From cfdea5f4f3574385d739c1269e6c25783c109857 Mon Sep 17 00:00:00 2001
From: Yuyang Huang
Date: Wed, 18 Jan 2023 16:52:43 +0900
Subject: [PATCH] Blocks untrusted apps to access /dev/socket/mdnsd from U
The untrusted apps should not directly access /dev/socket/mdnsd since API level 34 (U). Only adbd and netd should remain to have access to /dev/socket/mdnsd. For untrusted apps running with API level 33-, they still have access to /dev/socket/mdnsd for backward compatibility.
Bug: 265364111
Test: Manual test
Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525
---
 private/adbd.te | 2 ++
 private/app_neverallows.te | 23 +++++++++++++++++++++++
 private/compat/33.0/33.0.cil | 5 ++++-
 private/seapp_contexts | 3 ++-
 private/untrusted_app.te | 4 ++--
 private/untrusted_app_25.te | 7 +++++++
 private/untrusted_app_27.te | 7 +++++++
 private/untrusted_app_29.te | 6 ++++++
 private/untrusted_app_30.te | 6 ++++++
 private/untrusted_app_32.te | 30 ++++++++++++++++++++++++++++++
 public/net.te | 3 ---
 public/netd.te | 2 ++
 public/untrusted_app.te | 5 ++++-
 13 files changed, 95 insertions(+), 8 deletions(-)
 create mode 100644 private/untrusted_app_32.te
diff --git a/private/adbd.te b/private/adbd.te
index 48fa849cd..d72d5b118 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -49,6 +49,8 @@ allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 # Create and use network sockets.
 net_domain(adbd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(adbd, mdnsd, mdnsd)
 # Access /dev/usb-ffs/adb/ep0
 allow adbd functionfs:dir search;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6231623fc..0579740bd 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
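Review bot: The new adbd grant `unix_socket_connect(adbd, mdnsd, mdnsd)` carries only the generic comment `# Connect to mdnsd via mdnsd socket.`, which says what the rule does but not why adbd needs it; since this commit deliberately narrows mdnsd socket access down to adbd and netd, each remaining grant should name its use so it can be re-evaluated when the responder moves into system_server, as the app_neverallows comment says it will. Suggest `# Connect to mdnsd via mdnsd socket: needed for <adbd feature - fill in> (b/265364111).` The netd.te hunk adds the same one-line comment to its grant and would benefit from the same justification.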
@@ -265,3 +265,26 @@ neverallow { -mediaprovider -mediaprovider_app } { userdebug_or_eng_prop }:file read;
+
+
+# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
+# used to communicate to the mdnsd responder. The mdnsd responder will be
+# replaced by a java implementation which is integrated into the system server.
+# For untrusted apps running with API level 33-, they still have access to
+# /dev/socket/mdnsd for backward compatibility.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} mdnsd_socket:sock_file write;
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} mdnsd:unix_stream_socket connectto;
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 2f8887bd3..d75b0fcf9 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2489,7 +2489,10 @@
 (typeattributeset untrusted_app_27_33_0 (untrusted_app_27))
 (typeattributeset untrusted_app_29_33_0 (untrusted_app_29))
 (typeattributeset untrusted_app_30_33_0 (untrusted_app_30))
-(typeattributeset untrusted_app_33_0 (untrusted_app))
+(typeattributeset untrusted_app_33_0
+( untrusted_app
+untrusted_app_32
+))
 (typeattributeset update_engine_33_0 (update_engine))
 (typeattributeset update_engine_data_file_33_0 (update_engine_data_file))
 (typeattributeset update_engine_exec_33_0 (update_engine_exec))
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d3f065bff..d950c3dd1 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
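Review bot: The two neverallow rules pin exactly the permission pairs that `unix_socket_connect` grants (`mdnsd_socket:sock_file write` and `mdnsd:unix_stream_socket connectto`), so the `-untrusted_app_*` exclusion list has to match the set of legacy domains that seapp_contexts routes pre-34 apps to, and nothing in the hunk states that coupling. A legacy domain added to seapp_contexts later without being added to both exclusion lists would fail the policy build rather than silently widen access, which is the safe direction, but it is worth saying. Suggest a comment above the first rule: `# Keep the exclusion list in sync with the legacy untrusted_app_* domains in seapp_contexts.` Repeating the same six-member set twice is also easy to let drift; if the policy already has an attribute for the legacy untrusted app domains (not visible in this hunk) the exclusion could be expressed once through it.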
@@ -170,7 +170,8 @@ user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=pri
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 56e44db0c..d0f9b2417 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -2,7 +2,7 @@
 ### Untrusted apps.
 ###
 ### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 32.
+### targetSdkVersion >= 34.
 ###
 ### See public/untrusted_app.te for more information about which apps are
 ### placed in this selinux domain.
@@ -20,4 +20,4 @@ bluetooth_domain(untrusted_app)
 allow untrusted_app sdk_sandbox_data_file:fd use;
 allow untrusted_app sdk_sandbox_data_file:file write;
-neverallow untrusted_app sdk_sandbox_data_file:file { open create };
\ No newline at end of file
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 4235d7eba..2c0391f76 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
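Review bot: In the private/untrusted_app.te hunks the domain is re-scoped to `targetSdkVersion >= 34`, yet the `sdk_sandbox_data_file` fd/file allow rules in the second hunk are kept as context, while the copy of the same two rules in the new untrusted_app_32.te is annotated `# TODO(b/229249719): Will not be supported in Android U`. If that TODO means the webview/sdksandbox fd sharing is meant to end for U-targeting apps, this split is the natural place to drop `allow untrusted_app sdk_sandbox_data_file:fd use;` and the matching `file write` rule from untrusted_app, or to add a comment saying why they stay; if not, the TODO wording in untrusted_app_32.te should be changed so the two files do not contradict each other. The file continues outside both hunks, so the comment that originally accompanied those rules in untrusted_app.te is not visible here.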
@@ -52,3 +52,10 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_25, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_25 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index c747af1bb..163803ac6 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,3 +40,10 @@ allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_27, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_27 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 03f333489..758ed2316 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -19,3 +19,9 @@ bluetooth_domain(untrusted_app_29)
 allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_29, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_29 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 569c300b5..830106d12 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
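Review bot: The same block (comment, `unix_socket_connect(<domain>, mdnsd, mdnsd)` and the `userdebug_or_eng` auditallow pair) is pasted verbatim into untrusted_app_25, untrusted_app_27 and untrusted_app_29 here, and again into untrusted_app_30 and the new untrusted_app_32 in the following hunks, differing only in the domain name. A single m4 macro in te_macros taking the domain as its argument (name to be chosen; `legacy_mdnsd_socket_access(domain)` is only a placeholder) would reduce each file to one line and make it impossible for the auditallow pair to drift from the allow rule in one domain but not the others. The auditallow lines also deserve a sentence saying what they are for, since on userdebug/eng builds they are the evidence for retiring the carve-out: `# Audit remaining legacy use so the compatibility exception can be removed (b/265364111).`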
@@ -21,3 +21,9 @@ bluetooth_domain(untrusted_app_30)
 allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_30, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_30 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te
new file mode 100644
index 000000000..643c12271
--- /dev/null
+++ b/private/untrusted_app_32.te
@@ -0,0 +1,30 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 31 < targetSdkVersion <= 33.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_32 coredomain;
+
+app_domain(untrusted_app_32)
+untrusted_app_domain(untrusted_app_32)
+net_domain(untrusted_app_32)
+bluetooth_domain(untrusted_app_32)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app_32 sdk_sandbox_data_file:fd use;
+allow untrusted_app_32 sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app_32 sdk_sandbox_data_file:file { open create };
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_32, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_32 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
+')
diff --git a/public/net.te b/public/net.te
index 31c9c45bd..aa30b62d8 100644
--- a/public/net.te
+++ b/public/net.te
@@ -21,6 +21,3 @@ unix_socket_connect(netdomain, dnsproxyd, netd)
 # Talks to netd via fwmarkd socket.
 unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
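Review bot: Removing `unix_socket_connect(netdomain, mdnsd, mdnsd)` from public/net.te withdraws mdnsd socket access from every member of `netdomain`, not only from untrusted apps, and the only domains re-granted in this commit are adbd and netd. Any other netdomain member that still connects to /dev/socket/mdnsd (privileged or platform apps, shell, vendor domains that pull in net_domain) will start seeing denials, and because no neverallow covers those domains the regression is invisible at build time and only shows up as avc denials at runtime; the `Test: Manual test` trailer gives no indication that such callers were looked for. It would be worth stating in the commit message, or in a comment next to the adbd and netd grants, that those two are believed to be the only remaining clients and how that was established (for example an auditallow run on a userdebug build before the removal).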
diff --git a/public/netd.te b/public/netd.te
index 9b8fdb0f5..e3ea1cb08 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -3,6 +3,8 @@ type netd, domain, mlstrustedsubject;
 type netd_exec, system_file_type, exec_type, file_type;
 net_domain(netd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netd, mdnsd, mdnsd)
 # in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 0a6761430..a4ee6f5fc 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,9 +17,12 @@
 ###
 # This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 32.
+# targetSdkVersion >= 34.
 type untrusted_app, domain;
 # This file defines the rules for untrusted apps running with
+# 31 < targetSdkVersion <= 33.
+type untrusted_app_32, domain;
+# This file defines the rules for untrusted apps running with
 # 29 < targetSdkVersion <= 31.
 type untrusted_app_30, domain;
 # This file defines the rules for untrusted apps running with