Commit graph

26 commits

Author SHA1 Message Date
Jeff Vander Stoep
2eaa33d95e Untrusted_app: audit NETLINK_ROUTE bind and RTM_GETLINK
Test: build
Bug: 170188668
Bug: 170214442
Change-Id: I79384318ad4031b4bf14ae243e41f01469288e55
2020-12-11 14:10:19 +01:00
Bram Bonné
80b8e3cba3 Revert^3 "Enforce RTM_GETLINK restrictions on all 3p apps"
18ccf9725e

Revert submission 1498525-revert-1499099-revert-1450615-mac-address-restrictions-MNRMVNXRJM-OSETMCLBXY

Reason for revert: b/173384499#comment21
Reverted Changes:
I320d3bcf8:Revert^2 "Enforce RTM_GETLINK restrictions on all ...
I51c83733c:Revert^2 "Return anonymized MAC for apps targeting...
I0e8280c74:Revert "Revert "Updates tests for untrusted app MA...
Ia9f61819f:Revert^2 "Soft-enables new MAC address restriction...

Change-Id: I35a00e187f1b39f6aaa777709fb948f840565a82
2020-12-01 10:04:23 +00:00
Bram Bonné
18ccf9725e Revert^2 "Enforce RTM_GETLINK restrictions on all 3p apps"
f48d1f8e46

The original change was reverted due to InterfaceParamsTest failing.
This test has now been fixed in r.android.com/1498525.
The original change message is below.

This restriction was previously targetSdk gated for apps
with targetSdkVersion>=30.

This change is being posted for app-compat analysis and testing.

Bug: 170188668
Test: build

Change-Id: I320d3bcf8bb64badc39688b19902d532c802dc75
2020-11-16 12:55:39 +00:00
Tej Singh
f48d1f8e46 Revert "Enforce RTM_GETLINK restrictions on all 3p apps"
Revert "Updates tests for untrusted app MAC address restrictions"

Revert submission 1450615-mac-address-restrictions

Reason for revert: DroidMonitor: Potential culprit for Bug 173243616 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted

Reverted Changes:
I08c709b2b:Enforce RTM_GETLINK restrictions on all 3p apps
I95d124ae8:Soft-enables new MAC address restrictions.
I5392f8339:Updates tests for untrusted app MAC address restri...
I9d214c5d0:Return anonymized MAC for apps targeting SDK < 30

Change-Id: I987dfc86dfba56a2d2a45075dc19885ca6f0a4ad
2020-11-13 22:27:15 +00:00
Jeff Vander Stoep
03fb6ee903 Enforce RTM_GETLINK restrictions on all 3p apps
This restriction was previously targetSdk gated for apps
with targetSdkVersion>=30.

This change is being posted for app-compat analysis and testing.

Bug: 170188668
Test: build
Change-Id: I08c709b2bb9a67157d0daf921e8ac7717a3bdf6f
2020-10-16 11:04:42 +02:00
Jeff Vander Stoep
1f7ae8ee3f reland: untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces
Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
2020-01-22 09:47:53 +00:00
Santiago Seifert
1d241db7e5 Revert "untrusted_app_29: add new targetSdk domain"
This reverts commit a1aa2210a9.

Reason for revert: Potential culprit for Bug b/148049462 - verifying through Forrest before revert submission

Change-Id: Ibe4fa1dee84defde324deca87d9de24a1cc2911a
2020-01-21 11:35:24 +00:00
Jeff Vander Stoep
a1aa2210a9 untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No bind() on netlink route sockets.
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Change-Id: Iad4d142c0c13615b4710d378bc1feca4d125b6cc
2020-01-20 15:31:52 +01:00
Tri Vo
8eff3e23d8 Deprecate /mnt/sdcard -> /storage/self/primary symlink.
"This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on."
https://android.googlesource.com/platform/system/core/+/d2f0a2c%5E!/

Apps targeting R+ must NOT use that symlink.

For older apps we allow core init.rc to create
/mnt/sdcard -> /storage/self/primary symlink.

Bug: 129497117
Test: boot device, /mnt/sdcard still around.
Change-Id: I6ecd1928c0f598792d9badbf6616e3acc0450b0d
2019-04-12 03:15:52 +00:00
Jeff Vander Stoep
c9aba12002 Allow execmod for apps with targetSdkVersion=26-28
Bug: 129760476
Test: build
Change-Id: I239c16e8269b81c22738e7813c1d4ae46068aa53
2019-04-02 13:07:27 -07:00
Tri Vo
8b12ff5f21 Neverallow app open access to /dev/ashmem
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.

Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
2019-02-27 21:17:25 +00:00
Tri Vo
73d0a67b06 sepolicy for ashmemd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.

Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.

Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
2019-02-05 21:38:14 +00:00
Alan Stokes
3f63dbf372 Audit native code loading on user builds.
Extend the auditing of native code loading from non-priv app home
directories to user builds. Only applies to apps targeting SDK <= 28.

Bug: 111338677
Test: Builds
Change-Id: I6fbbd80626a1c87dd7ece689f9fecd7c0a1a59d6
2019-01-28 14:15:48 +00:00
Alan Stokes
c6cbeadb21 Un-revert "Audit execution of app_data_file native code."
This was originally implemented in commit
890414725f and reverted in commit
fa3eb773ce. This effectively reverts the
revert, with minimal changes to cope with the subsequent reversion of
commit b362474374.

Auditing is only enabled for apps targeting API <= 28.

Test: Compiles, audit messages are seen.
Bug: 121333210
Bug: 111338677
Change-Id: Ie38498a2b61f4b567902117f9ef293faa0e689dd
2019-01-07 14:08:11 +00:00
Nick Kralevich
65a89c1b2b Revert "remove app_data_file execute"
This reverts commit b362474374.

Reason for revert:

android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures.

Bug: 121333210
Bug: 112357170
Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74
Test: compiles and boots
2018-12-21 10:03:50 -08:00
Nick Kralevich
fa3eb773ce Revert "Audit execution of app_data_file native code."
This reverts commit 890414725f.

Unittest failures of JvmtiHostTest1906#testJvmti. To do a clean revert
of b362474374, we need to also revert this
change.

Test: compiles
Bug: 121333210
Bug: 111338677
2018-12-21 09:59:53 -08:00
Alan Stokes
890414725f Audit execution of app_data_file native code.
On debug builds, introduce audit logging of apps targeting SDK <= 28
that execute native code from a non-priv app home directory via
execve() or dl_open().

Bug: 111338677
Test: Builds + boots.
Test: Launch app that uses private .so files, see granted logs.
Change-Id: I5880801d3a29cbf2c1cf4e0d72adc69a9d548952
2018-12-14 14:54:56 +00:00
Nick Kralevich
b362474374 remove app_data_file execute
Remove the ability for applications to dlopen() executable code from
their home directory for newer API versions. API versions <= 28 are
uneffected by this change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4
2018-12-12 13:20:39 -08:00
Nick Kralevich
cfe1baea25 place dex2oat auditallow statements in userdebug_or_eng blocks
By convention, auditallow statements are always placed in
userdebug_or_eng() blocks. This ensures that we don't inadvertently ship
audit rules on production devices, which could result in device logspam,
and in pathological situations, impact device performance (generating
audit messages is much more expensive than a standard SELinux check).

Bug: 117606664
Test: policy compiles.
Change-Id: I681ed73c83683e8fdbef9cf662488115f6e7a490
2018-11-20 10:50:22 -08:00
David Brazdil
535c5d2be0 Remove 'dex2oat_exec' from untrusted_app
Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.

Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.

Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
2018-11-19 23:47:39 +00:00
Yabin Cui
5dc2c8c740 Revert "Revert "Enforce execve() restrictions for API > 28""
This reverts commit 15d1a12f7f.

Bug: 118737210
Bug: 112357170
Test: boot marlin
Change-Id: Idcfab04b48f843eead4efa9f58a1337c6685c6ca
2018-11-07 18:07:18 +00:00
Nick Kralevich
15d1a12f7f Revert "Enforce execve() restrictions for API > 28"
This reverts commit 0dd738d810.

Reason for revert: CtsSimpleperfTestCases CTS test case failures.
See b/118704604 for details.

Bug: 112357170
Bug: 118704604
Change-Id: Ibe921f3bbc3404694542ef695883c1a30777d68b
2018-10-31 03:40:13 +00:00
Nick Kralevich
0dd738d810 Enforce execve() restrictions for API > 28
untrusted_app: Remove the ability to run execve() on files within an
application's home directory. Executing code from a writable /home
directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX).
Additionally, loading code from application home directories violates a
security requirement that all executable code mapped into memory must
come from signed sources, or be derived from signed sources.

Note: this change does *not* remove the ability to load executable code
through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor
from the app's home directory. In particular, functionality like
dlopen() on files in an app's home directory continues to work even
after this change.

untrusted_app_25 and untrusted_app_27: For backwards compatibility,
continue to allow these domains to execve() files from the
application's home directory.

seapp_contexts: Bump the minimum API level required to enter the
untrusted_app domain. This will run API level 27-28 processes in
the API level 27 sandbox. API level 28 will continue to run with
levelFrom=all, and API level 27 will continue to run with
levelFrom=user.

Bug: 112357170
Test: Device boots and no obvious problems.
Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228
Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0
2018-10-29 09:24:09 -07:00
Chenbo Feng
16dbe82eaf Block access to xt_qtaguid proc files
In the next Android release, there will be devices that have no
xt_qtaguid module at all and framework and netd will decide which code
path it takes for trafficStats depending on the device setup. So all
apps and services should not depend on this device specific
implementation anymore and use public API for the data they need.

Bug: 114475331
Bug: 79938294
Test: QtaguidPermissionTest

Change-Id: I0d37b2df23782eefa2e8977c6cdbf9210db3e0d2
2018-09-28 01:33:02 +00:00
Jeff Vander Stoep
7a4af30b38 Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00
Jeff Vander Stoep
3aa7ca56fd Add untrusted_app_27
This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.

Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.

Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9fc)
2018-04-03 12:25:51 -07:00
Renamed from public/untrusted_app_25.te (Browse further)