Blocks untrusted apps to access /dev/socket/mdnsd from U

The untrusted apps should not directly access /dev/socket/mdnsd since
API level 34 (U). Only adbd and netd should remain to have access to
/dev/socket/mdnsd. For untrusted apps running with API level 33-, they
still have access to /dev/socket/mdnsd for backward compatibility.

Bug: 265364111
Test: Manual test
Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525

private/adbd.te

@@ -49,6 +49,8 @@ allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
 # Create and use network sockets.
 net_domain(adbd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(adbd, mdnsd, mdnsd)
 
 # Access /dev/usb-ffs/adb/ep0
 allow adbd functionfs:dir search;

private/app_neverallows.te

@@ -265,3 +265,26 @@ neverallow {
   -mediaprovider
   -mediaprovider_app
 } { userdebug_or_eng_prop }:file read;
+
+
+# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
+# used to communicate to the mdnsd responder. The mdnsd responder will be
+# replaced by a java implementation which is integrated into the system server.
+# For untrusted apps running with API level 33-, they still have access to
+# /dev/socket/mdnsd for backward compatibility.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+  -untrusted_app_32
+} mdnsd_socket:sock_file write;
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+  -untrusted_app_32
+} mdnsd:unix_stream_socket connectto;

private/compat/33.0/33.0.cil

@@ -2489,7 +2489,10 @@
 (typeattributeset untrusted_app_27_33_0 (untrusted_app_27))
 (typeattributeset untrusted_app_29_33_0 (untrusted_app_29))
 (typeattributeset untrusted_app_30_33_0 (untrusted_app_30))
-(typeattributeset untrusted_app_33_0 (untrusted_app))
+(typeattributeset untrusted_app_33_0
+  ( untrusted_app
+    untrusted_app_32
+))
 (typeattributeset update_engine_33_0 (update_engine))
 (typeattributeset update_engine_data_file_33_0 (update_engine_data_file))
 (typeattributeset update_engine_exec_33_0 (update_engine_exec))

private/seapp_contexts

@@ -170,7 +170,8 @@ user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=pri
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all

private/untrusted_app.te

@@ -2,7 +2,7 @@
 ### Untrusted apps.
 ###
 ### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 32.
+### targetSdkVersion >= 34.
 ###
 ### See public/untrusted_app.te for more information about which apps are
 ### placed in this selinux domain.
@@ -20,4 +20,4 @@ bluetooth_domain(untrusted_app)
 allow untrusted_app sdk_sandbox_data_file:fd use;
 allow untrusted_app sdk_sandbox_data_file:file write;
 
-neverallow untrusted_app sdk_sandbox_data_file:file { open create };
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };

private/untrusted_app_25.te

@@ -52,3 +52,10 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_25, mdnsd, mdnsd)
+userdebug_or_eng(`
+  auditallow untrusted_app_25 mdnsd_socket:sock_file write;
+  auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
+')

private/untrusted_app_27.te

@@ -40,3 +40,10 @@ allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_27, mdnsd, mdnsd)
+userdebug_or_eng(`
+  auditallow untrusted_app_27 mdnsd_socket:sock_file write;
+  auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
+')

private/untrusted_app_29.te

@@ -19,3 +19,9 @@ bluetooth_domain(untrusted_app_29)
 allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_29, mdnsd, mdnsd)
+userdebug_or_eng(`
+  auditallow untrusted_app_29 mdnsd_socket:sock_file write;
+  auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
+')

private/untrusted_app_30.te

@@ -21,3 +21,9 @@ bluetooth_domain(untrusted_app_30)
 allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_30, mdnsd, mdnsd)
+userdebug_or_eng(`
+  auditallow untrusted_app_30 mdnsd_socket:sock_file write;
+  auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
+')

private/untrusted_app_32.te

@@ -0,0 +1,30 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 31 < targetSdkVersion <= 33.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_32 coredomain;
+
+app_domain(untrusted_app_32)
+untrusted_app_domain(untrusted_app_32)
+net_domain(untrusted_app_32)
+bluetooth_domain(untrusted_app_32)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app_32 sdk_sandbox_data_file:fd use;
+allow untrusted_app_32 sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app_32 sdk_sandbox_data_file:file { open create };
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_32, mdnsd, mdnsd)
+userdebug_or_eng(`
+  auditallow untrusted_app_32 mdnsd_socket:sock_file write;
+  auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
+')

public/net.te

@@ -21,6 +21,3 @@ unix_socket_connect(netdomain, dnsproxyd, netd)
 
 # Talks to netd via fwmarkd socket.
 unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)

public/netd.te

@@ -3,6 +3,8 @@ type netd, domain, mlstrustedsubject;
 type netd_exec, system_file_type, exec_type, file_type;
 
 net_domain(netd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netd, mdnsd, mdnsd)
 # in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 

public/untrusted_app.te

@@ -17,9 +17,12 @@
 ###
 
 # This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 32.
+# targetSdkVersion >= 34.
 type untrusted_app, domain;
 # This file defines the rules for untrusted apps running with
+# 31 < targetSdkVersion <= 33.
+type untrusted_app_32, domain;
+# This file defines the rules for untrusted apps running with
 # 29 < targetSdkVersion <= 31.
 type untrusted_app_30, domain;
 # This file defines the rules for untrusted apps running with