platform_system_sepolicy/private/app.te

# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)

get_prop(appdomain, boot_status_prop)
get_prop(appdomain, dalvik_config_prop)
get_prop(appdomain, media_config_prop)
get_prop(appdomain, packagemanager_config_prop)
get_prop(appdomain, surfaceflinger_color_prop)
get_prop(appdomain, systemsound_config_prop)
get_prop(appdomain, telephony_config_prop)
get_prop(appdomain, userspace_reboot_config_prop)
get_prop(appdomain, vold_config_prop)

userdebug_or_eng(`perfetto_producer({ appdomain })')

# Prevent apps from causing presubmit failures.
# Apps can cause selinux denials by accessing CE storage
# and/or external storage. In either case, the selinux denial is
# not the cause of the failure, but just a symptom that
# storage isn't ready. Many apps handle the failure appropriately.
#
# Apps cannot access external storage before it becomes available.
dontaudit appdomain storage_stub_file:dir getattr;
# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
# allowed to write to CE storage before it's available.
# Attempting to do so will be blocked by both selinux and unix
# permissions.
dontaudit appdomain system_data_file:dir write;
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;

neverallow appdomain system_server:udp_socket {
        accept append bind create ioctl listen lock name_bind
        relabelfrom relabelto setattr shutdown };

# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain }:process { dyntransition };

# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;

# Allow to read sendbug.preferred.domain
get_prop(appdomain, sendbug_config_prop)

# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
Add the testharness service to sepolicy rules The testharness service will manage Test Harness Mode and provide a command-line interface for users to enable Test Harness Mode; however it does not directly provide a public API. Bug: 80137798 Test: make Test: flash crosshatch Change-Id: Ie396e40fcea8914b4dd2247f2314e029b66ad84e 2019-01-15 22:39:30 +01:00			`# Allow apps to read the Test Harness Mode property. This property is used in`
			`# the implementation of ActivityManager.isDeviceInTestHarnessMode()`
			`get_prop(appdomain, test_harness_prop)`

Take new types out of compatible_property_only compatible_property_only is meaningless to new types introduced after Android P because the macro is for types which should have different accessibilities depending on the device's launching API level. Bug: N/A Test: system/sepolicy/tools/build_policies.sh Change-Id: If6b1cf5e4203c74ee65f170bd18c3a354dca2fd4 2020-05-21 13:12:55 +02:00			`get_prop(appdomain, boot_status_prop)`
			`get_prop(appdomain, dalvik_config_prop)`
Relabel media.recorder.show_manufacturer_and_model To remove exported*_default_prop Bug: 155844385 Test: capture video Test: atest writerTest Change-Id: I74223c8daa44acf0aba33bff31cfe21f6242f941 2020-07-06 15:24:11 +02:00			`get_prop(appdomain, media_config_prop)`
Allow apps to read packagemanager_config_prop To fix regression of CTS privappPermissionsMustBeEnforced Bug: 159647344 Test: atest PrivappPermissionsTest#privappPermissionsMustBeEnforced Change-Id: I88af05305f9aef6e813d0a72adad63b6b8f99487 Merged-In: I88af05305f9aef6e813d0a72adad63b6b8f99487 2020-06-30 18:27:49 +02:00			`get_prop(appdomain, packagemanager_config_prop)`
Take new types out of compatible_property_only compatible_property_only is meaningless to new types introduced after Android P because the macro is for types which should have different accessibilities depending on the device's launching API level. Bug: N/A Test: system/sepolicy/tools/build_policies.sh Change-Id: If6b1cf5e4203c74ee65f170bd18c3a354dca2fd4 2020-05-21 13:12:55 +02:00			`get_prop(appdomain, surfaceflinger_color_prop)`
			`get_prop(appdomain, systemsound_config_prop)`
Grant app and hal access to telephony_config_prop To resolve regression. Bug: 158254452 Test: m selinux_policy Change-Id: If0db9b9a4af6c34a007d0549aa7a5dd465e4ed63 2020-06-05 03:40:16 +02:00			`get_prop(appdomain, telephony_config_prop)`
Take new types out of compatible_property_only compatible_property_only is meaningless to new types introduced after Android P because the macro is for types which should have different accessibilities depending on the device's launching API level. Bug: N/A Test: system/sepolicy/tools/build_policies.sh Change-Id: If6b1cf5e4203c74ee65f170bd18c3a354dca2fd4 2020-05-21 13:12:55 +02:00			`get_prop(appdomain, userspace_reboot_config_prop)`
			`get_prop(appdomain, vold_config_prop)`

Allow Java domains to be Perfetto producers. This is needed to get Java heap graphs. Test: flash aosp; profile system_server with setenforce 1 Bug: 136210868 Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3 2019-10-08 17:15:14 +02:00			userdebug_or_eng(`perfetto_producer({ appdomain })')

Prevent apps from causing presubmit failures Apps can cause selinux denials by accessing CE storage and/or external storage. In either case, the selinux denial is not the cause of the failure, but just a symptom that storage isn't ready. Many apps handle the failure appropriately. These denials are not helpful, are not the cause of a problem, spam the logs, and cause presubmit flakes. Suppress them. Bug: 145267097 Test: build Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124 2019-12-16 10:59:03 +01:00			`# Prevent apps from causing presubmit failures.`
			`# Apps can cause selinux denials by accessing CE storage`
			`# and/or external storage. In either case, the selinux denial is`
			`# not the cause of the failure, but just a symptom that`
			`# storage isn't ready. Many apps handle the failure appropriately.`
			`#`
			`# Apps cannot access external storage before it becomes available.`
			`dontaudit appdomain storage_stub_file:dir getattr;`
			`# Attempts to write to system_data_file is generally a sign`
			`# that apps are attempting to access encrypted storage before`
			`# the ACTION_USER_UNLOCKED intent is delivered. Apps are not`
			`# allowed to write to CE storage before it's available.`
			`# Attempting to do so will be blocked by both selinux and unix`
			`# permissions.`
			`dontaudit appdomain system_data_file:dir write;`
Reduce graphics logspam There is no change in behavior. These denials were already being blocked. Bug: 79617173 Test: build Change-Id: Iffd1e5ba42854615eeea9490fe9150678ac98796 2020-04-02 13:36:17 +02:00			`# Apps should not be reading vendor-defined properties.`
			`dontaudit appdomain vendor_default_prop:file read;`
Prevent apps from causing presubmit failures Apps can cause selinux denials by accessing CE storage and/or external storage. In either case, the selinux denial is not the cause of the failure, but just a symptom that storage isn't ready. Many apps handle the failure appropriately. These denials are not helpful, are not the cause of a problem, spam the logs, and cause presubmit flakes. Suppress them. Bug: 145267097 Test: build Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124 2019-12-16 10:59:03 +01:00
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31 2017-12-15 03:20:30 +01:00			`neverallow appdomain system_server:udp_socket {`
Allow getsockopt and setsockopt for Encap Sockets Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c 2018-03-27 15:34:54 +02:00			`accept append bind create ioctl listen lock name_bind`
			`relabelfrom relabelto setattr shutdown };`
Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5 2018-11-29 02:50:24 +01:00
			`# Transition to a non-app domain.`
			`# Exception for the shell and su domains, can transition to runas, etc.`
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3 2018-12-12 18:06:05 +01:00			`# Exception for crash_dump to allow for app crash reporting.`
			`# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)`
			`# to allow renderscript to create privileged executable files.`
			neverallow { appdomain -shell userdebug_or_eng(`-su') }
			`{ domain -appdomain -crash_dump -rs }:process { transition };`
			neverallow { appdomain -shell userdebug_or_eng(`-su') }
			`{ domain -appdomain }:process { dyntransition };`
Add sdcardfs variable to storage_config_props This property allows us to disable sdcardfs if it is present. The old property ended up getting repurposed, so a new one was needed. Mediaprovider will also need to access this to determine what actions it needs to take. Test: builds Bug: 155222498 Change-Id: I66ac106613cbb374f54659601e4ba3f61eaecd2f 2020-05-12 07:50:40 +02:00
			`# Don't allow regular apps access to storage configuration properties.`
			`neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;`
Update sepolicy for GPU profiling properties. A device must indicate whether GPU profiling is supported or not through setting these two properties properly. CTS needs to read these two properties in order to run corresponding compliance tests. Hence need to update sepolicy for these two properties. Bug: b/157832445 Test: Test on Pixel 4 Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3 Merged-In: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3 2020-06-03 21:20:41 +02:00
Relabel various exported3_default_prop This removes bad context names "exported*_prop". Property contexts of following properties are changed. All properties are settable only by vendor-init. - ro.config.per_app_memcg This becomes lmkd_config_prop. - ro.zygote This becomes dalvik_config_prop. - ro.oem_unlock_supported This becomes oem_unlock_prop. It's readable by system_app which includes Settings apps. - ro.storage_manager.enabled This becomes storagemanagr_config_prop. It's readable by coredomain. Various domains in coredomain seem to read it. - sendbug.preferred.domain This bcomes sendbug_config_prop. It's readable by appdomain. There are still 3 more exported3_default_prop, which are going to be tracked individually. Bug: 155844385 Test: selinux denial check on Pixel devices Change-Id: I340c903ca7bda98a92d0f157c65f6833ed00df05 2020-07-16 15:25:47 +02:00			`# Allow to read sendbug.preferred.domain`
			`get_prop(appdomain, sendbug_config_prop)`

Update sepolicy for GPU profiling properties. A device must indicate whether GPU profiling is supported or not through setting these two properties properly. CTS needs to read these two properties in order to run corresponding compliance tests. Hence need to update sepolicy for these two properties. Bug: b/157832445 Test: Test on Pixel 4 Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3 Merged-In: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3 2020-06-03 21:20:41 +02:00			`# Allow to read graphics related properties.`
			`get_prop(appdomain, graphics_config_prop)`