From f9a774f1ae91849e1ea7d6dbbbf7b143b3617e83 Mon Sep 17 00:00:00 2001 From: Jeff Vander Stoep Date: Mon, 27 Mar 2023 12:30:23 +0200 Subject: [PATCH] Disallow watch and watch_reads on apk_data_file for apps This can be used as a side channel to observe when an application is launched. Gate this restriction on the application's targetSdkVersion to avoid breaking existing apps. Only apps targeting 34 and above will see the new restriction. Remove duplicate permissions from public/shell.te. Shell is already appdomain, so these permissions are already granted to it. Ignore-AOSP-First: Security fix Bug: 231587164 Test: boot device, install/uninstall apps. Observe no new denials. Test: Run researcher provided PoC. Observe audit messages. Change-Id: Ic7577884e9d994618a38286a42a8047516548782 --- prebuilts/api/34.0/private/app.te | 27 ++++++++++++++----- .../api/34.0/private/untrusted_app_25.te | 9 +++++++ .../api/34.0/private/untrusted_app_27.te | 9 +++++++ .../api/34.0/private/untrusted_app_29.te | 9 +++++++ .../api/34.0/private/untrusted_app_30.te | 9 +++++++ .../api/34.0/private/untrusted_app_32.te | 9 +++++++ prebuilts/api/34.0/public/shell.te | 2 -- private/app.te | 27 ++++++++++++++----- private/untrusted_app_25.te | 9 +++++++ private/untrusted_app_27.te | 9 +++++++ private/untrusted_app_29.te | 9 +++++++ private/untrusted_app_30.te | 9 +++++++ private/untrusted_app_32.te | 9 +++++++ public/shell.te | 2 -- 14 files changed, 130 insertions(+), 18 deletions(-) diff --git a/prebuilts/api/34.0/private/app.te b/prebuilts/api/34.0/private/app.te index e763a09c6..05332d718 100644 --- a/prebuilts/api/34.0/private/app.te +++ b/prebuilts/api/34.0/private/app.te @@ -427,13 +427,6 @@ allow appdomain shared_relro_file:file r_file_perms; # Allow apps to read/execute installed binaries allow appdomain apk_data_file:dir { open getattr read search ioctl lock }; allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms }; -# Allow watch & watch_reads for now, but audit to see if they're actually used. -allow appdomain apk_data_file:dir { watch watch_reads }; -allow appdomain apk_data_file:file { watch watch_reads }; -userdebug_or_eng(` - auditallow appdomain apk_data_file:dir { watch watch_reads }; - auditallow appdomain apk_data_file:file { watch watch_reads }; -') # /data/resource-cache allow appdomain resourcecache_data_file:file r_file_perms; @@ -535,3 +528,23 @@ neverallow { appdomain -device_as_webcam } video_device:chr_file { read write }; + +# Prevent calling inotify on APKs. This can be used as a side channel +# to observer app launches, so it must be disallowed. b/231587164 +# Gate by targetSdkVersion to avoid breaking existing apps. +neverallow { + appdomain + -untrusted_app_25 + -untrusted_app_27 + -untrusted_app_29 + -untrusted_app_30 + -untrusted_app_32 +} apk_data_file:dir { watch watch_reads }; +neverallow { + appdomain + -untrusted_app_25 + -untrusted_app_27 + -untrusted_app_29 + -untrusted_app_30 + -untrusted_app_32 +} apk_data_file:file { watch watch_reads }; diff --git a/prebuilts/api/34.0/private/untrusted_app_25.te b/prebuilts/api/34.0/private/untrusted_app_25.te index 2c0391f76..d59245c3d 100644 --- a/prebuilts/api/34.0/private/untrusted_app_25.te +++ b/prebuilts/api/34.0/private/untrusted_app_25.te @@ -59,3 +59,12 @@ userdebug_or_eng(` auditallow untrusted_app_25 mdnsd_socket:sock_file write; auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto; ') + +# Allow calling inotify on APKs for backwards compatibility. This is disallowed +# for targetSdkVersion>=34 to remove a sidechannel. +allow untrusted_app_25 apk_data_file:dir { watch watch_reads }; +allow untrusted_app_25 apk_data_file:file { watch watch_reads }; +userdebug_or_eng(` + auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads }; + auditallow untrusted_app_25 apk_data_file:file { watch watch_reads }; +') diff --git a/prebuilts/api/34.0/private/untrusted_app_27.te b/prebuilts/api/34.0/private/untrusted_app_27.te index 163803ac6..8c970d860 100644 --- a/prebuilts/api/34.0/private/untrusted_app_27.te +++ b/prebuilts/api/34.0/private/untrusted_app_27.te @@ -47,3 +47,12 @@ userdebug_or_eng(` auditallow untrusted_app_27 mdnsd_socket:sock_file write; auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto; ') + +# Allow calling inotify on APKs for backwards compatibility. This is disallowed +# for targetSdkVersion>=34 to remove a sidechannel. +allow untrusted_app_27 apk_data_file:dir { watch watch_reads }; +allow untrusted_app_27 apk_data_file:file { watch watch_reads }; +userdebug_or_eng(` + auditallow untrusted_app_27 apk_data_file:dir { watch watch_reads }; + auditallow untrusted_app_27 apk_data_file:file { watch watch_reads }; +') diff --git a/prebuilts/api/34.0/private/untrusted_app_29.te b/prebuilts/api/34.0/private/untrusted_app_29.te index 758ed2316..ed0bbfc7e 100644 --- a/prebuilts/api/34.0/private/untrusted_app_29.te +++ b/prebuilts/api/34.0/private/untrusted_app_29.te @@ -25,3 +25,12 @@ userdebug_or_eng(` auditallow untrusted_app_29 mdnsd_socket:sock_file write; auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto; ') + +# Allow calling inotify on APKs for backwards compatibility. This is disallowed +# for targetSdkVersion>=34 to remove a sidechannel. +allow untrusted_app_29 apk_data_file:dir { watch watch_reads }; +allow untrusted_app_29 apk_data_file:file { watch watch_reads }; +userdebug_or_eng(` + auditallow untrusted_app_29 apk_data_file:dir { watch watch_reads }; + auditallow untrusted_app_29 apk_data_file:file { watch watch_reads }; +') diff --git a/prebuilts/api/34.0/private/untrusted_app_30.te b/prebuilts/api/34.0/private/untrusted_app_30.te index 830106d12..c87548ef2 100644 --- a/prebuilts/api/34.0/private/untrusted_app_30.te +++ b/prebuilts/api/34.0/private/untrusted_app_30.te @@ -27,3 +27,12 @@ userdebug_or_eng(` auditallow untrusted_app_30 mdnsd_socket:sock_file write; auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto; ') + +# Allow calling inotify on APKs for backwards compatibility. This is disallowed +# for targetSdkVersion>=34 to remove a sidechannel. +allow untrusted_app_30 apk_data_file:dir { watch watch_reads }; +allow untrusted_app_30 apk_data_file:file { watch watch_reads }; +userdebug_or_eng(` + auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads }; + auditallow untrusted_app_30 apk_data_file:file { watch watch_reads }; +') diff --git a/prebuilts/api/34.0/private/untrusted_app_32.te b/prebuilts/api/34.0/private/untrusted_app_32.te index 643c12271..6e95fd117 100644 --- a/prebuilts/api/34.0/private/untrusted_app_32.te +++ b/prebuilts/api/34.0/private/untrusted_app_32.te @@ -28,3 +28,12 @@ userdebug_or_eng(` auditallow untrusted_app_32 mdnsd_socket:sock_file write; auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto; ') + +# Allow calling inotify on APKs for backwards compatibility. This is disallowed +# for targetSdkVersion>=34 to remove a sidechannel. +allow untrusted_app_32 apk_data_file:dir { watch watch_reads }; +allow untrusted_app_32 apk_data_file:file { watch watch_reads }; +userdebug_or_eng(` + auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads }; + auditallow untrusted_app_32 apk_data_file:file { watch watch_reads }; +') diff --git a/prebuilts/api/34.0/public/shell.te b/prebuilts/api/34.0/public/shell.te index 6c67ceaa2..d4d13e347 100644 --- a/prebuilts/api/34.0/public/shell.te +++ b/prebuilts/api/34.0/public/shell.te @@ -63,8 +63,6 @@ allow shell toolbox_exec:file rx_file_perms; allow shell shell_exec:file rx_file_perms; allow shell zygote_exec:file rx_file_perms; -r_dir_file(shell, apk_data_file) - userdebug_or_eng(` # "systrace --boot" support - allow boottrace service to run allow shell boottrace_data_file:dir rw_dir_perms; diff --git a/private/app.te b/private/app.te index e763a09c6..05332d718 100644 --- a/private/app.te +++ b/private/app.te @@ -427,13 +427,6 @@ allow appdomain shared_relro_file:file r_file_perms; # Allow apps to read/execute installed binaries allow appdomain apk_data_file:dir { open getattr read search ioctl lock }; allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms }; -# Allow watch & watch_reads for now, but audit to see if they're actually used. -allow appdomain apk_data_file:dir { watch watch_reads }; -allow appdomain apk_data_file:file { watch watch_reads }; -userdebug_or_eng(` - auditallow appdomain apk_data_file:dir { watch watch_reads }; - auditallow appdomain apk_data_file:file { watch watch_reads }; -') # /data/resource-cache allow appdomain resourcecache_data_file:file r_file_perms; @@ -535,3 +528,23 @@ neverallow { appdomain -device_as_webcam } video_device:chr_file { read write }; + +# Prevent calling inotify on APKs. This can be used as a side channel +# to observer app launches, so it must be disallowed. b/231587164 +# Gate by targetSdkVersion to avoid breaking existing apps. +neverallow { + appdomain + -untrusted_app_25 + -untrusted_app_27 + -untrusted_app_29 + -untrusted_app_30 + -untrusted_app_32 +} apk_data_file:dir { watch watch_reads }; +neverallow { + appdomain + -untrusted_app_25 + -untrusted_app_27 + -untrusted_app_29 + -untrusted_app_30 + -untrusted_app_32 +} apk_data_file:file { watch watch_reads }; diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te index 2c0391f76..d59245c3d 100644 --- a/private/untrusted_app_25.te +++ b/private/untrusted_app_25.te @@ -59,3 +59,12 @@ userdebug_or_eng(` auditallow untrusted_app_25 mdnsd_socket:sock_file write; auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto; ') + +# Allow calling inotify on APKs for backwards compatibility. This is disallowed +# for targetSdkVersion>=34 to remove a sidechannel. +allow untrusted_app_25 apk_data_file:dir { watch watch_reads }; +allow untrusted_app_25 apk_data_file:file { watch watch_reads }; +userdebug_or_eng(` + auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads }; + auditallow untrusted_app_25 apk_data_file:file { watch watch_reads }; +') diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te index 163803ac6..8c970d860 100644 --- a/private/untrusted_app_27.te +++ b/private/untrusted_app_27.te @@ -47,3 +47,12 @@ userdebug_or_eng(` auditallow untrusted_app_27 mdnsd_socket:sock_file write; auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto; ') + +# Allow calling inotify on APKs for backwards compatibility. This is disallowed +# for targetSdkVersion>=34 to remove a sidechannel. +allow untrusted_app_27 apk_data_file:dir { watch watch_reads }; +allow untrusted_app_27 apk_data_file:file { watch watch_reads }; +userdebug_or_eng(` + auditallow untrusted_app_27 apk_data_file:dir { watch watch_reads }; + auditallow untrusted_app_27 apk_data_file:file { watch watch_reads }; +') diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te index 758ed2316..ed0bbfc7e 100644 --- a/private/untrusted_app_29.te +++ b/private/untrusted_app_29.te @@ -25,3 +25,12 @@ userdebug_or_eng(` auditallow untrusted_app_29 mdnsd_socket:sock_file write; auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto; ') + +# Allow calling inotify on APKs for backwards compatibility. This is disallowed +# for targetSdkVersion>=34 to remove a sidechannel. +allow untrusted_app_29 apk_data_file:dir { watch watch_reads }; +allow untrusted_app_29 apk_data_file:file { watch watch_reads }; +userdebug_or_eng(` + auditallow untrusted_app_29 apk_data_file:dir { watch watch_reads }; + auditallow untrusted_app_29 apk_data_file:file { watch watch_reads }; +') diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te index 830106d12..c87548ef2 100644 --- a/private/untrusted_app_30.te +++ b/private/untrusted_app_30.te @@ -27,3 +27,12 @@ userdebug_or_eng(` auditallow untrusted_app_30 mdnsd_socket:sock_file write; auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto; ') + +# Allow calling inotify on APKs for backwards compatibility. This is disallowed +# for targetSdkVersion>=34 to remove a sidechannel. +allow untrusted_app_30 apk_data_file:dir { watch watch_reads }; +allow untrusted_app_30 apk_data_file:file { watch watch_reads }; +userdebug_or_eng(` + auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads }; + auditallow untrusted_app_30 apk_data_file:file { watch watch_reads }; +') diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te index 643c12271..6e95fd117 100644 --- a/private/untrusted_app_32.te +++ b/private/untrusted_app_32.te @@ -28,3 +28,12 @@ userdebug_or_eng(` auditallow untrusted_app_32 mdnsd_socket:sock_file write; auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto; ') + +# Allow calling inotify on APKs for backwards compatibility. This is disallowed +# for targetSdkVersion>=34 to remove a sidechannel. +allow untrusted_app_32 apk_data_file:dir { watch watch_reads }; +allow untrusted_app_32 apk_data_file:file { watch watch_reads }; +userdebug_or_eng(` + auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads }; + auditallow untrusted_app_32 apk_data_file:file { watch watch_reads }; +') diff --git a/public/shell.te b/public/shell.te index 6c67ceaa2..d4d13e347 100644 --- a/public/shell.te +++ b/public/shell.te @@ -63,8 +63,6 @@ allow shell toolbox_exec:file rx_file_perms; allow shell shell_exec:file rx_file_perms; allow shell zygote_exec:file rx_file_perms; -r_dir_file(shell, apk_data_file) - userdebug_or_eng(` # "systrace --boot" support - allow boottrace service to run allow shell boottrace_data_file:dir rw_dir_perms;