platform_system_sepolicy/private/untrusted_app.te

###
### Untrusted apps.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory).  The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml.  In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key.  To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###

typeattribute untrusted_app coredomain;

app_domain(untrusted_app)
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)

# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };

# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)

neverallow untrusted_app system_server:udp_socket {
        accept append bind create getopt ioctl listen lock name_bind
        relabelfrom relabelto setattr setopt shutdown };
Move untrusted_app policy to private This leaves only the existence of untrusted_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from untrusted_domain_current attribute (as expected). Bug: 31364497 Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92 2017-01-05 21:27:10 +01:00			`###`
			`### Untrusted apps.`
			`###`
			`### This file defines the rules for untrusted apps.`
			`### Apps are labeled based on mac_permissions.xml (maps signer and`
			`### optionally package name to seinfo value) and seapp_contexts (maps UID`
			`### and optionally seinfo value to domain for process and type for data`
			`### directory). The untrusted_app domain is the default assignment in`
			`### seapp_contexts for any app with UID between APP_AID (10000)`
			`### and AID_ISOLATED_START (99000) if the app has no specific seinfo`
			`### value as determined from mac_permissions.xml. In current AOSP, this`
			`### domain is assigned to all non-system apps as well as to any system apps`
			`### that are not signed by the platform key. To move`
			`### a system app into a specific domain, add a signer entry for it to`
			`### mac_permissions.xml and assign it one of the pre-existing seinfo values`
			`### or define and use a new seinfo value in both mac_permissions.xml and`
			`### seapp_contexts.`
			`###`

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute untrusted_app coredomain;`

Restore app_domain macro and move to private use. app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665 2016-12-08 20:23:34 +01:00			`app_domain(untrusted_app)`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 22:33:27 +01:00			`untrusted_app_domain(untrusted_app)`
Move untrusted_app policy to private This leaves only the existence of untrusted_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from untrusted_domain_current attribute (as expected). Bug: 31364497 Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92 2017-01-05 21:27:10 +01:00			`net_domain(untrusted_app)`
			`bluetooth_domain(untrusted_app)`
Allow all untrusted_apps to create ptys Bug: 35632346 Test: build and boot aosp_marlin Change-Id: Ia2d019b0160e9b512f3e3a70ded70504fe4fea0c 2017-02-22 05:13:15 +01:00
Allow UDP Sockets to be returned from IpSecService These permissions allow the system server to create and bind a UDP socket such that it gains the SOCK_BINDPORT_LOCK. (ref: af_inet.c - inet_bind()) This prevents the user from disconnecting the socket, which would create a security vulnerability. The user may then use the provided socket, which is always IPv4/UDP, for IKE negotiation. Thus, an un-trusted user app must be able to use the socket for communication. -ALLOW: read, write, connect, sendto, and recvfrom. -NEVERALLOW: anything else Bug: 30984788 Test: CTS tested via IpSecManagerTest:testUdpEncapsulationSocket Change-Id: I045ba941797ac12fd14a0cce42efdd2abc4d67e0 2017-04-06 04:37:58 +02:00			`# allow untrusted apps to use UDP sockets provided by the system server but not`
			`# modify them other than to connect`
			`allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };`

Allow all untrusted_apps to create ptys Bug: 35632346 Test: build and boot aosp_marlin Change-Id: Ia2d019b0160e9b512f3e3a70ded70504fe4fea0c 2017-02-22 05:13:15 +01:00			`# Allow the allocation and use of ptys`
			`# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm`
			`create_pty(untrusted_app)`
Allow UDP Sockets to be returned from IpSecService These permissions allow the system server to create and bind a UDP socket such that it gains the SOCK_BINDPORT_LOCK. (ref: af_inet.c - inet_bind()) This prevents the user from disconnecting the socket, which would create a security vulnerability. The user may then use the provided socket, which is always IPv4/UDP, for IKE negotiation. Thus, an un-trusted user app must be able to use the socket for communication. -ALLOW: read, write, connect, sendto, and recvfrom. -NEVERALLOW: anything else Bug: 30984788 Test: CTS tested via IpSecManagerTest:testUdpEncapsulationSocket Change-Id: I045ba941797ac12fd14a0cce42efdd2abc4d67e0 2017-04-06 04:37:58 +02:00
			`neverallow untrusted_app system_server:udp_socket {`
			`accept append bind create getopt ioctl listen lock name_bind`
			`relabelfrom relabelto setattr setopt shutdown };`