
split out untrusted base app domains
Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
renlord authored and thestinger committed Oct 14, 2020
1 parent 52d5d2f commit 3afbdf2
Showing 31 changed files with 496 additions and 14 deletions.
19 changes: 18 additions & 1 deletion prebuilts/api/30.0/private/app_neverallows.te
Expand Up @@ -12,6 +12,10 @@ define(`all_untrusted_apps',`{
untrusted_app_27
untrusted_app_29
untrusted_app_all
untrusted_base_app
untrusted_base_app_25
untrusted_base_app_27
untrusted_base_app_29
}')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
Expand Down Expand Up @@ -55,7 +59,9 @@ neverallow all_untrusted_apps app_exec_data_file:file
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_base_app_25
-untrusted_app_27
-untrusted_base_app_27
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;

Expand All @@ -65,7 +71,9 @@ neverallow {
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_base_app_25
-untrusted_app_27
-untrusted_base_app_27
} dex2oat_exec:file no_x_file_perms;

# Do not allow untrusted apps to be assigned mlstrustedsubject.
Expand Down Expand Up @@ -117,8 +125,11 @@ neverallow all_untrusted_apps *:{
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_base_app_25
-untrusted_app_27
-untrusted_base_app_27
-untrusted_app_29
-untrusted_base_app_29
} domain:netlink_route_socket { bind nlmsg_readpriv };

# Do not allow untrusted apps access to /cache
Expand Down Expand Up @@ -244,7 +255,11 @@ neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_base_app_25
} proc_tty_drivers:file r_file_perms;
neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;

# Untrusted apps are not allowed to use cgroups.
Expand All @@ -255,7 +270,9 @@ neverallow all_untrusted_apps cgroup:file *;
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_base_app_25
-untrusted_app_27
-untrusted_base_app_27
} mnt_sdcard_file:lnk_file *;

# Only privileged apps may find the incident service
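Review bot: The extended define(`all_untrusted_apps') at the top of the first hunk and the new `-untrusted_base_app_25`/`-untrusted_base_app_27`/`-untrusted_base_app_29` exclusions in the later hunks say nothing about why every untrusted_app_N now has a base twin, so a maintainer adding an exemption for one family can silently omit the other. A comment above the define would pin the invariant, e.g. `# untrusted_base_app* are the seinfo=base counterparts of untrusted_app* (see seapp_contexts); any exclusion granted to untrusted_app_N below must also be granted to untrusted_base_app_N.` The same pairing is repeated in the execmod and ashmem neverallows of public/domain.te. Each added exclusion widens the legacy compat surface (execmod, execute_no_trans, dex2oat, ashmem, proc_tty_drivers, netlink_route_socket) to the new domains, which appears intended since the private untrusted_base_app_25/27 files grant exactly those permissions.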
4 changes: 4 additions & 0 deletions prebuilts/api/30.0/private/compat/26.0/26.0.ignore.cil
Expand Up @@ -190,6 +190,10 @@
traced_probes_tmpfs
traced_producer_socket
traced_tmpfs
untrusted_base_app
untrusted_base_app_25
untrusted_base_app_27
untrusted_base_app_29
untrusted_app_all_devpts
update_engine_log_data_file
vendor_default_prop
4 changes: 4 additions & 0 deletions prebuilts/api/30.0/private/compat/27.0/27.0.ignore.cil
Expand Up @@ -169,6 +169,10 @@
traceur_app
traceur_app_tmpfs
untrusted_app_all_devpts
untrusted_base_app
untrusted_base_app_25
untrusted_base_app_27
untrusted_base_app_29
update_engine_log_data_file
uri_grants_service
usbd
4 changes: 4 additions & 0 deletions prebuilts/api/30.0/private/compat/28.0/28.0.ignore.cil
Expand Up @@ -145,6 +145,10 @@
traced_lazy_prop
uri_grants_service
use_memfd_prop
untrusted_base_app
untrusted_base_app_25
untrusted_base_app_27
untrusted_base_app_29
vendor_apex_file
vendor_cgroup_desc_file
vendor_idc_file
4 changes: 4 additions & 0 deletions prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
Expand Up @@ -121,6 +121,10 @@
userspace_reboot_test_prop
vehicle_hal_prop
tv_tuner_resource_mgr_service
untrusted_base_app
untrusted_base_app_25
untrusted_base_app_27
untrusted_base_app_29
vendor_apex_file
vendor_boringssl_self_test
vendor_install_recovery
10 changes: 5 additions & 5 deletions prebuilts/api/30.0/private/seapp_contexts
Expand Up @@ -170,15 +170,15 @@ user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app
#user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
#user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=app.seamlessupdate.client domain=updater_app type=app_data_file levelFrom=user
user=_app seinfo=base minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
user=_app seinfo=base minTargetSdkVersion=30 domain=untrusted_base_app type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
user=_app seinfo=base minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
user=_app seinfo=base minTargetSdkVersion=29 domain=untrusted_base_app_29 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
user=_app seinfo=base minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app seinfo=base minTargetSdkVersion=28 domain=untrusted_base_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app seinfo=base minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app seinfo=base minTargetSdkVersion=26 domain=untrusted_base_app_27 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app seinfo=base domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app seinfo=base domain=untrusted_base_app_25 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app seinfo=base minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
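Review bot: Every seinfo=base row is now an exact copy of the row beneath it with untrusted_app replaced by untrusted_base_app, and nothing in the file says the two rows must agree on minTargetSdkVersion and levelFrom, which is what keeps the base domains on the same API-level split as the untrusted ones. A comment above the first pair such as `# seinfo=base apps get the untrusted_base_app_* twin of the untrusted_app_* domain chosen by targetSdkVersion; keep each pair in sync` would make that visible. The two `fromRunAs=true` rows at the end still map both seinfo=base and non-base apps to runas_app, which looks deliberate given the `-runas_app` exclusion in app_neverallows.te, but is worth confirming.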
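--- /dev/null
+++ b/prebuilts/api/30.0/private/untrusted_base_app.te
@@ -0,0 +1,16 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion >= 30.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_base_app coredomain;
+
+app_domain(untrusted_base_app)
+untrusted_app_domain(untrusted_base_app)
+net_domain(untrusted_base_app)
+bluetooth_domain(untrusted_base_app)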
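Review bot: The header is copied verbatim from untrusted_app.te: it titles the domain "Untrusted apps" with targetSdkVersion >= 30 and points at public/untrusted_app.te, but never says this is the seinfo=base variant, which is the only thing distinguishing it from untrusted_app and is what seapp_contexts keys on. Replace the title line with `### untrusted_base_app: seinfo=base counterpart of untrusted_app (targetSdkVersion >= 30).` and point the cross-reference at public/untrusted_base_app.te, which this commit adds. The same copied header and stale cross-reference appear in untrusted_base_app_25.te, untrusted_base_app_27.te and untrusted_base_app_29.te.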
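--- /dev/null
+++ b/prebuilts/api/30.0/private/untrusted_base_app_25.te
@@ -0,0 +1,53 @@
+###
+### untrusted_base_app_25
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion <= 25.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_base_app_25 coredomain;
+
+app_domain(untrusted_base_app_25)
+untrusted_app_domain(untrusted_base_app_25)
+net_domain(untrusted_base_app_25)
+bluetooth_domain(untrusted_base_app_25)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_base_app_25 proc_misc:file r_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+allow untrusted_base_app_25 proc_tty_drivers:file r_file_perms;
+
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_base_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_base_app_25 app_data_file:file execute_no_trans;
+auditallow untrusted_base_app_25 app_data_file:file { execute execute_no_trans };
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_base_app_25 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_base_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_base_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_base_app_25 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_base_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_base_app_25 self:netlink_route_socket { bind nlmsg_readpriv };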
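Review bot: The comment above the execute_no_trans allow still says the permission is also granted for targetAPIs 26, 27 and 28 "in untrusted_app_27.te", which is the wrong file for this domain family; for seinfo=base apps the matching rule lives in the untrusted_base_app_27.te added by this commit. Change the line to `# and 28 in untrusted_base_app_27.te.` Otherwise the rule set is untrusted_base_app_27.te plus the /proc/misc and /proc/tty/drivers reads, which lines up with the `-untrusted_base_app_25` exclusions added to app_neverallows.te.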
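--- /dev/null
+++ b/prebuilts/api/30.0/private/untrusted_base_app_27.te
@@ -0,0 +1,41 @@
+###
+### Untrusted_27.
+###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 28.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_base_app_27 coredomain;
+
+app_domain(untrusted_base_app_27)
+untrusted_app_domain(untrusted_base_app_27)
+net_domain(untrusted_base_app_27)
+bluetooth_domain(untrusted_base_app_27)
+
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_base_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_base_app_27 app_data_file:file execute_no_trans;
+auditallow untrusted_base_app_27 app_data_file:file { execute execute_no_trans };
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_base_app_27 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_base_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_base_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_base_app_27 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_base_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_base_app_27 self:netlink_route_socket { bind nlmsg_readpriv };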
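Review bot: The title line reads `### Untrusted_27.`, a leftover from the file it was copied from, while the sibling untrusted_base_app_25.te names its own domain in the header; the same leftover `### Untrusted_29.` is at the top of untrusted_base_app_29.te. Use `### untrusted_base_app_27` here and `### untrusted_base_app_29` there so the header identifies the domain the rules below apply to.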
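--- /dev/null
+++ b/prebuilts/api/30.0/private/untrusted_base_app_29.te
@@ -0,0 +1,19 @@
+###
+### Untrusted_29.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion = 29.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_base_app_29 coredomain;
+
+app_domain(untrusted_base_app_29)
+untrusted_app_domain(untrusted_base_app_29)
+net_domain(untrusted_base_app_29)
+bluetooth_domain(untrusted_base_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_base_app_29 self:netlink_route_socket { bind nlmsg_readpriv };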
4 changes: 3 additions & 1 deletion prebuilts/api/30.0/public/domain.te
Expand Up @@ -1123,7 +1123,7 @@ neverallow * self:process { execstack execheap };

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
neverallow { domain -untrusted_app_25 -untrusted_base_app_25 -untrusted_app_27 -untrusted_base_app_27 } file_type:file execmod;

neverallow { domain -init } proc:{ file dir } mounton;

Expand Down Expand Up @@ -1416,5 +1416,7 @@ neverallow {
domain
-ephemeral_app # We don't distinguish ephemeral apps based on target API.
-untrusted_app_25
-untrusted_base_app_25
-untrusted_app_27
-untrusted_base_app_27
} ashmem_device:chr_file open;
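Review bot: The execmod neverallow in the first hunk stays on a single line as it grows to four exclusions, while the ashmem neverallow in the second hunk already uses the one-type-per-line set form; the single-line form makes a newly added (or dropped) exclusion easy to miss in a diff, and this is the rule that gates text relocations. Splitting it the same way as the second hunk keeps the two exclusion lists directly comparable.
```selinux
neverallow {
  domain
  -untrusted_app_25
  -untrusted_base_app_25
  -untrusted_app_27
  -untrusted_base_app_27
} file_type:file execmod;
```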
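--- /dev/null
+++ b/prebuilts/api/30.0/public/untrusted_base_app.te
@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app, domain;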
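Review bot: The header states that "The untrusted_app domain is the default assignment in seapp_contexts for any app ... if the app has no specific seinfo value", which is true of untrusted_app but not of the type declared below it: untrusted_base_app is selected precisely when the app does carry seinfo=base, so the copied text misdescribes how this domain is reached. The sentence beginning "The untrusted_app domain is the default assignment" should instead say that untrusted_base_app is assigned by seapp_contexts to apps whose seinfo value (from mac_permissions.xml) is base, leaving the rest of the labelling description as is. The identical copied header sits above untrusted_base_app_25, untrusted_base_app_27 and untrusted_base_app_29 in the other three new public files.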
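--- /dev/null
+++ b/prebuilts/api/30.0/public/untrusted_base_app_25.te
@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app_25, domain;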
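--- /dev/null
+++ b/prebuilts/api/30.0/public/untrusted_base_app_27.te
@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app_27, domain;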
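--- /dev/null
+++ b/prebuilts/api/30.0/public/untrusted_base_app_29.te
@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app_29, domain;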
