platform_system_sepolicy/private/untrusted_app.te

###
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
### targetSdkVersion >= 34.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###

typeattribute untrusted_app coredomain;

app_domain(untrusted_app)
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)

# Allow webview to access fd shared by sdksandbox for experiments data
# TODO(b/229249719): Will not be supported in Android U
allow untrusted_app sdk_sandbox_data_file:fd use;
allow untrusted_app sdk_sandbox_data_file:file write;

neverallow untrusted_app sdk_sandbox_data_file:file { open create };
Move untrusted_app policy to private This leaves only the existence of untrusted_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from untrusted_domain_current attribute (as expected). Bug: 31364497 Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92 2017-01-05 21:27:10 +01:00			`###`
			`### Untrusted apps.`
			`###`
reland: untrusted_app_29: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=30 including: - No RTM_GETLINK on netlink route sockets. Remove some of the repetitive descriptions in each untrusted_app_N.te file, and instead refer to the description in public/untrusted_app.te. Bug: 141455849 Test: CtsSelinuxTargetSdkCurrentTestCases Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b 2020-01-20 10:14:48 +01:00			`### This file defines the rules for untrusted apps running with`
Blocks untrusted apps to access /dev/socket/mdnsd from U The untrusted apps should not directly access /dev/socket/mdnsd since API level 34 (U). Only adbd and netd should remain to have access to /dev/socket/mdnsd. For untrusted apps running with API level 33-, they still have access to /dev/socket/mdnsd for backward compatibility. Bug: 265364111 Test: Manual test Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525 2023-01-18 08:52:43 +01:00			`### targetSdkVersion >= 34.`
reland: untrusted_app_29: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=30 including: - No RTM_GETLINK on netlink route sockets. Remove some of the repetitive descriptions in each untrusted_app_N.te file, and instead refer to the description in public/untrusted_app.te. Bug: 141455849 Test: CtsSelinuxTargetSdkCurrentTestCases Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b 2020-01-20 10:14:48 +01:00			`###`
			`### See public/untrusted_app.te for more information about which apps are`
			`### placed in this selinux domain.`
Move untrusted_app policy to private This leaves only the existence of untrusted_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from untrusted_domain_current attribute (as expected). Bug: 31364497 Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92 2017-01-05 21:27:10 +01:00			`###`

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute untrusted_app coredomain;`

Restore app_domain macro and move to private use. app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665 2016-12-08 20:23:34 +01:00			`app_domain(untrusted_app)`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`untrusted_app_domain(untrusted_app)`
Move untrusted_app policy to private This leaves only the existence of untrusted_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from untrusted_domain_current attribute (as expected). Bug: 31364497 Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92 2017-01-05 21:27:10 +01:00			`net_domain(untrusted_app)`
			`bluetooth_domain(untrusted_app)`
Allow app to write to sdk_sandbox Change-Id: I2e308ca9ce58e71ac9d7d9b0fa515bdf2f5dfa1f Bug: b/229251344 Test: Manual 2022-05-05 16:03:47 +02:00
			`# Allow webview to access fd shared by sdksandbox for experiments data`
			`# TODO(b/229249719): Will not be supported in Android U`
			`allow untrusted_app sdk_sandbox_data_file:fd use;`
			`allow untrusted_app sdk_sandbox_data_file:file write;`

Blocks untrusted apps to access /dev/socket/mdnsd from U The untrusted apps should not directly access /dev/socket/mdnsd since API level 34 (U). Only adbd and netd should remain to have access to /dev/socket/mdnsd. For untrusted apps running with API level 33-, they still have access to /dev/socket/mdnsd for backward compatibility. Bug: 265364111 Test: Manual test Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525 2023-01-18 08:52:43 +01:00			`neverallow untrusted_app sdk_sandbox_data_file:file { open create };`