platform_system_sepolicy/untrusted_app.te
Nick Kralevich 87f3802a8e appdomain: relax netlink_socket neverallow rule
Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.

Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.

This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.

Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.

(cherry picked from commit d31936f89c)

Change-Id: I4763cb0c9510220693c506636dbb7584712b67e2
2015-02-05 23:19:08 +00:00

149 lines
5.2 KiB
Text

###
### Untrusted apps.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key. To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
### untrusted_app includes all the appdomain rules, plus the
### additional following rules:
###
type untrusted_app, domain;
app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app app_data_file:file { rx_file_perms execmod };
allow untrusted_app tun_device:chr_file rw_file_perms;
# ASEC
allow untrusted_app asec_apk_file:file r_file_perms;
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file { execute execmod };
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
allow untrusted_app shell_data_file:file r_file_perms;
allow untrusted_app shell_data_file:dir r_dir_perms;
# b/18504118: Allow reads from /data/anr/traces.txt
# TODO: We shouldn't be allowing all untrusted_apps to read
# this file. This is only needed for the GMS feedback agent.
# See also b/18340553. GMS runs as untrusted_app, and
# it's too late to change the domain it runs in.
# This line needs to be deleted.
allow untrusted_app anr_data_file:file r_file_perms;
#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
#
# Access /dev/mtp_usb.
allow untrusted_app mtp_device:chr_file rw_file_perms;
# Access to /data/media.
allow untrusted_app media_rw_data_file:dir create_dir_perms;
allow untrusted_app media_rw_data_file:file create_file_perms;
# Write to /cache.
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app keystore_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app system_server_service:service_manager find;
allow untrusted_app tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(untrusted_app)
auditallow untrusted_app {
tmp_system_server_service
-accessibility_service
-account_service
-activity_service
-appops_service
-appwidget_service
-assetatlas_service
-audio_service
-backup_service
-batterystats_service
-bluetooth_manager_service
-connectivity_service
-content_service
-device_policy_service
-display_service
-dropbox_service
-input_method_service
-input_service
-jobscheduler_service
-location_service
-mount_service
-netstats_service
-network_management_service
-network_score_service
-notification_service
-persistent_data_block_service
-power_service
-registry_service
-textservices_service
-trust_service
-uimode_service
-user_service
-vibrator_service
-webviewupdate_service
-wifi_service
}:service_manager find;
###
### neverallow rules
###
# Receive or send uevent messages.
neverallow untrusted_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow untrusted_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow untrusted_app debugfs:file read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow untrusted_app service_manager_type:service_manager add;
# Do not allow untrusted_apps to connect to the property service
# or set properties. b/10243159
neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app init:unix_stream_socket connectto;
neverallow untrusted_app property_type:property_service set;
# Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;