platform_system_sepolicy/untrusted_app.te

###
### Untrusted apps.
###
### This file defines the rules for untrusted apps. An "untrusted
### app" is an APP with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000).
###
### untrusted_app includes all the appdomain rules, plus the
### additional following rules:
###

type untrusted_app, domain;
permissive_or_unconfined(untrusted_app)
app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)

# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app app_data_file:file rx_file_perms;

allow untrusted_app tun_device:chr_file rw_file_perms;

# Internal SDCard rw access.
allow untrusted_app sdcard_internal:dir create_dir_perms;
allow untrusted_app sdcard_internal:file create_file_perms;

# External SDCard rw access.
allow untrusted_app sdcard_external:dir create_dir_perms;
allow untrusted_app sdcard_external:file create_file_perms;

# ASEC
allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file r_file_perms;
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file execute;

# Create tcp/udp sockets
allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
allow untrusted_app self:{ tcp_socket udp_socket } { create_socket_perms accept listen };
# Bind to a particular hostname/address/interface (e.g., localhost) instead of
# ANY. Normally, apps should not be listening on all interfaces.
allow untrusted_app port:{ tcp_socket udp_socket } name_bind;

# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
allow untrusted_app shell_data_file:file r_file_perms;
allow untrusted_app shell_data_file:dir r_dir_perms;
Move *_app into their own file app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change. Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f 2013-07-13 01:33:29 +02:00			`###`
			`### Untrusted apps.`
			`###`
			`### This file defines the rules for untrusted apps. An "untrusted`
			`### app" is an APP with UID between APP_AID (10000)`
			`### and AID_ISOLATED_START (99000).`
			`###`
			`### untrusted_app includes all the appdomain rules, plus the`
			`### additional following rules:`
			`###`

			`type untrusted_app, domain;`
Support forcing permissive domains to unconfined. Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing. Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing. This will ensure that all SELinux domains have at least a minimal level of protection. Unconditionally enable this flag for all user builds. Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858 2014-01-11 10:31:03 +01:00			`permissive_or_unconfined(untrusted_app)`
Move *_app into their own file app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change. Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f 2013-07-13 01:33:29 +02:00			`app_domain(untrusted_app)`
			`net_domain(untrusted_app)`
			`bluetooth_domain(untrusted_app)`
untrusted_app.te / isolated_app.te / app.te first pass This is my first attempt at creating an enforcing SELinux domain for apps, untrusted_apps, and isolated_apps. Much of these rules are based on the contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21 with extensive modifications, some of which are included below. * Allow communication with netd/dnsproxyd, to allow netd to handle dns requests * Allow binder communications with the DNS server * Allow binder communications with surfaceflinger * Allow an app to bind to tcp/udp ports * Allow all domains to read files from the root partition, assuming the DAC allows access. In addition, I added a bunch of "neverallow" rules, to assert that certain capabilities are never added. This change has a high probability of breaking someone, somewhere. If it does, then I'm happy to fix the breakage, rollback this change, or put untrusted_app into permissive mode. Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35 2013-07-13 03:45:56 +02:00
Allow untrusted apps to execute binaries from their sandbox directories. Various third party apps come with their own binaries that they write out to their sandbox directories and then execute, e.g.: audit(1386527439.462:190): avc: denied { execute_no_trans } for pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file While this is not ideal from a security POV, it seems necessary to support for compatibility with Android today. Split out the execute-related permissions to a separate allow rule as it only makes sense for regular files (class file) not other kinds of files (e.g. fifos, sockets, symlinks), and use the rx_file_perms macro. Move the rule to untrusted_app only so that we do not permit system apps to execute files written by untrusted apps. Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-11 15:08:09 +01:00			`# Some apps ship with shared libraries and binaries that they write out`
			`# to their sandbox directory and then execute.`
			`allow untrusted_app app_data_file:file rx_file_perms;`

untrusted_app.te / isolated_app.te / app.te first pass This is my first attempt at creating an enforcing SELinux domain for apps, untrusted_apps, and isolated_apps. Much of these rules are based on the contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21 with extensive modifications, some of which are included below. * Allow communication with netd/dnsproxyd, to allow netd to handle dns requests * Allow binder communications with the DNS server * Allow binder communications with surfaceflinger * Allow an app to bind to tcp/udp ports * Allow all domains to read files from the root partition, assuming the DAC allows access. In addition, I added a bunch of "neverallow" rules, to assert that certain capabilities are never added. This change has a high probability of breaking someone, somewhere. If it does, then I'm happy to fix the breakage, rollback this change, or put untrusted_app into permissive mode. Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35 2013-07-13 03:45:56 +02:00			`allow untrusted_app tun_device:chr_file rw_file_perms;`

			`# Internal SDCard rw access.`
			`allow untrusted_app sdcard_internal:dir create_dir_perms;`
			`allow untrusted_app sdcard_internal:file create_file_perms;`

			`# External SDCard rw access.`
			`allow untrusted_app sdcard_external:dir create_dir_perms;`
			`allow untrusted_app sdcard_external:file create_file_perms;`

			`# ASEC`
			`allow untrusted_app asec_apk_file:dir { getattr };`
			`allow untrusted_app asec_apk_file:file r_file_perms;`
Introduce asec_public_file type. This new type will allow us to write finer-grained policy concerning asec containers. Some files of these containers need to be world readable. Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil> 2014-02-04 17:36:41 +01:00			`# Execute libs in asec containers.`
			`allow untrusted_app asec_public_file:file execute;`
untrusted_app.te / isolated_app.te / app.te first pass This is my first attempt at creating an enforcing SELinux domain for apps, untrusted_apps, and isolated_apps. Much of these rules are based on the contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21 with extensive modifications, some of which are included below. * Allow communication with netd/dnsproxyd, to allow netd to handle dns requests * Allow binder communications with the DNS server * Allow binder communications with surfaceflinger * Allow an app to bind to tcp/udp ports * Allow all domains to read files from the root partition, assuming the DAC allows access. In addition, I added a bunch of "neverallow" rules, to assert that certain capabilities are never added. This change has a high probability of breaking someone, somewhere. If it does, then I'm happy to fix the breakage, rollback this change, or put untrusted_app into permissive mode. Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35 2013-07-13 03:45:56 +02:00
Allow apps to create listening ports Bug: 9872463 Change-Id: I47eabeace3387afd24c0fd4bee70e77c0a3586d5 2013-07-16 18:03:58 +02:00			`# Create tcp/udp sockets`
untrusted_app.te / isolated_app.te / app.te first pass This is my first attempt at creating an enforcing SELinux domain for apps, untrusted_apps, and isolated_apps. Much of these rules are based on the contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21 with extensive modifications, some of which are included below. * Allow communication with netd/dnsproxyd, to allow netd to handle dns requests * Allow binder communications with the DNS server * Allow binder communications with surfaceflinger * Allow an app to bind to tcp/udp ports * Allow all domains to read files from the root partition, assuming the DAC allows access. In addition, I added a bunch of "neverallow" rules, to assert that certain capabilities are never added. This change has a high probability of breaking someone, somewhere. If it does, then I'm happy to fix the breakage, rollback this change, or put untrusted_app into permissive mode. Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35 2013-07-13 03:45:56 +02:00			`allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;`
Allow apps to create listening ports Bug: 9872463 Change-Id: I47eabeace3387afd24c0fd4bee70e77c0a3586d5 2013-07-16 18:03:58 +02:00			`allow untrusted_app self:{ tcp_socket udp_socket } { create_socket_perms accept listen };`
Permit apps to bind TCP/UDP sockets to a hostname Change-Id: Ided2cf793e94bb58529789c3075f8480c0d0cf4e 2013-07-16 18:45:39 +02:00			`# Bind to a particular hostname/address/interface (e.g., localhost) instead of`
			`# ANY. Normally, apps should not be listening on all interfaces.`
			`allow untrusted_app port:{ tcp_socket udp_socket } name_bind;`
untrusted_app.te / isolated_app.te / app.te first pass This is my first attempt at creating an enforcing SELinux domain for apps, untrusted_apps, and isolated_apps. Much of these rules are based on the contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21 with extensive modifications, some of which are included below. * Allow communication with netd/dnsproxyd, to allow netd to handle dns requests * Allow binder communications with the DNS server * Allow binder communications with surfaceflinger * Allow an app to bind to tcp/udp ports * Allow all domains to read files from the root partition, assuming the DAC allows access. In addition, I added a bunch of "neverallow" rules, to assert that certain capabilities are never added. This change has a high probability of breaking someone, somewhere. If it does, then I'm happy to fix the breakage, rollback this change, or put untrusted_app into permissive mode. Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35 2013-07-13 03:45:56 +02:00
			`# Allow the allocation and use of ptys`
			`# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm`
Isolate untrusted app ptys from other domains. Add a create_pty() macro that allows a domain to create and use its own ptys, isolated from the ptys of any other domain, and use that macro for untrusted_app. This permits the use of a pty by apps without opening up access to ptys created by any other domain on the system. Change-Id: I5d96ce4d1b26073d828e13eb71c48d1e14ce7d6b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-09-27 15:44:32 +02:00			`create_pty(untrusted_app)`
Temporarily allow untrusted apps to read shell data files. This is needed to support "Verify App" functionality. During side loading, the Verify App functionality reads the APK to determine if it's safe to install. Bug: 9863154 Change-Id: I33f6b0fd012f6cb194e253d5d92cf6189d6aa222 2013-07-16 00:48:34 +02:00
			`# Used by Finsky / Android "Verify Apps" functionality when`
			`# running "adb install foo.apk".`
			`# TODO: Long term, we don't want apps probing into shell data files.`
			`# Figure out a way to remove these rules.`
Revert "Add the ability to write shell files to the untrusted_app domain." At this point, we still don't understand the root cause of bug 10290009, or if it's even a real bug. Rollback 29d0d40668e686adc91cdfbf0d083e71ed82bac6 so we an get a device in this state and figure out the root cause of this problem. This reverts commit 29d0d40668e686adc91cdfbf0d083e71ed82bac6. Bug: 10290009 2013-09-05 01:12:33 +02:00			`allow untrusted_app shell_data_file:file r_file_perms;`
Temporarily allow untrusted apps to read shell data files. This is needed to support "Verify App" functionality. During side loading, the Verify App functionality reads the APK to determine if it's safe to install. Bug: 9863154 Change-Id: I33f6b0fd012f6cb194e253d5d92cf6189d6aa222 2013-07-16 00:48:34 +02:00			`allow untrusted_app shell_data_file:dir r_dir_perms;`