untrusted_app.te revision 549ccf77e3fd23bb6c690da7023441c1007c4fd8
1748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### 2748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### Untrusted apps. 3748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### 4d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### This file defines the rules for untrusted apps. 5d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### Apps are labeled based on mac_permissions.xml (maps signer and 6d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### optionally package name to seinfo value) and seapp_contexts (maps UID 7d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### and optionally seinfo value to domain for process and type for data 8d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### directory). The untrusted_app domain is the default assignment in 9d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### seapp_contexts for any app with UID between APP_AID (10000) 10d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### and AID_ISOLATED_START (99000) if the app has no specific seinfo 11d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### value as determined from mac_permissions.xml. In current AOSP, this 12d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### domain is assigned to all non-system apps as well as to any system apps 139ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley### that are not signed by the platform key. To move 14d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### a system app into a specific domain, add a signer entry for it to 15d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### mac_permissions.xml and assign it one of the pre-existing seinfo values 16d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### or define and use a new seinfo value in both mac_permissions.xml and 17d823f83e5466b53521b098c0865b89c7f12025faStephen Smalley### seapp_contexts. 18748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### 19748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### untrusted_app includes all the appdomain rules, plus the 20748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### additional following rules: 21748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### 22748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich 23d22987b4daf02a8dae5bb10119d9ec5ec9f637cfJeff Vander Stoeptype untrusted_app, domain, domain_deprecated; 24748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevichapp_domain(untrusted_app) 25748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevichnet_domain(untrusted_app) 26748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevichbluetooth_domain(untrusted_app) 276634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich 2865317124a0bb7db4829f78e74c7bfe18e27f1c43Stephen Smalley# Some apps ship with shared libraries and binaries that they write out 2965317124a0bb7db4829f78e74c7bfe18e27f1c43Stephen Smalley# to their sandbox directory and then execute. 3078706f9ef6d917fe2ec85ecb6b0f47fbc5efde57Nick Kralevichallow untrusted_app app_data_file:file { rx_file_perms execmod }; 3165317124a0bb7db4829f78e74c7bfe18e27f1c43Stephen Smalley 32de53051a8282ec59fdd21667850997bc4096f8d2Jeff Vander Stoep# Third party vpn apps receive an open tun fd from the framework for 33de53051a8282ec59fdd21667850997bc4096f8d2Jeff Vander Stoep# device traffic. Do not allow untrusted app to directly open tun_device 34de53051a8282ec59fdd21667850997bc4096f8d2Jeff Vander Stoepallow untrusted_app tun_device:chr_file { read write getattr ioctl append }; 356634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich 366634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# ASEC 376634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow untrusted_app asec_apk_file:file r_file_perms; 3848b18832c476f0bd8fcb8ee3e308258392f36aafRobert Craig# Execute libs in asec containers. 3978706f9ef6d917fe2ec85ecb6b0f47fbc5efde57Nick Kralevichallow untrusted_app asec_public_file:file { execute execmod }; 406634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich 416634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Allow the allocation and use of ptys 426634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm 432dc4acf33b78284f514fe9a6c5102cc783c4309fStephen Smalleycreate_pty(untrusted_app) 448a2ebe3477837b21b728135cd8780ffd528696afNick Kralevich 458a2ebe3477837b21b728135cd8780ffd528696afNick Kralevich# Used by Finsky / Android "Verify Apps" functionality when 468a2ebe3477837b21b728135cd8780ffd528696afNick Kralevich# running "adb install foo.apk". 478a2ebe3477837b21b728135cd8780ffd528696afNick Kralevich# TODO: Long term, we don't want apps probing into shell data files. 488a2ebe3477837b21b728135cd8780ffd528696afNick Kralevich# Figure out a way to remove these rules. 492f40a17a42d19b6d92944c78c1d6a9c9517a725bNick Kralevichallow untrusted_app shell_data_file:file r_file_perms; 508a2ebe3477837b21b728135cd8780ffd528696afNick Kralevichallow untrusted_app shell_data_file:dir r_dir_perms; 519ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley 528be3e77986e573751cb74634f58c4fbacb0bcd11Nick Kralevich# Read and write system app data files passed over Binder. 538be3e77986e573751cb74634f58c4fbacb0bcd11Nick Kralevich# Motivating case was /data/data/com.android.settings/cache/*.jpg for 548be3e77986e573751cb74634f58c4fbacb0bcd11Nick Kralevich# cropping or taking user photos. 558be3e77986e573751cb74634f58c4fbacb0bcd11Nick Kralevichallow untrusted_app system_app_data_file:file { read write getattr }; 568be3e77986e573751cb74634f58c4fbacb0bcd11Nick Kralevich 579ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# 589ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# Rules migrated from old app domains coalesced into untrusted_app. 599ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# This includes what used to be media_app, shared_app, and release_app. 609ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# 619ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley 629ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# Access /dev/mtp_usb. 637b8f9f153edf7c8bbefe3d472c86419d8048e5ddJeff Vander Stoep# TODO android.process.media moved to priv_app domain. Does 647b8f9f153edf7c8bbefe3d472c86419d8048e5ddJeff Vander Stoep# untrusted_app still require these permissions? Can "open" 657b8f9f153edf7c8bbefe3d472c86419d8048e5ddJeff Vander Stoep# be removed? 669ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalleyallow untrusted_app mtp_device:chr_file rw_file_perms; 677b8f9f153edf7c8bbefe3d472c86419d8048e5ddJeff Vander Stoepauditallow untrusted_app mtp_device:chr_file rw_file_perms; 689ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley 699ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# Access to /data/media. 709ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalleyallow untrusted_app media_rw_data_file:dir create_dir_perms; 719ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalleyallow untrusted_app media_rw_data_file:file create_file_perms; 729ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley 736e1f405c8b8b5d91a350ff14d1100930d7bff844Jeff Sharkey# Traverse into /mnt/media_rw for bypassing FUSE daemon 746e1f405c8b8b5d91a350ff14d1100930d7bff844Jeff Sharkey# TODO: narrow this to just MediaProvider 756e1f405c8b8b5d91a350ff14d1100930d7bff844Jeff Sharkeyallow untrusted_app mnt_media_rw_file:dir search; 766e1f405c8b8b5d91a350ff14d1100930d7bff844Jeff Sharkey 770b764ae98a7fe452690616b7d722a63bb7cd5fa8dcashman# allow cts to query all services 780b764ae98a7fe452690616b7d722a63bb7cd5fa8dcashmanallow untrusted_app servicemanager:service_manager list; 790b764ae98a7fe452690616b7d722a63bb7cd5fa8dcashman 80cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app drmserver_service:service_manager find; 81ac8b5750b08edf4d476b490dcbeef3159b7b7ea1Ruchi Kandoiallow untrusted_app healthd_service:service_manager find; 82cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app mediaserver_service:service_manager find; 83cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app nfc_service:service_manager find; 84cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app radio_service:service_manager find; 85cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app surfaceflinger_service:service_manager find; 86d12993f0846744ae8188a299cb1bb135014f626adcashmanallow untrusted_app app_api_service:service_manager find; 87d12993f0846744ae8188a299cb1bb135014f626adcashman 8834a468fad2c0b624b0cf383671384d0452dd83e6Dehao Chen# Allow GMS core to access perfprofd output, which is stored 8934a468fad2c0b624b0cf383671384d0452dd83e6Dehao Chen# in /data/misc/perfprofd/. GMS core will need to list all 9034a468fad2c0b624b0cf383671384d0452dd83e6Dehao Chen# data stored in that directory to process them one by one. 9134a468fad2c0b624b0cf383671384d0452dd83e6Dehao Chenuserdebug_or_eng(` 9234a468fad2c0b624b0cf383671384d0452dd83e6Dehao Chen allow untrusted_app perfprofd_data_file:file r_file_perms; 9334a468fad2c0b624b0cf383671384d0452dd83e6Dehao Chen allow untrusted_app perfprofd_data_file:dir r_dir_perms; 9434a468fad2c0b624b0cf383671384d0452dd83e6Dehao Chen') 95f6d12c6979128843a0bddee8de8f61f8ed1b646fNick Kralevich 96de11f5017c53aabba212425406962d21148fd2f6Nick Kralevich# gdbserver for ndk-gdb ptrace attaches to app process. 97de11f5017c53aabba212425406962d21148fd2f6Nick Kralevichallow untrusted_app self:process ptrace; 98de11f5017c53aabba212425406962d21148fd2f6Nick Kralevich 99f6d12c6979128843a0bddee8de8f61f8ed1b646fNick Kralevich# Programs routinely attempt to scan through /system, looking 100f6d12c6979128843a0bddee8de8f61f8ed1b646fNick Kralevich# for files. Suppress the denials when they occur. 101f6d12c6979128843a0bddee8de8f61f8ed1b646fNick Kralevichdontaudit untrusted_app exec_type:file getattr; 102f6d12c6979128843a0bddee8de8f61f8ed1b646fNick Kralevich 1034bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich### 1044bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich### neverallow rules 1054bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich### 1064bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich 107642b80427ec2e95eb13cf03a74d814f240813e71Nick Kralevich# Receive or send uevent messages. 108d31936f89c49bc5c54b84bd5095f3c417da14935Nick Kralevichneverallow untrusted_app domain:netlink_kobject_uevent_socket *; 109d31936f89c49bc5c54b84bd5095f3c417da14935Nick Kralevich 110d31936f89c49bc5c54b84bd5095f3c417da14935Nick Kralevich# Receive or send generic netlink messages 111d31936f89c49bc5c54b84bd5095f3c417da14935Nick Kralevichneverallow untrusted_app domain:netlink_socket *; 112642b80427ec2e95eb13cf03a74d814f240813e71Nick Kralevich 1134bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich# Too much leaky information in debugfs. It's a security 1144bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich# best practice to ensure these files aren't readable. 11596b1c9ca6f72f3adfa7f6051568efeb450c3756cNick Kralevichneverallow untrusted_app debugfs_type:file read; 11676206abc9f5140e85da2d4e4845eca2c4f3a6ad5Riley Spahn 11776206abc9f5140e85da2d4e4845eca2c4f3a6ad5Riley Spahn# Do not allow untrusted apps to register services. 11876206abc9f5140e85da2d4e4845eca2c4f3a6ad5Riley Spahn# Only trusted components of Android should be registering 11976206abc9f5140e85da2d4e4845eca2c4f3a6ad5Riley Spahn# services. 12076206abc9f5140e85da2d4e4845eca2c4f3a6ad5Riley Spahnneverallow untrusted_app service_manager_type:service_manager add; 12199d86c7a77d402a106a1b3fe57af06dbb231c750Nick Kralevich 122f58356661632d4c08870122f2cf944ea4edfe810Nick Kralevich# Do not allow untrusted_apps to connect to the property service 12399d86c7a77d402a106a1b3fe57af06dbb231c750Nick Kralevich# or set properties. b/10243159 12499d86c7a77d402a106a1b3fe57af06dbb231c750Nick Kralevichneverallow untrusted_app property_socket:sock_file write; 12599d86c7a77d402a106a1b3fe57af06dbb231c750Nick Kralevichneverallow untrusted_app init:unix_stream_socket connectto; 12699d86c7a77d402a106a1b3fe57af06dbb231c750Nick Kralevichneverallow untrusted_app property_type:property_service set; 127eaece936f297e1c77939c0ff0ad4d741de6990b4Stephen Smalley 128eaece936f297e1c77939c0ff0ad4d741de6990b4Stephen Smalley# Do not allow untrusted_app to be assigned mlstrustedsubject. 129eaece936f297e1c77939c0ff0ad4d741de6990b4Stephen Smalley# This would undermine the per-user isolation model being 130eaece936f297e1c77939c0ff0ad4d741de6990b4Stephen Smalley# enforced via levelFrom=user in seapp_contexts and the mls 131eaece936f297e1c77939c0ff0ad4d741de6990b4Stephen Smalley# constraints. As there is no direct way to specify a neverallow 132eaece936f297e1c77939c0ff0ad4d741de6990b4Stephen Smalley# on attribute assignment, this relies on the fact that fork 133eaece936f297e1c77939c0ff0ad4d741de6990b4Stephen Smalley# permission only makes sense within a domain (hence should 134eaece936f297e1c77939c0ff0ad4d741de6990b4Stephen Smalley# never be granted to any other domain within mlstrustedsubject) 135eaece936f297e1c77939c0ff0ad4d741de6990b4Stephen Smalley# and untrusted_app is allowed fork permission to itself. 136eaece936f297e1c77939c0ff0ad4d741de6990b4Stephen Smalleyneverallow untrusted_app mlstrustedsubject:process fork; 13785ce2c706e95f96c95b3af418b7bda0bfe9918f4Nick Kralevich 13885ce2c706e95f96c95b3af418b7bda0bfe9918f4Nick Kralevich# Do not allow untrusted_app to hard link to any files. 13985ce2c706e95f96c95b3af418b7bda0bfe9918f4Nick Kralevich# In particular, if untrusted_app links to other app data 14085ce2c706e95f96c95b3af418b7bda0bfe9918f4Nick Kralevich# files, installd will not be able to guarantee the deletion 14185ce2c706e95f96c95b3af418b7bda0bfe9918f4Nick Kralevich# of the linked to file. Hard links also contribute to security 14285ce2c706e95f96c95b3af418b7bda0bfe9918f4Nick Kralevich# bugs, so we want to ensure untrusted_app never has this 14385ce2c706e95f96c95b3af418b7bda0bfe9918f4Nick Kralevich# capability. 14485ce2c706e95f96c95b3af418b7bda0bfe9918f4Nick Kralevichneverallow untrusted_app file_type:file link; 145e45cad770c6ffcc46ca834320d7892d744d0693bJeff Vander Stoep 146e45cad770c6ffcc46ca834320d7892d744d0693bJeff Vander Stoep# Do not allow untrusted_app to access network MAC address file 147e45cad770c6ffcc46ca834320d7892d744d0693bJeff Vander Stoepneverallow untrusted_app sysfs_mac_address:file no_rw_file_perms; 148de53051a8282ec59fdd21667850997bc4096f8d2Jeff Vander Stoep 14968748c2166847469a06347e6d22e20d8e35107d8Jeff Vander Stoep# Do not allow untrusted_app access to /cache 150549ccf77e3fd23bb6c690da7023441c1007c4fd8Felipe Lemeneverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms }; 151549ccf77e3fd23bb6c690da7023441c1007c4fd8Felipe Lemeneverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr }; 152