7a4af30b38
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f
)
95 lines
3.5 KiB
Text
95 lines
3.5 KiB
Text
###
|
|
### Apps signed with the platform key.
|
|
###
|
|
|
|
typeattribute platform_app coredomain;
|
|
|
|
app_domain(platform_app)
|
|
|
|
# Access the network.
|
|
net_domain(platform_app)
|
|
# Access bluetooth.
|
|
bluetooth_domain(platform_app)
|
|
# Read from /data/local/tmp or /data/data/com.android.shell.
|
|
allow platform_app shell_data_file:dir search;
|
|
allow platform_app shell_data_file:file { open getattr read };
|
|
allow platform_app icon_file:file { open getattr read };
|
|
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
|
|
# created by system server.
|
|
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
|
|
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
|
|
allow platform_app apk_private_data_file:dir search;
|
|
# ASEC
|
|
allow platform_app asec_apk_file:dir create_dir_perms;
|
|
allow platform_app asec_apk_file:file create_file_perms;
|
|
|
|
# Access to /data/media.
|
|
allow platform_app media_rw_data_file:dir create_dir_perms;
|
|
allow platform_app media_rw_data_file:file create_file_perms;
|
|
|
|
# Read access to FDs from the DropboxManagerService.
|
|
allow platform_app dropbox_data_file:file { getattr read };
|
|
|
|
# Write to /cache.
|
|
allow platform_app cache_file:dir create_dir_perms;
|
|
allow platform_app cache_file:file create_file_perms;
|
|
|
|
# Direct access to vold-mounted storage under /mnt/media_rw
|
|
# This is a performance optimization that allows platform apps to bypass the FUSE layer
|
|
allow platform_app mnt_media_rw_file:dir r_dir_perms;
|
|
allow platform_app sdcard_type:dir create_dir_perms;
|
|
allow platform_app sdcard_type:file create_file_perms;
|
|
|
|
# com.android.systemui
|
|
allow platform_app rootfs:dir getattr;
|
|
|
|
# com.android.captiveportallogin reads /proc/vmstat
|
|
allow platform_app {
|
|
proc_vmstat
|
|
}:file r_file_perms;
|
|
|
|
# /proc/net access.
|
|
# TODO(b/9496886) Audit access for removal.
|
|
r_dir_file(platform_app, proc_net_type)
|
|
userdebug_or_eng(`
|
|
auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
|
|
')
|
|
|
|
allow platform_app audioserver_service:service_manager find;
|
|
allow platform_app cameraserver_service:service_manager find;
|
|
allow platform_app drmserver_service:service_manager find;
|
|
allow platform_app mediaserver_service:service_manager find;
|
|
allow platform_app mediametrics_service:service_manager find;
|
|
allow platform_app mediaextractor_service:service_manager find;
|
|
allow platform_app mediacodec_service:service_manager find;
|
|
allow platform_app mediadrmserver_service:service_manager find;
|
|
allow platform_app persistent_data_block_service:service_manager find;
|
|
allow platform_app radio_service:service_manager find;
|
|
allow platform_app thermal_service:service_manager find;
|
|
allow platform_app timezone_service:service_manager find;
|
|
allow platform_app app_api_service:service_manager find;
|
|
allow platform_app system_api_service:service_manager find;
|
|
allow platform_app vr_manager_service:service_manager find;
|
|
|
|
# Access to /data/preloads
|
|
allow platform_app preloads_data_file:file r_file_perms;
|
|
allow platform_app preloads_data_file:dir r_dir_perms;
|
|
allow platform_app preloads_media_file:file r_file_perms;
|
|
allow platform_app preloads_media_file:dir r_dir_perms;
|
|
|
|
read_runtime_log_tags(platform_app)
|
|
|
|
# allow platform apps to use UDP sockets provided by the system server but not
|
|
# modify them other than to connect
|
|
allow platform_app system_server:udp_socket {
|
|
connect getattr read recvfrom sendto write getopt setopt };
|
|
|
|
# allow platform apps to connect to the property service
|
|
set_prop(platform_app, test_boot_reason_prop)
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
# app domains which access /dev/fuse should not run as platform_app
|
|
neverallow platform_app fuse_device:chr_file *;
|