untrusted_app.te revision 3a0ce49b8623299ac7458306b30bda6adda12383
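###
### Untrusted apps.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key. To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
### untrusted_app includes all the appdomain rules, plus the
### additional following rules.
###
### Reviewer notes: the allow rules in this file are the attack surface of
### the least-trusted process domain on the device, so every addition should
### be justified by a concrete app use case (ideally cited, as is done for
### create_pty below) and, where a broader grant must never be reintroduced,
### paired with a neverallow. The neverallow rules at the end are build-time
### assertions (also checked by CTS), not runtime denials: policy
### compilation fails if any allow rule, including device-specific policy,
### grants the forbidden access.
###

type untrusted_app, domain, domain_deprecated;
app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)

# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
# NOTE(review): execmod additionally permits executing a private file
# mapping after it has been modified in place (e.g. text relocations),
# so code loaded from the app's own writable data directory is not
# subject to a strict W^X guarantee. Kept for app compatibility; any
# narrowing would need a survey of apps that rely on it.
allow untrusted_app app_data_file:file { rx_file_perms execmod };

# Third party vpn apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device:
# "open" is deliberately absent from this permission set, so an app can
# only use a descriptor that a more privileged component handed to it.
allow untrusted_app tun_device:chr_file { read write getattr ioctl append };

# ASEC
allow untrusted_app asec_apk_file:file r_file_perms;
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file { execute execmod };

# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
# NOTE(review): r_dir_perms/r_file_perms here let every untrusted app
# list and read whatever else the shell user has staged in its data
# directory, not just the apk being verified, so this belongs on the
# removal list rather than being widened further.
allow untrusted_app shell_data_file:file r_file_perms;
allow untrusted_app shell_data_file:dir r_dir_perms;

# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos. No "open" is granted: the app must
# receive an already-open fd from the system app.
allow untrusted_app system_app_data_file:file { read write getattr };

#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
#

# Access /dev/mtp_usb.
# TODO android.process.media moved to priv_app domain. Does
# untrusted_app still require these permissions? Can "open"
# be removed?
# The auditallow logs every use so the question above can be answered
# from field data before the rule is narrowed.
allow untrusted_app mtp_device:chr_file rw_file_perms;
auditallow untrusted_app mtp_device:chr_file rw_file_perms;

# Access to /data/media.
allow untrusted_app media_rw_data_file:dir create_dir_perms;
allow untrusted_app media_rw_data_file:file create_file_perms;

# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
allow untrusted_app mnt_media_rw_file:dir search;

# CTS needs to enumerate all registered services.
allow untrusted_app servicemanager:service_manager list;

# Services an untrusted app may look up by name. "find" only: registering
# ("add") is forbidden by a neverallow below.
allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app healthd_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app mediaextractor_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;

# Only allow unprivileged socket ioctl commands. This is an extended
# permission on the ioctl request number; the matching neverallowxperm
# below asserts that the privileged set is never granted.
allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;

# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
# Wrapped in userdebug_or_eng, so these rules are absent from user builds.
userdebug_or_eng(`
  allow untrusted_app perfprofd_data_file:file r_file_perms;
  allow untrusted_app perfprofd_data_file:dir r_dir_perms;
')

# gdbserver for ndk-gdb ptrace attaches to app process.
# Scoped to self only; attaching to any other domain is not granted here.
allow untrusted_app self:process ptrace;

# Programs routinely attempt to scan through /system, looking
# for files. Suppress the denials when they occur.
# dontaudit only silences the audit log; it grants nothing.
dontaudit untrusted_app exec_type:file getattr;

###
### neverallow rules
###

# Receive or send uevent messages.
neverallow untrusted_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow untrusted_app domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow untrusted_app debugfs:file read;

# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow untrusted_app service_manager_type:service_manager add;

# Do not allow untrusted_apps to connect to the property service
# or set properties. b/10243159
neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app init:unix_stream_socket connectto;
neverallow untrusted_app property_type:property_service set;

# Do not allow untrusted_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and untrusted_app is allowed fork permission to itself.
neverallow untrusted_app mlstrustedsubject:process fork;

# Do not allow untrusted_app to hard link to any files.
# In particular, if untrusted_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted_app never has this
# capability.
neverallow untrusted_app file_type:file link;

# Do not allow untrusted_app to access network MAC address file
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;

# do not allow privileged socket ioctl commands
neverallowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

# Do not allow untrusted_app access to /cache beyond read-only traversal
# and reading/statting files.
neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
neverallow untrusted_app cache_file:file ~{ read getattr };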