Coalesce shared_app, media_app, release_app into untrusted_app.

This change folds the shared_app, media_app, and release_app
domains into untrusted_app, reducing the set of app domains down
to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
nfc, radio), a single domain for apps signed by the platform key
(platform_app), and a single domain for all other apps (untrusted_app).
Thus, SELinux only distinguishes when already distinguished by a predefined
Android ID (AID) or by the platform certificate (which get the signature-only
Android permissions and thus may require special OS-level accesses).

It is still possible to introduce specific app domains for specific
apps by adding signer and package stanzas to mac_permissions.xml,
but this can be done on an as-needed basis for specialized apps that
require particular OS-level permissions outside the usual set.

As there is now only a single platform app domains, get rid of the
platformappdomain attribute and platform_app_domain() macro.  We used
to add mlstrustedsubject to those domains but drop this since we are not
using MLS in AOSP presently; we can revisit which domains need it if/when
we use MLS.

Since we are dropping the shared, media, and release seinfo entries from
seapp_contexts, drop them from mac_permissions.xml as well.  However,
we leave the keys.conf entries in case someone wants to add a signer
entry in the future for specific apps signed by those keys to
mac_permissions.xml.

Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

app.te

@@ -95,6 +95,7 @@ allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdow
 # to any app that has backup ability. Hence, no open permissions here.
 allow appdomain backup_data_file:file { read write getattr };
 allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain cache_backup_file:dir getattr;
 # Backup ability using 'adb backup'
 allow appdomain system_data_file:lnk_file getattr;
 

attributes

@@ -65,8 +65,5 @@ attribute bluetoothdomain;
 # All domains used for binder service domains.
 attribute binderservicedomain;
 
-# Allow domains used for platform (signed by build key) apps.
-attribute platformappdomain;
-
 # All domains which are allowed the "relabelto" permission
 attribute relabeltodomain;

mac_permissions.xml

@@ -26,21 +26,6 @@
       <seinfo value="platform" />
     </signer>
 
-    <!-- Media dev key in AOSP -->
-    <signer signature="@MEDIA" >
-      <seinfo value="media" />
-    </signer>
-
-    <!-- shared dev key in AOSP -->
-    <signer signature="@SHARED" >
-      <seinfo value="shared" />
-    </signer>
-
-    <!-- release dev key in AOSP -->
-    <signer signature="@RELEASE" >
-      <seinfo value="release" />
-    </signer>
-
     <!-- All other keys -->
     <default>
       <seinfo value="default" />

media_app.te

@@ -1,17 +0,0 @@
-###
-### Apps signed with the media key.
-###
-
-type media_app, domain;
-app_domain(media_app)
-platform_app_domain(media_app)
-binder_service(media_app)
-# Access the network.
-net_domain(media_app)
-# Access /dev/mtp_usb.
-allow media_app mtp_device:chr_file rw_file_perms;
-# Stat /cache/backup
-allow media_app cache_backup_file:file getattr;
-allow media_app cache_backup_file:dir getattr;
-
-# inherits from platformappdomain.te

platform_app.te

@@ -5,7 +5,6 @@
 type platform_app, domain;
 permissive_or_unconfined(platform_app)
 app_domain(platform_app)
-platform_app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
@@ -22,4 +21,10 @@ allow platform_app apk_private_data_file:dir search;
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
 
-# inherits from platformappdomain.te
+# Access to /data/media.
+allow platform_app media_rw_data_file:dir create_dir_perms;
+allow platform_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow platform_app cache_file:dir create_dir_perms;
+allow platform_app cache_file:file create_file_perms;

platformappdomain.te

@@ -1,16 +0,0 @@
-#
-# Rules for all platform app domains.
-# These rules are inherited by any domain that includes platform_app_domain().
-# Presently this consists of the four app domains corresponding to apps
-# signed by one of the four build keys: platform_app, shared_app, media_app,
-# release_app.  These app domains have greater permissions to specific
-# directories owned by groups that are restricted to apps with
-# Android permissions that are signature|system.
-
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir create_dir_perms;
-allow platformappdomain media_rw_data_file:file create_file_perms;
-
-# Write to /cache.
-allow platformappdomain cache_file:dir create_dir_perms;
-allow platformappdomain cache_file:file create_file_perms;

release_app.te

@@ -1,14 +0,0 @@
-###
-### Apps signed with the release key (testkey in AOSP).
-###
-
-type release_app, domain;
-permissive_or_unconfined(release_app)
-app_domain(release_app)
-platform_app_domain(release_app)
-# Access the network.
-net_domain(release_app)
-# Access bluetooth.
-bluetooth_domain(release_app)
-
-# inherits from platformappdomain.te

seapp_contexts

@@ -40,9 +40,6 @@ user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
 user=shell domain=shell type=shell_data_file
-user=_app domain=untrusted_app type=app_data_file
-user=_app seinfo=platform domain=platform_app type=app_data_file
-user=_app seinfo=shared domain=shared_app type=app_data_file
-user=_app seinfo=media domain=media_app type=app_data_file
-user=_app seinfo=release domain=release_app type=app_data_file
 user=_isolated domain=isolated_app
+user=_app seinfo=platform domain=platform_app type=app_data_file
+user=_app domain=untrusted_app type=app_data_file

shared_app.te

@@ -1,14 +0,0 @@
-###
-### Apps signed with the shared key.
-###
-
-type shared_app, domain;
-permissive_or_unconfined(shared_app)
-app_domain(shared_app)
-platform_app_domain(shared_app)
-# Access the network.
-net_domain(shared_app)
-# Access bluetooth.
-bluetooth_domain(shared_app)
-
-# inherits from platformappdomain.te

te_macros

@@ -118,14 +118,6 @@ define(`relabelto_domain', `
 typeattribute $1 relabeltodomain;
 ')
 
-#####################################
-# platform_app_domain(domain)
-# Allow permissions specific to platform apps.
-define(`platform_app_domain', `
-typeattribute $1 platformappdomain;
-typeattribute $1 mlstrustedsubject;
-')
-
 #####################################
 # net_domain(domain)
 # Allow a base set of permissions required for network access.

untrusted_app.te

@@ -10,7 +10,7 @@
 ### and AID_ISOLATED_START (99000) if the app has no specific seinfo
 ### value as determined from mac_permissions.xml.  In current AOSP, this
 ### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by one of the four platform keys.  To move
+### that are not signed by the platform key.  To move
 ### a system app into a specific domain, add a signer entry for it to
 ### mac_permissions.xml and assign it one of the pre-existing seinfo values
 ### or define and use a new seinfo value in both mac_permissions.xml and
@@ -48,3 +48,19 @@ create_pty(untrusted_app)
 # Figure out a way to remove these rules.
 allow untrusted_app shell_data_file:file r_file_perms;
 allow untrusted_app shell_data_file:dir r_dir_perms;
+
+#
+# Rules migrated from old app domains coalesced into untrusted_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access /dev/mtp_usb.
+allow untrusted_app mtp_device:chr_file rw_file_perms;
+
+# Access to /data/media.
+allow untrusted_app media_rw_data_file:dir create_dir_perms;
+allow untrusted_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow untrusted_app cache_file:dir create_dir_perms;
+allow untrusted_app cache_file:file create_file_perms;