Commit graph

8 commits

Author SHA1 Message Date
Jeff Vander Stoep
6231b4d9fc Enforce per-app data protections for targetSdk 28+
Adds per-app categories to untrusted app domains and their
app data types. Per-app categories are in addition to the
existing per-user categories.

Apps targeting sdk version 28+ will now have the following
characteristics:
Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]

Whereas apps targeting 27- will look like:
Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+

To ensure backwards compatibility with previous SDK versions,
the levelFrom=all now enforces categories by dominance instead of
equality. Apps with per-app and per-user categories will continue
to have selinux permissions (but not necessarily unix permissions)
to access app data with only per-user categories, but apps with only
per-user categories will not be able to access the data of apps with
both per-app and per-user categories.

Bug: 63897054
Test: Boot sailfish, run apps, verify no new selinux denials.
Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Test: adb sideload an OTA and verify that files are correctly labeled.
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
2018-01-18 13:32:57 -08:00
Alex Klyubin
fce60d3dbc Move untrusted_app policy to private
This leaves only the existence of untrusted_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from untrusted_domain_current
      attribute (as expected).
Bug: 31364497

Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92
2017-01-05 14:39:52 -08:00
Nick Kralevich
e427a2b2be untrusted_app: allow access to /proc/tty/drivers
/proc/tty/drivers is read by applications to figure out if they are
running in an emulated environment. Specifically, they look for the
string "goldfish" within that file.

Arguably this is not an Android API, and really shouldn't be exposed to
applications, but:

1) A largish number of applications break if they can't read this file;
2) The information here isn't particularly sensitive

While we could spend a bunch of time trying to get applications fixed,
there are bigger fish to fry. It's not worth the battle.

Test: "ls -laZ /proc/tty/drivers" is labeled properly.
Bug: 33214085
Bug: 33814662
Bug: 33791054
Bug: 33211769
Bug: 26813932
Change-Id: Icc05bdc1c917547a6dca7d76636a1009369bde49
2017-01-04 08:43:09 -08:00
dcashman
3e8dbf01ef Restore app_domain macro and move to private use.
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea019)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 14:42:43 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
Nick Kralevich
0b7506ff53 neverallow some /proc file reads
Lock in the gains we've made so far in restricting access to generically
labeled /proc files. There's more we can do here, but let's avoid
inadvertent regressions.

Test: policy compiles. Only compile time assertions added.
Bug: 26813932
Change-Id: If354c2ddc1c59beed7f0eb4bcbd3f0d9971c3b8a
2016-11-22 13:18:02 -08:00
Daniel Micay
dc083f596d only permit text relocations in untrusted_app
The other domains either don't have the same backwards compatibility
issues (isolated_app) or are privileged components that are pretty much
part of the platform and can be expected to meet a higher standard.

It would be possible to expose a build option for disabling the ART JIT,
allowing conditional removal of execmem from some of these domains too
(ones not ever using the WebView, until that's always in isolated_app).

Bug: 20013628
Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5
2016-11-20 15:10:34 +00:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from untrusted_app.te (Browse further)