2017-01-10 00:34:27 +01:00
|
|
|
###
|
|
|
|
|
### Ephemeral apps.
|
|
|
|
|
###
|
|
|
|
|
### This file defines the security policy for apps with the ephemeral
|
|
|
|
|
### feature.
|
|
|
|
|
###
|
|
|
|
|
### The ephemeral_app domain is a reduced permissions sandbox allowing
|
|
|
|
|
### ephemeral applications to be safely installed and run. Non ephemeral
|
|
|
|
|
### applications may also opt-in to ephemeral to take advantage of the
|
|
|
|
|
### additional security features.
|
|
|
|
|
###
|
|
|
|
|
### PackageManager flags an app as ephemeral at install time.
|
|
|
|
|
|
2017-03-23 22:27:32 +01:00
|
|
|
typeattribute ephemeral_app coredomain;
|
|
|
|
|
|
2017-01-10 00:34:27 +01:00
|
|
|
net_domain(ephemeral_app)
|
2017-01-17 22:28:24 +01:00
|
|
|
app_domain(ephemeral_app)
|
2017-01-10 00:34:27 +01:00
|
|
|
|
2017-01-19 19:42:40 +01:00
|
|
|
# Allow ephemeral apps to read/write files in visible storage if provided fds
|
2021-06-23 10:21:49 +02:00
|
|
|
allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
|
2017-01-19 19:42:40 +01:00
|
|
|
|
2017-10-25 21:41:11 +02:00
|
|
|
# Some apps ship with shared libraries and binaries that they write out
|
|
|
|
|
# to their sandbox directory and then execute.
|
2018-12-12 18:06:05 +01:00
|
|
|
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
|
2018-12-21 19:03:50 +01:00
|
|
|
allow ephemeral_app app_data_file:file { r_file_perms execute };
|
2018-12-12 18:06:05 +01:00
|
|
|
|
2019-01-24 22:05:03 +01:00
|
|
|
# Follow priv-app symlinks. This is used for dynamite functionality.
|
|
|
|
|
allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
|
|
|
|
|
|
2018-12-12 18:06:05 +01:00
|
|
|
# Allow the renderscript compiler to be run.
|
|
|
|
|
domain_auto_trans(ephemeral_app, rs_exec, rs)
|
|
|
|
|
|
2019-01-11 18:37:46 +01:00
|
|
|
# Allow loading and deleting shared libraries created by trusted system
|
|
|
|
|
# components within an application home directory.
|
|
|
|
|
allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
|
2017-10-25 21:41:11 +02:00
|
|
|
|
2017-01-10 00:34:27 +01:00
|
|
|
# services
|
2017-03-29 23:53:09 +02:00
|
|
|
allow ephemeral_app audioserver_service:service_manager find;
|
|
|
|
|
allow ephemeral_app cameraserver_service:service_manager find;
|
|
|
|
|
allow ephemeral_app mediaserver_service:service_manager find;
|
|
|
|
|
allow ephemeral_app mediaextractor_service:service_manager find;
|
|
|
|
|
allow ephemeral_app mediametrics_service:service_manager find;
|
2017-05-30 19:17:34 +02:00
|
|
|
allow ephemeral_app mediadrmserver_service:service_manager find;
|
2017-10-05 01:18:27 +02:00
|
|
|
allow ephemeral_app drmserver_service:service_manager find;
|
2017-01-17 22:28:24 +01:00
|
|
|
allow ephemeral_app radio_service:service_manager find;
|
Start locking down access to services from ephemeral apps
This starts with the reduction in the number of services that
ephemeral apps can access. Prior to this commit, ephemeral apps were
permitted to access most of the service_manager services accessible
by conventional apps. This commit reduces this set by removing access
from ephemeral apps to:
* gatekeeper_service,
* sec_key_att_app_id_provider_service,
* wallpaper_service,
* wifiaware_service,
* wifip2p_service,
* wifi_service.
Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine.
Bug: 33349998
Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
2017-02-28 22:59:06 +01:00
|
|
|
allow ephemeral_app ephemeral_app_api_service:service_manager find;
|
2017-01-10 00:34:27 +01:00
|
|
|
|
2017-12-21 03:51:15 +01:00
|
|
|
# Write app-specific trace data to the Perfetto traced damon. This requires
|
|
|
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
2019-10-08 17:15:14 +02:00
|
|
|
perfetto_producer(ephemeral_app)
|
2017-12-21 03:51:15 +01:00
|
|
|
|
2020-01-22 20:16:13 +01:00
|
|
|
# Allow profiling if the app opts in by being marked profileable/debuggable.
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
can_profile_heap(ephemeral_app)
|
2020-01-22 20:16:13 +01:00
|
|
|
can_profile_perf(ephemeral_app)
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
|
2017-12-15 03:20:30 +01:00
|
|
|
# allow ephemeral apps to use UDP sockets provided by the system server but not
|
|
|
|
|
# modify them other than to connect
|
2018-03-27 15:34:54 +02:00
|
|
|
allow ephemeral_app system_server:udp_socket {
|
|
|
|
|
connect getattr read recvfrom sendto write getopt setopt };
|
2017-12-15 03:20:30 +01:00
|
|
|
|
2019-04-09 20:48:35 +02:00
|
|
|
allow ephemeral_app ashmem_device:chr_file rw_file_perms;
|
2019-02-12 23:14:30 +01:00
|
|
|
|
2017-01-10 00:34:27 +01:00
|
|
|
###
|
|
|
|
|
### neverallow rules
|
|
|
|
|
###
|
|
|
|
|
|
2018-08-03 00:54:23 +02:00
|
|
|
neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
|
2017-01-10 00:34:27 +01:00
|
|
|
|
|
|
|
|
# Receive or send uevent messages.
|
|
|
|
|
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
|
|
|
|
|
|
|
|
|
|
# Receive or send generic netlink messages
|
|
|
|
|
neverallow ephemeral_app domain:netlink_socket *;
|
|
|
|
|
|
|
|
|
|
# Too much leaky information in debugfs. It's a security
|
|
|
|
|
# best practice to ensure these files aren't readable.
|
|
|
|
|
neverallow ephemeral_app debugfs:file read;
|
|
|
|
|
|
|
|
|
|
# execute gpu_device
|
|
|
|
|
neverallow ephemeral_app gpu_device:chr_file execute;
|
|
|
|
|
|
|
|
|
|
# access files in /sys with the default sysfs label
|
|
|
|
|
neverallow ephemeral_app sysfs:file *;
|
|
|
|
|
|
|
|
|
|
# Avoid reads from generically labeled /proc files
|
|
|
|
|
# Create a more specific label if needed
|
|
|
|
|
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
|
2017-01-19 19:42:40 +01:00
|
|
|
|
|
|
|
|
# Directly access external storage
|
2021-06-23 10:21:49 +02:00
|
|
|
neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
|
|
|
|
|
neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
|
2017-03-15 22:26:18 +01:00
|
|
|
|
|
|
|
|
# Avoid reads to proc_net, it contains too much device wide information about
|
|
|
|
|
# ongoing connections.
|
|
|
|
|
neverallow ephemeral_app proc_net:file no_rw_file_perms;
|
