split out untrusted base app domains

GrapheneOS · Feb 24, 2020 · 34b15aa · 34b15aa
1 parent 85d6977
commit 34b15aa
Show file tree

Hide file tree

Showing 21 changed files with 443 additions and 4 deletions.
diff --git a/prebuilts/api/29.0/private/app_neverallows.te b/prebuilts/api/29.0/private/app_neverallows.te
@@ -10,6 +10,9 @@ define(`all_untrusted_apps',`{
   untrusted_app_25
   untrusted_app_27
   untrusted_app_all
+  untrusted_base_app
+  untrusted_base_app_25
+  untrusted_base_app_27
 }')
 # Receive or send uevent messages.
 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
@@ -39,7 +42,7 @@ neverallow { all_untrusted_apps -mediaprovider } property_type:property_service
 
 # net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
 # but otherwise disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+neverallow { all_untrusted_apps -untrusted_app_25 -untrusted_base_app_25 } net_dns_prop:file read;
 
 # Shared libraries created by trusted components within an app home
 # directory can be dlopen()ed. To maintain the W^X property, these files
@@ -54,7 +57,9 @@ neverallow all_untrusted_apps app_exec_data_file:file
 neverallow {
   all_untrusted_apps
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
   -runas_app
 } { app_data_file privapp_data_file }:file execute_no_trans;
 
@@ -64,7 +69,9 @@ neverallow {
 neverallow {
   all_untrusted_apps
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
 } dex2oat_exec:file no_x_file_perms;
 
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
@@ -327,7 +334,11 @@ full_treble_only(`
 # b/33214085 b/33814662 b/33791054 b/33211769
 # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
 # This will go away in a future Android release
-neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
+neverallow { 
+    all_untrusted_apps
+    -untrusted_app_25 
+    -untrusted_base_app_25 
+} proc_tty_drivers:file r_file_perms;
 neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
 
 # Untrusted apps are not allowed to use cgroups.
@@ -339,5 +350,7 @@ neverallow {
   all_untrusted_apps
   -ephemeral_app
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
 } ashmem_device:chr_file open;
diff --git a/prebuilts/api/29.0/private/mac_permissions.xml b/prebuilts/api/29.0/private/mac_permissions.xml
@@ -56,6 +56,16 @@
       <seinfo value="media" />
     </signer>
 
+    <!-- Shared dev key in AOSP -->
+    <signer signature="@SHARED" >
+      <seinfo value="base" />
+    </signer>
+
+    <!-- Release dev key in AOSP -->
+    <signer signature="@RELEASE" >
+      <seinfo value="base" />
+    </signer>
+
     <signer signature="@NETWORK_STACK" >
       <seinfo value="network_stack" />
     </signer>

diff --git a/prebuilts/api/29.0/private/seapp_contexts b/prebuilts/api/29.0/private/seapp_contexts
@@ -157,8 +157,12 @@ user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app seinfo=base minTargetSdkVersion=29 domain=untrusted_base_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
+user=_app seinfo=base minTargetSdkVersion=28 domain=untrusted_base_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
+user=_app seinfo=base minTargetSdkVersion=26 domain=untrusted_base_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
+user=_app seinfo=base domain=untrusted_base_app_25 type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
 user=_app fromRunAs=true domain=runas_app levelFrom=user
diff --git a/prebuilts/api/29.0/private/untrusted_base_app.te b/prebuilts/api/29.0/private/untrusted_base_app.te
@@ -0,0 +1,25 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_base_app coredomain;
+
+app_domain(untrusted_base_app)
+untrusted_app_domain(untrusted_base_app)
+net_domain(untrusted_base_app)
+bluetooth_domain(untrusted_base_app)
diff --git a/prebuilts/api/29.0/private/untrusted_base_app_25.te b/prebuilts/api/29.0/private/untrusted_base_app_25.te
@@ -0,0 +1,63 @@
+###
+### untrusted_base_app_25
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion <= 25.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_base_app_25 coredomain;
+
+app_domain(untrusted_base_app_25)
+untrusted_app_domain(untrusted_base_app_25)
+net_domain(untrusted_base_app_25)
+bluetooth_domain(untrusted_base_app_25)
+
+# b/34115651, b/33308258 - net.dns* properties read
+# This will go away in a future Android release
+get_prop(untrusted_base_app_25, net_dns_prop)
+auditallow untrusted_base_app_25 net_dns_prop:file read;
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_base_app_25 proc_misc:file r_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+allow untrusted_base_app_25 proc_tty_drivers:file r_file_perms;
+
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+# allow untrusted_base_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+# allow untrusted_base_app_25 app_data_file:file execute_no_trans;
+# auditallow untrusted_base_app_25 app_data_file:file { execute execute_no_trans };
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_base_app_25 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_base_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_base_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_base_app_25 ashmem_device:chr_file open;
diff --git a/prebuilts/api/29.0/private/untrusted_base_app_27.te b/prebuilts/api/29.0/private/untrusted_base_app_27.te
@@ -0,0 +1,47 @@
+###
+### Untrusted_27.
+###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 28.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_base_app_27 domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_base_app_27 coredomain;
+
+app_domain(untrusted_base_app_27)
+untrusted_app_domain(untrusted_base_app_27)
+net_domain(untrusted_base_app_27)
+bluetooth_domain(untrusted_base_app_27)
+
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+# allow untrusted_base_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+# allow untrusted_base_app_27 app_data_file:file execute_no_trans;
+# auditallow untrusted_base_app_27 app_data_file:file { execute execute_no_trans };
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_base_app_27 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_base_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_base_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_base_app_27 ashmem_device:chr_file open;
diff --git a/prebuilts/api/29.0/public/untrusted_base_app.te b/prebuilts/api/29.0/public/untrusted_base_app.te
@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app, domain;
diff --git a/prebuilts/api/29.0/public/untrusted_base_app_25.te b/prebuilts/api/29.0/public/untrusted_base_app_25.te
@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app_25, domain;
diff --git a/prebuilts/api/29.0/public/untrusted_base_app_27.te b/prebuilts/api/29.0/public/untrusted_base_app_27.te
@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app_27, domain;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
@@ -10,6 +10,9 @@ define(`all_untrusted_apps',`{
   untrusted_app_25
   untrusted_app_27
   untrusted_app_all
+  untrusted_base_app
+  untrusted_base_app_25
+  untrusted_base_app_27
 }')
 # Receive or send uevent messages.
 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
@@ -39,7 +42,7 @@ neverallow { all_untrusted_apps -mediaprovider } property_type:property_service
 
 # net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
 # but otherwise disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+neverallow { all_untrusted_apps -untrusted_app_25 -untrusted_base_app_25 } net_dns_prop:file read;
 
 # Shared libraries created by trusted components within an app home
 # directory can be dlopen()ed. To maintain the W^X property, these files
@@ -54,7 +57,9 @@ neverallow all_untrusted_apps app_exec_data_file:file
 neverallow {
   all_untrusted_apps
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
   -runas_app
 } { app_data_file privapp_data_file }:file execute_no_trans;
 
@@ -64,7 +69,9 @@ neverallow {
 neverallow {
   all_untrusted_apps
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
 } dex2oat_exec:file no_x_file_perms;
 
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
@@ -327,7 +334,11 @@ full_treble_only(`
 # b/33214085 b/33814662 b/33791054 b/33211769
 # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
 # This will go away in a future Android release
-neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
+neverallow { 
+    all_untrusted_apps
+    -untrusted_app_25 
+    -untrusted_base_app_25 
+} proc_tty_drivers:file r_file_perms;
 neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
 
 # Untrusted apps are not allowed to use cgroups.
@@ -339,5 +350,7 @@ neverallow {
   all_untrusted_apps
   -ephemeral_app
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
 } ashmem_device:chr_file open;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
@@ -187,6 +187,9 @@
     traced_probes_tmpfs
     traced_producer_socket
     traced_tmpfs
+    untrusted_base_app
+    untrusted_base_app_25
+    untrusted_base_app_27
     untrusted_app_all_devpts
     update_engine_log_data_file
     vendor_default_prop

diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
@@ -166,6 +166,9 @@
     traceur_app
     traceur_app_tmpfs
     untrusted_app_all_devpts
+    untrusted_base_app
+    untrusted_base_app_25
+    untrusted_base_app_27
     update_engine_log_data_file
     uri_grants_service
     usbd

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
@@ -139,6 +139,9 @@
     traced_lazy_prop
     uri_grants_service
     use_memfd_prop
+    untrusted_base_app
+    untrusted_base_app_25
+    untrusted_base_app_27
     vendor_cgroup_desc_file
     vendor_idc_file
     vendor_keychars_file

diff --git a/private/seapp_contexts b/private/seapp_contexts
@@ -157,8 +157,12 @@ user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app seinfo=base minTargetSdkVersion=29 domain=untrusted_base_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
+user=_app seinfo=base minTargetSdkVersion=28 domain=untrusted_base_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
+user=_app seinfo=base minTargetSdkVersion=26 domain=untrusted_base_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
+user=_app seinfo=base domain=untrusted_base_app_25 type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
 user=_app fromRunAs=true domain=runas_app levelFrom=user