app_neverallows.te revision 46e5a060f66dc585f2b2319ba1f19f1c6ecc3c98
###
### neverallow rules for untrusted app domains
###
# Every rule in this file is a compile-time assertion: the policy fails to
# build if any allow rule would grant the listed permission to the listed
# source domains. The source set used throughout is the three untrusted
# app domains: untrusted_app, ephemeral_app and isolated_app.

# Receive or send uevent messages.
# '*' denies every permission on the class, not only read/write.
neverallow { untrusted_app ephemeral_app isolated_app } domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow { untrusted_app ephemeral_app isolated_app } domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
# debugfs_type is an attribute, so every debugfs file label is covered.
neverallow { untrusted_app ephemeral_app isolated_app } debugfs_type:file read;

# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow { untrusted_app ephemeral_app isolated_app } service_manager_type:service_manager add;

# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
# Three rules close the three paths to the property service: writing the
# property socket file, connecting to init's stream socket (init hosts the
# property service), and the 'set' permission on any property type.
neverallow { untrusted_app ephemeral_app isolated_app } property_socket:sock_file write;
neverallow { untrusted_app ephemeral_app isolated_app } init:unix_stream_socket connectto;
neverallow { untrusted_app ephemeral_app isolated_app } property_type:property_service set;

# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
# If an untrusted app domain were ever given the attribute, its own
# fork permission would match this rule and the build would fail.
neverallow { untrusted_app ephemeral_app isolated_app } mlstrustedsubject:process fork;

# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
# file_type is the attribute shared by all file labels, so this is
# a blanket denial with no exceptions.
neverallow { untrusted_app ephemeral_app isolated_app } file_type:file link;

# Do not allow untrusted apps to access network MAC address file
# no_rw_file_perms denies both the read and the write permission sets.
neverallow { untrusted_app ephemeral_app isolated_app } sysfs_mac_address:file no_rw_file_perms;

# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
# (1) Extended-permission rule: the ioctl permission itself may be allowed on
#     raw IP, TCP and UDP sockets, but no ioctl number in priv_sock_ioctls may.
neverallowxperm { untrusted_app ephemeral_app isolated_app } domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# (2) Route and selinux netlink sockets may keep other permissions but never ioctl.
neverallow { untrusted_app ephemeral_app isolated_app } *:{ netlink_route_socket netlink_selinux_socket } ioctl;
# (3) Every remaining socket class is denied outright ('*' = all permissions).
#     Because this is an explicit list, a socket class that is not named here
#     is not covered by it.
neverallow { untrusted_app ephemeral_app isolated_app } *:{
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket
} *;

# Do not allow untrusted apps access to /cache
# '~{ ... }' is the complement: every permission except the listed ones is
# denied, so directories may only be read and files only read/getattr.
neverallow { untrusted_app ephemeral_app isolated_app } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { untrusted_app ephemeral_app isolated_app } { cache_file cache_recovery_file }:file ~{ read getattr };

# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
# The target set starts from all fs_type and file_type labels and subtracts
# ('-') the locations an app is meant to write to. The userdebug_or_eng()
# exclusions expand only on debuggable builds, so user builds are strictly
# tighter than what is listed here.
neverallow { untrusted_app ephemeral_app isolated_app } {
  fs_type
  -fuse                                 # sdcard
  -sdcardfs                             # sdcard
  -vfat
  file_type
  -app_data_file                        # The apps sandbox itself
  -media_rw_data_file                   # Internal storage. Known that apps can
                                        # leave artifacts here after uninstall.
  -user_profile_data_file               # Access to profile files
  -user_profile_foreign_dex_data_file   # Access to profile files
  userdebug_or_eng(`
    -method_trace_data_file             # only on ro.debuggable=1
    -coredump_file                      # userdebug/eng only
  ')
}:dir_file_class_set { create unlink };

# Do not allow untrusted apps to directly open tun_device
neverallow { untrusted_app ephemeral_app isolated_app } tun_device:chr_file open;

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# Complement sets again: on the file only open and append may be granted,
# and on the directory only search (no listing, no create/unlink).
neverallow { untrusted_app ephemeral_app isolated_app } anr_data_file:file ~{ open append };
neverallow { untrusted_app ephemeral_app isolated_app } anr_data_file:dir ~search;

# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
# Anything left with the generic 'proc' label is unreadable and unexecutable
# by untrusted apps; a file that must be exposed needs its own type.
neverallow { untrusted_app ephemeral_app isolated_app } proc:file { no_rw_file_perms no_x_file_perms };