untrusted_app.te revision ba12da95726e08c1c72ff3e6533899a062131d39
1### 2### Untrusted apps. 3### 4### This file defines the rules for untrusted apps. 5### Apps are labeled based on mac_permissions.xml (maps signer and 6### optionally package name to seinfo value) and seapp_contexts (maps UID 7### and optionally seinfo value to domain for process and type for data 8### directory). The untrusted_app domain is the default assignment in 9### seapp_contexts for any app with UID between APP_AID (10000) 10### and AID_ISOLATED_START (99000) if the app has no specific seinfo 11### value as determined from mac_permissions.xml. In current AOSP, this 12### domain is assigned to all non-system apps as well as to any system apps 13### that are not signed by the platform key. To move 14### a system app into a specific domain, add a signer entry for it to 15### mac_permissions.xml and assign it one of the pre-existing seinfo values 16### or define and use a new seinfo value in both mac_permissions.xml and 17### seapp_contexts. 18### 19### untrusted_app includes all the appdomain rules, plus the 20### additional following rules: 21### 22 23type untrusted_app, domain; 24app_domain(untrusted_app) 25net_domain(untrusted_app) 26bluetooth_domain(untrusted_app) 27 28# Some apps ship with shared libraries and binaries that they write out 29# to their sandbox directory and then execute. 30allow untrusted_app app_data_file:file { rx_file_perms execmod }; 31 32# ASEC 33allow untrusted_app asec_apk_file:file r_file_perms; 34# Execute libs in asec containers. 35allow untrusted_app asec_public_file:file { execute execmod }; 36 37# Allow the allocation and use of ptys 38# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm 39create_pty(untrusted_app) 40 41# Used by Finsky / Android "Verify Apps" functionality when 42# running "adb install foo.apk". 43# TODO: Long term, we don't want apps probing into shell data files. 44# Figure out a way to remove these rules. 45allow untrusted_app shell_data_file:file r_file_perms; 46allow untrusted_app shell_data_file:dir r_dir_perms; 47 48# Read and write system app data files passed over Binder. 49# Motivating case was /data/data/com.android.settings/cache/*.jpg for 50# cropping or taking user photos. 51allow untrusted_app system_app_data_file:file { read write getattr }; 52 53# 54# Rules migrated from old app domains coalesced into untrusted_app. 55# This includes what used to be media_app, shared_app, and release_app. 56# 57 58# Access to /data/media. 59allow untrusted_app media_rw_data_file:dir create_dir_perms; 60allow untrusted_app media_rw_data_file:file create_file_perms; 61 62# Traverse into /mnt/media_rw for bypassing FUSE daemon 63# TODO: narrow this to just MediaProvider 64allow untrusted_app mnt_media_rw_file:dir search; 65 66# allow cts to query all services 67allow untrusted_app servicemanager:service_manager list; 68 69allow untrusted_app audioserver_service:service_manager find; 70allow untrusted_app cameraserver_service:service_manager find; 71allow untrusted_app drmserver_service:service_manager find; 72allow untrusted_app healthd_service:service_manager find; 73allow untrusted_app mediaserver_service:service_manager find; 74allow untrusted_app mediaextractor_service:service_manager find; 75allow untrusted_app mediacodec_service:service_manager find; 76allow untrusted_app mediadrmserver_service:service_manager find; 77allow untrusted_app nfc_service:service_manager find; 78allow untrusted_app radio_service:service_manager find; 79allow untrusted_app surfaceflinger_service:service_manager find; 80allow untrusted_app app_api_service:service_manager find; 81 82# Allow GMS core to access perfprofd output, which is stored 83# in /data/misc/perfprofd/. GMS core will need to list all 84# data stored in that directory to process them one by one. 85userdebug_or_eng(` 86 allow untrusted_app perfprofd_data_file:file r_file_perms; 87 allow untrusted_app perfprofd_data_file:dir r_dir_perms; 88') 89 90# gdbserver for ndk-gdb ptrace attaches to app process. 91allow untrusted_app self:process ptrace; 92 93# Programs routinely attempt to scan through /system, looking 94# for files. Suppress the denials when they occur. 95dontaudit untrusted_app exec_type:file getattr; 96 97# TODO: switch to meminfo service 98allow untrusted_app proc_meminfo:file r_file_perms; 99 100# https://code.google.com/p/chromium/issues/detail?id=586021 101allow untrusted_app proc:file r_file_perms; 102auditallow untrusted_app proc:file r_file_perms; 103# access /proc/net/xt_qtguid/stats 104r_dir_file(untrusted_app, proc_net) 105 106### 107### neverallow rules 108### 109 110# Receive or send uevent messages. 111neverallow untrusted_app domain:netlink_kobject_uevent_socket *; 112 113# Receive or send generic netlink messages 114neverallow untrusted_app domain:netlink_socket *; 115 116# Too much leaky information in debugfs. It's a security 117# best practice to ensure these files aren't readable. 118neverallow untrusted_app debugfs_type:file read; 119 120# Do not allow untrusted apps to register services. 121# Only trusted components of Android should be registering 122# services. 123neverallow untrusted_app service_manager_type:service_manager add; 124 125# Do not allow untrusted_apps to connect to the property service 126# or set properties. b/10243159 127neverallow untrusted_app property_socket:sock_file write; 128neverallow untrusted_app init:unix_stream_socket connectto; 129neverallow untrusted_app property_type:property_service set; 130 131# Do not allow untrusted_app to be assigned mlstrustedsubject. 132# This would undermine the per-user isolation model being 133# enforced via levelFrom=user in seapp_contexts and the mls 134# constraints. As there is no direct way to specify a neverallow 135# on attribute assignment, this relies on the fact that fork 136# permission only makes sense within a domain (hence should 137# never be granted to any other domain within mlstrustedsubject) 138# and untrusted_app is allowed fork permission to itself. 139neverallow untrusted_app mlstrustedsubject:process fork; 140 141# Do not allow untrusted_app to hard link to any files. 142# In particular, if untrusted_app links to other app data 143# files, installd will not be able to guarantee the deletion 144# of the linked to file. Hard links also contribute to security 145# bugs, so we want to ensure untrusted_app never has this 146# capability. 147neverallow untrusted_app file_type:file link; 148 149# Do not allow untrusted_app to access network MAC address file 150neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms; 151 152# do not allow privileged socket ioctl commands 153neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 154 155# Do not allow untrusted_app access to /cache 156neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms }; 157neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr }; 158 159# Do not allow untrusted_app to set system properties. 160neverallow untrusted_app property_socket:sock_file write; 161neverallow untrusted_app property_type:property_service set; 162 163# Do not allow untrusted_app to create/unlink files outside of its sandbox, 164# internal storage or sdcard. 165# World accessible data locations allow application to fill the device 166# with unaccounted for data. This data will not get removed during 167# application un-installation. 168neverallow untrusted_app { 169 fs_type 170 -fuse # sdcard 171 file_type 172 -app_data_file # The apps sandbox itself 173 -media_rw_data_file # Internal storage. Known that apps can 174 # leave artfacts here after uninstall. 175 -user_profile_data_file # Access to profile files 176 userdebug_or_eng(` 177 -method_trace_data_file # only on ro.debuggable=1 178 -coredump_file # userdebug/eng only 179 ') 180}:dir_file_class_set { create unlink }; 181 182# Do not allow untrusted_app to directly open tun_device 183neverallow untrusted_app tun_device:chr_file open; 184