platform_system_sepolicy/private/untrusted_app_25.te

###
### Untrusted_app_25
###
### This file defines the rules for untrusted apps running with
### targetSdkVersion <= 25.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###

typeattribute untrusted_app_25 coredomain;

app_domain(untrusted_app_25)
untrusted_app_domain(untrusted_app_25)
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)

# b/35917228 - /proc/misc access
# This will go away in a future Android release
allow untrusted_app_25 proc_misc:file r_file_perms;

# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
allow untrusted_app_25 proc_tty_drivers:file r_file_perms;

# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;

# The ability to call exec() on files in the apps home directories
# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
# and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file execute_no_trans;
auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };

# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')

# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
auditallow untrusted_app_25 ashmem_device:chr_file open;

# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;

# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;

# Connect to mdnsd via mdnsd socket.
unix_socket_connect(untrusted_app_25, mdnsd, mdnsd)
userdebug_or_eng(`
  auditallow untrusted_app_25 mdnsd_socket:sock_file write;
  auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
')

# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
allow untrusted_app_25 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
  auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads };
  auditallow untrusted_app_25 apk_data_file:file { watch watch_reads };
')
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`###`
			`### Untrusted_app_25`
			`###`
			`### This file defines the rules for untrusted apps running with`
			`### targetSdkVersion <= 25.`
			`###`
reland: untrusted_app_29: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=30 including: - No RTM_GETLINK on netlink route sockets. Remove some of the repetitive descriptions in each untrusted_app_N.te file, and instead refer to the description in public/untrusted_app.te. Bug: 141455849 Test: CtsSelinuxTargetSdkCurrentTestCases Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b 2020-01-20 10:14:48 +01:00			`### See public/untrusted_app.te for more information about which apps are`
			`### placed in this selinux domain.`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`###`

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute untrusted_app_25 coredomain;`

untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`app_domain(untrusted_app_25)`
			`untrusted_app_domain(untrusted_app_25)`
			`net_domain(untrusted_app_25)`
			`bluetooth_domain(untrusted_app_25)`

Label /proc/misc Label /proc/misc and allow access to untrusted_apps targeting older API versions, as well as update_engine_common. /proc/misc is used by some banking apps to try to detect if they are running in an emulated environment. TODO: Remove access to proc:file from update_engine_common after more testing. Bug: 35917228 Test: Device boots and no new denials. Change-Id: If1b97a9c55a74cb74d1bb15137201ffb95b5bd75 2017-03-03 21:17:49 +01:00			`# b/35917228 - /proc/misc access`
			`# This will go away in a future Android release`
			`allow untrusted_app_25 proc_misc:file r_file_perms;`
Move /proc/tty/drivers access to untrusted_app_25 This should only be granted to legacy apps, not to newer API versions. Change-Id: Ia4b9b3a3cf33aa31bcad2fe15d8470c50132e2a9 Test: policy compiles. 2017-03-05 05:09:10 +01:00
			`# Access to /proc/tty/drivers, to allow apps to determine if they`
			`# are running in an emulated environment.`
			`# b/33214085 b/33814662 b/33791054 b/33211769`
			`# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java`
			`# This will go away in a future Android release`
			`allow untrusted_app_25 proc_tty_drivers:file r_file_perms;`
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e) 2018-04-10 21:47:48 +02:00
Allow execmod for apps with targetSdkVersion=26-28 Bug: 129760476 Test: build Change-Id: I239c16e8269b81c22738e7813c1d4ae46068aa53 2019-04-02 22:01:10 +02:00			`# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.`
Remove legacy execmod access from API >= 26. Text relocation support was removed from the linker for apps targeting API >= 23. See https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23 However, the security policy was not updated to remove the execmod permission at that time, since we didn't have support for targeting SELinux policies to API versions. Remove execmod permissions for apps targeting API 26 or greater. The linker support was removed, so it's pointless to keep around the SELinux permissions. Retain execmod support for apps targeting API 25 or lower. While in theory we could remove support for API 23-25, that would involve the introduction of a new SELinux domain (and the associated rule explosion), which I would prefer to avoid. This change helps protect application executable code from modification, enforcing W^X properties on executable code pages loaded from files. https://en.wikipedia.org/wiki/W%5EX Test: auditallow rules were added and nothing triggered for apps targeting API >= 26. Code compiles and device boots. Bug: 111544476 Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41 2018-08-08 00:14:34 +02:00			`# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23`
			`allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;`
Revert "Revert "Enforce execve() restrictions for API > 28"" This reverts commit 15d1a12f7f57f589c2f1401f8e72813546fd8dda. Bug: 118737210 Bug: 112357170 Test: boot marlin Change-Id: Idcfab04b48f843eead4efa9f58a1337c6685c6ca 2018-11-02 19:12:43 +01:00
Revert "remove app_data_file execute" This reverts commit b362474374afc402f65695252d30a008326c0eba. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots 2018-12-21 19:03:50 +01:00			`# The ability to call exec() on files in the apps home directories`
			`# for targetApi<=25. This is also allowed for targetAPIs 26, 27,`
			`# and 28 in untrusted_app_27.te.`
			`allow untrusted_app_25 app_data_file:file execute_no_trans;`
Audit native code loading on user builds. Extend the auditing of native code loading from non-priv app home directories to user builds. Only applies to apps targeting SDK <= 28. Bug: 111338677 Test: Builds Change-Id: I6fbbd80626a1c87dd7ece689f9fecd7c0a1a59d6 2019-01-28 11:33:08 +01:00			`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };`
Remove 'dex2oat_exec' from untrusted_app Remove the permission to execute dex2oat from apps targetSdkVersion>28. This has been historically used by ART to compile secondary dex files but that functionality has been removed in Q and the permission is therefore not needed. Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for targetSdkVersion<= 28. Test: atest CtsSelinuxTargetSdk25TestCases Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CtsSelinuxTargetSdkCurrentTestCases Bug: 117606664 Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5 2018-11-20 00:02:49 +01:00
			`# The ability to invoke dex2oat. Historically required by ART, now only`
			`# allowed for targetApi<=28 for compat reasons.`
			`allow untrusted_app_25 dex2oat_exec:file rx_file_perms;`
place dex2oat auditallow statements in userdebug_or_eng blocks By convention, auditallow statements are always placed in userdebug_or_eng() blocks. This ensures that we don't inadvertently ship audit rules on production devices, which could result in device logspam, and in pathological situations, impact device performance (generating audit messages is much more expensive than a standard SELinux check). Bug: 117606664 Test: policy compiles. Change-Id: I681ed73c83683e8fdbef9cf662488115f6e7a490 2018-11-20 19:45:56 +01:00			userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
sepolicy for ashmemd all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider are now expected to go to ashmemd for /dev/ashmem fds. Give coredomain access to ashmemd, because ashmemd is the default way for coredomain to get a /dev/ashmem fd. Bug: 113362644 Test: device boots, ashmemd running Test: Chrome app works Test: "lsof /system/lib64/libashmemd_client.so" shows libashmemd_client.so being loaded into apps. Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a 2019-01-27 22:39:19 +01:00
			`# The ability to talk to /dev/ashmem directly. targetApi>=29 must use`
			`# ASharedMemory instead.`
			`allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;`
Neverallow app open access to /dev/ashmem Apps are no longer allowed open access to /dev/ashmem, unless they target API level < Q. Bug: 113362644 Test: device boots, Chrome, instant apps work Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42 2019-02-12 23:14:30 +01:00			`auditallow untrusted_app_25 ashmem_device:chr_file open;`
Deprecate /mnt/sdcard -> /storage/self/primary symlink. "This symlink was suppose to have been removed in the Gingerbread time frame, but lives on." https://android.googlesource.com/platform/system/core/+/d2f0a2c%5E!/ Apps targeting R+ must NOT use that symlink. For older apps we allow core init.rc to create /mnt/sdcard -> /storage/self/primary symlink. Bug: 129497117 Test: boot device, /mnt/sdcard still around. Change-Id: I6ecd1928c0f598792d9badbf6616e3acc0450b0d 2019-04-12 00:23:24 +02:00
			`# Read /mnt/sdcard symlink.`
			`allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;`
untrusted_app_30: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=32 including: - No RTM_GETNEIGH on netlink route sockets. - No RTM_GETNEIGHTBL on netlink route sockets. Bug: 171572148 Test: atest NetworkInterfaceTest Test: atest bionic-unit-tests-static Test: atest CtsSelinuxTargetSdkCurrentTestCases Test: atest CtsSelinuxTargetSdk30TestCases Test: atest CtsSelinuxTargetSdk29TestCases Test: atest CtsSelinuxTargetSdk28TestCases Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CompatChangesSelinuxTest Test: atest NetlinkSocketTest Change-Id: I2167e6cd564854c2656ee06c2202cfff2b727af5 2021-05-12 14:19:24 +02:00
			`# allow sending RTM_GETNEIGH{TBL} messages.`
			`allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;`
			`auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;`
Blocks untrusted apps to access /dev/socket/mdnsd from U The untrusted apps should not directly access /dev/socket/mdnsd since API level 34 (U). Only adbd and netd should remain to have access to /dev/socket/mdnsd. For untrusted apps running with API level 33-, they still have access to /dev/socket/mdnsd for backward compatibility. Bug: 265364111 Test: Manual test Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525 2023-01-18 08:52:43 +01:00
			`# Connect to mdnsd via mdnsd socket.`
			`unix_socket_connect(untrusted_app_25, mdnsd, mdnsd)`
			userdebug_or_eng(`
			`auditallow untrusted_app_25 mdnsd_socket:sock_file write;`
			`auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;`
			`')`
Disallow watch and watch_reads on apk_data_file for apps This can be used as a side channel to observe when an application is launched. Gate this restriction on the application's targetSdkVersion to avoid breaking existing apps. Only apps targeting 34 and above will see the new restriction. Remove duplicate permissions from public/shell.te. Shell is already appdomain, so these permissions are already granted to it. Ignore-AOSP-First: Security fix Bug: 231587164 Test: boot device, install/uninstall apps. Observe no new denials. Test: Run researcher provided PoC. Observe audit messages. Change-Id: Ic7577884e9d994618a38286a42a8047516548782 2023-03-27 12:30:23 +02:00
			`# Allow calling inotify on APKs for backwards compatibility. This is disallowed`
			`# for targetSdkVersion>=34 to remove a sidechannel.`
			`allow untrusted_app_25 apk_data_file:dir { watch watch_reads };`
			`allow untrusted_app_25 apk_data_file:file { watch watch_reads };`
			userdebug_or_eng(`
			`auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads };`
			`auditallow untrusted_app_25 apk_data_file:file { watch watch_reads };`
			`')`