Commit graph

46 commits

Author SHA1 Message Date
dcashman
b075338d0e Assign app_api_service attribute to services.
Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
2015-04-03 14:29:40 -07:00
dcashman
d12993f084 Add system_api_service and app_api_service attributes.
System services differ in designed access level.  Add attributes reflecting this
distinction and label services appropriately.  Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute.  Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
2015-04-03 11:20:00 -07:00
dcashman
8af4e9cb00 Record observed service accesses.
Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
2015-04-01 14:30:46 -07:00
John Reck
e8064afb5e Add graphicsstats service
Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df
2015-03-27 19:10:58 +00:00
Nick Kralevich
85ce2c706e Don't grant hard link capabilities by default.
Modify create_file_perms and create_dir_perms so they don't have
the "link" permission. This permission controls whether hard links
are allowed or not on the given file label. Hard links are a common
source of security bugs, and aren't something we want to support by
default.

Get rid of link_file_perms and move the necessary permissions into
create_file_perms and create_dir_perms. Nobody is using this macro,
so it's pointless to keep it around.

Get rid of unlink on directories. It returns EISDIR if you attempt to
do it, independent of SELinux permissions.

SELinux domains which have a need for hard linking for a particular
file type can add it back to their permission set on an as-needed basis.

Add a compile time assertion (neverallow rule) for untrusted_app.
It's particularly dangerous for untrusted_app to ever have hard
link capabilities, and the neverallow rule will prevent regressions.

Bug: 19953790
Change-Id: I5e9493d2bf5da460d074f0bc5ad8ba7c14dec6e0
2015-03-27 08:22:56 -07:00
Stephen Smalley
eaece936f2 neverallow untrusted_app as a mlstrustedsubject.
Assigning mlstrustedsubject to untrusted_app would undermine
the per-user isolation model being enforced via levelFrom=user
in seapp_contexts and the mls constraints.  There is no direct
way to specify a neverallow on attribute assignment, but this
makes use of a particular property of the fork permission to
prevent ever adding mlstrustedsubject to untrusted_app.

A similar restriction for app_data_file and mlstrustedobject
is also important for the same reason, but cannot be expressed
as a neverallow.

Change-Id: I5170cadc55cc614aef0cd5f6491de8f69a4fa2a0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 16:54:48 -04:00
Stephen Smalley
b8caf7fdd4 Move allow rules before neverallow rules.
There were a few instances where allow rules were appended
after the neverallow rules stanza in the .te file.  Also
there were some regular allow rules inserted into the CTS-specific
rules section of app.te.  Just move the rules as appropriate.
Should be no change in policy.

Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 16:42:42 -04:00
dcashman
bb3cef4488 Record observed bluetooth service access.
Bug: 18106000
Change-Id: I80b574f73d53439dd710ccdb8f05cc2f9e9a10b4
2015-03-06 11:13:29 -08:00
Nick Kralevich
1aafc4c7d3 allow untrusted_app read /data/anr/traces.txt
The GMS core feedback agent runs as untrusted_app, and needs
the ability to read /data/anr/traces.txt to report ANR information.

Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core
can access it.

Longer term, we need to move GMS core into its own domain, but that's
a longer term change.

Addresses the following denial:

W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

(cherrypick from commit e2547c3bff)

Bug: 18504118
Bug: 18340553
Change-Id: I8b472b6ab7dfe2a73154033e0a088b8e26396fa8
2015-03-05 17:00:58 -08:00
Nick Kralevich
8be3e77986 move untrusted_app statement to the correct file.
Change-Id: I5ae9606023ef7f3489f44e6657766e922160c470
2015-03-05 15:40:04 -08:00
dcashman
23f336156d Record observed system_server servicemanager service requests.
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
2015-03-03 11:38:07 -08:00
dcashman
6a2451b580 Allow platform_app access to keystore.
Encountered when certinstaller tries to talk to keystore:
ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference

Address the following denial:
avc:  denied  { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager

Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d
2015-03-02 11:31:26 -08:00
Nick Kralevich
d31936f89c appdomain: relax netlink_socket neverallow rule
Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.

Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.

This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.

Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.

Change-Id: I40de0ae28134ce71e808e5ef4a39779b71897571
2015-01-28 17:46:30 -08:00
dcashman
566e8fe258 Record service accesses.
Reduce logspam and record further observed service connections.

Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
2015-01-16 17:27:25 -08:00
dcashman
c631ede7dc Remove known system_server service accesses from auditing.
Address observed audit logs of the form:
granted  { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager

in order to record existing relationships with services.

Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
2015-01-15 15:12:18 -08:00
dcashman
4a89cdfa89 Make system_server_service an attribute.
Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
2015-01-14 13:54:26 -08:00
dcashman
cd82557d40 Restrict service_manager find and list access.
All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
2014-12-15 10:09:24 -08:00
Pawit Pornkitprasan
c06ed8f7b2 sepolicy: allow system apps to access ASEC
Required for Settings to show name/icon of apps on sd card
(permission copied from untrusted_app)

Also removed duplicate permission (from domain) in untrusted_app

Change-Id: Ib2b3bee4dfb54ad5e45b392fd9bfd65add4a00bf
2014-12-12 13:58:39 +07:00
Nick Kralevich
8c6dba90a5 fix whitespace
Change-Id: I2911d2b5d1931c6f6245cc54465458a8a3c2b2bb
2014-10-14 15:07:49 -07:00
Nick Kralevich
642b80427e relax neverallow rules on NETLINK_KOBJECT_UEVENT sockets
Netlink uevent sockets are used by the kernel to inform userspace
when certain events occur, for example, when new hardware is added
or removed. This allows userspace to take some action based on those
messages.

Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets.
Certain device specific app domains, such as system_app, may have a
need to receive messages from this socket type.

Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app.
These sockets have been the source of rooting attacks in Android
in the past, and it doesn't make sense to expose this to untrusted_apps.

No new SELinux rules are introduced by this change. This is an
adjustment of compile time assertions only.

Bug: 17525863
Change-Id: I3e538dc8096dc23b9678bcd20e3c1e742c21c967
2014-09-21 23:49:37 -07:00
dcashman
fbbe9e9117 Allow untrusted_app access to temporary apk files.
Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow.  This verifier runs as
a priv-app, which is in the untrusted_app domain.  Allow untrusted_app
read-access to these files.

Bug: 16515815

Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e
2014-08-06 18:19:41 -07:00
Riley Spahn
603bc20509 Further refined service_manager auditallow statements.
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
2014-07-18 09:24:13 -07:00
Riley Spahn
af8d7ca9e9 Remove radio_service from untrusted_app auditallow.
Change untrusted_app to not auditallow radio_service find requests
to cut down on log spam.

Change-Id: I65d4a60ea1c7e81425937d5f1908e764fdec417f
2014-07-15 15:13:18 -07:00
Riley Spahn
b8511e0d98 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
2014-07-14 11:09:27 -07:00
Nick Kralevich
f583566616 Don't use don't
Single quotes sometimes mess up m4 parsing

Change-Id: Ic53cf0f9b45b2173cbea5c96048750f6a582a535
2014-07-09 19:03:47 -07:00
Nick Kralevich
99d86c7a77 ensure that untrusted_app can't set properties
Bug: 10243159
Change-Id: I9409fe8898c446a33515f1bee2990f36a2e11535
2014-07-09 18:58:04 -07:00
Riley Spahn
76206abc9f Add neverallow rules further restricting service_manager.
Add a neverallow rule that prevents domain from adding a
default_android_service. Add a neverallow rule that prevents
untrusted_app from ever adding a service through
servicemanager.

Change-Id: I963671fb1224147bb49ec8f0b6be0dcc91c23156
2014-07-07 12:47:07 -07:00
Nick Kralevich
78706f9ef6 add execmod to various app domains
NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.

Addresses the following error / denial:

  06-02 13:28:59.495  3634  3634 W linker  : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
  <4>[   57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app

Expected:
  App runs

Actual:
  App crashes with error above.

Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
2014-06-02 15:56:44 -07:00
Nick Kralevich
4bdd13e4c3 untrusted_app: neverallow debugfs
Too many leaky files in that directory. It's a security best practice
to not mount this filesystem, however, we need it mounted for
tracing support. Even though it's mounted, make sure the files aren't
readable.

Bug: 11635985
Change-Id: I6f116c0a03a567a8107a8e07135ce025e51458dd
2014-05-13 14:45:00 -07:00
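Several of the commits above (no hard links for untrusted_app, the netlink neverallow rules written against "domain" rather than "self", NETLINK_KOBJECT_UEVENT sockets, debugfs) rely on neverallow as a compile-time assertion: the policy fails to build if any expanded allow rule intersects a neverallow. The checker below is an added example, not the project's own tooling and not checkpolicy. It models a small subset of the policy language (types, attributes, the self keyword, and the * permission wildcard); the attribute memberships and the three sample policies are constructed for illustration. It also shows why the netlink commit switched from "self" to "domain": a neverallow on self does not catch an app handling a netlink socket created in another domain.

```python
"""Toy SELinux neverallow checker (added example; not Android sepolicy tooling)."""
import re
from dataclasses import dataclass

# Constructed attribute memberships: a rule on an attribute applies to every
# member type, which is what makes "neverallow untrusted_app domain:..." wide.
ATTRIBUTES = {
    "domain": {"init", "system_app", "platform_app", "untrusted_app"},
    "appdomain": {"system_app", "platform_app", "untrusted_app"},
}

# allow|neverallow SOURCE TARGET:CLASS PERM; or ... { PERM PERM };
RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;$")


@dataclass(frozen=True)
class Rule:
    kind: str            # "allow" or "neverallow"
    source: str          # type or attribute
    target: str          # type, attribute, or the keyword "self"
    tclass: str
    perms: frozenset     # "*" stands for every permission of the class


def parse_policy(text):
    """Parse the subset of .te syntax used here (comments and blanks skipped)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        kind, src, tgt, cls, perms = m.groups()
        rules.append(Rule(kind, src, tgt, cls,
                          frozenset(perms.strip("{}").split())))
    return rules


def types_of(name):
    """An attribute expands to its member types; a plain type is itself."""
    return ATTRIBUTES.get(name, {name})


def expand(rule):
    """Yield every (source_type, target_type, class, perm) the rule covers."""
    for s in types_of(rule.source):
        targets = {s} if rule.target == "self" else types_of(rule.target)
        for t in targets:
            for p in rule.perms:
                yield (s, t, rule.tclass, p)


def check(policy_text):
    """Return the allowed tuples a neverallow forbids; empty means the policy builds."""
    rules = parse_policy(policy_text)
    allowed = {tup for r in rules if r.kind == "allow" for tup in expand(r)}
    violations = set()
    for r in rules:
        if r.kind != "neverallow":
            continue
        for s, t, c, p in expand(r):
            if p == "*":   # wildcard: any allowed perm on that (src, tgt, class)
                violations |= {a for a in allowed if a[:3] == (s, t, c)}
            elif (s, t, c, p) in allowed:
                violations.add((s, t, c, p))
    return sorted(violations)


# Constructed sample policies, loosely modelled on the commits above.
ALLOW_RULES = """
allow appdomain self:tcp_socket { create bind };
allow system_app self:netlink_kobject_uevent_socket { create read };
allow untrusted_app app_data_file:file { create read write link };
allow untrusted_app init:netlink_socket read;
"""
# Assertions written against "domain": catches hard links and netlink sockets
# from any domain, while leaving system_app's uevent socket alone.
NEVERALLOW_DOMAIN = """
neverallow untrusted_app app_data_file:file link;
neverallow untrusted_app domain:netlink_socket *;
neverallow untrusted_app domain:netlink_kobject_uevent_socket *;
"""
# Same intent written against "self": misses the init-created netlink socket.
NEVERALLOW_SELF = """
neverallow untrusted_app app_data_file:file link;
neverallow untrusted_app self:netlink_socket *;
"""
# Policy after dropping "link" and the netlink grant: nothing to report.
FIXED_ALLOW = """
allow appdomain self:tcp_socket { create bind };
allow system_app self:netlink_kobject_uevent_socket { create read };
allow untrusted_app app_data_file:file { create read write };
"""

if __name__ == "__main__":
    for label, text in [("domain", ALLOW_RULES + NEVERALLOW_DOMAIN),
                        ("self", ALLOW_RULES + NEVERALLOW_SELF),
                        ("fixed", FIXED_ALLOW + NEVERALLOW_DOMAIN)]:
        print(label, check(text))
```

Real checkpolicy also handles permission complements (~), type exclusions (-), and macros such as create_file_perms; those are outside this model, which is only meant to make the expansion-then-intersect semantics visible.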
Stephen Smalley
3a4eb96b2a Make the untrusted_app domain enforcing.
Change-Id: I4811da972f7e23ef86e04d05400169422fbaca35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-01 10:04:58 -07:00
Stephen Smalley
9ba844fea1 Coalesce shared_app, media_app, release_app into untrusted_app.
This change folds the shared_app, media_app, and release_app
domains into untrusted_app, reducing the set of app domains down
to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
nfc, radio), a single domain for apps signed by the platform key
(platform_app), and a single domain for all other apps (untrusted_app).
Thus, SELinux only distinguishes when already distinguished by a predefined
Android ID (AID) or by the platform certificate (which get the signature-only
Android permissions and thus may require special OS-level accesses).

It is still possible to introduce specific app domains for specific
apps by adding signer and package stanzas to mac_permissions.xml,
but this can be done on an as-needed basis for specialized apps that
require particular OS-level permissions outside the usual set.

As there is now only a single platform app domain, get rid of the
platformappdomain attribute and platform_app_domain() macro.  We used
to add mlstrustedsubject to those domains but drop this since we are not
using MLS in AOSP presently; we can revisit which domains need it if/when
we use MLS.

Since we are dropping the shared, media, and release seinfo entries from
seapp_contexts, drop them from mac_permissions.xml as well.  However,
we leave the keys.conf entries in case someone wants to add a signer
entry in the future for specific apps signed by those keys to
mac_permissions.xml.

Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-04 18:24:09 +00:00
Stephen Smalley
b0db712bf0 Clean up, unify, and deduplicate app domain rules.
Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-07 15:47:33 -05:00
Stephen Smalley
1eb94035cd Remove redundant socket rules.
These same permissions are already allowed via net_domain() and
the rules in net.te.

Change-Id: I4681fb9993258b4ad668333ad7d7102e983b5c2b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 09:08:57 -05:00
Stephen Smalley
d823f83e54 Clarify meaning of untrusted_app and app domain assignment logic.
The current inline documentation is not entirely accurate and caused
user confusion, e.g. see:
https://groups.google.com/d/msg/android-security-discuss/javBrPT8ius/C4EVEFUu4ZoJ

Try to clarify the meaning of untrusted_app, how app domains are
assigned, and how to move other system apps out of untrusted_app into
a different domain.

Change-Id: I98d344dd078fe9e2738b68636adaabda1f4b3c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-21 13:29:54 -05:00
Robert Craig
48b18832c4 Introduce asec_public_file type.
This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-11 17:08:10 +00:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00
Stephen Smalley
65317124a0 Allow untrusted apps to execute binaries from their sandbox directories.
Various third party apps come with their own binaries that they write out to
their sandbox directories and then execute, e.g.:
audit(1386527439.462:190): avc:  denied  { execute_no_trans } for  pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file

While this is not ideal from a security POV, it seems necessary to support for
compatibility with Android today.

Split out the execute-related permissions to a separate allow rule as it
only makes sense for regular files (class file) not other kinds of files
(e.g. fifos, sockets, symlinks), and use the rx_file_perms macro.

Move the rule to untrusted_app only so that we do not permit system apps
to execute files written by untrusted apps.

Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-11 09:23:57 -05:00
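The avc lines quoted throughout these commits (the traces.txt denial, the system_server service_manager "granted" lines produced by auditallow, the unix_stream_socket denials, and the execute_no_trans denial in the commit just above) share one format. The parser below is an added example, not code from the Android sepolicy project: it extracts the source domain, target type, class and permissions from each line, groups denials into candidate allow rules of the shape a policy author reviews (the output audit2allow gives), and keeps auditallow "granted" records separate, since those describe accesses that are already permitted and are only being recorded. The denial lines in the sample are quoted from the commit messages above; the unrelated log line is constructed.

```python
"""Parse Android avc denial / auditallow lines (added example, not sepolicy tooling)."""
import re

# "avc: denied { read write } for pid=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
# key=value pairs; values may be quoted (path="socket:[1]") or bare (pid=1550)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """u:r:untrusted_app:s0:c39,c256 -> untrusted_app (the type is the third field)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a record dict for an avc line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields or "tclass" not in fields:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "sdomain": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def summarize(lines):
    """Group lines by (source domain, target type, class) into denied and granted perm sets."""
    denied, granted = {}, {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["sdomain"], rec["ttype"], rec["tclass"])
        bucket = denied if rec["verdict"] == "denied" else granted
        bucket.setdefault(key, set()).update(rec["perms"])
    return denied, granted


def candidate_rules(denied):
    """Render grouped denials as allow rules for review. Each one is a question
    for the policy author (is this access intended?), not a rule to paste."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denied.items())]


# Sample input: avc lines quoted from the commit messages; last line is constructed.
SAMPLE_LOG = [
    'W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file',
    'avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager',
    'avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket',
    'avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket',
    'audit(1386527439.462:190): avc:  denied  { execute_no_trans } for  pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file',
    'I/unrelated( 1): nothing to see here',
]

if __name__ == "__main__":
    denied, granted = summarize(SAMPLE_LOG)
    for rule in candidate_rules(denied):
        print("review:", rule)
    for key, perms in sorted(granted.items()):
        print("already granted (auditallow):", key, sorted(perms))
```

The grouping deliberately merges the categories (c39,c256) out of the context, because the rule that would resolve a denial is written on the type, not on the per-app MLS level; the raw fields stay available in the record for anyone who needs the pid, path or inode.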
Stephen Smalley
2dc4acf33b Isolate untrusted app ptys from other domains.
Add a create_pty() macro that allows a domain to
create and use its own ptys, isolated from the ptys
of any other domain, and use that macro for untrusted_app.
This permits the use of a pty by apps without opening up access
to ptys created by any other domain on the system.

Change-Id: I5d96ce4d1b26073d828e13eb71c48d1e14ce7d6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-27 10:11:33 -04:00
Nick Kralevich
2f40a17a42 Revert "Add the ability to write shell files to the untrusted_app domain."
At this point, we still don't understand the root cause of
bug 10290009, or if it's even a real bug.  Rollback
29d0d40668 so we can get a device
in this state and figure out the root cause of this problem.

This reverts commit 29d0d40668.

Bug: 10290009
2013-09-04 16:12:33 -07:00
Geremy Condra
29d0d40668 Add the ability to write shell files to the untrusted_app domain.
Bug: 10290009
Change-Id: Ic794299261672b36a2b630893b65ab176c3eee6b
(cherry picked from commit eaa4e844e4c8549c9b4808a1272876a6995ca5a7)
2013-08-16 23:09:02 +00:00
Alex Klyubin
7cda86eb46 Permit apps to bind TCP/UDP sockets to a hostname
Change-Id: Ided2cf793e94bb58529789c3075f8480c0d0cf4e
2013-07-16 13:45:53 -07:00
Nick Kralevich
24617fc3b8 Move isolated_app.te / untrusted_app.te into permissive
OTAs aren't properly labeling /system, which is causing SELinux
breakage. Temporarily put isolated_app.te and untrusted_app.te
into permissive.

Bug: 9878561
Change-Id: Icaf674ad6b3d59cbca3ae796c930c98ab67cae9c
2013-07-16 11:34:08 -07:00
Nick Kralevich
59faed058d Allow apps to create listening ports
Bug: 9872463
Change-Id: I47eabeace3387afd24c0fd4bee70e77c0a3586d5
2013-07-16 09:03:58 -07:00
Nick Kralevich
8a2ebe3477 Temporarily allow untrusted apps to read shell data files.
This is needed to support "Verify App" functionality.
During side loading, the Verify App functionality reads the APK
to determine if it's safe to install.

Bug: 9863154
Change-Id: I33f6b0fd012f6cb194e253d5d92cf6189d6aa222
2013-07-15 16:03:27 -07:00
Nick Kralevich
6634a1080e untrusted_app.te / isolated_app.te / app.te first pass
This is my first attempt at creating an enforcing SELinux domain for
apps, untrusted_apps, and isolated_apps. Many of these rules are based on the
contents of app.te as of commit 11153ef349
with extensive modifications, some of which are included below.

* Allow communication with netd/dnsproxyd, to allow netd to handle
  dns requests
* Allow binder communications with the DNS server
* Allow binder communications with surfaceflinger
* Allow an app to bind to tcp/udp ports
* Allow all domains to read files from the root partition, assuming
  the DAC allows access.

In addition, I added a bunch of "neverallow" rules, to assert that
certain capabilities are never added.

This change has a high probability of breaking someone, somewhere.
If it does, then I'm happy to fix the breakage, rollback this change,
or put untrusted_app into permissive mode.

Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35
2013-07-13 18:46:03 -07:00
Nick Kralevich
748fdef626 Move *_app into their own file
app.te covers a lot of different app types (platform_app, media_app,
shared_app, release_app, isolated_app, and untrusted_app), all
of which are going to have slightly different security policies.

Separate the different domains from app.te. Over time, these
files are likely to grow substantially, and mixing different domain types
is a recipe for confusion and mistakes.

No functional change.

Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f
2013-07-12 18:18:41 -07:00