untrusted_app.te revision b03831fe58be86cfd94c31b91def6ae53ebd614f
###
### Untrusted apps.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key. To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
### untrusted_app includes all the appdomain rules, plus the
### additional following rules:
###
### Reading guide: the allow/dontaudit/auditallow rules below are additive
### on top of whatever app_domain(), net_domain() and bluetooth_domain()
### expand to. The neverallow block at the end is a compile-time assertion
### over the whole policy: any allow rule, in this file or elsewhere, that
### grants one of the listed permissions to untrusted_app fails the build.
###

# domain_deprecated is also assigned here; it is a transitional attribute
# that carries legacy permissions being phased out (see domain_deprecated.te
# for the actual rules -- not visible from this file).
type untrusted_app, domain, domain_deprecated;
app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)

# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
# execmod (beyond execute/read) additionally lets the app map a file it has
# modified as executable, e.g. libraries with text relocations. This is the
# widest grant in this file: app-writable data can become app code.
allow untrusted_app app_data_file:file { rx_file_perms execmod };

# Third party vpn apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
# "open" is deliberately absent from this set; the fd must be handed over
# by the framework. The neverallow near the end of this file pins that.
allow untrusted_app tun_device:chr_file { read write getattr ioctl append };

# ASEC
allow untrusted_app asec_apk_file:file r_file_perms;
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file { execute execmod };

# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
# Note: this is read access to shell_data_file for every untrusted app,
# not just the verifier; narrowing it needs a dedicated domain or type.
allow untrusted_app shell_data_file:file r_file_perms;
allow untrusted_app shell_data_file:dir r_dir_perms;

# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos.
# No "open" here either: the app can only use descriptors it was given.
allow untrusted_app system_app_data_file:file { read write getattr };

#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
#

# Access /dev/mtp_usb.
# TODO android.process.media moved to priv_app domain. Does
# untrusted_app still require these permissions? Can "open"
# be removed?
# The auditallow below logs every *granted* use of these permissions, so
# the audit log can answer the TODO above before the allow is narrowed.
allow untrusted_app mtp_device:chr_file rw_file_perms;
auditallow untrusted_app mtp_device:chr_file rw_file_perms;

# Access to /data/media.
allow untrusted_app media_rw_data_file:dir create_dir_perms;
allow untrusted_app media_rw_data_file:file create_file_perms;

# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
# "search" only: path traversal through the directory, no listing/reading.
allow untrusted_app mnt_media_rw_file:dir search;

# allow cts to query all services
allow untrusted_app servicemanager:service_manager list;

# Services an untrusted app may look up by name ("find"). Registering
# ("add") is forbidden for every service type by a neverallow below.
allow untrusted_app audioserver_service:service_manager find;
allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app healthd_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app mediaextractor_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;

# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
# Wrapped in userdebug_or_eng(): these two rules are only compiled into
# userdebug/eng builds and are absent from user builds.
userdebug_or_eng(`
    allow untrusted_app perfprofd_data_file:file r_file_perms;
    allow untrusted_app perfprofd_data_file:dir r_dir_perms;
')

# gdbserver for ndk-gdb ptrace attaches to app process.
# Scoped to "self": an app may ptrace its own processes only, not
# processes in any other domain.
allow untrusted_app self:process ptrace;

# Programs routinely attempt to scan through /system, looking
# for files. Suppress the denials when they occur.
# dontaudit only silences the audit record; it does not grant getattr.
dontaudit untrusted_app exec_type:file getattr;

###
### neverallow rules
###
### Each rule here is a policy-wide assertion checked at build time, not a
### runtime deny: it rejects any allow rule that would grant the listed
### access to untrusted_app.
###

# Receive or send uevent messages.
neverallow untrusted_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow untrusted_app domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow untrusted_app debugfs:file read;

# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow untrusted_app service_manager_type:service_manager add;

# Do not allow untrusted_apps to connect to the property service
# or set properties. b/10243159
neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app init:unix_stream_socket connectto;
neverallow untrusted_app property_type:property_service set;

# Do not allow untrusted_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and untrusted_app is allowed fork permission to itself.
neverallow untrusted_app mlstrustedsubject:process fork;

# Do not allow untrusted_app to hard link to any files.
# In particular, if untrusted_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted_app never has this
# capability.
neverallow untrusted_app file_type:file link;

# Do not allow untrusted_app to access network MAC address file
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;

# Do not allow untrusted app to directly open tun_device
# Complements the tun_device allow rule above, which omits "open".
neverallow untrusted_app tun_device:chr_file open;

# Do not allow untrusted_app access to /cache
# "~{ ... }" is the complement: everything except the listed
# read-only permissions is forbidden.
neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
neverallow untrusted_app cache_file:file ~{ read getattr };