Commit graph

29 commits

Author SHA1 Message Date
Jeff Vander Stoep
28903d9829 untrusted_app_25: remove access to net.dns properties
Bug: 33308258
Test: build
Test: atest CtsSelinuxTargetSdk25TestCases
Change-Id: I0bd3dc60dd95e9fb621933f45115a42bbcbc2ccc
2019-10-15 21:17:29 +02:00
Tri Vo
8eff3e23d8 Deprecate /mnt/sdcard -> /storage/self/primary symlink.
"This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on."
https://android.googlesource.com/platform/system/core/+/d2f0a2c%5E!/

Apps targeting R+ must NOT use that symlink.

For older apps we allow core init.rc to create
/mnt/sdcard -> /storage/self/primary symlink.

Bug: 129497117
Test: boot device, /mnt/sdcard still around.
Change-Id: I6ecd1928c0f598792d9badbf6616e3acc0450b0d
2019-04-12 03:15:52 +00:00
Jeff Vander Stoep
d5bf5c0e31 Revert "audit use of net.dns. property"
This is just causing unnecessary log spam. Remove.

This reverts commit ecb00a109c.
Test: build
2019-04-11 19:25:59 +00:00
Jeff Vander Stoep
c9aba12002 Allow execmod for apps with targetSdkVersion=26-28
Bug: 129760476
Test: build
Change-Id: I239c16e8269b81c22738e7813c1d4ae46068aa53
2019-04-02 13:07:27 -07:00
Tri Vo
8b12ff5f21 Neverallow app open access to /dev/ashmem
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.

Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
2019-02-27 21:17:25 +00:00
Tri Vo
73d0a67b06 sepolicy for ashmemd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.

Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.

Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
2019-02-05 21:38:14 +00:00
Alan Stokes
3f63dbf372 Audit native code loading on user builds.
Extend the auditing of native code loading from non-priv app home
directories to user builds. Only applies to apps targeting SDK <= 28.

Bug: 111338677
Test: Builds
Change-Id: I6fbbd80626a1c87dd7ece689f9fecd7c0a1a59d6
2019-01-28 14:15:48 +00:00
Jeff Vander Stoep
ecb00a109c audit use of net.dns. property
Bug: 33308258
Test: atest CtsSelinuxTargetSdk25TestCases
Change-Id: Ifeceecec7b2f38ebd38b6693712b8f65ee24dc5d
2019-01-08 18:44:29 +00:00
Alan Stokes
c6cbeadb21 Un-revert "Audit execution of app_data_file native code."
This was originally implemented in commit
890414725f and reverted in commit
fa3eb773ce. This effectively reverts the
revert, with minimal changes to cope with the subsequent reversion of
commit b362474374.

Auditing is only enabled for apps targeting API <= 28.

Test: Compiles, audit messages are seen.
Bug: 121333210
Bug: 111338677
Change-Id: Ie38498a2b61f4b567902117f9ef293faa0e689dd
2019-01-07 14:08:11 +00:00
Nick Kralevich
65a89c1b2b Revert "remove app_data_file execute"
This reverts commit b362474374.

Reason for revert:

android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures.

Bug: 121333210
Bug: 112357170
Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74
Test: compiles and boots
2018-12-21 10:03:50 -08:00
Nick Kralevich
fa3eb773ce Revert "Audit execution of app_data_file native code."
This reverts commit 890414725f.

Unittest failures of JvmtiHostTest1906#testJvmti. To do a clean revert
of b362474374, we need to also revert this
change.

Test: compiles
Bug: 121333210
Bug: 111338677
2018-12-21 09:59:53 -08:00
Alan Stokes
890414725f Audit execution of app_data_file native code.
On debug builds, introduce audit logging of apps targeting SDK <= 28
that execute native code from a non-priv app home directory via
execve() or dl_open().

Bug: 111338677
Test: Builds + boots.
Test: Launch app that uses private .so files, see granted logs.
Change-Id: I5880801d3a29cbf2c1cf4e0d72adc69a9d548952
2018-12-14 14:54:56 +00:00
Nick Kralevich
b362474374 remove app_data_file execute
Remove the ability for applications to dlopen() executable code from
their home directory for newer API versions. API versions <= 28 are
uneffected by this change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4
2018-12-12 13:20:39 -08:00
Nick Kralevich
cfe1baea25 place dex2oat auditallow statements in userdebug_or_eng blocks
By convention, auditallow statements are always placed in
userdebug_or_eng() blocks. This ensures that we don't inadvertently ship
audit rules on production devices, which could result in device logspam,
and in pathological situations, impact device performance (generating
audit messages is much more expensive than a standard SELinux check).

Bug: 117606664
Test: policy compiles.
Change-Id: I681ed73c83683e8fdbef9cf662488115f6e7a490
2018-11-20 10:50:22 -08:00
David Brazdil
535c5d2be0 Remove 'dex2oat_exec' from untrusted_app
Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.

Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.

Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
2018-11-19 23:47:39 +00:00
Yabin Cui
5dc2c8c740 Revert "Revert "Enforce execve() restrictions for API > 28""
This reverts commit 15d1a12f7f.

Bug: 118737210
Bug: 112357170
Test: boot marlin
Change-Id: Idcfab04b48f843eead4efa9f58a1337c6685c6ca
2018-11-07 18:07:18 +00:00
Nick Kralevich
15d1a12f7f Revert "Enforce execve() restrictions for API > 28"
This reverts commit 0dd738d810.

Reason for revert: CtsSimpleperfTestCases CTS test case failures.
See b/118704604 for details.

Bug: 112357170
Bug: 118704604
Change-Id: Ibe921f3bbc3404694542ef695883c1a30777d68b
2018-10-31 03:40:13 +00:00
Nick Kralevich
0dd738d810 Enforce execve() restrictions for API > 28
untrusted_app: Remove the ability to run execve() on files within an
application's home directory. Executing code from a writable /home
directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX).
Additionally, loading code from application home directories violates a
security requirement that all executable code mapped into memory must
come from signed sources, or be derived from signed sources.

Note: this change does *not* remove the ability to load executable code
through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor
from the app's home directory. In particular, functionality like
dlopen() on files in an app's home directory continues to work even
after this change.

untrusted_app_25 and untrusted_app_27: For backwards compatibility,
continue to allow these domains to execve() files from the
application's home directory.

seapp_contexts: Bump the minimum API level required to enter the
untrusted_app domain. This will run API level 27-28 processes in
the API level 27 sandbox. API level 28 will continue to run with
levelFrom=all, and API level 27 will continue to run with
levelFrom=user.

Bug: 112357170
Test: Device boots and no obvious problems.
Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228
Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0
2018-10-29 09:24:09 -07:00
Chenbo Feng
16dbe82eaf Block access to xt_qtaguid proc files
In the next Android release, there will be devices that have no
xt_qtaguid module at all and framework and netd will decide which code
path it takes for trafficStats depending on the device setup. So all
apps and services should not depend on this device specific
implementation anymore and use public API for the data they need.

Bug: 114475331
Bug: 79938294
Test: QtaguidPermissionTest

Change-Id: I0d37b2df23782eefa2e8977c6cdbf9210db3e0d2
2018-09-28 01:33:02 +00:00
Nick Kralevich
f3eb985447 Remove legacy execmod access from API >= 26.
Text relocation support was removed from the linker for apps targeting
API >= 23. See
https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23

However, the security policy was not updated to remove the execmod
permission at that time, since we didn't have support for targeting
SELinux policies to API versions.

Remove execmod permissions for apps targeting API 26 or greater. The
linker support was removed, so it's pointless to keep around the SELinux
permissions.

Retain execmod support for apps targeting API 25 or lower. While in
theory we could remove support for API 23-25, that would involve the
introduction of a new SELinux domain (and the associated rule
explosion), which I would prefer to avoid.

This change helps protect application executable code from modification,
enforcing W^X properties on executable code pages loaded from files.
https://en.wikipedia.org/wiki/W%5EX

Test: auditallow rules were added and nothing triggered for apps
      targeting API >= 26. Code compiles and device boots.
Bug: 111544476

Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41
2018-08-08 01:39:09 +00:00
Jeff Vander Stoep
7a4af30b38 Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00
Jeff Vander Stoep
3aa7ca56fd Add untrusted_app_27
This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.

Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.

Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9fc)
2018-04-03 12:25:51 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Nick Kralevich
9be90fb6e1 Revert "Remove execmod support for newer API versions"
We need more time to investigate the effect that this change will
have on DRM solutions. Until the investigation is done, revert.

This reverts commit 38d3eca0d4.

Bug: 30146890
Bug: 20013628
Bug: 35323421
Change-Id: I5ad69ef5ee12081ce7fc0a8440712f7f8f77cf16
Test: policy compiles.
2017-03-06 02:50:19 +00:00
Nick Kralevich
38d3eca0d4 Remove execmod support for newer API versions
Drop support for execmod (aka text relocations) for newer API versions.
Retain it for older app APIs versions.

Bug: 30146890
Bug: 20013628
Bug: 35323421
Test: policy compiles.
Change-Id: Ie54fdb385e9c4bb997ad6fcb6cff74f7e32927bb
2017-03-05 07:17:03 +00:00
Nick Kralevich
b4f354fdd2 Move /proc/tty/drivers access to untrusted_app_25
This should only be granted to legacy apps, not to newer API versions.

Change-Id: Ia4b9b3a3cf33aa31bcad2fe15d8470c50132e2a9
Test: policy compiles.
2017-03-04 20:10:02 -08:00
Nick Kralevich
50bb7b5a67 Label /proc/misc
Label /proc/misc and allow access to untrusted_apps targeting older API
versions, as well as update_engine_common.

/proc/misc is used by some banking apps to try to detect if they are
running in an emulated environment.

TODO: Remove access to proc:file from update_engine_common after more
testing.

Bug: 35917228
Test: Device boots and no new denials.
Change-Id: If1b97a9c55a74cb74d1bb15137201ffb95b5bd75
2017-03-03 12:20:38 -08:00
Jeff Vander Stoep
d152425133 Allow all untrusted_apps to create ptys
Bug: 35632346
Test: build and boot aosp_marlin
Change-Id: Ia2d019b0160e9b512f3e3a70ded70504fe4fea0c
2017-02-21 22:17:16 -08:00
Jeff Vander Stoep
bacb6d7936 untrusted_app: policy versioning based on targetSdkVersion
Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion.

Place untrusted apps with targetSdkVersion<=25 into the
untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed
into the untrusted_app domain. Common rules are included in the
untrusted_app_all attribute. Apps with a more recent targetSdkVersion
are granted fewer permissions.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-14 13:30:12 -08:00