From a1aa2210a939aebc752ea410d9d434104bc4b5d6 Mon Sep 17 00:00:00 2001 From: Jeff Vander Stoep Date: Mon, 20 Jan 2020 10:14:48 +0100 Subject: [PATCH] untrusted_app_29: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=30 including: - No bind() on netlink route sockets. - No RTM_GETLINK on netlink route sockets. Remove some of the repetitive descriptions in each untrusted_app_N.te file, and instead refer to the description in public/untrusted_app.te. Bug: 141455849 Test: CtsSelinuxTargetSdkCurrentTestCases Change-Id: Iad4d142c0c13615b4710d378bc1feca4d125b6cc --- private/app_neverallows.te | 9 +++++++++ private/compat/29.0/29.0.ignore.cil | 1 + private/seapp_contexts | 3 ++- private/untrusted_app.te | 19 +++++-------------- private/untrusted_app_25.te | 18 +++++------------- private/untrusted_app_27.te | 19 +++++-------------- private/untrusted_app_29.te | 19 +++++++++++++++++++ public/net.te | 14 ++++++++++---- public/untrusted_app.te | 9 +++++++++ 9 files changed, 65 insertions(+), 46 deletions(-) create mode 100644 private/untrusted_app_29.te diff --git a/private/app_neverallows.te b/private/app_neverallows.te index 6248cabb3..3747a52e3 100644 --- a/private/app_neverallows.te +++ b/private/app_neverallows.te @@ -9,6 +9,7 @@ define(`all_untrusted_apps',`{ untrusted_app untrusted_app_25 untrusted_app_27 + untrusted_app_29 untrusted_app_all }') # Receive or send uevent messages. @@ -111,6 +112,14 @@ neverallow all_untrusted_apps *:{ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } *; +# Disallow calling bind() and sending RTM_GETLINK messages on netlink sockets. +neverallow { + all_untrusted_apps + -untrusted_app_25 + -untrusted_app_27 + -untrusted_app_29 +} domain:netlink_route_socket { bind nlmsg_readpriv }; + # Do not allow untrusted apps access to /cache neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms }; neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr }; diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil index 3a5be19d0..9c9cc12e5 100644 --- a/private/compat/29.0/29.0.ignore.cil +++ b/private/compat/29.0/29.0.ignore.cil @@ -69,6 +69,7 @@ system_unsolzygote_socket tethering_service timezonedetector_service + untrusted_app_29 usb_serial_device userspace_reboot_prop userspace_reboot_config_prop diff --git a/private/seapp_contexts b/private/seapp_contexts index 383857866..fed43258a 100644 --- a/private/seapp_contexts +++ b/private/seapp_contexts @@ -163,7 +163,8 @@ user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user -user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all +user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all +user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user diff --git a/private/untrusted_app.te b/private/untrusted_app.te index c15fa2244..6e7a99cd8 100644 --- a/private/untrusted_app.te +++ b/private/untrusted_app.te @@ -1,20 +1,11 @@ ### ### Untrusted apps. ### -### This file defines the rules for untrusted apps. -### Apps are labeled based on mac_permissions.xml (maps signer and -### optionally package name to seinfo value) and seapp_contexts (maps UID -### and optionally seinfo value to domain for process and type for data -### directory). The untrusted_app domain is the default assignment in -### seapp_contexts for any app with UID between APP_AID (10000) -### and AID_ISOLATED_START (99000) if the app has no specific seinfo -### value as determined from mac_permissions.xml. In current AOSP, this -### domain is assigned to all non-system apps as well as to any system apps -### that are not signed by the platform key. To move -### a system app into a specific domain, add a signer entry for it to -### mac_permissions.xml and assign it one of the pre-existing seinfo values -### or define and use a new seinfo value in both mac_permissions.xml and -### seapp_contexts. +### This file defines the rules for untrusted apps running with +### targetSdkVersion >= 30. +### +### See public/untrusted_app.te for more information about which apps are +### placed in this selinux domain. ### typeattribute untrusted_app coredomain; diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te index 2091f2ee8..a1abc416b 100644 --- a/private/untrusted_app_25.te +++ b/private/untrusted_app_25.te @@ -4,19 +4,8 @@ ### This file defines the rules for untrusted apps running with ### targetSdkVersion <= 25. ### -### Apps are labeled based on mac_permissions.xml (maps signer and -### optionally package name to seinfo value) and seapp_contexts (maps UID -### and optionally seinfo value to domain for process and type for data -### directory). The untrusted_app domain is the default assignment in -### seapp_contexts for any app with UID between APP_AID (10000) -### and AID_ISOLATED_START (99000) if the app has no specific seinfo -### value as determined from mac_permissions.xml. In current AOSP, this -### domain is assigned to all non-system apps as well as to any system apps -### that are not signed by the platform key. To move -### a system app into a specific domain, add a signer entry for it to -### mac_permissions.xml and assign it one of the pre-existing seinfo values -### or define and use a new seinfo value in both mac_permissions.xml and -### seapp_contexts. +### See public/untrusted_app.te for more information about which apps are +### placed in this selinux domain. ### typeattribute untrusted_app_25 coredomain; @@ -59,3 +48,6 @@ auditallow untrusted_app_25 ashmem_device:chr_file open; # Read /mnt/sdcard symlink. allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms; + +# allow binding to netlink route sockets and sending RTM_GETLINK messages. +allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv }; diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te index 03b30130c..b7b6d7213 100644 --- a/private/untrusted_app_27.te +++ b/private/untrusted_app_27.te @@ -4,20 +4,8 @@ ### This file defines the rules for untrusted apps running with ### 25 < targetSdkVersion <= 28. ### -### This file defines the rules for untrusted apps. -### Apps are labeled based on mac_permissions.xml (maps signer and -### optionally package name to seinfo value) and seapp_contexts (maps UID -### and optionally seinfo value to domain for process and type for data -### directory). The untrusted_app_27 domain is the default assignment in -### seapp_contexts for any app with UID between APP_AID (10000) -### and AID_ISOLATED_START (99000) if the app has no specific seinfo -### value as determined from mac_permissions.xml. In current AOSP, this -### domain is assigned to all non-system apps as well as to any system apps -### that are not signed by the platform key. To move -### a system app into a specific domain, add a signer entry for it to -### mac_permissions.xml and assign it one of the pre-existing seinfo values -### or define and use a new seinfo value in both mac_permissions.xml and -### seapp_contexts. +### See public/untrusted_app.te for more information about which apps are +### placed in this selinux domain. ### typeattribute untrusted_app_27 coredomain; @@ -48,3 +36,6 @@ auditallow untrusted_app_27 ashmem_device:chr_file open; # Read /mnt/sdcard symlink. allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms; + +# allow binding to netlink route sockets and sending RTM_GETLINK messages. +allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv }; diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te new file mode 100644 index 000000000..344ae89bd --- /dev/null +++ b/private/untrusted_app_29.te @@ -0,0 +1,19 @@ +### +### Untrusted_29. +### +### This file defines the rules for untrusted apps running with +### targetSdkVersion = 29. +### +### See public/untrusted_app.te for more information about which apps are +### placed in this selinux domain. +### + +typeattribute untrusted_app_29 coredomain; + +app_domain(untrusted_app_29) +untrusted_app_domain(untrusted_app_29) +net_domain(untrusted_app_29) +bluetooth_domain(untrusted_app_29) + +# allow binding to netlink route sockets and sending RTM_GETLINK messages. +allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv }; diff --git a/public/net.te b/public/net.te index bdef07215..e90715e66 100644 --- a/public/net.te +++ b/public/net.te @@ -18,10 +18,16 @@ allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket allow {netdomain -ephemeral_app} port_type:udp_socket name_bind; allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind; # See changes to the routing table. -allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read }; -# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and initially grant -# this permission to everything that previously had the nlmsg_read permission. -allow netdomain self:netlink_route_socket nlmsg_readpriv; +allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read }; +# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from +# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere +# to avoid app-compat breakage. +allow { + netdomain + -ephemeral_app + -mediaprovider + -untrusted_app_all +} self:netlink_route_socket { bind nlmsg_readpriv }; # Talks to netd via dnsproxyd socket. unix_socket_connect(netdomain, dnsproxyd, netd) diff --git a/public/untrusted_app.te b/public/untrusted_app.te index 5289bf96b..43fe19a03 100644 --- a/public/untrusted_app.te +++ b/public/untrusted_app.te @@ -16,6 +16,15 @@ ### seapp_contexts. ### +# This file defines the rules for untrusted apps running with +# targetSdkVersion >= 30. type untrusted_app, domain; +# This file defines the rules for untrusted apps running with +# targetSdkVersion = 29. +type untrusted_app_29, domain; +# This file defines the rules for untrusted apps running with +# 25 < targetSdkVersion <= 28. type untrusted_app_27, domain; +# This file defines the rules for untrusted apps running with +# targetSdkVersion <= 25. type untrusted_app_25, domain;