untrusted_app.te revision 68748c2166847469a06347e6d22e20d8e35107d8

###
### Untrusted apps.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key. To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
### untrusted_app includes all the appdomain rules, plus the
### additional following rules:
###

type untrusted_app, domain;
app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)

# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app app_data_file:file { rx_file_perms execmod };

# Third party vpn apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
allow untrusted_app tun_device:chr_file { read write getattr ioctl append };

# ASEC
allow untrusted_app asec_apk_file:file r_file_perms;
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file { execute execmod };

# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
allow untrusted_app shell_data_file:file r_file_perms;
allow untrusted_app shell_data_file:dir r_dir_perms;

# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos.
allow untrusted_app system_app_data_file:file { read write getattr };

#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
#

# Access /dev/mtp_usb.
allow untrusted_app mtp_device:chr_file rw_file_perms;

# Access to /data/media.
allow untrusted_app media_rw_data_file:dir create_dir_perms;
allow untrusted_app media_rw_data_file:file create_file_perms;

# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
allow untrusted_app mnt_media_rw_file:dir search;

allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;

# Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;

# only allow unprivileged socket ioctl commands
allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;

# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
userdebug_or_eng(`
  allow untrusted_app perfprofd_data_file:file r_file_perms;
  allow untrusted_app perfprofd_data_file:dir r_dir_perms;
')

# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app self:process ptrace;

# Programs routinely attempt to scan through /system, looking
# for files. Suppress the denials when they occur.
dontaudit untrusted_app exec_type:file getattr;

###
### neverallow rules
###

# Receive or send uevent messages.
neverallow untrusted_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow untrusted_app domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow untrusted_app debugfs:file read;

# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow untrusted_app service_manager_type:service_manager add;

# Do not allow untrusted_apps to connect to the property service
# or set properties. b/10243159
neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app init:unix_stream_socket connectto;
neverallow untrusted_app property_type:property_service set;

# Do not allow untrusted_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and untrusted_app is allowed fork permission to itself.
neverallow untrusted_app mlstrustedsubject:process fork;

# Do not allow untrusted_app to hard link to any files.
# In particular, if untrusted_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted_app never has this
# capability.
neverallow untrusted_app file_type:file link;

# Do not allow untrusted_app to access network MAC address file
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;

# Do not allow untrusted app to directly open tun_device
neverallow untrusted_app tun_device:chr_file open;

# Do not allow untrusted_app access to /cache
neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
neverallow untrusted_app cache_file:file ~{ read getattr };
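The neverallow section above is enforced at policy build time: checkpolicy rejects the whole policy if any allow rule grants something a neverallow forbids. As an added example (not AOSP code or what checkpolicy actually runs, which expands m4 macros and attributes), the following toy checker handles the literal rule forms used in this file, including `*` and the `~{ ... }` complement form. On a constructed sample it confirms that the `tun_device:chr_file { read write getattr ioctl append }` allow does not collide with the `neverallow ... tun_device:chr_file open` rule, and catches a deliberately added allow granting `write` on `cache_file` against `~{ read getattr }`.

```python
import re

# Constructed sample: rules quoted from untrusted_app.te (macros such as
# r_file_perms written out explicitly, since this toy does not expand m4),
# plus one deliberately bad allow rule that is NOT in the real file.
SAMPLE_POLICY = """
allow untrusted_app tun_device:chr_file { read write getattr ioctl append };
neverallow untrusted_app tun_device:chr_file open;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file { open read getattr };
neverallow untrusted_app cache_file:file ~{ read getattr };
neverallow untrusted_app domain:netlink_socket *;
allow untrusted_app cache_file:file { read write };
"""

# kind  source  target(:set)  class(:set)  perms (single, '*', '{..}' or '~{..}')
RULE = re.compile(
    r"^(allow|neverallow)\s+(\S+)\s+(\{[^}]*\}|[^\s:{]+):(\{[^}]*\}|[^\s{]+)"
    r"\s+(~?\{[^}]*\}|\S+?)\s*;$"
)

def _set(tok):
    """'{ a b }' -> {a, b}; 'a' -> {a}."""
    return frozenset(tok.strip("{} ").split())

def parse(policy):
    """Return (kind, src, targets, classes, negated, perms) per rule line."""
    rules = []
    for line in policy.splitlines():
        m = RULE.match(line.strip())
        if m:
            kind, src, tgt, cls, perms = m.groups()
            neg = perms.startswith("~")
            rules.append((kind, src, _set(tgt), _set(cls), neg, _set(perms.lstrip("~"))))
    return rules

def violating_perms(allow_perms, never_neg, never_perms):
    """Permissions of an allow rule that a matching neverallow forbids."""
    if never_perms == {"*"}:          # '*' forbids every permission of the class
        return set(allow_perms)
    # '~{ a b }' forbids everything except a and b; '{ a b }' forbids a and b
    return set(allow_perms - never_perms if never_neg else allow_perms & never_perms)

def check(policy):
    """List (src, targets, classes, perms) for every allow/neverallow clash."""
    rules = parse(policy)
    allows = [r for r in rules if r[0] == "allow"]
    nevers = [r for r in rules if r[0] == "neverallow"]
    findings = []
    for _, src, tgt, cls, _, perms in allows:
        for _, nsrc, ntgt, ncls, nneg, nperms in nevers:
            if src != nsrc or not (tgt & ntgt) or not (cls & ncls):
                continue                    # literal type match only; no attributes
            bad = violating_perms(perms, nneg, nperms)
            if bad:
                findings.append((src, sorted(tgt & ntgt), sorted(cls & ncls), sorted(bad)))
    return findings

if __name__ == "__main__":
    for f in check(SAMPLE_POLICY):
        print("neverallow violation:", f)
```

Because attributes such as `domain` or `file_type` are not expanded here, a real check must still go through checkpolicy on the compiled policy.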