Commit graph

9 commits

Author SHA1 Message Date
Stephen Smalley
2dc4acf33b Isolate untrusted app ptys from other domains.
Add a create_pty() macro that allows a domain to
create and use its own ptys, isolated from the ptys
of any other domain, and use that macro for untrusted_app.
This permits the use of a pty by apps without opening up access
to ptys created by any other domain on the system.

Change-Id: I5d96ce4d1b26073d828e13eb71c48d1e14ce7d6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-27 10:11:33 -04:00
Nick Kralevich
2f40a17a42 Revert "Add the ability to write shell files to the untrusted_app domain."
At this point, we still don't understand the root cause of
bug 10290009, or if it's even a real bug. Rollback
29d0d40668 so we can get a device
in this state and figure out the root cause of this problem.

This reverts commit 29d0d40668.

Bug: 10290009
2013-09-04 16:12:33 -07:00
Geremy Condra
29d0d40668 Add the ability to write shell files to the untrusted_app domain.
Bug: 10290009
Change-Id: Ic794299261672b36a2b630893b65ab176c3eee6b
(cherry picked from commit eaa4e844e4c8549c9b4808a1272876a6995ca5a7)
2013-08-16 23:09:02 +00:00
Alex Klyubin
7cda86eb46 Permit apps to bind TCP/UDP sockets to a hostname
Change-Id: Ided2cf793e94bb58529789c3075f8480c0d0cf4e
2013-07-16 13:45:53 -07:00
Nick Kralevich
24617fc3b8 Move isolated_app.te / untrusted_app.te into permissive
OTAs aren't properly labeling /system, which is causing SELinux
breakage. Temporarily put isolated_app.te and untrusted_app.te
into permissive.

Bug: 9878561
Change-Id: Icaf674ad6b3d59cbca3ae796c930c98ab67cae9c
2013-07-16 11:34:08 -07:00
Nick Kralevich
59faed058d Allow apps to create listening ports
Bug: 9872463
Change-Id: I47eabeace3387afd24c0fd4bee70e77c0a3586d5
2013-07-16 09:03:58 -07:00
Nick Kralevich
8a2ebe3477 Temporarily allow untrusted apps to read shell data files.
This is needed to support "Verify App" functionality.
During side loading, the Verify App functionality reads the APK
to determine if it's safe to install.

Bug: 9863154
Change-Id: I33f6b0fd012f6cb194e253d5d92cf6189d6aa222
2013-07-15 16:03:27 -07:00
Nick Kralevich
6634a1080e untrusted_app.te / isolated_app.te / app.te first pass
This is my first attempt at creating an enforcing SELinux domain for
apps, untrusted_apps, and isolated_apps. Many of these rules are based on the
contents of app.te as of commit 11153ef349
with extensive modifications, some of which are included below.

* Allow communication with netd/dnsproxyd, to allow netd to handle
  dns requests
* Allow binder communications with the DNS server
* Allow binder communications with surfaceflinger
* Allow an app to bind to tcp/udp ports
* Allow all domains to read files from the root partition, assuming
  the DAC allows access.

In addition, I added a bunch of "neverallow" rules, to assert that
certain capabilities are never added.

This change has a high probability of breaking someone, somewhere.
If it does, then I'm happy to fix the breakage, rollback this change,
or put untrusted_app into permissive mode.

Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35
2013-07-13 18:46:03 -07:00
Nick Kralevich
748fdef626 Move *_app into their own file
app.te covers a lot of different app types (platform_app, media_app,
shared_app, release_app, isolated_app, and untrusted_app), all
of which are going to have slightly different security policies.

Separate the different domains from app.te. Over time, these
files are likely to grow substantially, and mixing different domain types
is a recipe for confusion and mistakes.

No functional change.

Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f
2013-07-12 18:18:41 -07:00