History log of /system/sepolicy/untrusted_app.te
Revision Date Author Comments
69270e53c0b74da49df6159548dfc3103862c737 22-Jul-2016 Eric Bae <eric.bae@lge.com> allow policy to create a file by vfat (fs_type) for a case using sdcardfs
am: 320a0f54a1

Change-Id: I6aec72f8175839f4fefeb50f86fedc4202c776b8
320a0f54a14ef992bacaa9d399cf3b54ced66ac7 19-Jul-2016 Eric Bae <eric.bae@lge.com> allow policy to create a file by vfat (fs_type) for a case using sdcardfs

Change-Id: Ia938d73b1a49b9ba4acf906df37095d21edee22e
/system/sepolicy/untrusted_app.te
77a15a173759adba089e5c7e59b72d70567460f7 15-Jul-2016 Amith Yamasani <yamasani@google.com> Merge "Allow apps to read preloaded photos" into nyc-mr1-dev
e01654f98258461448d1761914e32bdad491ec6f 06-Jul-2016 Amith Yamasani <yamasani@google.com> Allow apps to read preloaded photos

For Retail Demo mode, we need to preload photos in
/data/preloads and allow regular apps to access the
photos returned by the media provider from the preloads
directory.

Bug: 29940807
Change-Id: Ic1061dac55ace1b125ae04b5b0c70aae9aa0c732
/system/sepolicy/untrusted_app.te
addd3c9fba67b8df998a3aa61113b4a0c5cffdf9 13-Jul-2016 dcashman <dcashman@google.com> Grant untrusted_app dir access to asec_apk_file.

untrusted_app lost all of the domain_deprecated permissions in N,
including the ability to read asec_apk_file dirs. This is used for
forward locked apps.

Addresses the following denials:
avc: denied { search } for name="asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0

Bug: 30082229
Change-Id: I44119f218433b9009cf8d09d0ee5f8a13cc15dd9
/system/sepolicy/untrusted_app.te
f77bc233ad7d3c7d3792d58ae96da1a522aeb73b 16-Apr-2016 TreeHugger Robot <treehugger-gerrit@google.com> Merge "Further restrict socket ioctls available to apps" into nyc-dev
32333536032bf1d133e56fe4156175b76b7a1779 15-Apr-2016 Jeff Vander Stoep <jeffv@google.com> Further restrict socket ioctls available to apps

(cherry picked from commit 6ba383c575985d56752e006d6e65ba7a49abd52e)

Restrict unix_dgram_socket and unix_stream_socket to a whitelist.
Disallow all ioctls for netlink_selinux_socket and netlink_route_socket.

Neverallow third party app use of all ioctls other than
unix_dgram_socket, unix_stream_socket, netlink_selinux_socket,
netlink_route_socket, tcp_socket, udp_socket and rawip_socket.

Bug: 28171804
Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
/system/sepolicy/untrusted_app.te
0e61a7a96d76ea46c65286d64474bb7ba301d1d6 25-Mar-2016 Nick Kralevich <nnk@google.com> neverallow /data/anr access for isolated/untrusted apps

Add a neverallow rule (compile time assertion + CTS test) that
isolated_apps and untrusted_apps can't do anything else but append
to /data/anr/traces.txt. In particular, assert that they can't
read from the file, or overwrite other data which may already be
in the file.

Bug: 18340553
Bug: 27853304

(cherry picked from commit 369cf8cde5f69e6d6b752e250edfba80289b9c83)

Change-Id: Ib33e7ea0342ad28e5a89dfffdd9bc16fe54d8b3d
/system/sepolicy/untrusted_app.te
cf8719e7bad53d6c38b2825b736c27c3f37dbf4e 22-Mar-2016 Daniel Rosenberg <drosen@google.com> Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev
027ec20696a46ee9e5fd0d89a8d98a89ca916a2f 14-Mar-2016 dcashman <dcashman@google.com> Mark batteryproperties service as app_api_service.

Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries. Mark it as an app_api_service so
that all applications may use this API. Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties. As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.

(cherry-picked from commit: 9ed71eff4bed91653cba393ea6cb42f041d4e257)

Bug: 27442760
Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9
/system/sepolicy/untrusted_app.te
85c0f8affa4d3aa3c50331e272327e360eb8bed9 12-Mar-2016 dcashman <dcashman@google.com> Create sysfs_hwrandom type.

HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs. Give these files their own label and
allow the needed read access.

Bug: 27263241
Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b
/system/sepolicy/untrusted_app.te
47fb4b9fc46fe2675b509874da340797fc43a947 02-Mar-2016 Daniel Rosenberg <drosen@google.com> sepolicy: Add policy for sdcardfs and configfs

Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
/system/sepolicy/untrusted_app.te
6e4bcbe6daa3c959fceb86ae97a8a267e6e9212a 07-Mar-2016 Nick Kralevich <nnk@google.com> DO NOT MERGE: untrusted_app: drop /proc auditallow

It's unlikely we'll get /proc locked down for the N release, so
delete the auditallow to avoid spamming the logs. Mark this
commit as DO NOT MERGE so we can continue to make progress on this
for future Android releases.

Change-Id: Ibf27bc5cb1b23c21e123aae8a4f190560d0ac2dc
/system/sepolicy/untrusted_app.te
837bc42f5f52760c511140b5ae146898ea75cba8 23-Feb-2016 Calin Juravle <calin@google.com> Add SElinux policies to allow foreign dex usage tracking.

This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile-guided compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check whether or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e
/system/sepolicy/untrusted_app.te
ba12da95726e08c1c72ff3e6533899a062131d39 29-Feb-2016 Nick Kralevich <nnk@google.com> Allow bluetooth access to the tun device.

Bluetooth uses the tun device for tethering. Allow access.

STEPS TO REPRODUCE:
0. Have two devices to test on, say Device A and Device B
1. On Device A, go to Settings -> Bluetooth.
2. Turn on Bluetooth.
3. Pair it with device B
4. Tap on the paired device

OBSERVED RESULTS:
- Bluetooth share crash is observed with "Bluetooth share has stopped"
error message
- Unable to use Bluetooth tethering due to this issue

EXPECTED RESULTS:
No crash and Bluetooth devices should be able to connect for tethering

Addresses the following denial:

com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0

Bug: 27372573

(cherry picked from commit 9a1347eee668990a8fb357d0d088beb430a61c27)

Change-Id: Ibd16e48c09fe80ebb4f3779214de3b4806c12497
/system/sepolicy/untrusted_app.te
971aeeda2138b27e3f8850f2fd7c95f60508154c 24-Feb-2016 dcashman <dcashman@google.com> Label /proc/meminfo.

Address the following denial:
m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file

Bug: 22032619
Chromium Bug: 586021

Change-Id: I584345c84d870c313da69ec97a0b1e54c0eb9ee1
/system/sepolicy/untrusted_app.te
89625c9a6488d01466e5b21856f8fdede047f128 01-Feb-2016 Calin Juravle <calin@google.com> Update permissions for the dedicated profile folders

Bug: 26719109
Bug: 26563023

Change-Id: Ie0ca764467c874c061752cbbc73e1bacead9b995
/system/sepolicy/untrusted_app.te
0d5bac13e1a98a942689f3b2183ed6f7ff66b976 12-Feb-2016 Jeff Tinker <jtinker@google.com> Add mediadrm service

Part of media security hardening

This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.

bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2
/system/sepolicy/untrusted_app.te
a8a1faae7b36ab6ffd23900ca97f342afaf27702 11-Feb-2016 dcashman <dcashman@google.com> Auditallow untrusted_app procfs access.

Access to proc is being removed but there are still some consumers. Add
an auditallow to identify them and adjust labels appropriately before
removal.

Change-Id: I853b79bf0f22a71ea5c6c48641422c2daf247df5
/system/sepolicy/untrusted_app.te
d21987702eab571efc94540ca33152f0ad645a82 10-Feb-2016 Marco Nelissen <marcone@google.com> Merge "selinux rules for codec process" into nyc-dev
c3ba2e5130d28a0025f798f8b739ee86084fe9da 03-Feb-2016 Marco Nelissen <marcone@google.com> selinux rules for codec process

Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b
/system/sepolicy/untrusted_app.te
db664c9ed37f933753bc29c335b70cee7e707caa 09-Feb-2016 William Roberts <william.c.roberts@intel.com> untrusted_app: confine filesystem creation to sandbox

untrusted_apps could be allowed to create/unlink files in world
accessible /data locations. These applications could create
files in a way that would need cap dac_override to remove from
the system when they are uninstalled and/or leave orphaned
data behind.

Keep untrusted_app file creation to sandbox, sdcard and media
locations.

Signed-off-by: William Roberts <william.c.roberts@intel.com>

(cherry picked from commit bd0768cc93e6c934ccec62e521228fecddb5d61b)

Change-Id: Ideb275f696606882d8a5d8fdedb48545a34de887
/system/sepolicy/untrusted_app.te
b1bf83fd794c5863289edf459c8c05a906dac9f7 28-Jan-2016 Marco Nelissen <marcone@google.com> Revert "selinux rules for codec process"

This reverts commit 2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
/system/sepolicy/untrusted_app.te
e0378303b5ec8a4440fcdea38cca7ebf695dc2b3 04-Dec-2015 Chien-Yu Chen <cychen@google.com> selinux: Update policies for cameraserver

Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb
/system/sepolicy/untrusted_app.te
87a79cf9dd5e677b9ae51a4196dec27d480b9b69 27-Jan-2016 Marco Nelissen <marcone@google.com> Merge "selinux rules for codec process"
e458f9abd4f4d0a4785a5c150bdc6477080be442 27-Jan-2016 dcashman <dcashman@google.com> Restore untrusted_app proc_net access. am: 5833e3f5ca
am: a321dde852

* commit 'a321dde852731f320e24f93347f39278bcf0b58b':
Restore untrusted_app proc_net access.
5833e3f5ca04e88629e3bd76331fa0ab42d568f4 27-Jan-2016 dcashman <dcashman@google.com> Restore untrusted_app proc_net access.

Address the following denial:
type=1400 audit(0.0:853): avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26806629
Change-Id: Ic2ad91aadac00dc04d7e04f7460d5681d81134f4
/system/sepolicy/untrusted_app.te
ee25c98428f449837f12df52eb8bbe09bfeda04e 23-Jan-2016 dcashman <dcashman@google.com> Remove domain_deprecated from untrusted_app. am: cbf7ba18db
am: b768bd4642

* commit 'b768bd4642afb99f5ffaad46833e47c785667e3e':
Remove domain_deprecated from untrusted_app.
0503a405700df69788e65be1af16438113b56138 23-Jan-2016 dcashman <dcashman@google.com> Temporarily allow untrusted_app to read proc files. am: 2193f766bc
am: d7ff314ada

* commit 'd7ff314adabc5646e77b844335408201811412d9':
Temporarily allow untrusted_app to read proc files.
cbf7ba18db3c607834d3f8d0745dae99f3e2a4ec 23-Jan-2016 dcashman <dcashman@google.com> Remove domain_deprecated from untrusted_app.

Bug: 22032619
Change-Id: Iaa192f98df3128da5e11ce1fd3cf9d1a597fedf5
/system/sepolicy/untrusted_app.te
2193f766bc1c7f997906a365238eb80839eb2617 23-Jan-2016 dcashman <dcashman@google.com> Temporarily allow untrusted_app to read proc files.

Address the following denial:
01-22 09:15:53.998 5325 5325 W ChildProcessMai: type=1400 audit(0.0:44): avc: denied { read } for name="meminfo" dev="proc" ino=4026535444 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Change-Id: Id2db5ba09dc9de58e6da7c213d4aa4657c6e655c
/system/sepolicy/untrusted_app.te
2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd 17-Dec-2015 Marco Nelissen <marcone@google.com> selinux rules for codec process

Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44
/system/sepolicy/untrusted_app.te
02863a7ca749a090a427ac663fd3c8f998ec9187 09-Jan-2016 Jeff Vander Stoep <jeffv@google.com> grant appdomain rw perms to tun_device am: 2b935cd78d
am: 43412f6514

* commit '43412f6514a97572622e009e13f76a61c9d5f987':
grant appdomain rw perms to tun_device
2b935cd78dae5db5035808f79b00c71be0e32b43 09-Jan-2016 Jeff Vander Stoep <jeffv@google.com> grant appdomain rw perms to tun_device

Previously granted to only untrusted_app, allow all apps except
isolated_app read write permissions to tun_device.

avc: denied { read write } for path="/dev/tun" dev="tmpfs" ino=8906 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file

Bug: 26462997
Change-Id: Id6f5b09cda26dc6c8651eb76f6791fb95640e4c7
/system/sepolicy/untrusted_app.te
39e29b6f29966961026a113f2e4b29ca443e505e 08-Jan-2016 Johan Redestig <johan.redestig@sonymobile.com> Neverallow isolated and untrusted apps to write system properties am: 0d8e9adf49
am: fc3b0dd350

* commit 'fc3b0dd350598fb8a9219b296f15ec241fbcdbb2':
Neverallow isolated and untrusted apps to write system properties
0d8e9adf49a1db942ad3c556d87d25bde94e0df5 08-Jan-2016 Johan Redestig <johan.redestig@sonymobile.com> Neverallow isolated and untrusted apps to write system properties

and as a consequence open up for other appdomains (e.g. platform_app)
to write system properties.

Change-Id: Ie6ad4d17247165564456e5b0d78f705a82cdcde7
/system/sepolicy/untrusted_app.te
ef0b7b1ae541275f80a188fb91af196261a62051 06-Jan-2016 Jeffrey Vander Stoep <jeffv@google.com> Merge "app: expand socket ioctl restrictions to all apps"
bb1ece494ffb160690e045fb383c93140f471a77 06-Jan-2016 Jeff Vander Stoep <jeffv@google.com> app: expand socket ioctl restrictions to all apps

Exempt bluetooth which has net_admin capability.

Allow Droidguard to access the MAC address - droidguard runs in
priv_app domain.

Change-Id: Ia3cf07f4a96353783b2cfd7fc4506b7034daa2f1
/system/sepolicy/untrusted_app.te
4eb8d39db66973c447fd689f688629026530922f 06-Jan-2016 Jeff Vander Stoep <jeffv@google.com> untrusted_app: remove mtp_device perms am: 956ca4c504
am: e139b40f0c

* commit 'e139b40f0c339654bdfa92f04f11fc6ed326b2fa':
untrusted_app: remove mtp_device perms
956ca4c504889bcb06e8c07ce7580449dc014ef3 06-Jan-2016 Jeff Vander Stoep <jeffv@google.com> untrusted_app: remove mtp_device perms

No longer necessary after android.process.media moved to the
priv_app domain. Verified no new denials via audit2allow rule.

Bug: 25085347
Change-Id: I2d9498d5d92e79ddabd002b4a5c6f918e1eb9bcc
/system/sepolicy/untrusted_app.te
a8d89c31025caa594dae28d528f8a97cfbc3cc79 05-Jan-2016 Jeff Vander Stoep <jeffv@google.com> expand scope of priv_sock_ioctls neverallows

From self to domain

Change-Id: I97aeea67a6b66bc307715a050cf7699e5be9715e
/system/sepolicy/untrusted_app.te
e97bd887ca353ae02dd1641687431786d7d60cd6 05-Jan-2016 Felipe Leme <felipeal@google.com> Creates a new permission for /cache/recovery am: 549ccf77e3
am: b16fc899d7

* commit 'b16fc899d718f91935932fb9b15de0a0b82835c8':
Creates a new permission for /cache/recovery
549ccf77e3fd23bb6c690da7023441c1007c4fd8 22-Dec-2015 Felipe Leme <felipeal@google.com> Creates a new permission for /cache/recovery

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
/system/sepolicy/untrusted_app.te
06d10f6062d10ff5471676406353e6b9fe0c26e2 18-Dec-2015 Nick Kralevich <nnk@google.com> neverallow debugfs access am: 96b1c9ca6f
am: 0abe8cdbe0

* commit '0abe8cdbe0343edf547dfa4e71b6f09b4afa6f2a':
neverallow debugfs access
96b1c9ca6f72f3adfa7f6051568efeb450c3756c 18-Dec-2015 Nick Kralevich <nnk@google.com> neverallow debugfs access

Don't allow access to the generic debugfs label. Instead, force
relabeling to a more specific type. system_server and dumpstate
are excluded from this until I have time to fix them.

Tighten up the neverallow rules for untrusted_app. It should never
be reading any file on /sys/kernel/debug, regardless of the label.

Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa
/system/sepolicy/untrusted_app.te
e02e6c03a59d1f60f07affa8540b74aca077a6c8 11-Dec-2015 Andy Hung <hunga@google.com> Merge "Add rules for running audio services in audioserver"
3a0ce49b8623299ac7458306b30bda6adda12383 07-Dec-2015 Jeff Vander Stoep <jeffv@google.com> Migrate to upstream policy version 30

Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
/system/sepolicy/untrusted_app.te
4f9107df8f691164c56f86fa1d352c63b28bd02b 08-Dec-2015 Jeffrey Vander Stoep <jeffv@google.com> Revert "Migrate to upstream policy version 30"

This reverts commit 2ea23a6e1ade883ba81f58b364109c4da94ba584.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
/system/sepolicy/untrusted_app.te
5ca5696e8b656466a9d46b13d7ab18a13d8c1bba 08-Dec-2015 Jeffrey Vander Stoep <jeffv@google.com> Revert "Migrate to upstream policy version 30"

This reverts commit 2ea23a6e1ade883ba81f58b364109c4da94ba584.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
/system/sepolicy/untrusted_app.te
e0bc1627c44668c763d0562c12eceebd1aa37da9 08-Dec-2015 Jeffrey Vander Stoep <jeffv@google.com> Merge "Migrate to upstream policy version 30" am: 9a3d490edd am: 862e4ab15f
am: af56999ec2

* commit 'af56999ec2eef1b21b50b10c0292367b55ff15c2':
Migrate to upstream policy version 30
862e4ab15ff6b2a47d30ad6a5782f3687035f7a6 08-Dec-2015 Jeffrey Vander Stoep <jeffv@google.com> Merge "Migrate to upstream policy version 30"
am: 9a3d490edd

* commit '9a3d490edd843e544084c487422aa54f39080876':
Migrate to upstream policy version 30
2ea23a6e1ade883ba81f58b364109c4da94ba584 07-Dec-2015 Jeff Vander Stoep <jeffv@google.com> Migrate to upstream policy version 30

Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
/system/sepolicy/untrusted_app.te
b03831fe58be86cfd94c31b91def6ae53ebd614f 09-Sep-2015 Marco Nelissen <marcone@google.com> Add rules for running audio services in audioserver

audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d
/system/sepolicy/untrusted_app.te
e759543568599e5419767cdeff5278454079c002 04-Dec-2015 Jeffrey Vander Stoep <jeffv@google.com> Merge "Further restrict access to tun_device" am: 98c3f9971f am: cd47828c12
am: 1484b0c369

* commit '1484b0c3690ec23729a160e5f3a1468a4816ab4d':
Further restrict access to tun_device
cd47828c128230c589327570fb15a617f14eb943 04-Dec-2015 Jeffrey Vander Stoep <jeffv@google.com> Merge "Further restrict access to tun_device"
am: 98c3f9971f

* commit '98c3f9971f4b551fd5578c63f77fa9111bed94ad':
Further restrict access to tun_device
e555f4b971c6bb34633dd2edbe3dd950a052ec41 04-Dec-2015 Jeff Vander Stoep <jeffv@google.com> Further restrict access to tun_device

Remove bluetooth's access to tun_device. Auditallow rule demonstrates
that it's not used.

Strengthen the neverallow on opening tun_device to include all Apps.

Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
/system/sepolicy/untrusted_app.te
d20a46ef175079d210da8320d8c8ce32cbe8207f 04-Nov-2015 Jeff Vander Stoep <jeffv@google.com> Create attribute for moving perms out of domain am: d22987b4da am: e2280fbcdd
am: b476b95488

* commit 'b476b954882a48bf2c27da0227209c197dcfb666':
Create attribute for moving perms out of domain
e2280fbcdd5553c61870420d1ffd46b72e6412d0 04-Nov-2015 Jeff Vander Stoep <jeffv@google.com> Create attribute for moving perms out of domain
am: d22987b4da

* commit 'd22987b4daf02a8dae5bb10119d9ec5ec9f637cf':
Create attribute for moving perms out of domain
d22987b4daf02a8dae5bb10119d9ec5ec9f637cf 03-Nov-2015 Jeff Vander Stoep <jeffv@google.com> Create attribute for moving perms out of domain

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
/system/sepolicy/untrusted_app.te
0f754edf7b72582ed28d062a9c8f1b911d57a6f3 22-Sep-2015 Marco Nelissen <marcone@google.com> Update selinux policies for mediaextractor process

Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd
/system/sepolicy/untrusted_app.te
ad32785689beec1939f215e1947bac0ee12b099d 23-Oct-2015 Jeff Vander Stoep <jeffv@google.com> audit untrusted_app access to mtp_device am: 7b8f9f153e
am: 775dda1fb3

* commit '775dda1fb3641e3ea2be4124a9a77cb236648d6f':
audit untrusted_app access to mtp_device
4b1c3de99ae22ce98da97266bc1903f71e285571 23-Oct-2015 Jeff Vander Stoep <jeffv@google.com> Temporarily downgrade to policy version number am: 0fc831c3b0
am: 312c2511f7

* commit '312c2511f7dfbebf110f1372db55d811bc1ad29f':
Temporarily downgrade to policy version number
775dda1fb3641e3ea2be4124a9a77cb236648d6f 23-Oct-2015 Jeff Vander Stoep <jeffv@google.com> audit untrusted_app access to mtp_device
am: 7b8f9f153e

* commit '7b8f9f153edf7c8bbefe3d472c86419d8048e5dd':
audit untrusted_app access to mtp_device
312c2511f7dfbebf110f1372db55d811bc1ad29f 23-Oct-2015 Jeff Vander Stoep <jeffv@google.com> Temporarily downgrade to policy version number
am: 0fc831c3b0

* commit '0fc831c3b0b8d9a4e10d0931131a0eed06cd4275':
Temporarily downgrade to policy version number
7b8f9f153edf7c8bbefe3d472c86419d8048e5dd 20-Oct-2015 Jeff Vander Stoep <jeffv@google.com> audit untrusted_app access to mtp_device

android.process.media moved to priv_app. Add audit rule to test if
untrusted_app still requires access or if some/all permissions may
be removed.

Bug: 25085347
Change-Id: I13bae9c09bd1627b2c06ae84b069778984f9bd5d
/system/sepolicy/untrusted_app.te
0fc831c3b0b8d9a4e10d0931131a0eed06cd4275 29-Jul-2015 Jeff Vander Stoep <jeffv@google.com> Temporarily downgrade to policy version number

Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

(cherry picked from commit 89765083f7da758ff5a5910027ea48ce065fe2fd)

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
/system/sepolicy/untrusted_app.te
2736e7d6f97fb39ac33a4ef620ab4fdadcec17ed 19-Oct-2015 Nick Kralevich <nnk@google.com> am 40367ad8: Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev am: 6ab438dc8b

* commit '40367ad87e084f78e310b33963aa3da4309442e8':
untrusted_apps: Allow untrusted apps to find healthd_service.
6ab438dc8b4c8b661c8209ecfb66b626b8bdc532 19-Oct-2015 Nick Kralevich <nnk@google.com> Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev
ac8b5750b08edf4d476b490dcbeef3159b7b7ea1 19-Oct-2015 Ruchi Kandoi <kandoiruchi@google.com> untrusted_apps: Allow untrusted apps to find healthd_service.

This allows apps to find the healthd service which is used to query
battery properties.

Bug: 24759218
Change-Id: I72ce5a28b2ffd57aa424faeb2d039b6c92f9597d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
/system/sepolicy/untrusted_app.te
5f34265c5af472042c338780a39145661cca0e09 19-Oct-2015 Jeff Vander Stoep <jeffv@google.com> am a910a287: Remove untrusted_app access to tmp apk files

* commit 'a910a287d81bf5e9885af9e5be60ed444964a86a':
Remove untrusted_app access to tmp apk files
e9aaae4ffbe6f549aa724891affb176b2f7b465e 19-Oct-2015 Jeff Vander Stoep <jeffv@google.com> resolved conflicts for f1203bf0 to stage-aosp-master

Change-Id: I7f17a87595a05967879ccc33326eb80d7bd00251
a910a287d81bf5e9885af9e5be60ed444964a86a 19-Oct-2015 Jeff Vander Stoep <jeffv@google.com> Remove untrusted_app access to tmp apk files

Verifier has moved to the priv_app domain. Neverallow app domain
access to tmp apk files with exceptions for platform and priv app
domains.

Change-Id: I68a2fa39ebc7dc0bfa278fe7d092655f21a5225d
/system/sepolicy/untrusted_app.te
68748c2166847469a06347e6d22e20d8e35107d8 16-Oct-2015 Jeff Vander Stoep <jeffv@google.com> Remove untrusted_app access to cache

neverallow access to untrusted_app and isolated app

Access to cache is a system|signature permission. Only
priv/system/platform apps should be allowed access.

Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d
/system/sepolicy/untrusted_app.te
b3af06305c84790c729eac1415f62e7a0d14cbc8 14-Oct-2015 Jeffrey Vander Stoep <jeffv@google.com> am d62fac7d: Merge "Remove permissions for untrusted_app"

* commit 'd62fac7d0989f242204bc24622f392dbe110fd7e':
Remove permissions for untrusted_app
0d186fcf89729015d8015c54f20b36b85e353ff8 05-Oct-2015 Jeff Vander Stoep <jeffv@google.com> Remove permissions for untrusted_app

Privileged apps now run in the priv_app domain. Remove permissions
from untrusted_app that were originally added for GMS core, Finsky, and
Play store.

Bug: 22033466
Change-Id: Ibdce72ad629bfab47de92ac19542e8902e02c8be
/system/sepolicy/untrusted_app.te
f57e2fd77c49594286dd2ba04f477b18cf504e14 14-Oct-2015 Nick Kralevich <nnk@google.com> am de11f501: Remove ptrace from app.te

* commit 'de11f5017c53aabba212425406962d21148fd2f6':
Remove ptrace from app.te
de11f5017c53aabba212425406962d21148fd2f6 14-Oct-2015 Nick Kralevich <nnk@google.com> Remove ptrace from app.te

Remove ptrace from app.te, and only add it to the app domains
which explicitly require it.

Change-Id: I327aabd154ae07ce90e3529dee2b324ca125dd16
/system/sepolicy/untrusted_app.te
694e2bfbafdd5ef40db0dedfb573f117a402e3a2 07-Oct-2015 Jeff Vander Stoep <jeffv@google.com> am de53051a: Do not allow untrusted_app to open tun_device

* commit 'de53051a8282ec59fdd21667850997bc4096f8d2':
Do not allow untrusted_app to open tun_device
de53051a8282ec59fdd21667850997bc4096f8d2 06-Oct-2015 Jeff Vander Stoep <jeffv@google.com> Do not allow untrusted_app to open tun_device

Third party vpn apps must receive open tun fd from the framework
for device traffic.

neverallow untrusted_app open perm and auditallow bluetooth
access to see if the neverallow rule can be expanded to include
all of appdomain.

Bug: 24677682
Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78
/system/sepolicy/untrusted_app.te
cdce1f04b60c8a8e26c87b75981784e6d8b8b507 12-Sep-2015 dcashman <dcashman@google.com> am 887fd5d1: am 0b764ae9: Allow untrusted_app to list services.

* commit '887fd5d1d148a84991998c0f7654d108072d6084':
Allow untrusted_app to list services.
0b764ae98a7fe452690616b7d722a63bb7cd5fa8 09-Sep-2015 dcashman <dcashman@google.com> Allow untrusted_app to list services.

CTS relies on the ability to see all services on the system to make sure
the dump permission is properly enforced on all services. Allow this.

Bug: 23476772
Change-Id: I144b825c3a637962aaca59565c9f567953a866e8
/system/sepolicy/untrusted_app.te
cd68c3a84eaa019434d0adebef0bc46b585e9d02 29-Jul-2015 Jeffrey Vander Stoep <jeffv@google.com> am 6f7de297: Merge "Do not allow apps to access network address file"

* commit '6f7de297b3e67942cdc525b6f626a811ddf5132e':
Do not allow apps to access network address file
278658c2d8a80cf15ca016affbecf17297a234d6 29-Jul-2015 Jeffrey Vander Stoep <jeffv@google.com> am 6f7de297: Merge "Do not allow apps to access network address file"

* commit '6f7de297b3e67942cdc525b6f626a811ddf5132e':
Do not allow apps to access network address file
e45cad770c6ffcc46ca834320d7892d744d0693b 24-Jul-2015 Jeff Vander Stoep <jeffv@google.com> Do not allow apps to access network address file

Bug: 18068520
Bug: 21852542
Change-Id: I876b37ac31dd44201ea1c1400a7c2c16c6a10049
/system/sepolicy/untrusted_app.te
de9b5301a14abf388589b06e819bb001d69e0cf1 06-Jun-2015 Jeff Vander Stoep <jeffv@google.com> restrict app access to socket ioctls

Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls

Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
/system/sepolicy/untrusted_app.te
6e1f405c8b8b5d91a350ff14d1100930d7bff844 19-May-2015 Jeff Sharkey <jsharkey@android.com> Allow MediaProvider to traverse /mnt/media_rw.

As an optimization, platform components like MediaProvider may choose
to shortcut past the FUSE daemon and return open file descriptors
directly pointing at the underlying storage device.

Now that we have a specific label for /mnt/media_rw, we need to grant
search access to untrusted apps like MediaProvider. The actual
access control is still managed by POSIX permissions on that
directory.

avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0

Bug: 21017105
Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
/system/sepolicy/untrusted_app.te
929c85870a7aba08963ad0c592bd66f4aea9bedc 16-May-2015 Jeff Vander Stoep <jeffv@google.com> Merge "Allow tty and wireless extensions ioctls" into mnc-dev
a0fbeb97c0476891e177fb04953367aae90fc8a9 16-May-2015 Jeff Vander Stoep <jeffv@google.com> Allow tty and wireless extensions ioctls

Allow tty ioctls TIOCOUTQ 0x5411 and FIOCLEX 0x5451.

Allow/audit all wireless extension ioctls.

Bug: 21120188
Change-Id: Icd447ee40351c615c236f041931d210751e0f0c3
/system/sepolicy/untrusted_app.te
f6d12c6979128843a0bddee8de8f61f8ed1b646f 14-May-2015 Nick Kralevich <nnk@google.com> dontaudit untrusted_app exec_type:file getattr

Programs routinely scan through /system, looking at the files there.
Don't generate an SELinux denial when it happens.

Bug: 21120228
Change-Id: I85367406e7ffbb3e24ddab6f97448704df990603
/system/sepolicy/untrusted_app.te
34a468fad2c0b624b0cf383671384d0452dd83e6 06-May-2015 Dehao Chen <dehao@google.com> Update sepolicy to add label for /data/misc/perfprofd.

Bug: 19483574
(cherry picked from commit 7d66f783c2ddea4dd5f9fcd91b2589ab74e30f8a)

Change-Id: If617e29b6fd36c88c157941bc9e11cf41329da48
/system/sepolicy/untrusted_app.te
7d66f783c2ddea4dd5f9fcd91b2589ab74e30f8a 06-May-2015 Dehao Chen <dehao@google.com> Update sepolicy to add label for /data/misc/perfprofd.

Bug: 19483574
Change-Id: I7e4c0cf748d2b216dcb3aede3803883552b58b64
/system/sepolicy/untrusted_app.te
86f30cb16a8aa2ea337b1c36071bfa833f798c96 06-May-2015 Jeff Vander Stoep <jeffv@google.com> Deny untrusted app ioctl access to MAC addr

MAC address access is no longer allowed via the java API. Deny access
from native code.

Bug: 17787238
Change-Id: Ia337317d5927349b243bbbd5c2cf393911771cdf
/system/sepolicy/untrusted_app.te
ab5cf6687397bf2b80ecc11cba92876cef7417c9 29-Apr-2015 Alex Klyubin <klyubin@google.com> Expand access to gatekeeperd.

This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.

(cherry picked from commit effcac7d7eddded5fa31d294dfe3fd1757de51c7)

Bug: 20526234
Change-Id: I450242cd085259b3f82f36f359ee65ff27bebd13
/system/sepolicy/untrusted_app.te
effcac7d7eddded5fa31d294dfe3fd1757de51c7 29-Apr-2015 Alex Klyubin <klyubin@google.com> Expand access to gatekeeperd.

This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.

Bug: 20526234
Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747
/system/sepolicy/untrusted_app.te
367757d2ef0ee5c8edc47ce8203a0d3369774e9c 18-Apr-2015 Nick Kralevich <nnk@google.com> gatekeeperd: use more specific label for /data file

Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
/system/sepolicy/untrusted_app.te
bd7f5803f924b0ca318c1d426b683c3f658754f9 09-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
/system/sepolicy/untrusted_app.te
03a6f64f9568e2c58eb043463a5b4ff1cf10bef6 08-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
/system/sepolicy/untrusted_app.te
91b7c67d1647b2a88b1547cc57b69fc685bbac18 08-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats

Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
/system/sepolicy/untrusted_app.te
3cc6fc5ffbd6e3d647f8c425e5298912d3733e45 07-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
/system/sepolicy/untrusted_app.te
d4c78f4b3fed1ca77aa9f13e757644aca3ed2b21 07-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle

Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
/system/sepolicy/untrusted_app.te
4cdea7fc40ea29c8cf4134a71b67808d143ec9dc 04-Apr-2015 dcashman <dcashman@google.com> Assign app_api_service attribute to services.

Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
/system/sepolicy/untrusted_app.te
b075338d0e335eb2dbd786ae4f8e033e78eeca37 03-Apr-2015 dcashman <dcashman@google.com> Assign app_api_service attribute to services.

Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
/system/sepolicy/untrusted_app.te
d12993f0846744ae8188a299cb1bb135014f626a 03-Apr-2015 dcashman <dcashman@google.com> Add system_api_service and app_api_service attributes.

System services differ in designed access level. Add attributes reflecting this
distinction and label services appropriately. Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute. Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
/system/sepolicy/untrusted_app.te
8af4e9cb0032244b0a356eb236ea97379956fa52 01-Apr-2015 dcashman <dcashman@google.com> Record observed service accesses.

Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
/system/sepolicy/untrusted_app.te
e8064afb5e8adc96d1becc7b31a8a92f77e284d9 23-Mar-2015 John Reck <jreck@google.com> Add graphicsstats service

Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df
/system/sepolicy/untrusted_app.te
85ce2c706e95f96c95b3af418b7bda0bfe9918f4 27-Mar-2015 Nick Kralevich <nnk@google.com> Don't grant hard link capabilities by default.

Modify create_file_perms and create_dir_perms so they don't have
the "link" permission. This permission controls whether hard links
are allowed or not on the given file label. Hard links are a common
source of security bugs, and aren't something we want to support by
default.

Get rid of link_file_perms and move the necessary permissions into
create_file_perms and create_dir_perms. Nobody is using this macro,
so it's pointless to keep it around.

Get rid of unlink on directories. It returns EISDIR if you attempt to
do it, independent of SELinux permissions.

SELinux domains which have a need for hard linking for a particular
file type can add it back to their permission set on an as-needed basis.

Add a compile time assertion (neverallow rule) for untrusted_app.
It's particularly dangerous for untrusted_app to ever have hard
link capabilities, and the neverallow rule will prevent regressions.

Bug: 19953790
Change-Id: I5e9493d2bf5da460d074f0bc5ad8ba7c14dec6e0
/system/sepolicy/untrusted_app.te
eaece936f297e1c77939c0ff0ad4d741de6990b4 13-Mar-2015 Stephen Smalley <sds@tycho.nsa.gov> neverallow untrusted_app as a mlstrustedsubject.

Assigning mlstrustedsubject to untrusted_app would undermine
the per-user isolation model being enforced via levelFrom=user
in seapp_contexts and the mls constraints. There is no direct
way to specify a neverallow on attribute assignment, but this
makes use of a particular property of the fork permission to
prevent ever adding mlstrustedsubject to untrusted_app.

A similar restriction for app_data_file and mlstrustedobject
is also important for the same reason, but cannot be expressed
as a neverallow.

Change-Id: I5170cadc55cc614aef0cd5f6491de8f69a4fa2a0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
b8caf7fdd4dcf531900a2f8ab4e762e58eb0e0f9 13-Mar-2015 Stephen Smalley <sds@tycho.nsa.gov> Move allow rules before neverallow rules.

There were a few instances where allow rules were appended
after the neverallow rules stanza in the .te file. Also
there were some regular allow rules inserted into the CTS-specific
rules section of app.te. Just move the rules as appropriate.
Should be no change in policy.

Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
bb3cef4488b86ea815bc9b35c528f62e47377f5d 06-Mar-2015 dcashman <dcashman@google.com> Record observed bluetooth service access.

Bug: 18106000
Change-Id: I80b574f73d53439dd710ccdb8f05cc2f9e9a10b4
/system/sepolicy/untrusted_app.te
1aafc4c7d34b30870ab985a8c33f9c87e16fd73c 04-Dec-2014 Nick Kralevich <nnk@google.com> allow untrusted_app read /data/anr/traces.txt

The GMS core feedback agent runs as untrusted_app, and needs
the ability to read /data/anr/traces.txt to report ANR information.

Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core
can access it.

Longer term, we need to move GMS core into its own domain, but that's
a longer term change.

Addresses the following denial:

W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

(cherrypick from commit e2547c3bffbbd03d6512de145a7f563d83d6fb9e)

Bug: 18504118
Bug: 18340553
Change-Id: I8b472b6ab7dfe2a73154033e0a088b8e26396fa8
/system/sepolicy/untrusted_app.te
8be3e77986e573751cb74634f58c4fbacb0bcd11 06-Mar-2015 Nick Kralevich <nnk@google.com> move untrusted_app statement to the correct file.

Change-Id: I5ae9606023ef7f3489f44e6657766e922160c470
/system/sepolicy/untrusted_app.te
23f336156daf61ba07c024af2fe96994605f46eb 03-Mar-2015 dcashman <dcashman@google.com> Record observed system_server servicemanager service requests.

Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
/system/sepolicy/untrusted_app.te
6a2451b580487a07a7e9919efa3ea5289f3ed696 02-Mar-2015 dcashman <dcashman@google.com> Allow platform_app access to keystore.

Encountered when certinstaller tries to talk to keystore:
ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference

Address the following denial:
avc: denied { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager

Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d
/system/sepolicy/untrusted_app.te
d31936f89c49bc5c54b84bd5095f3c417da14935 29-Jan-2015 Nick Kralevich <nnk@google.com> appdomain: relax netlink_socket neverallow rule

Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.

Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.

This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.

Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.

Change-Id: I40de0ae28134ce71e808e5ef4a39779b71897571
/system/sepolicy/untrusted_app.te
566e8fe2580ce7d6a8ef76ffce6b457b4e71dd63 17-Jan-2015 dcashman <dcashman@google.com> Record service accesses.

Reduce logspam and record further observed service connections.

Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
/system/sepolicy/untrusted_app.te
c631ede7dc7cb131b1bdd03ce296eeac53dc9add 16-Jan-2015 dcashman <dcashman@google.com> Remove known system_server service accesses from auditing.

Address observed audit logs of the form:
granted { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager

in order to record existing relationships with services.

Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
/system/sepolicy/untrusted_app.te
4a89cdfa89448c8660308a31bfcb517fffaa239e 17-Dec-2014 dcashman <dcashman@google.com> Make system_server_service an attribute.

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
/system/sepolicy/untrusted_app.te
cd82557d4069c20bda8e18aa7f72fc0521a3ae32 12-Dec-2014 dcashman <dcashman@google.com> Restrict service_manager find and list access.

All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
/system/sepolicy/untrusted_app.te
c06ed8f7b26af01132db6d09ebf69807d09aa8bf 11-Dec-2014 Pawit Pornkitprasan <p.pawit@gmail.com> sepolicy: allow system apps to access ASEC

Required for Settings to show name/icon of apps on sd card
(permission copied from untrusted_app)

Also removed duplicate permission (from domain) in untrusted_app

Change-Id: Ib2b3bee4dfb54ad5e45b392fd9bfd65add4a00bf
/system/sepolicy/untrusted_app.te
8c6dba90a570608a600184741a4a59bf4db1230d 15-Oct-2014 Nick Kralevich <nnk@google.com> fix whitespace

Change-Id: I2911d2b5d1931c6f6245cc54465458a8a3c2b2bb
/system/sepolicy/untrusted_app.te
642b80427ec2e95eb13cf03a74d814f240813e71 22-Sep-2014 Nick Kralevich <nnk@google.com> relax neverallow rules on NETLINK_KOBJECT_UEVENT sockets

Netlink uevent sockets are used by the kernel to inform userspace
when certain events occur, for example, when new hardware is added
or removed. This allows userspace to take some action based on those
messages.

Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets.
Certain device specific app domains, such as system_app, may have a
need to receive messages from this socket type.

Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app.
These sockets have been the source of rooting attacks in Android
in the past, and it doesn't make sense to expose this to untrusted_apps.

No new SELinux rules are introduced by this change. This is an
adjustment of compile time assertions only.

Bug: 17525863
Change-Id: I3e538dc8096dc23b9678bcd20e3c1e742c21c967
/system/sepolicy/untrusted_app.te
fbbe9e9117bd55c46ee971577f2fdd64993eb64a 07-Aug-2014 dcashman <dcashman@google.com> Allow untrusted_app access to temporary apk files.

Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow. This verifier runs as
a priv-app, which is in the untrusted_app domain. Allow untrusted_app
read-access to these files.

Bug: 16515815

Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e
/system/sepolicy/untrusted_app.te
603bc2050959dd353154bf33fa0c2b0612da9c6e 18-Jul-2014 Riley Spahn <rileyspahn@google.com> Further refined service_manager auditallow statements.

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
/system/sepolicy/untrusted_app.te
af8d7ca9e9ddf2601f0d8c0399dcf343db11657d 16-Jul-2014 Riley Spahn <rileyspahn@google.com> Remove radio_service from untrusted_app auditallow.

Change untrusted_app to not auditallow radio_service find requests
to cut down on log spam.

Change-Id: I65d4a60ea1c7e81425937d5f1908e764fdec417f
/system/sepolicy/untrusted_app.te
b8511e0d98880a683c276589ab7d8d7666b7f8c1 07-Jul-2014 Riley Spahn <rileyspahn@google.com> Add access control for each service_manager action.

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
/system/sepolicy/untrusted_app.te
f58356661632d4c08870122f2cf944ea4edfe810 10-Jul-2014 Nick Kralevich <nnk@google.com> Don't use don't

Single quotes sometimes mess up m4 parsing

Change-Id: Ic53cf0f9b45b2173cbea5c96048750f6a582a535
/system/sepolicy/untrusted_app.te
99d86c7a77d402a106a1b3fe57af06dbb231c750 10-Jul-2014 Nick Kralevich <nnk@google.com> ensure that untrusted_app can't set properties

Bug: 10243159
Change-Id: I9409fe8898c446a33515f1bee2990f36a2e11535
/system/sepolicy/untrusted_app.te
76206abc9f5140e85da2d4e4845eca2c4f3a6ad5 07-Jul-2014 Riley Spahn <rileyspahn@google.com> Add neverallow rules further restricting service_manager.

Add a neverallow rule that prevents domain from adding a
default_android_service. Add a neverallow rule that prevents
untrusted_app from ever adding a service through
servicemanager.

Change-Id: I963671fb1224147bb49ec8f0b6be0dcc91c23156
/system/sepolicy/untrusted_app.te
78706f9ef6d917fe2ec85ecb6b0f47fbc5efde57 02-Jun-2014 Nick Kralevich <nnk@google.com> add execmod to various app domains

NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.

Addresses the following error / denial:

06-02 13:28:59.495 3634 3634 W linker : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
<4>[ 57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app

Expected:
App runs

Actual:
App crashes with error above.

Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
/system/sepolicy/untrusted_app.te
4bdd13e4c3632587c72b487a16d6c71a7a30714f 13-May-2014 Nick Kralevich <nnk@google.com> untrusted_app: neverallow debugfs

Too many leaky files in that directory. It's a security best practice
to not mount this filesystem; however, we need it mounted for
tracing support. Even though it's mounted, make sure the files aren't
readable.

Bug: 11635985
Change-Id: I6f116c0a03a567a8107a8e07135ce025e51458dd
/system/sepolicy/untrusted_app.te
3a4eb96b2a462dd68636c749cec47723fd8dc51f 01-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Make the untrusted_app domain enforcing.

Change-Id: I4811da972f7e23ef86e04d05400169422fbaca35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
9ba844fea12a0b08770e870d63f3d3c375c7c9b5 04-Apr-2014 Stephen Smalley <sds@tycho.nsa.gov> Coalesce shared_app, media_app, release_app into untrusted_app.

This change folds the shared_app, media_app, and release_app
domains into untrusted_app, reducing the set of app domains down
to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
nfc, radio), a single domain for apps signed by the platform key
(platform_app), and a single domain for all other apps (untrusted_app).
Thus, SELinux only distinguishes when already distinguished by a predefined
Android ID (AID) or by the platform certificate (which get the signature-only
Android permissions and thus may require special OS-level accesses).

It is still possible to introduce specific app domains for specific
apps by adding signer and package stanzas to mac_permissions.xml,
but this can be done on an as-needed basis for specialized apps that
require particular OS-level permissions outside the usual set.

As there is now only a single platform app domain, get rid of the
platformappdomain attribute and platform_app_domain() macro. We used
to add mlstrustedsubject to those domains but drop this since we are not
using MLS in AOSP presently; we can revisit which domains need it if/when
we use MLS.

Since we are dropping the shared, media, and release seinfo entries from
seapp_contexts, drop them from mac_permissions.xml as well. However,
we leave the keys.conf entries in case someone wants to add a signer
entry in the future for specific apps signed by those keys to
mac_permissions.xml.

Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
b0db712bf048dc634363b658a647b1f1897d8433 06-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Clean up, unify, and deduplicate app domain rules.

Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
1eb94035cd6f1671ea74141f57b430f64eaf42e0 24-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Remove redundant socket rules.

These same permissions are already allowed via net_domain() and
the rules in net.te.

Change-Id: I4681fb9993258b4ad668333ad7d7102e983b5c2b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
d823f83e5466b53521b098c0865b89c7f12025fa 21-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Clarify meaning of untrusted_app and app domain assignment logic.

The current inline documentation is not entirely accurate and caused
user confusion, e.g. see:
https://groups.google.com/d/msg/android-security-discuss/javBrPT8ius/C4EVEFUu4ZoJ

Try to clarify the meaning of untrusted_app, how app domains are
assigned, and how to move other system apps out of untrusted_app into
a different domain.

Change-Id: I98d344dd078fe9e2738b68636adaabda1f4b3c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
48b18832c476f0bd8fcb8ee3e308258392f36aaf 04-Feb-2014 Robert Craig <rpcraig@tycho.ncsc.mil> Introduce asec_public_file type.

This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/untrusted_app.te
623975fa5aece708032aaf29689d73e1f3a615e7 11-Jan-2014 Nick Kralevich <nnk@google.com> Support forcing permissive domains to unconfined.

Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
/system/sepolicy/untrusted_app.te
65317124a0bb7db4829f78e74c7bfe18e27f1c43 11-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Allow untrusted apps to execute binaries from their sandbox directories.

Various third party apps come with their own binaries that they write out to
their sandbox directories and then execute, e.g.:
audit(1386527439.462:190): avc: denied { execute_no_trans } for pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file

While this is not ideal from a security POV, it seems necessary to support for
compatibility with Android today.

Split out the execute-related permissions to a separate allow rule as it
only makes sense for regular files (class file) not other kinds of files
(e.g. fifos, sockets, symlinks), and use the rx_file_perms macro.

Move the rule to untrusted_app only so that we do not permit system apps
to execute files written by untrusted apps.

Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
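The denial records quoted in several of the commit messages above (the traces.txt read, the execmod on libCore.so, the Binder unix_stream_socket denials, the busybox execute_no_trans) share one audit format, and the hard-link, debugfs, netlink and property commits state what untrusted_app must never be granted in response to such a denial. The Python below is an added illustration, not AOSP sepolicy code: it parses those records into fields, derives the audit2allow-style rule a denial would suggest, and checks that rule against a table summarising the neverallow intent of those messages. The denial lines are copied from this page; the `link` denial and the neverallow table are constructed simplifications, and the field names (`stype`, `ttype`) are this example's own.

```python
"""Parse SELinux AVC records and check the would-be fix against neverallow intent.

Added illustration, not code from the AOSP sepolicy project.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs after "for": values are either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_ENCODED_KEYS = {'comm', 'path', 'name'}  # the kernel hex-encodes these when unquoted


@dataclass
class AvcRecord:
    verdict: str               # "denied" or "granted"
    perms: Tuple[str, ...]     # permissions listed inside { }
    fields: Dict[str, str]     # pid, comm, path, name, dev, ino, scontext, tcontext, ...
    stype: str                 # source domain, e.g. untrusted_app
    ttype: str                 # target type, e.g. app_data_file
    tclass: str                # object class, e.g. file


def context_type(ctx: str) -> str:
    """user:role:type[:level] -> type; categories such as s0:c39,c256 stay in the level."""
    parts = ctx.split(':', 3)
    return parts[2] if len(parts) >= 3 else ''


def decode_hex(raw: str) -> str:
    """Unquoted comm/path/name are hex when they contain spaces or non-printables,
    e.g. comm=4173796E635461736B202334 is 'AsyncTask #4'."""
    if len(raw) % 2 or not re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return raw
    try:
        return bytes.fromhex(raw).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return raw


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one logcat/dmesg line carrying an avc record; None if it carries none."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(m.group('rest')):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key in HEX_ENCODED_KEYS:
            fields[key] = decode_hex(raw)
        else:
            fields[key] = raw
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return AvcRecord(m.group('verdict'), tuple(m.group('perms').split()), fields,
                     context_type(fields['scontext']), context_type(fields['tcontext']),
                     fields['tclass'])


def suggest_rule(rec: AvcRecord) -> str:
    """The audit2allow-style rule that would silence this record (a review aid only)."""
    return f"allow {rec.stype} {rec.ttype}:{rec.tclass} {{ {' '.join(rec.perms)} }};"


# Constructed summary of what the commit messages say untrusted_app must never get:
# (target type or None for any, object class, permission or None for any).
UNTRUSTED_APP_NEVERALLOW = [
    (None, 'file', 'link'),                        # no hard links (Bug 19953790)
    ('debugfs', 'file', None),                     # debugfs files unreadable (Bug 11635985)
    (None, 'netlink_kobject_uevent_socket', None), # uevent sockets (Bug 17525863)
    (None, 'netlink_socket', None),                # generic netlink sockets
    (None, 'service_manager', 'add'),              # never register a service
    (None, 'property_service', 'set'),             # never set properties (Bug 10243159)
]


def blocked_by_neverallow(rec: AvcRecord) -> List[str]:
    """Neverallow entries the suggested rule would collide with; empty if none."""
    if rec.stype != 'untrusted_app':
        return []
    return [f"{ttype or '*'}:{tclass} {perm or '*'}"
            for ttype, tclass, perm in UNTRUSTED_APP_NEVERALLOW
            if tclass == rec.tclass and ttype in (None, rec.ttype)
            and (perm is None or perm in rec.perms)]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """For each denial: the rule audit2allow would propose and why policy may refuse it."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.verdict != 'denied':
            continue
        out.append({'comm': rec.fields.get('comm', ''), 'rule': suggest_rule(rec),
                    'blocked': blocked_by_neverallow(rec)})
    return out


# Records quoted in the commit messages on this page (logcat / dmesg prefixes kept).
PAGE_DENIALS = [
    'W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file',
    '<4>[ 57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file',
    'avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket',
    'audit(1386527439.462:190): avc: denied { execute_no_trans } for pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file',
    'avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager',
]
# Constructed (not from the page): the kind of denial the hard-link neverallow exists to refuse.
CONSTRUCTED_LINK_DENIAL = ('avc: denied { link } for pid=4242 comm="example" name="f" dev="mmcblk0p28" ino=1 '
                           'scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file')

if __name__ == '__main__':
    for entry in triage(PAGE_DENIALS + [CONSTRUCTED_LINK_DENIAL]):
        verdict = 'REFUSE (neverallow)' if entry['blocked'] else 'review'
        print(f"{verdict:20} {entry['rule']}   # comm={entry['comm']!r}")
```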
2dc4acf33b78284f514fe9a6c5102cc783c4309f 27-Sep-2013 Stephen Smalley <sds@tycho.nsa.gov> Isolate untrusted app ptys from other domains.

Add a create_pty() macro that allows a domain to
create and use its own ptys, isolated from the ptys
of any other domain, and use that macro for untrusted_app.
This permits the use of a pty by apps without opening up access
to ptys created by any other domain on the system.

Change-Id: I5d96ce4d1b26073d828e13eb71c48d1e14ce7d6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
2f40a17a42d19b6d92944c78c1d6a9c9517a725b 05-Sep-2013 Nick Kralevich <nnk@google.com> Revert "Add the ability to write shell files to the untrusted_app domain."

At this point, we still don't understand the root cause of
bug 10290009, or if it's even a real bug. Rollback
29d0d40668e686adc91cdfbf0d083e71ed82bac6 so we can get a device
in this state and figure out the root cause of this problem.

This reverts commit 29d0d40668e686adc91cdfbf0d083e71ed82bac6.

Bug: 10290009
/system/sepolicy/untrusted_app.te
29d0d40668e686adc91cdfbf0d083e71ed82bac6 17-Aug-2013 Geremy Condra <gcondra@google.com> Add the ability to write shell files to the untrusted_app domain.

Bug: 10290009
Change-Id: Ic794299261672b36a2b630893b65ab176c3eee6b
(cherry picked from commit eaa4e844e4c8549c9b4808a1272876a6995ca5a7)
/system/sepolicy/untrusted_app.te
7cda86eb46021cff20a08dcde56c1a15291fa582 16-Jul-2013 Alex Klyubin <klyubin@google.com> Permit apps to bind TCP/UDP sockets to a hostname

Change-Id: Ided2cf793e94bb58529789c3075f8480c0d0cf4e
/system/sepolicy/untrusted_app.te
24617fc3b8de501d3e6197e21d058496f400db07 16-Jul-2013 Nick Kralevich <nnk@google.com> Move isolated_app.te / untrusted_app.te into permissive

OTAs aren't properly labeling /system, which is causing SELinux
breakage. Temporarily put isolated_app.te and untrusted_app.te
into permissive.

Bug: 9878561
Change-Id: Icaf674ad6b3d59cbca3ae796c930c98ab67cae9c
/system/sepolicy/untrusted_app.te
59faed058de762f3920cd0a6219c68e5f16844bd 16-Jul-2013 Nick Kralevich <nnk@google.com> Allow apps to create listening ports

Bug: 9872463
Change-Id: I47eabeace3387afd24c0fd4bee70e77c0a3586d5
/system/sepolicy/untrusted_app.te
8a2ebe3477837b21b728135cd8780ffd528696af 16-Jul-2013 Nick Kralevich <nnk@google.com> Temporarily allow untrusted apps to read shell data files.

This is needed to support "Verify App" functionality.
During side loading, the Verify App functionality reads the APK
to determine if it's safe to install.

Bug: 9863154
Change-Id: I33f6b0fd012f6cb194e253d5d92cf6189d6aa222
/system/sepolicy/untrusted_app.te
6634a1080e6617854d0b29bc65bb1c852ad3d5b6 13-Jul-2013 Nick Kralevich <nnk@google.com> untrusted_app.te / isolated_app.te / app.te first pass

This is my first attempt at creating an enforcing SELinux domain for
apps, untrusted_apps, and isolated_apps. Many of these rules are based on the
contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21
with extensive modifications, some of which are included below.

* Allow communication with netd/dnsproxyd, to allow netd to handle
dns requests
* Allow binder communications with the DNS server
* Allow binder communications with surfaceflinger
* Allow an app to bind to tcp/udp ports
* Allow all domains to read files from the root partition, assuming
the DAC allows access.

In addition, I added a bunch of "neverallow" rules, to assert that
certain capabilities are never added.

This change has a high probability of breaking someone, somewhere.
If it does, then I'm happy to fix the breakage, rollback this change,
or put untrusted_app into permissive mode.

Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35
/system/sepolicy/untrusted_app.te
748fdef626d1dda2a0a727ea35d85d04363f5307 13-Jul-2013 Nick Kralevich <nnk@google.com> Move *_app into their own file

app.te covers a lot of different apps types (platform_app, media_app,
shared_app, release_app, isolated_app, and untrusted_app), all
of which are going to have slightly different security policies.

Separate the different domains from app.te. Over time, these
files are likely to grow substantially, and mixing different domain types
is a recipe for confusion and mistakes.

No functional change.

Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f
/system/sepolicy/untrusted_app.te