Disallow watch and watch_reads on apk_data_file for apps am: f9a774f1ae
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22283654 Change-Id: Id80c1e04d7aabee35cb92713a9435b2951cd24b5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
7a3ffd8b50
14 changed files with 130 additions and 18 deletions
|
@ -427,13 +427,6 @@ allow appdomain shared_relro_file:file r_file_perms;
|
|||
# Allow apps to read/execute installed binaries
|
||||
allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
|
||||
allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
|
||||
# Allow watch & watch_reads for now, but audit to see if they're actually used.
|
||||
allow appdomain apk_data_file:dir { watch watch_reads };
|
||||
allow appdomain apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow appdomain apk_data_file:dir { watch watch_reads };
|
||||
auditallow appdomain apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
||||
# /data/resource-cache
|
||||
allow appdomain resourcecache_data_file:file r_file_perms;
|
||||
|
@ -535,3 +528,23 @@ neverallow {
|
|||
appdomain
|
||||
-device_as_webcam
|
||||
} video_device:chr_file { read write };
|
||||
|
||||
# Prevent calling inotify on APKs. This can be used as a side channel
|
||||
# to observer app launches, so it must be disallowed. b/231587164
|
||||
# Gate by targetSdkVersion to avoid breaking existing apps.
|
||||
neverallow {
|
||||
appdomain
|
||||
-untrusted_app_25
|
||||
-untrusted_app_27
|
||||
-untrusted_app_29
|
||||
-untrusted_app_30
|
||||
-untrusted_app_32
|
||||
} apk_data_file:dir { watch watch_reads };
|
||||
neverallow {
|
||||
appdomain
|
||||
-untrusted_app_25
|
||||
-untrusted_app_27
|
||||
-untrusted_app_29
|
||||
-untrusted_app_30
|
||||
-untrusted_app_32
|
||||
} apk_data_file:file { watch watch_reads };
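Review bot: The two new neverallow rules hard-code the exemption list (untrusted_app_25/27/29/30/32), which has to stay identical to the set of domains granted `watch watch_reads` in the per-version untrusted_app_*.te hunks, and nothing in the hunk says so; since neverallow is checked when the policy is compiled, a future domain that gains the allow without an entry here fails the build, which is the right failure mode but worth stating. Suggest a comment above the first new neverallow: `# Keep this exemption list in sync with the allow rules in untrusted_app_XX.te;` `# neverallow is enforced at policy build time, so any new grant must be listed here too.` The side-channel comment also has a typo: `# to observe app launches, so it must be disallowed. b/231587164`. Only `watch` and `watch_reads` are denied; if this build's `dir`/`file` classes also define the remaining watch permissions (e.g. `watch_mount`, `watch_sb`, `watch_with_perm`), consider listing them so the rule closes the whole notification family rather than just the two permissions that used to be granted. The video_device neverallow at the top of the hunk begins outside it, and the same hunk appears again further down the page (presumably the prebuilt API copy), where the same points apply.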
|
||||
|
|
|
@ -59,3 +59,12 @@ userdebug_or_eng(`
|
|||
auditallow untrusted_app_25 mdnsd_socket:sock_file write;
|
||||
auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
|
||||
# for targetSdkVersion>=34 to remove a sidechannel.
|
||||
allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
|
||||
allow untrusted_app_25 apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads };
|
||||
auditallow untrusted_app_25 apk_data_file:file { watch watch_reads };
|
||||
')
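Review bot: The `userdebug_or_eng` auditallow block added here appears to mirror the one removed from app.te, so the only signal that this legacy grant is still exercised is an audit record on userdebug builds; a comment stating the retirement condition would make the exemption reviewable, e.g. `# TODO: drop this grant (and the matching neverallow exemption in app.te) once the` `# auditallow below shows no hits on userdebug builds.` The same block is repeated verbatim for untrusted_app_27, _29, _30 and _32 in the four hunks that follow (and again in the second copy of these files further down the page); a single m4 macro taking the domain name would keep the allow, the auditallow and the app.te neverallow exemption list from drifting apart. The `userdebug_or_eng(` that encloses the hunk's first three lines begins outside the hunk.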
|
||||
|
|
|
@ -47,3 +47,12 @@ userdebug_or_eng(`
|
|||
auditallow untrusted_app_27 mdnsd_socket:sock_file write;
|
||||
auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
|
||||
# for targetSdkVersion>=34 to remove a sidechannel.
|
||||
allow untrusted_app_27 apk_data_file:dir { watch watch_reads };
|
||||
allow untrusted_app_27 apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow untrusted_app_27 apk_data_file:dir { watch watch_reads };
|
||||
auditallow untrusted_app_27 apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
|
|
@ -25,3 +25,12 @@ userdebug_or_eng(`
|
|||
auditallow untrusted_app_29 mdnsd_socket:sock_file write;
|
||||
auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
|
||||
# for targetSdkVersion>=34 to remove a sidechannel.
|
||||
allow untrusted_app_29 apk_data_file:dir { watch watch_reads };
|
||||
allow untrusted_app_29 apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow untrusted_app_29 apk_data_file:dir { watch watch_reads };
|
||||
auditallow untrusted_app_29 apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
|
|
@ -27,3 +27,12 @@ userdebug_or_eng(`
|
|||
auditallow untrusted_app_30 mdnsd_socket:sock_file write;
|
||||
auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
|
||||
# for targetSdkVersion>=34 to remove a sidechannel.
|
||||
allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
|
||||
allow untrusted_app_30 apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads };
|
||||
auditallow untrusted_app_30 apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
|
|
@ -28,3 +28,12 @@ userdebug_or_eng(`
|
|||
auditallow untrusted_app_32 mdnsd_socket:sock_file write;
|
||||
auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
|
||||
# for targetSdkVersion>=34 to remove a sidechannel.
|
||||
allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
|
||||
allow untrusted_app_32 apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };
|
||||
auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
|
|
@ -63,8 +63,6 @@ allow shell toolbox_exec:file rx_file_perms;
|
|||
allow shell shell_exec:file rx_file_perms;
|
||||
allow shell zygote_exec:file rx_file_perms;
|
||||
|
||||
r_dir_file(shell, apk_data_file)
|
||||
|
||||
userdebug_or_eng(`
|
||||
# "systrace --boot" support - allow boottrace service to run
|
||||
allow shell boottrace_data_file:dir rw_dir_perms;
|
||||
|
|
|
@ -427,13 +427,6 @@ allow appdomain shared_relro_file:file r_file_perms;
|
|||
# Allow apps to read/execute installed binaries
|
||||
allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
|
||||
allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
|
||||
# Allow watch & watch_reads for now, but audit to see if they're actually used.
|
||||
allow appdomain apk_data_file:dir { watch watch_reads };
|
||||
allow appdomain apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow appdomain apk_data_file:dir { watch watch_reads };
|
||||
auditallow appdomain apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
||||
# /data/resource-cache
|
||||
allow appdomain resourcecache_data_file:file r_file_perms;
|
||||
|
@ -535,3 +528,23 @@ neverallow {
|
|||
appdomain
|
||||
-device_as_webcam
|
||||
} video_device:chr_file { read write };
|
||||
|
||||
# Prevent calling inotify on APKs. This can be used as a side channel
|
||||
# to observer app launches, so it must be disallowed. b/231587164
|
||||
# Gate by targetSdkVersion to avoid breaking existing apps.
|
||||
neverallow {
|
||||
appdomain
|
||||
-untrusted_app_25
|
||||
-untrusted_app_27
|
||||
-untrusted_app_29
|
||||
-untrusted_app_30
|
||||
-untrusted_app_32
|
||||
} apk_data_file:dir { watch watch_reads };
|
||||
neverallow {
|
||||
appdomain
|
||||
-untrusted_app_25
|
||||
-untrusted_app_27
|
||||
-untrusted_app_29
|
||||
-untrusted_app_30
|
||||
-untrusted_app_32
|
||||
} apk_data_file:file { watch watch_reads };
|
||||
|
|
|
@ -59,3 +59,12 @@ userdebug_or_eng(`
|
|||
auditallow untrusted_app_25 mdnsd_socket:sock_file write;
|
||||
auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
|
||||
# for targetSdkVersion>=34 to remove a sidechannel.
|
||||
allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
|
||||
allow untrusted_app_25 apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads };
|
||||
auditallow untrusted_app_25 apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
|
|
@ -47,3 +47,12 @@ userdebug_or_eng(`
|
|||
auditallow untrusted_app_27 mdnsd_socket:sock_file write;
|
||||
auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
|
||||
# for targetSdkVersion>=34 to remove a sidechannel.
|
||||
allow untrusted_app_27 apk_data_file:dir { watch watch_reads };
|
||||
allow untrusted_app_27 apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow untrusted_app_27 apk_data_file:dir { watch watch_reads };
|
||||
auditallow untrusted_app_27 apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
|
|
@ -25,3 +25,12 @@ userdebug_or_eng(`
|
|||
auditallow untrusted_app_29 mdnsd_socket:sock_file write;
|
||||
auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
|
||||
# for targetSdkVersion>=34 to remove a sidechannel.
|
||||
allow untrusted_app_29 apk_data_file:dir { watch watch_reads };
|
||||
allow untrusted_app_29 apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow untrusted_app_29 apk_data_file:dir { watch watch_reads };
|
||||
auditallow untrusted_app_29 apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
|
|
@ -27,3 +27,12 @@ userdebug_or_eng(`
|
|||
auditallow untrusted_app_30 mdnsd_socket:sock_file write;
|
||||
auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
|
||||
# for targetSdkVersion>=34 to remove a sidechannel.
|
||||
allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
|
||||
allow untrusted_app_30 apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads };
|
||||
auditallow untrusted_app_30 apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
|
|
@ -28,3 +28,12 @@ userdebug_or_eng(`
|
|||
auditallow untrusted_app_32 mdnsd_socket:sock_file write;
|
||||
auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
|
||||
# for targetSdkVersion>=34 to remove a sidechannel.
|
||||
allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
|
||||
allow untrusted_app_32 apk_data_file:file { watch watch_reads };
|
||||
userdebug_or_eng(`
|
||||
auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };
|
||||
auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };
|
||||
')
|
||||
|
|
|
@ -63,8 +63,6 @@ allow shell toolbox_exec:file rx_file_perms;
|
|||
allow shell shell_exec:file rx_file_perms;
|
||||
allow shell zygote_exec:file rx_file_perms;
|
||||
|
||||
r_dir_file(shell, apk_data_file)
|
||||
|
||||
userdebug_or_eng(`
|
||||
# "systrace --boot" support - allow boottrace service to run
|
||||
allow shell boottrace_data_file:dir rw_dir_perms;
|
||||
|
|