app_neverallows.te revision 92c44a578cbcb6ec7cdf8b304f1738cc75074379 
1###
2### neverallow rules for untrusted app domains
3###
4
5# Only allow domains in AOSP to use the untrusted_app_all attribute.
6neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
7
8define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
9# Receive or send uevent messages.
10neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
11
12# Receive or send generic netlink messages
13neverallow all_untrusted_apps domain:netlink_socket *;
14
15# Too much leaky information in debugfs. It's a security
16# best practice to ensure these files aren't readable.
17neverallow all_untrusted_apps debugfs_type:file read;
18
19# Do not allow untrusted apps to register services.
20# Only trusted components of Android should be registering
21# services.
22neverallow all_untrusted_apps service_manager_type:service_manager add;
23
24# Do not allow untrusted apps to connect to the property service
25# or set properties. b/10243159
26neverallow all_untrusted_apps property_socket:sock_file write;
27neverallow all_untrusted_apps init:unix_stream_socket connectto;
28neverallow all_untrusted_apps property_type:property_service set;
29
30# Do not allow untrusted apps to be assigned mlstrustedsubject.
31# This would undermine the per-user isolation model being
32# enforced via levelFrom=user in seapp_contexts and the mls
33# constraints.  As there is no direct way to specify a neverallow
34# on attribute assignment, this relies on the fact that fork
35# permission only makes sense within a domain (hence should
36# never be granted to any other domain within mlstrustedsubject)
37# and an untrusted app is allowed fork permission to itself.
38neverallow all_untrusted_apps mlstrustedsubject:process fork;
39
40# Do not allow untrusted apps to hard link to any files.
41# In particular, if an untrusted app links to other app data
42# files, installd will not be able to guarantee the deletion
43# of the linked to file. Hard links also contribute to security
44# bugs, so we want to ensure untrusted apps never have this
45# capability.
46neverallow all_untrusted_apps file_type:file link;
47
48# Do not allow untrusted apps to access network MAC address file
49neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
50
51# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
52# ioctl permission, or 3. disallow the socket class.
53neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
54neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
55neverallow all_untrusted_apps *:{
56  socket netlink_socket packet_socket key_socket appletalk_socket
57  netlink_tcpdiag_socket netlink_nflog_socket
58  netlink_xfrm_socket netlink_audit_socket
59  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
60  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
61  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
62  netlink_rdma_socket netlink_crypto_socket
63} *;
64
65# Do not allow untrusted apps access to /cache
66neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
67neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
68
69# Do not allow untrusted apps to create/unlink files outside of its sandbox,
70# internal storage or sdcard.
71# World accessible data locations allow application to fill the device
72# with unaccounted for data. This data will not get removed during
73# application un-installation.
74neverallow all_untrusted_apps {
75  fs_type
76  -fuse                     # sdcard
77  -sdcardfs                 # sdcard
78  -vfat
79  file_type
80  -app_data_file            # The apps sandbox itself
81  -media_rw_data_file       # Internal storage. Known that apps can
82                            # leave artfacts here after uninstall.
83  -user_profile_data_file   # Access to profile files
84  userdebug_or_eng(`
85    -method_trace_data_file # only on ro.debuggable=1
86    -coredump_file          # userdebug/eng only
87  ')
88}:dir_file_class_set { create unlink };
89
90# Do not allow untrusted apps to directly open tun_device
91neverallow all_untrusted_apps tun_device:chr_file open;
92
93# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
94neverallow all_untrusted_apps anr_data_file:file ~{ open append };
95neverallow all_untrusted_apps anr_data_file:dir ~search;
96
97# Avoid reads from generically labeled /proc files
98# Create a more specific label if needed
99neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
100
101# Do not allow untrusted apps access to preloads data files
102neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
103
104# Locking of files on /system could lead to denial of service attacks
105# against privileged system components
106neverallow all_untrusted_apps system_file:file lock;
107