untrusted_app.te revision 6e4bcbe6daa3c959fceb86ae97a8a267e6e9212a
1### 2### Untrusted apps. 3### 4### This file defines the rules for untrusted apps. 5### Apps are labeled based on mac_permissions.xml (maps signer and 6### optionally package name to seinfo value) and seapp_contexts (maps UID 7### and optionally seinfo value to domain for process and type for data 8### directory). The untrusted_app domain is the default assignment in 9### seapp_contexts for any app with UID between APP_AID (10000) 10### and AID_ISOLATED_START (99000) if the app has no specific seinfo 11### value as determined from mac_permissions.xml. In current AOSP, this 12### domain is assigned to all non-system apps as well as to any system apps 13### that are not signed by the platform key. To move 14### a system app into a specific domain, add a signer entry for it to 15### mac_permissions.xml and assign it one of the pre-existing seinfo values 16### or define and use a new seinfo value in both mac_permissions.xml and 17### seapp_contexts. 18### 19### untrusted_app includes all the appdomain rules, plus the 20### additional following rules: 21### 22 23type untrusted_app, domain; 24app_domain(untrusted_app) 25net_domain(untrusted_app) 26bluetooth_domain(untrusted_app) 27 28# Some apps ship with shared libraries and binaries that they write out 29# to their sandbox directory and then execute. 30allow untrusted_app app_data_file:file { rx_file_perms execmod }; 31 32# ASEC 33allow untrusted_app asec_apk_file:file r_file_perms; 34# Execute libs in asec containers. 35allow untrusted_app asec_public_file:file { execute execmod }; 36 37# Allow the allocation and use of ptys 38# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm 39create_pty(untrusted_app) 40 41# Used by Finsky / Android "Verify Apps" functionality when 42# running "adb install foo.apk". 43# TODO: Long term, we don't want apps probing into shell data files. 44# Figure out a way to remove these rules. 45allow untrusted_app shell_data_file:file r_file_perms; 46allow untrusted_app shell_data_file:dir r_dir_perms; 47 48# Read and write system app data files passed over Binder. 49# Motivating case was /data/data/com.android.settings/cache/*.jpg for 50# cropping or taking user photos. 51allow untrusted_app system_app_data_file:file { read write getattr }; 52 53# 54# Rules migrated from old app domains coalesced into untrusted_app. 55# This includes what used to be media_app, shared_app, and release_app. 56# 57 58# Access to /data/media. 59allow untrusted_app media_rw_data_file:dir create_dir_perms; 60allow untrusted_app media_rw_data_file:file create_file_perms; 61 62# Traverse into /mnt/media_rw for bypassing FUSE daemon 63# TODO: narrow this to just MediaProvider 64allow untrusted_app mnt_media_rw_file:dir search; 65 66# allow cts to query all services 67allow untrusted_app servicemanager:service_manager list; 68 69allow untrusted_app audioserver_service:service_manager find; 70allow untrusted_app cameraserver_service:service_manager find; 71allow untrusted_app drmserver_service:service_manager find; 72allow untrusted_app healthd_service:service_manager find; 73allow untrusted_app mediaserver_service:service_manager find; 74allow untrusted_app mediaextractor_service:service_manager find; 75allow untrusted_app mediacodec_service:service_manager find; 76allow untrusted_app mediadrmserver_service:service_manager find; 77allow untrusted_app nfc_service:service_manager find; 78allow untrusted_app radio_service:service_manager find; 79allow untrusted_app surfaceflinger_service:service_manager find; 80allow untrusted_app app_api_service:service_manager find; 81 82# Allow GMS core to access perfprofd output, which is stored 83# in /data/misc/perfprofd/. GMS core will need to list all 84# data stored in that directory to process them one by one. 85userdebug_or_eng(` 86 allow untrusted_app perfprofd_data_file:file r_file_perms; 87 allow untrusted_app perfprofd_data_file:dir r_dir_perms; 88') 89 90# gdbserver for ndk-gdb ptrace attaches to app process. 91allow untrusted_app self:process ptrace; 92 93# Programs routinely attempt to scan through /system, looking 94# for files. Suppress the denials when they occur. 95dontaudit untrusted_app exec_type:file getattr; 96 97# TODO: switch to meminfo service 98allow untrusted_app proc_meminfo:file r_file_perms; 99 100# https://code.google.com/p/chromium/issues/detail?id=586021 101allow untrusted_app proc:file r_file_perms; 102# access /proc/net/xt_qtguid/stats 103r_dir_file(untrusted_app, proc_net) 104 105### 106### neverallow rules 107### 108 109# Receive or send uevent messages. 110neverallow untrusted_app domain:netlink_kobject_uevent_socket *; 111 112# Receive or send generic netlink messages 113neverallow untrusted_app domain:netlink_socket *; 114 115# Too much leaky information in debugfs. It's a security 116# best practice to ensure these files aren't readable. 117neverallow untrusted_app debugfs_type:file read; 118 119# Do not allow untrusted apps to register services. 120# Only trusted components of Android should be registering 121# services. 122neverallow untrusted_app service_manager_type:service_manager add; 123 124# Do not allow untrusted_apps to connect to the property service 125# or set properties. b/10243159 126neverallow untrusted_app property_socket:sock_file write; 127neverallow untrusted_app init:unix_stream_socket connectto; 128neverallow untrusted_app property_type:property_service set; 129 130# Do not allow untrusted_app to be assigned mlstrustedsubject. 131# This would undermine the per-user isolation model being 132# enforced via levelFrom=user in seapp_contexts and the mls 133# constraints. As there is no direct way to specify a neverallow 134# on attribute assignment, this relies on the fact that fork 135# permission only makes sense within a domain (hence should 136# never be granted to any other domain within mlstrustedsubject) 137# and untrusted_app is allowed fork permission to itself. 138neverallow untrusted_app mlstrustedsubject:process fork; 139 140# Do not allow untrusted_app to hard link to any files. 141# In particular, if untrusted_app links to other app data 142# files, installd will not be able to guarantee the deletion 143# of the linked to file. Hard links also contribute to security 144# bugs, so we want to ensure untrusted_app never has this 145# capability. 146neverallow untrusted_app file_type:file link; 147 148# Do not allow untrusted_app to access network MAC address file 149neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms; 150 151# do not allow privileged socket ioctl commands 152neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 153 154# Do not allow untrusted_app access to /cache 155neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms }; 156neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr }; 157 158# Do not allow untrusted_app to set system properties. 159neverallow untrusted_app property_socket:sock_file write; 160neverallow untrusted_app property_type:property_service set; 161 162# Do not allow untrusted_app to create/unlink files outside of its sandbox, 163# internal storage or sdcard. 164# World accessible data locations allow application to fill the device 165# with unaccounted for data. This data will not get removed during 166# application un-installation. 167neverallow untrusted_app { 168 fs_type 169 -fuse # sdcard 170 file_type 171 -app_data_file # The apps sandbox itself 172 -media_rw_data_file # Internal storage. Known that apps can 173 # leave artfacts here after uninstall. 174 -user_profile_data_file # Access to profile files 175 -user_profile_foreign_dex_data_file # Access to profile files 176 userdebug_or_eng(` 177 -method_trace_data_file # only on ro.debuggable=1 178 -coredump_file # userdebug/eng only 179 ') 180}:dir_file_class_set { create unlink }; 181 182# Do not allow untrusted_app to directly open tun_device 183neverallow untrusted_app tun_device:chr_file open; 184