platform_system_sepolicy/private/untrusted_app_27.te

###
### Untrusted_27.
###
### This file defines the rules for untrusted apps running with
### 25 < targetSdkVersion <= 28.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory).  The untrusted_app_27 domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml.  In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key.  To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###

typeattribute untrusted_app_27 coredomain;

app_domain(untrusted_app_27)
untrusted_app_domain(untrusted_app_27)
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)

# The ability to call exec() on files in the apps home directories
# for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file execute_no_trans;
userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')

# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`###`
Add untrusted_app_27 This is a partial cherry pick of commit 6231b4d9 'Enforce per-app data protections for targetSdk 28+'. Untrusted_app_27 remains unreachable, but it's existence prevents future merge conflicts. Bug: 63897054 Test: build/boot aosp_walleye-userdebug Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0 (cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339) 2018-04-03 20:22:38 +02:00			`### Untrusted_27.`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`###`
Add untrusted_app_27 This is a partial cherry pick of commit 6231b4d9 'Enforce per-app data protections for targetSdk 28+'. Untrusted_app_27 remains unreachable, but it's existence prevents future merge conflicts. Bug: 63897054 Test: build/boot aosp_walleye-userdebug Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0 (cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339) 2018-04-03 20:22:38 +02:00			`### This file defines the rules for untrusted apps running with`
Revert "Revert "Enforce execve() restrictions for API > 28"" This reverts commit 15d1a12f7f57f589c2f1401f8e72813546fd8dda. Bug: 118737210 Bug: 112357170 Test: boot marlin Change-Id: Idcfab04b48f843eead4efa9f58a1337c6685c6ca 2018-11-02 19:12:43 +01:00			`### 25 < targetSdkVersion <= 28.`
Add untrusted_app_27 This is a partial cherry pick of commit 6231b4d9 'Enforce per-app data protections for targetSdk 28+'. Untrusted_app_27 remains unreachable, but it's existence prevents future merge conflicts. Bug: 63897054 Test: build/boot aosp_walleye-userdebug Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0 (cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339) 2018-04-03 20:22:38 +02:00			`###`
			`### This file defines the rules for untrusted apps.`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`### Apps are labeled based on mac_permissions.xml (maps signer and`
			`### optionally package name to seinfo value) and seapp_contexts (maps UID`
			`### and optionally seinfo value to domain for process and type for data`
Add untrusted_app_27 This is a partial cherry pick of commit 6231b4d9 'Enforce per-app data protections for targetSdk 28+'. Untrusted_app_27 remains unreachable, but it's existence prevents future merge conflicts. Bug: 63897054 Test: build/boot aosp_walleye-userdebug Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0 (cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339) 2018-04-03 20:22:38 +02:00			`### directory). The untrusted_app_27 domain is the default assignment in`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`### seapp_contexts for any app with UID between APP_AID (10000)`
			`### and AID_ISOLATED_START (99000) if the app has no specific seinfo`
			`### value as determined from mac_permissions.xml. In current AOSP, this`
			`### domain is assigned to all non-system apps as well as to any system apps`
			`### that are not signed by the platform key. To move`
			`### a system app into a specific domain, add a signer entry for it to`
			`### mac_permissions.xml and assign it one of the pre-existing seinfo values`
			`### or define and use a new seinfo value in both mac_permissions.xml and`
			`### seapp_contexts.`
			`###`

Add untrusted_app_27 This is a partial cherry pick of commit 6231b4d9 'Enforce per-app data protections for targetSdk 28+'. Untrusted_app_27 remains unreachable, but it's existence prevents future merge conflicts. Bug: 63897054 Test: build/boot aosp_walleye-userdebug Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0 (cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339) 2018-04-03 20:22:38 +02:00			`typeattribute untrusted_app_27 coredomain;`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00
Add untrusted_app_27 This is a partial cherry pick of commit 6231b4d9 'Enforce per-app data protections for targetSdk 28+'. Untrusted_app_27 remains unreachable, but it's existence prevents future merge conflicts. Bug: 63897054 Test: build/boot aosp_walleye-userdebug Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0 (cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339) 2018-04-03 20:22:38 +02:00			`app_domain(untrusted_app_27)`
			`untrusted_app_domain(untrusted_app_27)`
			`net_domain(untrusted_app_27)`
			`bluetooth_domain(untrusted_app_27)`
Revert "Revert "Enforce execve() restrictions for API > 28"" This reverts commit 15d1a12f7f57f589c2f1401f8e72813546fd8dda. Bug: 118737210 Bug: 112357170 Test: boot marlin Change-Id: Idcfab04b48f843eead4efa9f58a1337c6685c6ca 2018-11-02 19:12:43 +01:00
Revert "remove app_data_file execute" This reverts commit b362474374afc402f65695252d30a008326c0eba. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots 2018-12-21 19:03:50 +01:00			`# The ability to call exec() on files in the apps home directories`
			`# for targetApi 26, 27, and 28.`
			`allow untrusted_app_27 app_data_file:file execute_no_trans;`
Un-revert "Audit execution of app_data_file native code." This was originally implemented in commit 890414725f35fae61a3f16532724c8f6365599f9 and reverted in commit fa3eb773ce45c9c1a38a579f31799ffc00b85952. This effectively reverts the revert, with minimal changes to cope with the subsequent reversion of commit b362474374afc402f65695252d30a008326c0eba. Auditing is only enabled for apps targeting API <= 28. Test: Compiles, audit messages are seen. Bug: 121333210 Bug: 111338677 Change-Id: Ie38498a2b61f4b567902117f9ef293faa0e689dd 2019-01-07 15:08:11 +01:00			userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
Remove 'dex2oat_exec' from untrusted_app Remove the permission to execute dex2oat from apps targetSdkVersion>28. This has been historically used by ART to compile secondary dex files but that functionality has been removed in Q and the permission is therefore not needed. Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for targetSdkVersion<= 28. Test: atest CtsSelinuxTargetSdk25TestCases Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CtsSelinuxTargetSdkCurrentTestCases Bug: 117606664 Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5 2018-11-20 00:02:49 +01:00
			`# The ability to invoke dex2oat. Historically required by ART, now only`
			`# allowed for targetApi<=28 for compat reasons.`
			`allow untrusted_app_27 dex2oat_exec:file rx_file_perms;`
place dex2oat auditallow statements in userdebug_or_eng blocks By convention, auditallow statements are always placed in userdebug_or_eng() blocks. This ensures that we don't inadvertently ship audit rules on production devices, which could result in device logspam, and in pathological situations, impact device performance (generating audit messages is much more expensive than a standard SELinux check). Bug: 117606664 Test: policy compiles. Change-Id: I681ed73c83683e8fdbef9cf662488115f6e7a490 2018-11-20 19:45:56 +01:00			userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')