1 ### 2 ### Untrusted apps. 3 ### 4 ### This file defines the rules for untrusted apps. 5 ### Apps are labeled based on mac_permissions.xml (maps signer and 6 ### optionally package name to seinfo value) and seapp_contexts (maps UID 7 ### and optionally seinfo value to domain for process and type for data 8 ### directory). The untrusted_app domain is the default assignment in 9 ### seapp_contexts for any app with UID between APP_AID (10000) 10 ### and AID_ISOLATED_START (99000) if the app has no specific seinfo 11 ### value as determined from mac_permissions.xml. In current AOSP, this 12 ### domain is assigned to all non-system apps as well as to any system apps 13 ### that are not signed by the platform key. To move 14 ### a system app into a specific domain, add a signer entry for it to 15 ### mac_permissions.xml and assign it one of the pre-existing seinfo values 16 ### or define and use a new seinfo value in both mac_permissions.xml and 17 ### seapp_contexts. 18 ### 19 ### untrusted_app includes all the appdomain rules, plus the 20 ### additional following rules: 21 ### 22 23 type untrusted_app, domain; 24 app_domain(untrusted_app) 25 net_domain(untrusted_app) 26 bluetooth_domain(untrusted_app) 27 28 # Some apps ship with shared libraries and binaries that they write out 29 # to their sandbox directory and then execute. 30 allow untrusted_app app_data_file:file { rx_file_perms execmod }; 31 32 # ASEC 33 allow untrusted_app asec_apk_file:file r_file_perms; 34 allow untrusted_app asec_apk_file:dir r_dir_perms; 35 # Execute libs in asec containers. 36 allow untrusted_app asec_public_file:file { execute execmod }; 37 38 # Allow the allocation and use of ptys 39 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm 40 create_pty(untrusted_app) 41 42 # Used by Finsky / Android "Verify Apps" functionality when 43 # running "adb install foo.apk". 44 # TODO: Long term, we don't want apps probing into shell data files. 45 # Figure out a way to remove these rules. 46 allow untrusted_app shell_data_file:file r_file_perms; 47 allow untrusted_app shell_data_file:dir r_dir_perms; 48 49 # Read and write system app data files passed over Binder. 50 # Motivating case was /data/data/com.android.settings/cache/*.jpg for 51 # cropping or taking user photos. 52 allow untrusted_app system_app_data_file:file { read write getattr }; 53 54 # 55 # Rules migrated from old app domains coalesced into untrusted_app. 56 # This includes what used to be media_app, shared_app, and release_app. 57 # 58 59 # Access to /data/media. 60 allow untrusted_app media_rw_data_file:dir create_dir_perms; 61 allow untrusted_app media_rw_data_file:file create_file_perms; 62 63 # Traverse into /mnt/media_rw for bypassing FUSE daemon 64 # TODO: narrow this to just MediaProvider 65 allow untrusted_app mnt_media_rw_file:dir search; 66 67 # allow cts to query all services 68 allow untrusted_app servicemanager:service_manager list; 69 70 allow untrusted_app audioserver_service:service_manager find; 71 allow untrusted_app cameraserver_service:service_manager find; 72 allow untrusted_app drmserver_service:service_manager find; 73 allow untrusted_app mediaserver_service:service_manager find; 74 allow untrusted_app mediaextractor_service:service_manager find; 75 allow untrusted_app mediacodec_service:service_manager find; 76 allow untrusted_app mediadrmserver_service:service_manager find; 77 allow untrusted_app nfc_service:service_manager find; 78 allow untrusted_app radio_service:service_manager find; 79 allow untrusted_app surfaceflinger_service:service_manager find; 80 allow untrusted_app app_api_service:service_manager find; 81 82 # Allow GMS core to access perfprofd output, which is stored 83 # in /data/misc/perfprofd/. GMS core will need to list all 84 # data stored in that directory to process them one by one. 85 userdebug_or_eng(` 86 allow untrusted_app perfprofd_data_file:file r_file_perms; 87 allow untrusted_app perfprofd_data_file:dir r_dir_perms; 88 ') 89 90 # gdbserver for ndk-gdb ptrace attaches to app process. 91 allow untrusted_app self:process ptrace; 92 93 # Programs routinely attempt to scan through /system, looking 94 # for files. Suppress the denials when they occur. 95 dontaudit untrusted_app exec_type:file getattr; 96 97 # TODO: switch to meminfo service 98 allow untrusted_app proc_meminfo:file r_file_perms; 99 100 # https://code.google.com/p/chromium/issues/detail?id=586021 101 allow untrusted_app proc:file r_file_perms; 102 # access /proc/net/xt_qtguid/stats 103 r_dir_file(untrusted_app, proc_net) 104 105 # Cts: HwRngTest 106 allow untrusted_app sysfs_hwrandom:dir search; 107 allow untrusted_app sysfs_hwrandom:file r_file_perms; 108 109 # Allow apps to view preloaded content 110 allow untrusted_app preloads_data_file:dir r_dir_perms; 111 allow untrusted_app preloads_data_file:file r_file_perms; 112 113 ### 114 ### neverallow rules 115 ### 116 117 # Receive or send uevent messages. 118 neverallow untrusted_app domain:netlink_kobject_uevent_socket *; 119 120 # Receive or send generic netlink messages 121 neverallow untrusted_app domain:netlink_socket *; 122 123 # Too much leaky information in debugfs. It's a security 124 # best practice to ensure these files aren't readable. 125 neverallow untrusted_app debugfs_type:file read; 126 127 # Do not allow untrusted apps to register services. 128 # Only trusted components of Android should be registering 129 # services. 130 neverallow untrusted_app service_manager_type:service_manager add; 131 132 # Do not allow untrusted_apps to connect to the property service 133 # or set properties. b/10243159 134 neverallow untrusted_app property_socket:sock_file write; 135 neverallow untrusted_app init:unix_stream_socket connectto; 136 neverallow untrusted_app property_type:property_service set; 137 138 # Do not allow untrusted_app to be assigned mlstrustedsubject. 139 # This would undermine the per-user isolation model being 140 # enforced via levelFrom=user in seapp_contexts and the mls 141 # constraints. As there is no direct way to specify a neverallow 142 # on attribute assignment, this relies on the fact that fork 143 # permission only makes sense within a domain (hence should 144 # never be granted to any other domain within mlstrustedsubject) 145 # and untrusted_app is allowed fork permission to itself. 146 neverallow untrusted_app mlstrustedsubject:process fork; 147 148 # Do not allow untrusted_app to hard link to any files. 149 # In particular, if untrusted_app links to other app data 150 # files, installd will not be able to guarantee the deletion 151 # of the linked to file. Hard links also contribute to security 152 # bugs, so we want to ensure untrusted_app never has this 153 # capability. 154 neverallow untrusted_app file_type:file link; 155 156 # Do not allow untrusted_app to access network MAC address file 157 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms; 158 159 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the 160 # ioctl permission, or 3. disallow the socket class. 161 neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 162 neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl; 163 neverallow untrusted_app *:{ 164 socket netlink_socket packet_socket key_socket appletalk_socket 165 netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket 166 netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket 167 netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket 168 netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 169 netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 170 netlink_rdma_socket netlink_crypto_socket 171 } *; 172 173 # Do not allow untrusted_app access to /cache 174 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms }; 175 neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr }; 176 177 # Do not allow untrusted_app to set system properties. 178 neverallow untrusted_app property_socket:sock_file write; 179 neverallow untrusted_app property_type:property_service set; 180 181 # Do not allow untrusted_app to create/unlink files outside of its sandbox, 182 # internal storage or sdcard. 183 # World accessible data locations allow application to fill the device 184 # with unaccounted for data. This data will not get removed during 185 # application un-installation. 186 neverallow untrusted_app { 187 fs_type 188 -fuse # sdcard 189 -sdcardfs # sdcard 190 -vfat 191 file_type 192 -app_data_file # The apps sandbox itself 193 -media_rw_data_file # Internal storage. Known that apps can 194 # leave artfacts here after uninstall. 195 -user_profile_data_file # Access to profile files 196 -user_profile_foreign_dex_data_file # Access to profile files 197 userdebug_or_eng(` 198 -method_trace_data_file # only on ro.debuggable=1 199 -coredump_file # userdebug/eng only 200 ') 201 }:dir_file_class_set { create unlink }; 202 203 # Do not allow untrusted_app to directly open tun_device 204 neverallow untrusted_app tun_device:chr_file open; 205 206 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) 207 neverallow untrusted_app anr_data_file:file ~{ open append }; 208 neverallow untrusted_app anr_data_file:dir ~search; 209
