untrusted_app.te revision 8be3e77986e573751cb74634f58c4fbacb0bcd11
###
### Untrusted apps.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key. To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
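The header comment describes a two-step labeling flow (signer -> seinfo via mac_permissions.xml, then UID + seinfo -> domain via seapp_contexts). The Python below is an added model of that flow, not AOSP code: the certificate digest, the seapp_contexts entries and the platform_app data type are constructed stand-ins, and the real libselinux lookup also keys on user, package name and isolation, which this model leaves out. The UID bounds are the ones the comment gives.

```python
"""Model of the app-labeling flow described in the untrusted_app.te header.

Added illustration, not AOSP code.  The two inputs the comment names are
reduced to constructed tables:
  * mac_permissions.xml -> MAC_PERMISSIONS (signer digest -> seinfo)
  * seapp_contexts      -> SEAPP_CONTEXTS  (entries keyed on seinfo)
The real lookup (libselinux seapp_context_lookup) also matches on user,
package name and isolation; those keys are omitted here.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

APP_AID = 10000             # first regular app UID (from the header comment)
AID_ISOLATED_START = 99000  # first isolated-process UID (from the header comment)

# Constructed stand-in for mac_permissions.xml; the key is a placeholder
# certificate digest, not a real signing key.
MAC_PERMISSIONS = {
    "PLATFORM_CERT_DIGEST_PLACEHOLDER": "platform",
}


@dataclass(frozen=True)
class SeappEntry:
    """One 'user=_app ...' line of seapp_contexts, reduced to the keys used here."""
    domain: str                   # process domain
    data_type: str                # label for the app's data directory
    seinfo: Optional[str] = None  # None: no seinfo= key, entry matches any app

    def matches(self, seinfo: Optional[str]) -> bool:
        return self.seinfo is None or self.seinfo == seinfo

    def specificity(self) -> int:
        return 1 if self.seinfo is not None else 0


# Constructed entries: the default the header comment describes, and the kind
# of signer-specific entry it says to add to move a system app elsewhere.
SEAPP_CONTEXTS = [
    SeappEntry(domain="untrusted_app", data_type="app_data_file"),
    SeappEntry(domain="platform_app", data_type="platform_app_data_file", seinfo="platform"),
]


def seinfo_for(signer_digest: str, mac_permissions=MAC_PERMISSIONS) -> Optional[str]:
    """mac_permissions.xml step: signer -> seinfo, None when no stanza matches."""
    return mac_permissions.get(signer_digest)


def label_for(uid: int, seinfo: Optional[str], entries=SEAPP_CONTEXTS) -> Optional[Tuple[str, str]]:
    """seapp_contexts step: (uid, seinfo) -> (domain, data type).

    UIDs outside the regular-app range are not labeled by this model (system
    UIDs and isolated processes use other entries in the real file).
    The most specific matching entry wins, as in the real file's ordering.
    """
    if not APP_AID <= uid < AID_ISOLATED_START:
        return None
    candidates = [e for e in entries if e.matches(seinfo)]
    if not candidates:
        return None
    best = max(candidates, key=SeappEntry.specificity)
    return best.domain, best.data_type


def label_app(uid: int, signer_digest: str) -> Optional[Tuple[str, str]]:
    """Both steps together: how an installed app ends up in a process domain."""
    return label_for(uid, seinfo_for(signer_digest))


if __name__ == "__main__":
    print(label_app(10042, "SOME_OTHER_DEVELOPER_CERT"))         # ('untrusted_app', 'app_data_file')
    print(label_app(10043, "PLATFORM_CERT_DIGEST_PLACEHOLDER"))  # ('platform_app', 'platform_app_data_file')
    print(label_app(1000, "PLATFORM_CERT_DIGEST_PLACEHOLDER"))   # None: not an app UID
```

The point the model makes explicit is that an app's domain is decided entirely by its signer and UID at install time, never by anything the app declares itself; an unknown signer always falls through to the default entry, which is why untrusted_app is the domain the rest of this file has to defend.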
18748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### 19748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### untrusted_app includes all the appdomain rules, plus the 20748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### additional following rules: 21748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### 22748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich 23748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevichtype untrusted_app, domain; 24748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevichapp_domain(untrusted_app) 25748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevichnet_domain(untrusted_app) 26748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevichbluetooth_domain(untrusted_app) 276634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich 2865317124a0bb7db4829f78e74c7bfe18e27f1c43Stephen Smalley# Some apps ship with shared libraries and binaries that they write out 2965317124a0bb7db4829f78e74c7bfe18e27f1c43Stephen Smalley# to their sandbox directory and then execute. 3078706f9ef6d917fe2ec85ecb6b0f47fbc5efde57Nick Kralevichallow untrusted_app app_data_file:file { rx_file_perms execmod }; 3165317124a0bb7db4829f78e74c7bfe18e27f1c43Stephen Smalley 326634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow untrusted_app tun_device:chr_file rw_file_perms; 336634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich 346634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# ASEC 356634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow untrusted_app asec_apk_file:file r_file_perms; 3648b18832c476f0bd8fcb8ee3e308258392f36aafRobert Craig# Execute libs in asec containers. 
3778706f9ef6d917fe2ec85ecb6b0f47fbc5efde57Nick Kralevichallow untrusted_app asec_public_file:file { execute execmod }; 386634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich 396634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Allow the allocation and use of ptys 406634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm 412dc4acf33b78284f514fe9a6c5102cc783c4309fStephen Smalleycreate_pty(untrusted_app) 428a2ebe3477837b21b728135cd8780ffd528696afNick Kralevich 438a2ebe3477837b21b728135cd8780ffd528696afNick Kralevich# Used by Finsky / Android "Verify Apps" functionality when 448a2ebe3477837b21b728135cd8780ffd528696afNick Kralevich# running "adb install foo.apk". 458a2ebe3477837b21b728135cd8780ffd528696afNick Kralevich# TODO: Long term, we don't want apps probing into shell data files. 468a2ebe3477837b21b728135cd8780ffd528696afNick Kralevich# Figure out a way to remove these rules. 472f40a17a42d19b6d92944c78c1d6a9c9517a725bNick Kralevichallow untrusted_app shell_data_file:file r_file_perms; 488a2ebe3477837b21b728135cd8780ffd528696afNick Kralevichallow untrusted_app shell_data_file:dir r_dir_perms; 499ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley 508be3e77986e573751cb74634f58c4fbacb0bcd11Nick Kralevich# Read and write system app data files passed over Binder. 518be3e77986e573751cb74634f58c4fbacb0bcd11Nick Kralevich# Motivating case was /data/data/com.android.settings/cache/*.jpg for 528be3e77986e573751cb74634f58c4fbacb0bcd11Nick Kralevich# cropping or taking user photos. 538be3e77986e573751cb74634f58c4fbacb0bcd11Nick Kralevichallow untrusted_app system_app_data_file:file { read write getattr }; 548be3e77986e573751cb74634f58c4fbacb0bcd11Nick Kralevich 559ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# 569ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# Rules migrated from old app domains coalesced into untrusted_app. 
579ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# This includes what used to be media_app, shared_app, and release_app. 589ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# 599ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley 609ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# Access /dev/mtp_usb. 619ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalleyallow untrusted_app mtp_device:chr_file rw_file_perms; 629ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley 639ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# Access to /data/media. 649ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalleyallow untrusted_app media_rw_data_file:dir create_dir_perms; 659ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalleyallow untrusted_app media_rw_data_file:file create_file_perms; 669ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley 679ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalley# Write to /cache. 689ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalleyallow untrusted_app cache_file:dir create_dir_perms; 699ba844fea12a0b08770e870d63f3d3c375c7c9b5Stephen Smalleyallow untrusted_app cache_file:file create_file_perms; 704bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich 71cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app drmserver_service:service_manager find; 72cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app mediaserver_service:service_manager find; 73cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app nfc_service:service_manager find; 74cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app radio_service:service_manager find; 75cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app surfaceflinger_service:service_manager find; 76cd82557d4069c20bda8e18aa7f72fc0521a3ae32dcashmanallow untrusted_app system_server_service:service_manager find; 774a89cdfa89448c8660308a31bfcb517fffaa239edcashmanallow untrusted_app 
tmp_system_server_service:service_manager find; 784a89cdfa89448c8660308a31bfcb517fffaa239edcashman 794a89cdfa89448c8660308a31bfcb517fffaa239edcashmanservice_manager_local_audit_domain(untrusted_app) 804a89cdfa89448c8660308a31bfcb517fffaa239edcashmanauditallow untrusted_app { 814a89cdfa89448c8660308a31bfcb517fffaa239edcashman tmp_system_server_service 824a89cdfa89448c8660308a31bfcb517fffaa239edcashman -accessibility_service 834a89cdfa89448c8660308a31bfcb517fffaa239edcashman -account_service 844a89cdfa89448c8660308a31bfcb517fffaa239edcashman -activity_service 854a89cdfa89448c8660308a31bfcb517fffaa239edcashman -appops_service 864a89cdfa89448c8660308a31bfcb517fffaa239edcashman -appwidget_service 874a89cdfa89448c8660308a31bfcb517fffaa239edcashman -assetatlas_service 884a89cdfa89448c8660308a31bfcb517fffaa239edcashman -audio_service 89c631ede7dc7cb131b1bdd03ce296eeac53dc9adddcashman -backup_service 9023f336156daf61ba07c024af2fe96994605f46ebdcashman -battery_service 91c631ede7dc7cb131b1bdd03ce296eeac53dc9adddcashman -batterystats_service 924a89cdfa89448c8660308a31bfcb517fffaa239edcashman -bluetooth_manager_service 934a89cdfa89448c8660308a31bfcb517fffaa239edcashman -connectivity_service 944a89cdfa89448c8660308a31bfcb517fffaa239edcashman -content_service 9523f336156daf61ba07c024af2fe96994605f46ebdcashman -country_detector_service 9623f336156daf61ba07c024af2fe96994605f46ebdcashman -default_android_service 974a89cdfa89448c8660308a31bfcb517fffaa239edcashman -device_policy_service 984a89cdfa89448c8660308a31bfcb517fffaa239edcashman -display_service 994a89cdfa89448c8660308a31bfcb517fffaa239edcashman -dropbox_service 1004a89cdfa89448c8660308a31bfcb517fffaa239edcashman -input_method_service 1014a89cdfa89448c8660308a31bfcb517fffaa239edcashman -input_service 1024a89cdfa89448c8660308a31bfcb517fffaa239edcashman -jobscheduler_service 10323f336156daf61ba07c024af2fe96994605f46ebdcashman -launcherapps_service 104c631ede7dc7cb131b1bdd03ce296eeac53dc9adddcashman -location_service 
10523f336156daf61ba07c024af2fe96994605f46ebdcashman -lock_settings_service 10623f336156daf61ba07c024af2fe96994605f46ebdcashman -media_router_service 10723f336156daf61ba07c024af2fe96994605f46ebdcashman -media_session_service 10823f336156daf61ba07c024af2fe96994605f46ebdcashman -meminfo_service 109c631ede7dc7cb131b1bdd03ce296eeac53dc9adddcashman -mount_service 11023f336156daf61ba07c024af2fe96994605f46ebdcashman -netpolicy_service 111c631ede7dc7cb131b1bdd03ce296eeac53dc9adddcashman -netstats_service 112566e8fe2580ce7d6a8ef76ffce6b457b4e71dd63dcashman -network_management_service 113c631ede7dc7cb131b1bdd03ce296eeac53dc9adddcashman -network_score_service 1144a89cdfa89448c8660308a31bfcb517fffaa239edcashman -notification_service 1154a89cdfa89448c8660308a31bfcb517fffaa239edcashman -persistent_data_block_service 1164a89cdfa89448c8660308a31bfcb517fffaa239edcashman -power_service 1174a89cdfa89448c8660308a31bfcb517fffaa239edcashman -registry_service 11823f336156daf61ba07c024af2fe96994605f46ebdcashman -search_service 11923f336156daf61ba07c024af2fe96994605f46ebdcashman -sensorservice_service 1204a89cdfa89448c8660308a31bfcb517fffaa239edcashman -textservices_service 1214a89cdfa89448c8660308a31bfcb517fffaa239edcashman -trust_service 122c631ede7dc7cb131b1bdd03ce296eeac53dc9adddcashman -uimode_service 1234a89cdfa89448c8660308a31bfcb517fffaa239edcashman -user_service 124566e8fe2580ce7d6a8ef76ffce6b457b4e71dd63dcashman -vibrator_service 12523f336156daf61ba07c024af2fe96994605f46ebdcashman -voiceinteraction_service 12623f336156daf61ba07c024af2fe96994605f46ebdcashman -wallpaper_service 1274a89cdfa89448c8660308a31bfcb517fffaa239edcashman -webviewupdate_service 1284a89cdfa89448c8660308a31bfcb517fffaa239edcashman -wifi_service 12923f336156daf61ba07c024af2fe96994605f46ebdcashman -wifip2p_service 1304a89cdfa89448c8660308a31bfcb517fffaa239edcashman}:service_manager find; 131b8511e0d98880a683c276589ab7d8d7666b7f8c1Riley Spahn 1324bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich### 
1334bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich### neverallow rules 1344bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich### 1354bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich 136642b80427ec2e95eb13cf03a74d814f240813e71Nick Kralevich# Receive or send uevent messages. 137d31936f89c49bc5c54b84bd5095f3c417da14935Nick Kralevichneverallow untrusted_app domain:netlink_kobject_uevent_socket *; 138d31936f89c49bc5c54b84bd5095f3c417da14935Nick Kralevich 139d31936f89c49bc5c54b84bd5095f3c417da14935Nick Kralevich# Receive or send generic netlink messages 140d31936f89c49bc5c54b84bd5095f3c417da14935Nick Kralevichneverallow untrusted_app domain:netlink_socket *; 141642b80427ec2e95eb13cf03a74d814f240813e71Nick Kralevich 1424bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich# Too much leaky information in debugfs. It's a security 1434bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevich# best practice to ensure these files aren't readable. 1444bdd13e4c3632587c72b487a16d6c71a7a30714fNick Kralevichneverallow untrusted_app debugfs:file read; 14576206abc9f5140e85da2d4e4845eca2c4f3a6ad5Riley Spahn 14676206abc9f5140e85da2d4e4845eca2c4f3a6ad5Riley Spahn# Do not allow untrusted apps to register services. 14776206abc9f5140e85da2d4e4845eca2c4f3a6ad5Riley Spahn# Only trusted components of Android should be registering 14876206abc9f5140e85da2d4e4845eca2c4f3a6ad5Riley Spahn# services. 14976206abc9f5140e85da2d4e4845eca2c4f3a6ad5Riley Spahnneverallow untrusted_app service_manager_type:service_manager add; 15099d86c7a77d402a106a1b3fe57af06dbb231c750Nick Kralevich 151f58356661632d4c08870122f2cf944ea4edfe810Nick Kralevich# Do not allow untrusted_apps to connect to the property service 15299d86c7a77d402a106a1b3fe57af06dbb231c750Nick Kralevich# or set properties. 
b/10243159 15399d86c7a77d402a106a1b3fe57af06dbb231c750Nick Kralevichneverallow untrusted_app property_socket:sock_file write; 15499d86c7a77d402a106a1b3fe57af06dbb231c750Nick Kralevichneverallow untrusted_app init:unix_stream_socket connectto; 15599d86c7a77d402a106a1b3fe57af06dbb231c750Nick Kralevichneverallow untrusted_app property_type:property_service set; 156fbbe9e9117bd55c46ee971577f2fdd64993eb64adcashman 157fbbe9e9117bd55c46ee971577f2fdd64993eb64adcashman# Allow verifier to access staged apks. 158fbbe9e9117bd55c46ee971577f2fdd64993eb64adcashmanallow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; 1598c6dba90a570608a600184741a4a59bf4db1230dNick Kralevichallow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; 160