Disallow untrusted apps to read ro.debuggable and ro.secure am: 0d68fc3525

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2399372 Change-Id: I3a4319a2431fab9ae492a606d431370674bf44a6 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-01-25 18:46:51 +00:00 · 2023-01-25 18:46:51 +00:00 · ea182aa198
commit ea182aa198
parent 46731e9f22 0d68fc3525
16 changed files with 55 additions and 4 deletions
--- a/prebuilts/api/33.0/private/app_neverallows.te
+++ b/prebuilts/api/33.0/private/app_neverallows.te
@ -254,3 +254,15 @@ neverallow {

 # Only privileged apps may find the incident service
 neverallow all_untrusted_apps incident_service:service_manager find;
+
+# Do not allow untrusted app to read hidden system proprerties
+# We exclude older application for compatibility and we do not include in the exclusions other normally
+# untrusted applications such as mediaprovider due to the specific logging use cases.
+# Context: b/193912100
+neverallow {
+  untrusted_app_all
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+} { userdebug_or_eng_prop }:file read;
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.cil
@ -1378,6 +1378,7 @@
 (typeattributeset build_config_prop_32_0 (build_config_prop))
 (typeattributeset build_odm_prop_32_0 (build_odm_prop))
 (typeattributeset build_prop_32_0 (build_prop))
+(typeattributeset build_prop_32_0 (userdebug_or_eng_prop))
 (typeattributeset build_vendor_prop_32_0 (build_vendor_prop))
 (typeattributeset cache_backup_file_32_0 (cache_backup_file))
 (typeattributeset cache_block_device_32_0 (cache_block_device))
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@ -807,7 +807,7 @@ ro.build.version.security_patch           u:object_r:build_prop:s0 exact string

 ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool

-ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool

 ro.treble.enabled u:object_r:build_prop:s0 exact bool

@ -834,7 +834,7 @@ ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact strin
 ro.system.build.version.sdk                 u:object_r:build_prop:s0 exact int

 ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure     u:object_r:build_prop:s0 exact int
+ro.secure     u:object_r:userdebug_or_eng_prop:s0 exact int

 ro.product.system_ext.brand        u:object_r:build_prop:s0 exact string
 ro.product.system_ext.device       u:object_r:build_prop:s0 exact string
--- a/prebuilts/api/33.0/private/untrusted_app_29.te
+++ b/prebuilts/api/33.0/private/untrusted_app_29.te
@ -18,3 +18,6 @@ bluetooth_domain(untrusted_app_29)
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_29, userdebug_or_eng_prop)
--- a/prebuilts/api/33.0/private/untrusted_app_30.te
+++ b/prebuilts/api/33.0/private/untrusted_app_30.te
@ -20,3 +20,6 @@ bluetooth_domain(untrusted_app_30)
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_30, userdebug_or_eng_prop)
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@ -129,6 +129,7 @@ get_prop(domain, soc_prop)
 get_prop(domain, socket_hook_prop)
 get_prop(domain, surfaceflinger_prop)
 get_prop(domain, telephony_status_prop)
+get_prop({domain - untrusted_app_all },  userdebug_or_eng_prop)
 get_prop(domain, vendor_socket_hook_prop)
 get_prop(domain, vndk_prop)
 get_prop(domain, vold_status_prop)
@ -564,6 +565,7 @@ compatible_property_only(`

 neverallow { domain -init } aac_drc_prop:property_service set;
 neverallow { domain -init } build_prop:property_service set;
+neverallow { domain -init } userdebug_or_eng_prop:property_service set;

 # Do not allow reading device's serial number from system properties except form
 # a few allowed domains.
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@ -71,6 +71,7 @@ system_restricted_prop(device_config_vendor_system_native_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(userdebug_or_eng_prop)
 system_restricted_prop(hypervisor_prop)
 system_restricted_prop(init_service_status_prop)
 system_restricted_prop(libc_debug_prop)
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -254,3 +254,15 @@ neverallow {

 # Only privileged apps may find the incident service
 neverallow all_untrusted_apps incident_service:service_manager find;
+
+# Do not allow untrusted app to read hidden system proprerties
+# We exclude older application for compatibility and we do not include in the exclusions other normally
+# untrusted applications such as mediaprovider due to the specific logging use cases.
+# Context: b/193912100
+neverallow {
+  untrusted_app_all
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+} { userdebug_or_eng_prop }:file read;
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@ -1378,6 +1378,7 @@
 (typeattributeset build_config_prop_32_0 (build_config_prop))
 (typeattributeset build_odm_prop_32_0 (build_odm_prop))
 (typeattributeset build_prop_32_0 (build_prop))
+(typeattributeset build_prop_32_0 (userdebug_or_eng_prop))
 (typeattributeset build_vendor_prop_32_0 (build_vendor_prop))
 (typeattributeset cache_backup_file_32_0 (cache_backup_file))
 (typeattributeset cache_block_device_32_0 (cache_block_device))
--- a/private/property_contexts
+++ b/private/property_contexts
@ -807,7 +807,7 @@ ro.build.version.security_patch           u:object_r:build_prop:s0 exact string

 ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool

-ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool

 ro.treble.enabled u:object_r:build_prop:s0 exact bool

@ -834,7 +834,7 @@ ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact strin
 ro.system.build.version.sdk                 u:object_r:build_prop:s0 exact int

 ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure     u:object_r:build_prop:s0 exact int
+ro.secure     u:object_r:userdebug_or_eng_prop:s0 exact int

 ro.product.system_ext.brand        u:object_r:build_prop:s0 exact string
 ro.product.system_ext.device       u:object_r:build_prop:s0 exact string
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@ -52,3 +52,7 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+
+# Allow hidden build props
+get_prop(untrusted_app_25, userdebug_or_eng_prop)
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@ -40,3 +40,6 @@ allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_27, userdebug_or_eng_prop)
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@ -18,3 +18,6 @@ bluetooth_domain(untrusted_app_29)
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_29, userdebug_or_eng_prop)
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@ -20,3 +20,6 @@ bluetooth_domain(untrusted_app_30)
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_30, userdebug_or_eng_prop)
--- a/public/domain.te
+++ b/public/domain.te
@ -129,6 +129,7 @@ get_prop(domain, soc_prop)
 get_prop(domain, socket_hook_prop)
 get_prop(domain, surfaceflinger_prop)
 get_prop(domain, telephony_status_prop)
+get_prop({domain - untrusted_app_all },  userdebug_or_eng_prop)
 get_prop(domain, vendor_socket_hook_prop)
 get_prop(domain, vndk_prop)
 get_prop(domain, vold_status_prop)
@ -564,6 +565,7 @@ compatible_property_only(`

 neverallow { domain -init } aac_drc_prop:property_service set;
 neverallow { domain -init } build_prop:property_service set;
+neverallow { domain -init } userdebug_or_eng_prop:property_service set;

 # Do not allow reading device's serial number from system properties except form
 # a few allowed domains.
--- a/public/property.te
+++ b/public/property.te
@ -71,6 +71,7 @@ system_restricted_prop(device_config_vendor_system_native_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(userdebug_or_eng_prop)
 system_restricted_prop(hypervisor_prop)
 system_restricted_prop(init_service_status_prop)
 system_restricted_prop(libc_debug_prop)