platform_system_sepolicy/private/untrusted_app_all.te

###
### Untrusted_app_all.
###
### This file defines the rules shared by all untrusted app domains except
### apps which target the v2 security sandbox (ephemeral_app for instant apps,
### untrusted_v2_app for fully installed v2 apps).
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory).  The untrusted_app_all attribute is assigned to all default
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml.  In current AOSP, this
### attribute is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key.  To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
### Note that rules that should apply to all untrusted apps must be in app.te or also
### added to untrusted_v2_app.te and ephemeral_app.te.

# Legacy text relocations
allow untrusted_app_all apk_data_file:file execmod;

# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app_all app_data_file:file { rx_file_perms execmod };

# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
allow untrusted_app_all asec_apk_file:dir r_dir_perms;
# Execute libs in asec containers.
allow untrusted_app_all asec_public_file:file { execute execmod };

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
allow untrusted_app_all shell_data_file:file r_file_perms;
allow untrusted_app_all shell_data_file:dir r_dir_perms;

# Allow to read staged apks.
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};

# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos.
allow untrusted_app_all system_app_data_file:file { read write getattr };

#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
#

# Access to /data/media.
allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
allow untrusted_app_all media_rw_data_file:file create_file_perms;

# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
allow untrusted_app_all mnt_media_rw_file:dir search;

# allow cts to query all services
allow untrusted_app_all servicemanager:service_manager list;

allow untrusted_app_all audioserver_service:service_manager find;
allow untrusted_app_all cameraserver_service:service_manager find;
allow untrusted_app_all drmserver_service:service_manager find;
allow untrusted_app_all mediaserver_service:service_manager find;
allow untrusted_app_all mediaextractor_service:service_manager find;
allow untrusted_app_all mediacodec_service:service_manager find;
allow untrusted_app_all mediametrics_service:service_manager find;
allow untrusted_app_all mediadrmserver_service:service_manager find;
allow untrusted_app_all nfc_service:service_manager find;
allow untrusted_app_all radio_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;

# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
userdebug_or_eng(`
  allow untrusted_app_all perfprofd_data_file:file r_file_perms;
  allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
')

# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app_all self:process ptrace;

# Cts: HwRngTest
allow untrusted_app_all sysfs_hwrandom:dir search;
allow untrusted_app_all sysfs_hwrandom:file r_file_perms;

# Allow apps to view preloaded media content
allow untrusted_app_all preloads_media_file:dir r_dir_perms;
allow untrusted_app_all preloads_media_file:file r_file_perms;
allow untrusted_app_all preloads_data_file:dir search;

# Allow untrusted apps read / execute access to /vendor/app for there can
# be pre-installed vendor apps that package a library within themselves.
# TODO (b/37784178) Consider creating  a special type for /vendor/app installed
# apps.
allow untrusted_app_all vendor_app_file:dir { open getattr read search };
allow untrusted_app_all vendor_app_file:file { open getattr read execute };
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`###`
			`### Untrusted_app_all.`
			`###`
Add media services to ephemeral_app Test: denials go away Change-Id: I103cf3ad8d86b461bcba8edce02f6202fd2bcbe8 2017-03-29 23:53:09 +02:00			`### This file defines the rules shared by all untrusted app domains except`
Correct documentation in untrusted_app_all Rules defined in utrusted_app_all do not apply to all untrusted apps, update the comments to reflect that. Test: builds Change-Id: I6f064bd93c13d8341128d941be34fdfaa0bec5da 2017-04-26 21:32:51 +02:00			`### apps which target the v2 security sandbox (ephemeral_app for instant apps,`
			`### untrusted_v2_app for fully installed v2 apps).`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`### Apps are labeled based on mac_permissions.xml (maps signer and`
			`### optionally package name to seinfo value) and seapp_contexts (maps UID`
			`### and optionally seinfo value to domain for process and type for data`
			`### directory). The untrusted_app_all attribute is assigned to all default`
			`### seapp_contexts for any app with UID between APP_AID (10000)`
			`### and AID_ISOLATED_START (99000) if the app has no specific seinfo`
			`### value as determined from mac_permissions.xml. In current AOSP, this`
			`### attribute is assigned to all non-system apps as well as to any system apps`
			`### that are not signed by the platform key. To move`
			`### a system app into a specific domain, add a signer entry for it to`
			`### mac_permissions.xml and assign it one of the pre-existing seinfo values`
			`### or define and use a new seinfo value in both mac_permissions.xml and`
			`### seapp_contexts.`
			`###`
Correct documentation in untrusted_app_all Rules defined in utrusted_app_all do not apply to all untrusted apps, update the comments to reflect that. Test: builds Change-Id: I6f064bd93c13d8341128d941be34fdfaa0bec5da 2017-04-26 21:32:51 +02:00			`### Note that rules that should apply to all untrusted apps must be in app.te or also`
			`### added to untrusted_v2_app.te and ephemeral_app.te.`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00
Revert "Remove execmod support for newer API versions" We need more time to investigate the effect that this change will have on DRM solutions. Until the investigation is done, revert. This reverts commit 38d3eca0d40811fed4b01947bc4b65dd0a375ce1. Bug: 30146890 Bug: 20013628 Bug: 35323421 Change-Id: I5ad69ef5ee12081ce7fc0a8440712f7f8f77cf16 Test: policy compiles. 2017-03-06 03:49:50 +01:00			`# Legacy text relocations`
			`allow untrusted_app_all apk_data_file:file execmod;`

untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`# Some apps ship with shared libraries and binaries that they write out`
			`# to their sandbox directory and then execute.`
Revert "Remove execmod support for newer API versions" We need more time to investigate the effect that this change will have on DRM solutions. Until the investigation is done, revert. This reverts commit 38d3eca0d40811fed4b01947bc4b65dd0a375ce1. Bug: 30146890 Bug: 20013628 Bug: 35323421 Change-Id: I5ad69ef5ee12081ce7fc0a8440712f7f8f77cf16 Test: policy compiles. 2017-03-06 03:49:50 +01:00			`allow untrusted_app_all app_data_file:file { rx_file_perms execmod };`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00
			`# ASEC`
			`allow untrusted_app_all asec_apk_file:file r_file_perms;`
			`allow untrusted_app_all asec_apk_file:dir r_dir_perms;`
			`# Execute libs in asec containers.`
Revert "Remove execmod support for newer API versions" We need more time to investigate the effect that this change will have on DRM solutions. Until the investigation is done, revert. This reverts commit 38d3eca0d40811fed4b01947bc4b65dd0a375ce1. Bug: 30146890 Bug: 20013628 Bug: 35323421 Change-Id: I5ad69ef5ee12081ce7fc0a8440712f7f8f77cf16 Test: policy compiles. 2017-03-06 03:49:50 +01:00			`allow untrusted_app_all asec_public_file:file { execute execmod };`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00
			`# Used by Finsky / Android "Verify Apps" functionality when`
			`# running "adb install foo.apk".`
			`# TODO: Long term, we don't want apps probing into shell data files.`
			`# Figure out a way to remove these rules.`
			`allow untrusted_app_all shell_data_file:file r_file_perms;`
			`allow untrusted_app_all shell_data_file:dir r_dir_perms;`

Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00			`# Allow to read staged apks.`
			`allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};`

untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`# Read and write system app data files passed over Binder.`
			`# Motivating case was /data/data/com.android.settings/cache/*.jpg for`
			`# cropping or taking user photos.`
			`allow untrusted_app_all system_app_data_file:file { read write getattr };`

			`#`
			`# Rules migrated from old app domains coalesced into untrusted_app.`
			`# This includes what used to be media_app, shared_app, and release_app.`
			`#`

			`# Access to /data/media.`
			`allow untrusted_app_all media_rw_data_file:dir create_dir_perms;`
			`allow untrusted_app_all media_rw_data_file:file create_file_perms;`

			`# Traverse into /mnt/media_rw for bypassing FUSE daemon`
			`# TODO: narrow this to just MediaProvider`
			`allow untrusted_app_all mnt_media_rw_file:dir search;`

			`# allow cts to query all services`
			`allow untrusted_app_all servicemanager:service_manager list;`

			`allow untrusted_app_all audioserver_service:service_manager find;`
			`allow untrusted_app_all cameraserver_service:service_manager find;`
			`allow untrusted_app_all drmserver_service:service_manager find;`
			`allow untrusted_app_all mediaserver_service:service_manager find;`
			`allow untrusted_app_all mediaextractor_service:service_manager find;`
			`allow untrusted_app_all mediacodec_service:service_manager find;`
			`allow untrusted_app_all mediametrics_service:service_manager find;`
			`allow untrusted_app_all mediadrmserver_service:service_manager find;`
			`allow untrusted_app_all nfc_service:service_manager find;`
			`allow untrusted_app_all radio_service:service_manager find;`
			`allow untrusted_app_all app_api_service:service_manager find;`
			`allow untrusted_app_all vr_manager_service:service_manager find;`

			`# Allow GMS core to access perfprofd output, which is stored`
			`# in /data/misc/perfprofd/. GMS core will need to list all`
			`# data stored in that directory to process them one by one.`
			userdebug_or_eng(`
			`allow untrusted_app_all perfprofd_data_file:file r_file_perms;`
			`allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;`
			`')`

			`# gdbserver for ndk-gdb ptrace attaches to app process.`
			`allow untrusted_app_all self:process ptrace;`

			`# Cts: HwRngTest`
			`allow untrusted_app_all sysfs_hwrandom:dir search;`
			`allow untrusted_app_all sysfs_hwrandom:file r_file_perms;`

Split preloads into media_file and data_file Untrusted apps should only access /data/preloads/media and demo directory. Bug: 36197686 Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446 2017-03-14 19:42:03 +01:00			`# Allow apps to view preloaded media content`
			`allow untrusted_app_all preloads_media_file:dir r_dir_perms;`
			`allow untrusted_app_all preloads_media_file:file r_file_perms;`
			`allow untrusted_app_all preloads_data_file:dir search;`
untrusted_apps: allow untrusted_apps to execute from /vendor/app The typical use case is where vendor apps which run as untrusted apps use libraries that are packaged withing the apk Bug: 37753883 Test: Tested by runnig pre-installed app that packages a library from /vendor/app Change-Id: I445144e37e49e531f4f43b13f34d6f2e78d7a3cf Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-28 22:17:26 +02:00
			`# Allow untrusted apps read / execute access to /vendor/app for there can`
			`# be pre-installed vendor apps that package a library within themselves.`
			`# TODO (b/37784178) Consider creating a special type for /vendor/app installed`
			`# apps.`
			`allow untrusted_app_all vendor_app_file:dir { open getattr read search };`
			`allow untrusted_app_all vendor_app_file:file { open getattr read execute };`
			`allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };`