platform_system_sepolicy/private/untrusted_app_32.te

###
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
### 31 < targetSdkVersion <= 33.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###

typeattribute untrusted_app_32 coredomain;

app_domain(untrusted_app_32)
untrusted_app_domain(untrusted_app_32)
net_domain(untrusted_app_32)
bluetooth_domain(untrusted_app_32)

# Allow webview to access fd shared by sdksandbox for experiments data
# TODO(b/229249719): Will not be supported in Android U
allow untrusted_app_32 sdk_sandbox_data_file:fd use;
allow untrusted_app_32 sdk_sandbox_data_file:file write;

neverallow untrusted_app_32 sdk_sandbox_data_file:file { open create };

# Connect to mdnsd via mdnsd socket.
unix_socket_connect(untrusted_app_32, mdnsd, mdnsd)
userdebug_or_eng(`
  auditallow untrusted_app_32 mdnsd_socket:sock_file write;
  auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
')

# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
allow untrusted_app_32 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
  auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };
  auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };
')
Blocks untrusted apps to access /dev/socket/mdnsd from U The untrusted apps should not directly access /dev/socket/mdnsd since API level 34 (U). Only adbd and netd should remain to have access to /dev/socket/mdnsd. For untrusted apps running with API level 33-, they still have access to /dev/socket/mdnsd for backward compatibility. Bug: 265364111 Test: Manual test Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525 2023-01-18 08:52:43 +01:00			`###`
			`### Untrusted apps.`
			`###`
			`### This file defines the rules for untrusted apps running with`
			`### 31 < targetSdkVersion <= 33.`
			`###`
			`### See public/untrusted_app.te for more information about which apps are`
			`### placed in this selinux domain.`
			`###`

			`typeattribute untrusted_app_32 coredomain;`

			`app_domain(untrusted_app_32)`
			`untrusted_app_domain(untrusted_app_32)`
			`net_domain(untrusted_app_32)`
			`bluetooth_domain(untrusted_app_32)`

			`# Allow webview to access fd shared by sdksandbox for experiments data`
			`# TODO(b/229249719): Will not be supported in Android U`
			`allow untrusted_app_32 sdk_sandbox_data_file:fd use;`
			`allow untrusted_app_32 sdk_sandbox_data_file:file write;`

			`neverallow untrusted_app_32 sdk_sandbox_data_file:file { open create };`

			`# Connect to mdnsd via mdnsd socket.`
			`unix_socket_connect(untrusted_app_32, mdnsd, mdnsd)`
			userdebug_or_eng(`
			`auditallow untrusted_app_32 mdnsd_socket:sock_file write;`
			`auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;`
			`')`
Disallow watch and watch_reads on apk_data_file for apps This can be used as a side channel to observe when an application is launched. Gate this restriction on the application's targetSdkVersion to avoid breaking existing apps. Only apps targeting 34 and above will see the new restriction. Remove duplicate permissions from public/shell.te. Shell is already appdomain, so these permissions are already granted to it. Ignore-AOSP-First: Security fix Bug: 231587164 Test: boot device, install/uninstall apps. Observe no new denials. Test: Run researcher provided PoC. Observe audit messages. Change-Id: Ic7577884e9d994618a38286a42a8047516548782 2023-03-27 12:30:23 +02:00
			`# Allow calling inotify on APKs for backwards compatibility. This is disallowed`
			`# for targetSdkVersion>=34 to remove a sidechannel.`
			`allow untrusted_app_32 apk_data_file:dir { watch watch_reads };`
			`allow untrusted_app_32 apk_data_file:file { watch watch_reads };`
			userdebug_or_eng(`
			`auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };`
			`auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };`
			`')`