From b93f26fd899ba19d77af9444c9f60e4a4478070d Mon Sep 17 00:00:00 2001
From: Bram Bonne
Date: Tue, 15 Mar 2022 18:28:02 +0100
Subject: [PATCH] Move sdk_sandbox sepolicy to AOSP.

Bug: 224796470
Bug: 203670791
Bug: 204989872
Bug: 211761016
Bug: 217543371
Bug: 217559719
Bug: 215105355
Bug: 220320098
Test: make, ensure device boots
Change-Id: Ia96ae5407f5a83390ce1b610da0d49264e90d7e2
Merged-In: Ib085c49f29dab47268e479fe5266490a66adaa87
Merged-In: I2215ffe74e0fa19ff936e90c08c4ebfd177e5258
Merged-In: I478c9a16032dc1f1286f5295fc080cbe574f09c9
Merged-In: Ibf478466e5d6ab0ee08fca4da3b4bae974a82db0
Merged-In: I5d519605d9fbe80c7b4c9fb6572bc72425f6e90a
Merged-In: I05d2071e023d0de8a93dcd111674f8d8102a21ce
Merged-In: I6572a7a5c46c52c9421d0e9c9fc653ddbd6de145
Merged-In: I1b6d1a778cb658bdfd930b684e4ba0640031b226
Merged-In: I9fb98e0caee75bdaaa35d11d174004505f236799
---
 mac_permissions.mk | 2 +-
 private/app.te | 80 ++++++++++++++------------
 private/compat/31.0/31.0.ignore.cil | 1 +
 private/compat/32.0/32.0.ignore.cil | 2 +-
 private/domain.te | 19 +++++++
 private/file.te | 3 +
 private/isolated_app.te | 2 +-
 private/keys.conf | 3 +
 private/mac_permissions.xml | 5 ++
 private/net.te | 17 ++++++
 private/sdk_sandbox.te | 87 +++++++++++++++++++++++++++++
 private/seapp_contexts | 5 ++
 private/service_contexts | 1 +
 private/vold_prepare_subdirs.te | 2 +
 public/domain.te | 18 ------
 public/net.te | 15 -----
 public/service.te | 1 +
 17 files changed, 190 insertions(+), 73 deletions(-)
 create mode 100644 private/net.te
 create mode 100644 private/sdk_sandbox.te

diff --git a/mac_permissions.mk b/mac_permissions.mk
index 7c478b46a..43c98c99c 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -22,7 +22,7 @@ $(plat_mac_perms_keys.tmp): $(all_plat_mac_perms_keys) $(M4)
 	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
 
 # Should be synced with keys.conf.
-all_plat_keys := platform media networkstack shared testkey
+all_plat_keys := platform media networkstack sdk_sandbox shared testkey
 all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
diff --git a/private/app.te b/private/app.te
index e1525919c..436af5a73 100644
--- a/private/app.te
+++ b/private/app.te
@@ -42,7 +42,7 @@ dontaudit appdomain system_data_file:dir write;
 dontaudit appdomain vendor_default_prop:file read;
 
 # Access to /mnt/media_rw/ (limited by DAC to apps with external_storage gid)
-allow appdomain mnt_media_rw_file:dir search;
+allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
 
 neverallow appdomain system_server:udp_socket
         { accept append bind create ioctl listen lock name_bind
@@ -111,11 +111,11 @@ allow appdomain dalvikcache_data_file:dir { search getattr };
 allow appdomain dalvikcache_data_file:file r_file_perms;
 
 # Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app -sdk_sandbox } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app -sdk_sandbox } tmpfs:lnk_file r_file_perms;
 
 # Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
+allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
 
 # Notify zygote of the wrapped process PID when using --invoke-with.
 allow appdomain zygote:fifo_file write;
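Review bot: The `all_plat_keys` prerequisite list resolves every entry, including the new `sdk_sandbox`, under `$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))`, but the `[@SDK_SANDBOX]` stanza this same patch adds to keys.conf reads the certificate from `$MAINLINE_SEPOLICY_DEV_CERTIFICATES`. The comment directly above says the two lists must stay in sync; on a build that overrides the mainline certificate directory, make would depend on a file the policy never embeds and a change to the certificate actually used would not retrigger the mac_permissions.xml rule. Consider keeping the mainline key out of the DEFAULT_SYSTEM_DEV_CERTIFICATE expansion and adding it separately, e.g. `all_plat_keys += $(MAINLINE_SEPOLICY_DEV_CERTIFICATES)/sdk_sandbox.x509.pem` (assuming that variable is visible to make here), or document on the line why the two paths are expected to coincide.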
@@ -149,11 +149,11 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
 
 # Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
 
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -171,10 +171,10 @@ allow appdomain oemfs:dir r_dir_perms;
 allow appdomain oemfs:file rx_file_perms;
 
 # Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
 allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
@@ -192,8 +192,11 @@ full_treble_only(`
 
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
+allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+
+# Perform binder IPC to sdk sandbox.
+binder_call(appdomain, sdk_sandbox)
 
 # Allow apps access to /vendor/overlay
 r_dir_file(appdomain, vendor_overlay_file)
@@ -275,6 +278,7 @@ r_dir_file({
   -isolated_app
   -platform_app
   -priv_app
+  -sdk_sandbox
   -shell
   -system_app
   -untrusted_app_all
@@ -287,6 +291,7 @@ userdebug_or_eng(`
   -isolated_app
   -platform_app
   -priv_app
+  -sdk_sandbox
   -shell
   -su
   -system_app
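Review bot: `binder_call(appdomain, sdk_sandbox)` is placed between the vendor_app_file rules and the vendor_overlay rule, and the hunk header shows these sit inside the `full_treble_only(\`` block; the closing `')` is outside the hunk, so if the block runs past the overlay rule the new IPC grant silently becomes conditional on a full-Treble build, which has nothing to do with the SDK sandbox. Move the comment and the `binder_call` line out of the macro, next to the other unconditional appdomain IPC rules. Separately, `appdomain` here includes isolated_app and ephemeral_app; if those are not meant to call into a sandbox process, exclude them the way the neighbouring rules do, e.g. `binder_call({ appdomain -isolated_app -ephemeral_app }, sdk_sandbox)`, or add a comment saying the broader grant is intended.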
@@ -328,33 +333,33 @@ allow appdomain system_data_file:lnk_file r_file_perms;
 allow appdomain system_data_file:file { getattr read map };
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app -sdk_sandbox } media_rw_data_file:file { read getattr };
 
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
 
 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
 # USB devices are first opened by the system server (USBDeviceManagerService)
 # and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
 
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
@@ -374,19 +379,19 @@ allow appdomain resourcecache_data_file:dir r_dir_perms;
 
 # logd access
 read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
+control_logd({ appdomain -ephemeral_app -sdk_sandbox })
 
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
 
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
 
-use_keystore({ appdomain -isolated_app -ephemeral_app })
+use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
 
-use_credstore({ appdomain -isolated_app -ephemeral_app })
+use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
 
 allow appdomain console_device:chr_file { read write };
@@ -417,12 +422,12 @@ allow appdomain proc_meminfo:file r_file_perms;
 # For app fuse.
 allow appdomain app_fuse_file:file { getattr read append write map };
 
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
 # Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
 
 ###
 ### CTS-specific rules
@@ -435,8 +440,8 @@ allow appdomain runas_exec:file getattr;
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
@@ -465,6 +470,7 @@ neverallow {
   isolated_app
   nfc
   radio
+  sdk_sandbox
   shared_relro
   system_app
 } {
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 29378d4bf..22381b5d1 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -41,6 +41,7 @@
     proc_watermark_scale_factor
     untrusted_app_30
     proc_vendor_sched
+    sdk_sandbox_service
     sysfs_fs_fuse_bpf
     sysfs_vendor_sched
     tv_iapp_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index d29417d52..8c77cd5da 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -57,9 +57,9 @@
     remotelyprovisionedkeypool_service
     resources_manager_service
     rootdisk_sysdev
+    sdk_sandbox_service
     selection_toolbar_service
     snapuserd_proxy_socket
-    supplemental_process_service
     sysfs_fs_fuse_bpf
     system_dlkm_file
     tare_service
diff --git a/private/domain.te b/private/domain.te
index ef9d03616..f95df3434 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -612,3 +612,22 @@ neverallow {
   userdebug_or_eng(`-virtualizationservice')
   userdebug_or_eng(`-crosvm')
 } shell_data_file:file open;
+
+# respect system_app sandboxes
+neverallow {
+  domain
+  -appdomain # finer-grained rules for appdomain are listed below
+  -system_server #populate com.android.providers.settings/databases/settings.db.
+  -installd # creation of app sandbox
+  -iorap_inode2filename
+  -traced_probes # resolve inodes for i/o tracing. # only needs open and read, the rest is neverallow in # traced_probes.te.
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+  isolated_app
+  untrusted_app_all # finer-grained rules for appdomain are listed below
+  ephemeral_app
+  priv_app
+  sdk_sandbox
+} system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/private/file.te b/private/file.te
index ec3944ef3..54d6df632 100644
--- a/private/file.te
+++ b/private/file.te
@@ -19,6 +19,9 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f
 # /data/misc/perfetto-configs for perfetto configs
 type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc_{ce/de}//sdksandbox//* subdirectory for sdk sandbox processes
+type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+
 # /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
 type debugfs_kcov, fs_type, debugfs_type;
 
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 800775b9d..0d9075623 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -136,7 +136,7 @@ neverallow isolated_app {
 # excluding unix_stream_socket and unix_dgram_socket.
 # Many of these are socket families which have never and will never
 # be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
+neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
   socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
   key_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket
   netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/keys.conf b/private/keys.conf
index 362e73df7..30739f9d3 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -11,6 +11,9 @@
 [@PLATFORM]
 ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
 
+[@SDK_SANDBOX]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem
+
 [@MEDIA]
 ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
 
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 7fc37c13e..ec3df0f74 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -51,6 +51,11 @@
 
 
 
+
+
+
+
+
 
 
 
diff --git a/private/net.te b/private/net.te
new file mode 100644
index 000000000..25bd538b9
--- /dev/null
+++ b/private/net.te
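Review bot: The comment on the new `sdk_sandbox_data_file` type reads `/data/misc_{ce/de}//sdksandbox//*`, with two empty path components; presumably placeholders for the user and package were lost, and as written a reader cannot tell which directories get this label. Suggest `# /data/misc_{ce,de}/<user>/sdksandbox/<package>/* subdirectory for sdk sandbox processes` (confirm the layout against the seapp_contexts and vold_prepare_subdirs entries in this patch). The type also carries `app_data_file_type`, which pulls it into every rule written against that attribute elsewhere in the policy; a short note on which consumers rely on that would help the next reviewer judge the blast radius.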
@@ -0,0 +1,17 @@
+# Bind to ports.
+allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
+
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+  netdomain
+  -ephemeral_app
+  -mediaprovider
+  -sdk_sandbox
+  -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
new file mode 100644
index 000000000..782bb468d
--- /dev/null
+++ b/private/sdk_sandbox.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes.
+
+type sdk_sandbox, domain;
+
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox trust_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+  connect getattr read recvfrom sendto write getopt setopt };
+
+# allow access to sdksandbox data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox proc_net:file no_rw_file_perms;
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
+
+# SDK sandbox processes don't have any access to external storage
+neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 5cf07119d..78a98e115 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -26,6 +26,7 @@
 # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
 # user=_app will match any regular app process.
 # user=_isolated will match any isolated service process.
+# user=_sdksandbox will match sdk sandbox process for an app.
 # Other values of user are matched against the name associated with the process
 # UID.
 # seinfo= matches aginst the seinfo tag for the app, determined from
@@ -137,6 +138,9 @@ neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 
 isSystemServer=true domain=system_server_startup
 
+# sdksandbox must run in the sdksandbox domain
+neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
+
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
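Review bot: The neverallow section forbids `execute`/`execute_no_trans` only on app_data_file and privapp_data_file, while a few lines earlier the same file grants sdk_sandbox `create_file_perms` on sdk_sandbox_data_file with no corresponding execute restriction; nothing in this hunk grants execute on that label, but nothing forbids it either, and the app.te `-sdk_sandbox` exclusions in this patch only cover the app data types. Since the sandbox's own storage is the one place it can write, it is the natural target for loading downloaded code, so add `neverallow sdk_sandbox sdk_sandbox_data_file:file { execute execute_no_trans };` next to the existing execute rule. Also, the audio_service entry explains why it is being audited, but `trust_service`, `hint_service` and `surfaceflinger_service` are granted without any stated need; a one-line comment per `find` rule naming the SDK API that requires it would make this hand-maintained allowlist reviewable.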
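Review bot: The new neverallow keys on `name=com.android.sdksandbox`, but the assignment rule added in the next hunk of this file selects the sandbox domain by `user=_sdksandbox`; the two selectors are different predicates, so a process under the sandbox UID with a different package name (or that package name under some other UID) is not covered by this check, which is the case the ephemeral rule just above guards against via its `isEphemeralApp=true` selector. Mirror it on the selector that actually drives the domain assignment, `neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*`, and keep the name-based line only if pinning the package name is also intended. A comment saying which of the two properties is authoritative would help whoever edits this file next.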
@@ -149,6 +153,7 @@ user=shared_relro domain=shared_relro levelFrom=all
 user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
 user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_isolated domain=isolated_app levelFrom=user
+user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 4fb4b2972..c7f881136 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -294,6 +294,7 @@ runtime u:object_r:runtime_service:s0
 safety_center u:object_r:safety_center_service:s0
 samplingprofiler u:object_r:samplingprofiler_service:s0
 scheduling_policy u:object_r:scheduling_policy_service:s0
+sdk_sandbox u:object_r:sdk_sandbox_service:s0
 search u:object_r:search_service:s0
 search_ui u:object_r:search_ui_service:s0
 secure_element u:object_r:secure_element_service:s0
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e4004e44a..3171ee0ff 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -25,6 +25,7 @@ allow vold_prepare_subdirs {
   fingerprint_vendor_data_file
   iris_vendor_data_file
   rollback_data_file
+  sdk_sandbox_data_file
   storaged_data_file
   system_data_file
   vold_data_file
@@ -40,6 +41,7 @@ allow vold_prepare_subdirs {
   fingerprint_vendor_data_file
   iris_vendor_data_file
   rollback_data_file
+  sdk_sandbox_data_file
   storaged_data_file
   system_data_file
   vold_data_file
diff --git a/public/domain.te b/public/domain.te
index 705c13ae0..a98e3690d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1131,24 +1131,6 @@ neverallow {
 # to installd
 neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
 
-# respect system_app sandboxes
-neverallow {
-  domain
-  -appdomain # finer-grained rules for appdomain are listed below
-  -system_server #populate com.android.providers.settings/databases/settings.db.
-  -installd # creation of app sandbox
-  -iorap_inode2filename
-  -traced_probes # resolve inodes for i/o tracing.
-                 # only needs open and read, the rest is neverallow in
-                 # traced_probes.te.
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
-  isolated_app
-  untrusted_app_all # finer-grained rules for appdomain are listed below
-  ephemeral_app
-  priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell
diff --git a/public/net.te b/public/net.te
index 714bcde7e..31c9c45bd 100644
--- a/public/net.te
+++ b/public/net.te
@@ -13,23 +13,8 @@ allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms
 
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps.
-# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
-# to avoid app-compat breakage.
-allow {
-  netdomain
-  -ephemeral_app
-  -mediaprovider
-  -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/public/service.te b/public/service.te
index b5197a9e8..458318602 100644
--- a/public/service.te
+++ b/public/service.te
@@ -197,6 +197,7 @@ type runtime_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, system_server_service, service_manager_type;
+type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
 type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type search_ui_service, app_api_service, system_server_service, service_manager_type;
 type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;