Commit graph

19 commits

Author SHA1 Message Date
Bram Bonné
ea5460ab6e untrusted_app_30: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=32 including:
- No RTM_GETNEIGH on netlink route sockets.
- No RTM_GETNEIGHTBL on netlink route sockets.

Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Test: atest CtsSelinuxTargetSdk30TestCases
Test: atest CtsSelinuxTargetSdk29TestCases
Test: atest CtsSelinuxTargetSdk28TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CompatChangesSelinuxTest
Test: atest NetlinkSocketTest
Change-Id: I2167e6cd564854c2656ee06c2202cfff2b727af5
2021-07-05 11:42:31 +02:00
Paul Hobbs
f6fc9377ad Revert "untrusted_app_30: add new targetSdk domain"
Revert "Ignore SELinux denials for all untrusted_app domains"

Revert "Update tests to check RTM_GETNEIGH{TBL} restrictions"

Revert submission 1748045-getneigh-enable-restrictions

Reason for revert: Breaks android.net.netlink.NetlinkSocketTest#testBasicWorkingGetNeighborsQuery with permissions error.

Bug: 192406650

Reverted Changes:
Iea29a1b36:Ignore SELinux denials for all untrusted_app domai...
I14b755020:Update tests to check RTM_GETNEIGH{TBL} restrictio...
I32ebb407b:untrusted_app_30: add new targetSdk domain
I8598662b7:libsepol: trigger new RTM_GETNEIGH{TBL} behavior

Change-Id: I525544191520607fdd238b5ac55aa5132f679253
2021-06-30 07:41:39 +00:00
Bram Bonné
55badc22c1 untrusted_app_30: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=32 including:
- No RTM_GETNEIGH on netlink route sockets.
- No RTM_GETNEIGHTBL on netlink route sockets.

Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest CtsSelinuxTargetSdkCurrentTestCases

Change-Id: I32ebb407b8dde1c872f53a1bc3c1ec20b9a5cb49
2021-06-29 17:50:22 +02:00
Jeff Vander Stoep
1f7ae8ee3f reland: untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces
Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
2020-01-22 09:47:53 +00:00
Santiago Seifert
1d241db7e5 Revert "untrusted_app_29: add new targetSdk domain"
This reverts commit a1aa2210a9.

Reason for revert: Potential culprit for Bug b/148049462 - verifying through Forrest before revert submission

Change-Id: Ibe4fa1dee84defde324deca87d9de24a1cc2911a
2020-01-21 11:35:24 +00:00
Jeff Vander Stoep
a1aa2210a9 untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No bind() on netlink route sockets.
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Change-Id: Iad4d142c0c13615b4710d378bc1feca4d125b6cc
2020-01-20 15:31:52 +01:00
Jeff Vander Stoep
3aa7ca56fd Add untrusted_app_27
This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.

Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.

Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9fc)
2018-04-03 12:25:51 -07:00
Nathan Harold
ee268643c1 Allow More Apps to Recv UDP Sockets from SystemServer
This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.

This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e2c

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2018-01-15 23:10:42 +00:00
Nathan Harold
0f75a62e2c Allow UDP Sockets to be returned from IpSecService
These permissions allow the system server to create and
bind a UDP socket such that it gains the SOCK_BINDPORT_LOCK.
(ref: af_inet.c - inet_bind()) This prevents the user from
disconnecting the socket, which would create a security
vulnerability. The user may then use the provided socket,
which is always IPv4/UDP, for IKE negotiation. Thus, an
un-trusted user app must be able to use the socket for
communication.

-ALLOW: read, write, connect, sendto, and recvfrom.
-NEVERALLOW: anything else

Bug: 30984788
Test: CTS tested via IpSecManagerTest:testUdpEncapsulationSocket

Change-Id: I045ba941797ac12fd14a0cce42efdd2abc4d67e0
2017-04-12 11:32:18 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Jeff Vander Stoep
d152425133 Allow all untrusted_apps to create ptys
Bug: 35632346
Test: build and boot aosp_marlin
Change-Id: Ia2d019b0160e9b512f3e3a70ded70504fe4fea0c
2017-02-21 22:17:16 -08:00
Jeff Vander Stoep
bacb6d7936 untrusted_app: policy versioning based on targetSdkVersion
Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion.

Place untrusted apps with targetSdkVersion<=25 into the
untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed
into the untrusted_app domain. Common rules are included in the
untrusted_app_all attribute. Apps with a more recent targetSdkVersion
are granted fewer permissions.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-14 13:30:12 -08:00
Craig Donner
9051eaf3f1 Allow untrusted apps to access VrManager.
There is only a single systemapi at the moment that is callable, and it is
protected by a signature/preinstalled permission.

(cherry picked from commit I778864afc9d02f8b2bfcf6b92a9f975ee87c4724)

Bug: 35059826,33297721
Test: manually on a marlin
Change-Id: I3789ce8238f5a52ead8f466dfa3045fbcef1958e
2017-02-10 16:30:31 -08:00
Nick Kralevich
4e404290e4 Move net.dns* to it's own label.
Move net.dns* from net_radio_prop to the newly created label
net_dns_prop. This allows finer grain control over this specific
property.

Prior to this change, this property was readable to all SELinux domains,
and writable by the following SELinux domains:

  * system_server
  * system_app (apps which run as UID=system)
  * netmgrd
  * radio

This change:

1) Removes read access to this property to everyone EXCEPT untrusted_app
and system_server.
2) Limit write access to system_server.

In particular, this change removes read access to priv_apps. Any
priv_app which ships with the system should not be reading this
property.

Bug: 34115651
Test: Device boots, wifi turns on, no problems browsing the internet
Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38
2017-02-09 16:14:05 -08:00
Chad Brubaker
46e5a060f6 Move neverallows from untrusted_app.te to app_neverallows.te
The neverallows in untrusted_app will all apply equally to ephemeral app
and any other untrusted app domains we may add, so this moves them to a
dedicated separate file.

This also removes the duplicate rules from isolated_app.te and ensures
that all the untrusted_app neverallows also apply to isolated_app.

Test: builds
Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-02-06 10:16:50 -08:00
Ray Essick
391854000a rename mediaanalytics->mediametrics, wider access
reflect the change from "mediaanalytics" to "mediametrics"

Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.

Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
2017-01-24 16:57:19 -08:00
Alex Klyubin
fce60d3dbc Move untrusted_app policy to private
This leaves only the existence of untrusted_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from untrusted_domain_current
      attribute (as expected).
Bug: 31364497

Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92
2017-01-05 14:39:52 -08:00
dcashman
3e8dbf01ef Restore app_domain macro and move to private use.
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea019)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 14:42:43 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00