `io_uring_setup` so that a syscall to `io_uring_enter` is not required by the caller each time it wishes to submit IO. This can be enabled securely as long as we don't enable sharing of io_uring file descriptors across domains. The kernel polling thread created by `SQPOLL` will inherit the credentials of the thread that created the io_uring [1]. * Removes the selinux policy that restricted all domains that make use of the `userfault_fd` macro from any `anon_inode` created by another domain. This is overly restrictive, as it prohibits the use of two different `anon_inode` use cases in a single domain e.g. userfaultfd and io_uring. This change also replaces existing sepolicy in fastbootd and snapuserd that enabled the use of io_uring. [1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/ Bug: 253385258 Test: m selinux_policy Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423 Test: Manually deliver OTAs (built with m dist) to a recent Pixel device and ensure snapuserd functions correctly (no io_uring failures) Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f
2022-11-14 23:06:36 +01:00
# Do not allow untrusted apps to use anonymous inodes. At the moment,
# type transitions are the only way to distinguish between different
# anon_inode usages like userfaultfd and io_uring. This prevents us from
# creating a more fine-grained neverallow policy for each anon_inode usage.
neverallow all_untrusted_apps domain:anon_inode *;
Allow system_server access to hidraw devices. This allows AccessibilityManagerService in system_server to interact with a HID-supported Braille Display. Bug: 303522222 Test: ls -z /dev/hidraw0 Test: plat_file_contexts_test Test: Open FileInputStream and FileOutputStream on this device path from AccessibilityManagerService (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67a63cc046769759aa43cf1653f11e57c55cd1db) Merged-In: I2982e907bd2a70c1e4e8161647d6efd65110b99c Change-Id: I2982e907bd2a70c1e4e8161647d6efd65110b99c
2023-12-01 00:28:04 +01:00
# Do not allow untrusted app access to hidraw devices.
neverallow all_untrusted_apps hidraw_device:chr_file *;
Reference in a new issue Copy permalink