Merge "untrusted_app_30: add new targetSdk domain"

private/access_vectors

@@ -395,6 +395,7 @@ inherits socket
 	nlmsg_read
 	nlmsg_write
 	nlmsg_readpriv
+	nlmsg_getneigh
 }
 
 class netlink_tcpdiag_socket

private/app_neverallows.te

@@ -11,6 +11,7 @@ define(`all_untrusted_apps',`{
   untrusted_app_25
   untrusted_app_27
   untrusted_app_29
+  untrusted_app_30
   untrusted_app_all
 }')
 # Receive or send uevent messages.
@@ -119,6 +120,15 @@ neverallow all_untrusted_apps *:{
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
 
+# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+} domain:netlink_route_socket nlmsg_getneigh;
+
 # Do not allow untrusted apps access to /cache
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };

private/compat/31.0/31.0.ignore.cil

@@ -10,4 +10,5 @@
     power_stats_service
     transformer_service
     proc_watermark_boost_factor
+    untrusted_app_30
   ))

private/seapp_contexts

@@ -161,7 +161,8 @@ user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=pri
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user

private/untrusted_app.te

@@ -2,7 +2,7 @@
 ### Untrusted apps.
 ###
 ### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 30.
+### targetSdkVersion >= 32.
 ###
 ### See public/untrusted_app.te for more information about which apps are
 ### placed in this selinux domain.

private/untrusted_app_25.te

@@ -48,3 +48,7 @@ auditallow untrusted_app_25 ashmem_device:chr_file open;
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;

private/untrusted_app_27.te

@@ -36,3 +36,7 @@ auditallow untrusted_app_27 ashmem_device:chr_file open;
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;

private/untrusted_app_29.te

@@ -14,3 +14,7 @@ app_domain(untrusted_app_29)
 untrusted_app_domain(untrusted_app_29)
 net_domain(untrusted_app_29)
 bluetooth_domain(untrusted_app_29)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;

private/untrusted_app_30.te

@@ -0,0 +1,22 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 29 < targetSdkVersion <= 31.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+### TODO(b/192334803): Merge this policy into untrusted_app_29 when possible
+###
+
+typeattribute untrusted_app_30 coredomain;
+
+app_domain(untrusted_app_30)
+untrusted_app_domain(untrusted_app_30)
+net_domain(untrusted_app_30)
+bluetooth_domain(untrusted_app_30)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;

public/net.te

@@ -20,14 +20,16 @@ allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
 # b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
 # to avoid app-compat breakage.
 allow {
   netdomain
   -ephemeral_app
   -mediaprovider
   -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv };
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)

public/untrusted_app.te

@@ -17,9 +17,12 @@
 ###
 
 # This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 30.
+# targetSdkVersion >= 32.
 type untrusted_app, domain;
 # This file defines the rules for untrusted apps running with
+# 29 < targetSdkVersion <= 31.
+type untrusted_app_30, domain;
+# This file defines the rules for untrusted apps running with
 # targetSdkVersion = 29.
 type untrusted_app_29, domain;
 # This file defines the rules for untrusted apps running with