tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Disallow watch and watch_reads on apk_data_file for apps

Browse source 
This can be used as a side channel to observe when an application
is launched.

Gate this restriction on the application's targetSdkVersion to
avoid breaking existing apps. Only apps targeting 34 and above will
see the new restriction.

Remove duplicate permissions from public/shell.te. Shell is
already appdomain, so these permissions are already granted to it.

Ignore-AOSP-First: Security fix
Bug: 231587164
Test: boot device, install/uninstall apps. Observe no new denials.
Test: Run researcher provided PoC. Observe audit messages.
Change-Id: Ic7577884e9d994618a38286a42a8047516548782
This commit is contained in:
Jeff Vander Stoep 2023-03-27 12:30:23 +02:00
parent 9c6c988bad
commit f9a774f1ae
14 changed files with 130 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
prebuilts/api/34.0/private/app.te
View file

@ -427,13 +427,6 @@ allow appdomain shared_relro_file:file r_file_perms;
# Allow apps to read/execute installed binaries # Allow apps to read/execute installed binaries
allow appdomain apk_data_file:dir { open getattr read search ioctl lock }; allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms }; allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
# Allow watch & watch_reads for now, but audit to see if they're actually used.
allow appdomain apk_data_file:dir { watch watch_reads };
allow appdomain apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow appdomain apk_data_file:dir { watch watch_reads };
auditallow appdomain apk_data_file:file { watch watch_reads };
')
# /data/resource-cache # /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms; allow appdomain resourcecache_data_file:file r_file_perms;
@ -535,3 +528,23 @@ neverallow {
appdomain appdomain
-device_as_webcam -device_as_webcam
} video_device:chr_file { read write }; } video_device:chr_file { read write };
# Prevent calling inotify on APKs. This can be used as a side channel
# to observer app launches, so it must be disallowed. b/231587164
# Gate by targetSdkVersion to avoid breaking existing apps.
neverallow {
appdomain
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} apk_data_file:dir { watch watch_reads };
neverallow {
appdomain
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} apk_data_file:file { watch watch_reads };

9
prebuilts/api/34.0/private/untrusted_app_25.te
View file

@ -59,3 +59,12 @@ userdebug_or_eng(`
auditallow untrusted_app_25 mdnsd_socket:sock_file write; auditallow untrusted_app_25 mdnsd_socket:sock_file write;
auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto; auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
') ')
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
allow untrusted_app_25 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_25 apk_data_file:file { watch watch_reads };
')

9
prebuilts/api/34.0/private/untrusted_app_27.te
View file

@ -47,3 +47,12 @@ userdebug_or_eng(`
auditallow untrusted_app_27 mdnsd_socket:sock_file write; auditallow untrusted_app_27 mdnsd_socket:sock_file write;
auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto; auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
') ')
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_27 apk_data_file:dir { watch watch_reads };
allow untrusted_app_27 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow untrusted_app_27 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_27 apk_data_file:file { watch watch_reads };
')

9
prebuilts/api/34.0/private/untrusted_app_29.te
View file

@ -25,3 +25,12 @@ userdebug_or_eng(`
auditallow untrusted_app_29 mdnsd_socket:sock_file write; auditallow untrusted_app_29 mdnsd_socket:sock_file write;
auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto; auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
') ')
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_29 apk_data_file:dir { watch watch_reads };
allow untrusted_app_29 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow untrusted_app_29 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_29 apk_data_file:file { watch watch_reads };
')

9
prebuilts/api/34.0/private/untrusted_app_30.te
View file

@ -27,3 +27,12 @@ userdebug_or_eng(`
auditallow untrusted_app_30 mdnsd_socket:sock_file write; auditallow untrusted_app_30 mdnsd_socket:sock_file write;
auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto; auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
') ')
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
allow untrusted_app_30 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_30 apk_data_file:file { watch watch_reads };
')

9
prebuilts/api/34.0/private/untrusted_app_32.te
View file

@ -28,3 +28,12 @@ userdebug_or_eng(`
auditallow untrusted_app_32 mdnsd_socket:sock_file write; auditallow untrusted_app_32 mdnsd_socket:sock_file write;
auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto; auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
') ')
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
allow untrusted_app_32 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };
')

2
prebuilts/api/34.0/public/shell.te
View file

@ -63,8 +63,6 @@ allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms; allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms; allow shell zygote_exec:file rx_file_perms;
r_dir_file(shell, apk_data_file)
userdebug_or_eng(` userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run # "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms; allow shell boottrace_data_file:dir rw_dir_perms;

27
private/app.te
View file

@ -427,13 +427,6 @@ allow appdomain shared_relro_file:file r_file_perms;
# Allow apps to read/execute installed binaries # Allow apps to read/execute installed binaries
allow appdomain apk_data_file:dir { open getattr read search ioctl lock }; allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms }; allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
# Allow watch & watch_reads for now, but audit to see if they're actually used.
allow appdomain apk_data_file:dir { watch watch_reads };
allow appdomain apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow appdomain apk_data_file:dir { watch watch_reads };
auditallow appdomain apk_data_file:file { watch watch_reads };
')
# /data/resource-cache # /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms; allow appdomain resourcecache_data_file:file r_file_perms;
@ -535,3 +528,23 @@ neverallow {
appdomain appdomain
-device_as_webcam -device_as_webcam
} video_device:chr_file { read write }; } video_device:chr_file { read write };
# Prevent calling inotify on APKs. This can be used as a side channel
# to observer app launches, so it must be disallowed. b/231587164
# Gate by targetSdkVersion to avoid breaking existing apps.
neverallow {
appdomain
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} apk_data_file:dir { watch watch_reads };
neverallow {
appdomain
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} apk_data_file:file { watch watch_reads };

9
private/untrusted_app_25.te
View file

@ -59,3 +59,12 @@ userdebug_or_eng(`
auditallow untrusted_app_25 mdnsd_socket:sock_file write; auditallow untrusted_app_25 mdnsd_socket:sock_file write;
auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto; auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
') ')
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
allow untrusted_app_25 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_25 apk_data_file:file { watch watch_reads };
')

9
private/untrusted_app_27.te
View file

@ -47,3 +47,12 @@ userdebug_or_eng(`
auditallow untrusted_app_27 mdnsd_socket:sock_file write; auditallow untrusted_app_27 mdnsd_socket:sock_file write;
auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto; auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
') ')
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_27 apk_data_file:dir { watch watch_reads };
allow untrusted_app_27 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow untrusted_app_27 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_27 apk_data_file:file { watch watch_reads };
')

9
private/untrusted_app_29.te
View file

@ -25,3 +25,12 @@ userdebug_or_eng(`
auditallow untrusted_app_29 mdnsd_socket:sock_file write; auditallow untrusted_app_29 mdnsd_socket:sock_file write;
auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto; auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
') ')
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_29 apk_data_file:dir { watch watch_reads };
allow untrusted_app_29 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow untrusted_app_29 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_29 apk_data_file:file { watch watch_reads };
')

9
private/untrusted_app_30.te
View file

@ -27,3 +27,12 @@ userdebug_or_eng(`
auditallow untrusted_app_30 mdnsd_socket:sock_file write; auditallow untrusted_app_30 mdnsd_socket:sock_file write;
auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto; auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
') ')
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
allow untrusted_app_30 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_30 apk_data_file:file { watch watch_reads };
')

9
private/untrusted_app_32.te
View file

@ -28,3 +28,12 @@ userdebug_or_eng(`
auditallow untrusted_app_32 mdnsd_socket:sock_file write; auditallow untrusted_app_32 mdnsd_socket:sock_file write;
auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto; auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
') ')
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
allow untrusted_app_32 apk_data_file:file { watch watch_reads };
userdebug_or_eng(`
auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };
')

2
public/shell.te
View file

@ -63,8 +63,6 @@ allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms; allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms; allow shell zygote_exec:file rx_file_perms;
r_dir_file(shell, apk_data_file)
userdebug_or_eng(` userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run # "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms; allow shell boottrace_data_file:dir rw_dir_perms;