tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/app_neverallows.te
Jiyong Park e95c704b6f Access to HALs from untrusted apps is blacklist-based 
Before this change, access to HALs from untrusted apps was prohibited
except for the whitelisted ones like the gralloc HAL, the renderscript
HAL, etc. As a result, any HAL that is added by partners can't be
accessed from apps. This sometimes is a big restriction for them when
they want to access their own HALs in the same-process HALs running in
apps. Although this is a vendor-to-vendor communication and thus is not
a Treble violation, that was not allowed because their HALs are not in
the whitelist in AOSP.

This change fixes the problem by doing the access control in the
opposite way; access to HALs are restricted only for the blacklisted
ones.

All the hwservice context that were not in the whitelist are now put
to blacklist.

This change also removes the neverallow rule for the binder access to
the halserverdomain types. This is not needed as the protected
hwservices living in the HAL processes are already not accessible; we
have a neverallow rule for preventing hwservice_manager from finding
those protected hwservices from untrusted apps.

Bug: 139645938
Test: m

Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585
(cherry picked from commit 580375c923)

Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
2019-09-06 14:10:38 +09:00

256 lines
10 KiB
Text
Raw Blame History

###
### neverallow rules for untrusted app domains
###
define(`all_untrusted_apps',`{
ephemeral_app
isolated_app
mediaprovider
untrusted_app
untrusted_app_25
untrusted_app_27
untrusted_app_all
}')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow all_untrusted_apps domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;
# Do not allow untrusted apps to use VendorBinder
neverallow all_untrusted_apps vndbinder_device:chr_file *;
neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
# but otherwise disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
neverallow all_untrusted_apps app_exec_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
# Block calling execve() on files in an apps home directory.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
} dex2oat_exec:file no_x_file_perms;
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
neverallow all_untrusted_apps mlstrustedsubject:process fork;
# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
neverallow all_untrusted_apps file_type:file link;
# Do not allow untrusted apps to access network MAC address file
neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
# Do not allow any write access to files in /sys
neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
# Apps may never access the default sysfs label.
neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket sctp_socket
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
neverallow { all_untrusted_apps -mediaprovider } {
fs_type
-sdcard_type
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
-app_exec_data_file # stored within the app sandbox directory
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
')
}:dir_file_class_set { create unlink };
# No untrusted component except mediaprovider should be touching /dev/fuse
neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
SIOCGIFHWADDR
SIOCSIFHWADDR
TUNATTACHFILTER
TUNDETACHFILTER
TUNGETFEATURES
TUNGETFILTER
TUNGETSNDBUF
TUNGETVNETHDRSZ
TUNSETDEBUG
TUNSETGROUP
TUNSETIFF
TUNSETLINK
TUNSETNOCSUM
TUNSETOFFLOAD
TUNSETOWNER
TUNSETPERSIST
TUNSETQUEUE
TUNSETSNDBUF
TUNSETTXFILTER
TUNSETVNETHDRSZ
};
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
neverallow all_untrusted_apps anr_data_file:dir ~search;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow all_untrusted_apps {
proc
proc_asound
proc_filesystems
proc_kmsg
proc_loadavg
proc_mounts
proc_pagetypeinfo
proc_slabinfo
proc_stat
proc_swaps
proc_uptime
proc_version
proc_vmallocinfo
proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;
# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
# Do not permit access from apps which host arbitrary code to the protected HwBinder
# services.
# The two main reasons for this are:
# 1. Protected HwBinder servers do not perform client authentication because HIDL
# currently does not expose caller UID information and, even if it did, those
# HwBinder services either operate at a level below that of apps (e.g., HALs)
# or must not rely on app identity for authorization. Thus, to be safe, the
# default assumption is that every HwBinder service treats all its clients as
# equally authorized to perform operations offered by the service.
# 2. HAL servers (a subset of HwBinder services) contain code with higher
# incidence rate of security issues than system/core components and have
# access to lower layes of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model.
neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
neverallow all_untrusted_apps {
vendor_service
}:service_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
# They must use ASharedMemory NDK API instead.
neverallow {
all_untrusted_apps
-ephemeral_app
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
} mnt_sdcard_file:lnk_file *;
Reference in a new issue View git blame Copy permalink