From 9ba844fea12a0b08770e870d63f3d3c375c7c9b5 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 4 Apr 2014 09:09:25 -0400
Subject: [PATCH] Coalesce shared_app, media_app, release_app into
 untrusted_app.

This change folds the shared_app, media_app, and release_app
domains into untrusted_app, reducing the set of app domains down
to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
nfc, radio), a single domain for apps signed by the platform key
(platform_app), and a single domain for all other apps (untrusted_app).
Thus, SELinux only distinguishes when already distinguished by a predefined
Android ID (AID) or by the platform certificate (which get the signature-only
Android permissions and thus may require special OS-level accesses).

It is still possible to introduce specific app domains for specific
apps by adding signer and package stanzas to mac_permissions.xml,
but this can be done on an as-needed basis for specialized apps that
require particular OS-level permissions outside the usual set.

As there is now only a single platform app domains, get rid of the
platformappdomain attribute and platform_app_domain() macro.  We used
to add mlstrustedsubject to those domains but drop this since we are not
using MLS in AOSP presently; we can revisit which domains need it if/when
we use MLS.

Since we are dropping the shared, media, and release seinfo entries from
seapp_contexts, drop them from mac_permissions.xml as well.  However,
we leave the keys.conf entries in case someone wants to add a signer
entry in the future for specific apps signed by those keys to
mac_permissions.xml.

Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te               |  1 +
 attributes           |  3 ---
 mac_permissions.xml  | 15 ---------------
 media_app.te         | 17 -----------------
 platform_app.te      |  9 +++++++--
 platformappdomain.te | 16 ----------------
 release_app.te       | 14 --------------
 seapp_contexts       |  7 ++-----
 shared_app.te        | 14 --------------
 te_macros            |  8 --------
 untrusted_app.te     | 18 +++++++++++++++++-
 11 files changed, 27 insertions(+), 95 deletions(-)
 delete mode 100644 media_app.te
 delete mode 100644 platformappdomain.te
 delete mode 100644 release_app.te
 delete mode 100644 shared_app.te

diff --git a/app.te b/app.te
index cd1d7752d..b8833dbf1 100644
--- a/app.te
+++ b/app.te
@@ -95,6 +95,7 @@ allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdow
 # to any app that has backup ability. Hence, no open permissions here.
 allow appdomain backup_data_file:file { read write getattr };
 allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain cache_backup_file:dir getattr;
 # Backup ability using 'adb backup'
 allow appdomain system_data_file:lnk_file getattr;
 
diff --git a/attributes b/attributes
index bbc3d922b..69654e32b 100644
--- a/attributes
+++ b/attributes
@@ -65,8 +65,5 @@ attribute bluetoothdomain;
 # All domains used for binder service domains.
 attribute binderservicedomain;
 
-# Allow domains used for platform (signed by build key) apps.
-attribute platformappdomain;
-
 # All domains which are allowed the "relabelto" permission
 attribute relabeltodomain;
diff --git a/mac_permissions.xml b/mac_permissions.xml
index f9f631bac..baaaf324c 100644
--- a/mac_permissions.xml
+++ b/mac_permissions.xml
@@ -26,21 +26,6 @@
       <seinfo value="platform" />
     </signer>
 
-    <!-- Media dev key in AOSP -->
-    <signer signature="@MEDIA" >
-      <seinfo value="media" />
-    </signer>
-
-    <!-- shared dev key in AOSP -->
-    <signer signature="@SHARED" >
-      <seinfo value="shared" />
-    </signer>
-
-    <!-- release dev key in AOSP -->
-    <signer signature="@RELEASE" >
-      <seinfo value="release" />
-    </signer>
-
     <!-- All other keys -->
     <default>
       <seinfo value="default" />
diff --git a/media_app.te b/media_app.te
deleted file mode 100644
index 5075cdfb2..000000000
--- a/media_app.te
+++ /dev/null
@@ -1,17 +0,0 @@
-###
-### Apps signed with the media key.
-###
-
-type media_app, domain;
-app_domain(media_app)
-platform_app_domain(media_app)
-binder_service(media_app)
-# Access the network.
-net_domain(media_app)
-# Access /dev/mtp_usb.
-allow media_app mtp_device:chr_file rw_file_perms;
-# Stat /cache/backup
-allow media_app cache_backup_file:file getattr;
-allow media_app cache_backup_file:dir getattr;
-
-# inherits from platformappdomain.te
diff --git a/platform_app.te b/platform_app.te
index ba8ed4b21..6cac4ee30 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -5,7 +5,6 @@
 type platform_app, domain;
 permissive_or_unconfined(platform_app)
 app_domain(platform_app)
-platform_app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
@@ -22,4 +21,10 @@ allow platform_app apk_private_data_file:dir search;
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
 
-# inherits from platformappdomain.te
+# Access to /data/media.
+allow platform_app media_rw_data_file:dir create_dir_perms;
+allow platform_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow platform_app cache_file:dir create_dir_perms;
+allow platform_app cache_file:file create_file_perms;
diff --git a/platformappdomain.te b/platformappdomain.te
deleted file mode 100644
index 5ba86017b..000000000
--- a/platformappdomain.te
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# Rules for all platform app domains.
-# These rules are inherited by any domain that includes platform_app_domain().
-# Presently this consists of the four app domains corresponding to apps
-# signed by one of the four build keys: platform_app, shared_app, media_app,
-# release_app.  These app domains have greater permissions to specific
-# directories owned by groups that are restricted to apps with
-# Android permissions that are signature|system.
-
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir create_dir_perms;
-allow platformappdomain media_rw_data_file:file create_file_perms;
-
-# Write to /cache.
-allow platformappdomain cache_file:dir create_dir_perms;
-allow platformappdomain cache_file:file create_file_perms;
diff --git a/release_app.te b/release_app.te
deleted file mode 100644
index 4dc78e738..000000000
--- a/release_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-###
-### Apps signed with the release key (testkey in AOSP).
-###
-
-type release_app, domain;
-permissive_or_unconfined(release_app)
-app_domain(release_app)
-platform_app_domain(release_app)
-# Access the network.
-net_domain(release_app)
-# Access bluetooth.
-bluetooth_domain(release_app)
-
-# inherits from platformappdomain.te
diff --git a/seapp_contexts b/seapp_contexts
index ff0964a28..7b217fbf0 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -40,9 +40,6 @@ user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
 user=shell domain=shell type=shell_data_file
-user=_app domain=untrusted_app type=app_data_file
-user=_app seinfo=platform domain=platform_app type=app_data_file
-user=_app seinfo=shared domain=shared_app type=app_data_file
-user=_app seinfo=media domain=media_app type=app_data_file
-user=_app seinfo=release domain=release_app type=app_data_file
 user=_isolated domain=isolated_app
+user=_app seinfo=platform domain=platform_app type=app_data_file
+user=_app domain=untrusted_app type=app_data_file
diff --git a/shared_app.te b/shared_app.te
deleted file mode 100644
index ef7273529..000000000
--- a/shared_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-###
-### Apps signed with the shared key.
-###
-
-type shared_app, domain;
-permissive_or_unconfined(shared_app)
-app_domain(shared_app)
-platform_app_domain(shared_app)
-# Access the network.
-net_domain(shared_app)
-# Access bluetooth.
-bluetooth_domain(shared_app)
-
-# inherits from platformappdomain.te
diff --git a/te_macros b/te_macros
index 3d170f4fb..ddae3dff2 100644
--- a/te_macros
+++ b/te_macros
@@ -118,14 +118,6 @@ define(`relabelto_domain', `
 typeattribute $1 relabeltodomain;
 ')
 
-#####################################
-# platform_app_domain(domain)
-# Allow permissions specific to platform apps.
-define(`platform_app_domain', `
-typeattribute $1 platformappdomain;
-typeattribute $1 mlstrustedsubject;
-')
-
 #####################################
 # net_domain(domain)
 # Allow a base set of permissions required for network access.
diff --git a/untrusted_app.te b/untrusted_app.te
index e60bfff57..ebde0eb82 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -10,7 +10,7 @@
 ### and AID_ISOLATED_START (99000) if the app has no specific seinfo
 ### value as determined from mac_permissions.xml.  In current AOSP, this
 ### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by one of the four platform keys.  To move
+### that are not signed by the platform key.  To move
 ### a system app into a specific domain, add a signer entry for it to
 ### mac_permissions.xml and assign it one of the pre-existing seinfo values
 ### or define and use a new seinfo value in both mac_permissions.xml and
@@ -48,3 +48,19 @@ create_pty(untrusted_app)
 # Figure out a way to remove these rules.
 allow untrusted_app shell_data_file:file r_file_perms;
 allow untrusted_app shell_data_file:dir r_dir_perms;
+
+#
+# Rules migrated from old app domains coalesced into untrusted_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access /dev/mtp_usb.
+allow untrusted_app mtp_device:chr_file rw_file_perms;
+
+# Access to /data/media.
+allow untrusted_app media_rw_data_file:dir create_dir_perms;
+allow untrusted_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow untrusted_app cache_file:dir create_dir_perms;
+allow untrusted_app cache_file:file create_file_perms;