c47e149a0b
There is a problem with on-disk labeling of files created by secondary
dex background compilation which is causing unexpected denials to show
up. Drop the auditallow rule to avoid logspam.
Steps to reproduce:
1) boot android device.
2) adb root
3) Run cmd package compile -r bg-dexopt --secondary-dex com.google.android.gms
4) Examine the files in /data/user_de/0/com.google.android.gms
Expected:
All files have the label privapp_data_file
Actual:
The files in /data/user_de/0/com.google.android.gms/app_chimera/m
are labeled "app_data_file", not "privapp_data_file".
Addresses the following audit logspam:
type=1400 audit(0.0:117): avc: granted { execute } for comm=4173796E635461736B202331 path="/data/user_de/0/com.google.android.gms/app_chimera/m/00000002/oat/arm/DynamiteLoader.odex" dev="dm-0" ino=5775 scontext=u:r:untrusted_app:s0:c111,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.android.chrome
Additionally, this removes auditallow statements for older untrusted
apps. Lots of big apps are executing files from their home directory.
Additional restrictions in this area will need to be tied to API
versions.
Addresses the following audit logspam:
type=1400 audit(0.0:619): avc: granted { execute } for comm="na:notification" path="/data/data/com.facebook.katana/lib-xzs/libbreakpad.so" dev="dm-3" ino=28333 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.katana
type=1400 audit(0.0:129): avc: granted { execute } for comm="ticlock" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut
type=1400 audit(0.0:1239): avc: granted { execute } for comm="Analytics-Norma" path="/data/data/com.facebook.orca/lib-xzs/libchipsetmerged.so" dev="dm-3" ino=50243 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.orca
type=1400 audit(0.0:58): avc: granted { execute_no_trans } for comm="sh" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut
type=1400 audit(0.0:1948): avc: granted { execute_no_trans } for comm="sh" path="/data/data/com.mxdata.tube.Market/files/osmcore" dev="sda13" ino=2752651 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.mxdata.tube.Market
type=1400 audit(0.0:2875): avc: granted { execute_no_trans } for comm="ThreadPoolManag" path="/data/data/com.amazon.kindle/files/hardwareTest" dev="sda13" ino=1935346 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.amazon.kindle
This reverts commit 4738b93db2.
Bug: 112357170
Test: policy compiles
###
|
|
### Untrusted_app_all.
|
|
###
|
|
### This file defines the rules shared by all untrusted app domains except
|
|
### ephemeral_app for instant apps.
|
|
### Apps are labeled based on mac_permissions.xml (maps signer and
|
|
### optionally package name to seinfo value) and seapp_contexts (maps UID
|
|
### and optionally seinfo value to domain for process and type for data
|
|
### directory). The untrusted_app_all attribute is assigned to all default
|
|
### seapp_contexts for any app with UID between APP_AID (10000)
|
|
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
|
|
### value as determined from mac_permissions.xml. In current AOSP, this
|
|
### attribute is assigned to all non-system apps as well as to any system apps
|
|
### that are not signed by the platform key. To move
|
|
### a system app into a specific domain, add a signer entry for it to
|
|
### mac_permissions.xml and assign it one of the pre-existing seinfo values
|
|
### or define and use a new seinfo value in both mac_permissions.xml and
|
|
### seapp_contexts.
|
|
###
|
|
### Note that rules that should apply to all untrusted apps must be in app.te or also
|
|
### added to ephemeral_app.te.
|
|
|
|
# Some apps ship with shared libraries and binaries that they write out
|
|
# to their sandbox directory and then execute.
|
|
allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
|
|
|
|
# ASEC
|
|
allow untrusted_app_all asec_apk_file:file r_file_perms;
|
|
allow untrusted_app_all asec_apk_file:dir r_dir_perms;
|
|
# Execute libs in asec containers.
|
|
allow untrusted_app_all asec_public_file:file { execute };
|
|
|
|
# Used by Finsky / Android "Verify Apps" functionality when
|
|
# running "adb install foo.apk".
|
|
# TODO: Long term, we don't want apps probing into shell data files.
|
|
# Figure out a way to remove these rules.
|
|
allow untrusted_app_all shell_data_file:file r_file_perms;
|
|
allow untrusted_app_all shell_data_file:dir r_dir_perms;
|
|
|
|
# Allow traceur to pass file descriptors through a content provider to untrusted apps
|
|
# for the purpose of sharing files through e.g. gmail
|
|
allow untrusted_app_all trace_data_file:file { getattr read };
|
|
|
|
# untrusted apps should not be able to open trace data files, they should depend
|
|
# upon traceur to pass a file descriptor
|
|
neverallow untrusted_app_all trace_data_file:dir *;
|
|
neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
|
|
|
|
# Allow to read staged apks.
|
|
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
|
|
|
|
# Read and write system app data files passed over Binder.
|
|
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
|
|
# cropping or taking user photos.
|
|
allow untrusted_app_all system_app_data_file:file { read write getattr };
|
|
|
|
#
|
|
# Rules migrated from old app domains coalesced into untrusted_app.
|
|
# This includes what used to be media_app, shared_app, and release_app.
|
|
#
|
|
|
|
# Access to /data/media.
|
|
allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
|
|
allow untrusted_app_all media_rw_data_file:file create_file_perms;
|
|
|
|
# Traverse into /mnt/media_rw for bypassing FUSE daemon
|
|
# TODO: narrow this to just MediaProvider
|
|
allow untrusted_app_all mnt_media_rw_file:dir search;
|
|
|
|
# allow cts to query all services
|
|
allow untrusted_app_all servicemanager:service_manager list;
|
|
|
|
allow untrusted_app_all audioserver_service:service_manager find;
|
|
allow untrusted_app_all cameraserver_service:service_manager find;
|
|
allow untrusted_app_all drmserver_service:service_manager find;
|
|
allow untrusted_app_all mediaserver_service:service_manager find;
|
|
allow untrusted_app_all mediaextractor_service:service_manager find;
|
|
allow untrusted_app_all mediacodec_service:service_manager find;
|
|
allow untrusted_app_all mediametrics_service:service_manager find;
|
|
allow untrusted_app_all mediadrmserver_service:service_manager find;
|
|
allow untrusted_app_all nfc_service:service_manager find;
|
|
allow untrusted_app_all radio_service:service_manager find;
|
|
allow untrusted_app_all app_api_service:service_manager find;
|
|
allow untrusted_app_all vr_manager_service:service_manager find;
|
|
|
|
# Allow GMS core to access perfprofd output, which is stored
|
|
# in /data/misc/perfprofd/. GMS core will need to list all
|
|
# data stored in that directory to process them one by one.
|
|
userdebug_or_eng(`
|
|
allow untrusted_app_all perfprofd_data_file:file r_file_perms;
|
|
allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
|
|
')
|
|
|
|
# gdbserver for ndk-gdb ptrace attaches to app process.
|
|
allow untrusted_app_all self:process ptrace;
|
|
|
|
# Cts: HwRngTest
|
|
allow untrusted_app_all sysfs_hwrandom:dir search;
|
|
allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
|
|
|
|
# Allow apps to view preloaded media content
|
|
allow untrusted_app_all preloads_media_file:dir r_dir_perms;
|
|
allow untrusted_app_all preloads_media_file:file r_file_perms;
|
|
allow untrusted_app_all preloads_data_file:dir search;
|
|
|
|
# Allow untrusted apps read / execute access to /vendor/app for there can
|
|
# be pre-installed vendor apps that package a library within themselves.
|
|
# TODO (b/37784178) Consider creating a special type for /vendor/app installed
|
|
# apps.
|
|
allow untrusted_app_all vendor_app_file:dir { open getattr read search };
|
|
allow untrusted_app_all vendor_app_file:file { open getattr read execute };
|
|
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
|
|
|
|
# Write app-specific trace data to the Perfetto traced damon. This requires
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
|
allow untrusted_app_all traced:fd use;
|
|
allow untrusted_app_all traced_tmpfs:file { read write getattr map };
|
|
unix_socket_connect(untrusted_app_all, traced_producer, traced)
|
|
|
|
# allow untrusted apps to use UDP sockets provided by the system server but not
|
|
# modify them other than to connect
|
|
allow untrusted_app_all system_server:udp_socket {
|
|
connect getattr read recvfrom sendto write getopt setopt };
|
|
|
|
# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
|
|
dontaudit untrusted_app_all net_dns_prop:file read;
|
|
|
|
# These have been disallowed since Android O.
|
|
# For P, we assume that apps are safely handling the denial.
|
|
dontaudit untrusted_app_all proc_stat:file read;
|
|
dontaudit untrusted_app_all proc_vmstat:file read;
|
|
dontaudit untrusted_app_all proc_uptime:file read;
|
|
|
|
# Allow the allocation and use of ptys
|
|
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
|
|
create_pty(untrusted_app_all)
|
|
|
|
# /proc/net access.
|
|
# TODO(b/9496886) Audit access for removal.
|
|
# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
|
|
# limited through a mechanism other than SELinux.
|
|
r_dir_file(untrusted_app_all, proc_net_type)
|
|
userdebug_or_eng(`
|
|
auditallow untrusted_app_all {
|
|
proc_net_type
|
|
-proc_net_vpn
|
|
}:{ dir file lnk_file } { getattr open read };
|
|
')
|
|
|
|
# Attempts to write to system_data_file is generally a sign
|
|
# that apps are attempting to access encrypted storage before
|
|
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
|
|
# denial to prevent third party apps from spamming the logs.
|
|
dontaudit untrusted_app_all system_data_file:dir write;
|
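Review bot: The comment above `allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };` no longer records why execute from app_data_file is left unaudited, so the next maintainer will not know that the audit was dropped because of a labeling defect rather than because the access is considered settled. The commit description says bg-dexopt secondary-dex output under the privileged app's user_de directory ends up labeled app_data_file instead of privapp_data_file, and that any tightening here must be keyed to targetSdkVersion; neither fact is visible in the policy file. I would add, directly above the allow rule, `# TODO(b/112357170): auditallow dropped. Secondary-dex bg-dexopt output is mislabeled app_data_file`, `# (expected privapp_data_file) and many targetSdk<=27 apps execute from their home dir;`, `# re-add auditing once execute restrictions are tied to API level.` The labeling mismatch is the real defect and dropping the audit hides it, so the bug reference is what keeps it on the radar.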