PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
04b70519cf
android_system_sepolicy/private/platform_app.te

80 lines
3.1 KiB
Plaintext
Raw Normal View History

Move platform_app policy to private This leaves only the existence of platform_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from platform_app_current attribute (as expected). Bug: 31364497 Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
2017-01-09 14:52:59 -08:00
###
### Apps signed with the platform key.
###
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 14:27:32 -07:00
typeattribute platform_app coredomain;
Move platform_app policy to private This leaves only the existence of platform_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from platform_app_current attribute (as expected). Bug: 31364497 Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
2017-01-09 14:52:59 -08:00
Whitespace fix Because I'm nitpicky. Test: policy compiles Change-Id: I4d886d0d6182d29d7b260cf1f142c47cd32eda29
2016-12-09 20:14:31 -08:00
app_domain(platform_app)
Move platform_app policy to private This leaves only the existence of platform_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from platform_app_current attribute (as expected). Bug: 31364497 Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
2017-01-09 14:52:59 -08:00
# Access the network.
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app icon_file:file { open getattr read };
Merge ephemeral data and apk files into app The rules for the two types were the same and /data/app-ephemeral is being removed. Remove these types. Test: Builds Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
2017-01-25 14:55:56 -08:00
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
Move platform_app policy to private This leaves only the existence of platform_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from platform_app_current attribute (as expected). Bug: 31364497 Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
2017-01-09 14:52:59 -08:00
# created by system server.
Merge ephemeral data and apk files into app The rules for the two types were the same and /data/app-ephemeral is being removed. Remove these types. Test: Builds Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
2017-01-25 14:55:56 -08:00
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
Move platform_app policy to private This leaves only the existence of platform_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from platform_app_current attribute (as expected). Bug: 31364497 Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
2017-01-09 14:52:59 -08:00
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms;
# Access to /data/media.
allow platform_app media_rw_data_file:dir create_dir_perms;
allow platform_app media_rw_data_file:file create_file_perms;
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
# Direct access to vold-mounted storage under /mnt/media_rw
# This is a performance optimization that allows platform apps to bypass the FUSE layer
allow platform_app mnt_media_rw_file:dir r_dir_perms;
allow platform_app vfat:dir create_dir_perms;
allow platform_app vfat:file create_file_perms;
domain_deprecated: remove rootfs access Grant audited permissions collected in logs. tcontext=platform_app avc: granted { getattr } for comm=496E666C6174657254687265616420 path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir tcontext=system_app avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir tcontext=update_engine avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0" ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file Bug: 28760354 Test: build Change-Id: I6135eea1d10b903a4a7e69da468097f495484665
2017-07-10 20:39:50 -07:00
# com.android.systemui
allow platform_app rootfs:dir getattr;
domain_deprecated: remove proc access Remove "granted" logspam. Grante the observed permissions to the individual processes that need them and remove the permission from domain_deprecated. avc: granted { read open } for comm="ndroid.settings" path="/proc/version" dev="proc" ino=4026532081 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm=4173796E635461736B202332 path="/proc/pagetypeinfo" dev="proc" ino=4026532129 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="uncrypt" path="/proc/cmdline" dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="tiveportallogin" path="/proc/vmstat" dev="proc" ino=4026532130 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file This change is specifically not granting the following since it should not be allowed: avc: granted { read open } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="crash_dump64" name="filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file Bug: 64032843 Bug: 28760354 Test: build Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0
2017-07-25 16:43:49 -07:00
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app proc:file r_file_perms;
Move platform_app policy to private This leaves only the existence of platform_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from platform_app_current attribute (as expected). Bug: 31364497 Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
2017-01-09 14:52:59 -08:00
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
rename mediaanalytics->mediametrics, wider access reflect the change from "mediaanalytics" to "mediametrics" Also incorporates a broader access to the service -- e.g. anyone. This reflects that a number of metrics submissions come from application space and not only from our controlled, trusted media related processes. The metrics service (in another commit) checks on the source of any incoming metrics data and limits what is allowed from unprivileged clients. Bug: 34615027 Test: clean build, service running and accessible Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
2017-01-24 12:53:45 -08:00
allow platform_app mediametrics_service:service_manager find;
Move platform_app policy to private This leaves only the existence of platform_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from platform_app_current attribute (as expected). Bug: 31364497 Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
2017-01-09 14:52:59 -08:00
allow platform_app mediaextractor_service:service_manager find;
allow platform_app mediacodec_service:service_manager find;
allow platform_app mediadrmserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
PowerUI access to thermalservice Allow PowerUI / platform_app to use thermalservice for receiving notifications of thermal events. Bug: 66698613 Test: PowerNotificationWarningsTest, PowerUITest, manual: marlin and <redacted> with artificially low temperature threshold and logcat debugging messages Change-Id: I5428bd5f99424f83ef72d981afaf769bdcd03629 Merged-In: I5428bd5f99424f83ef72d981afaf769bdcd03629
2017-07-12 18:12:52 -07:00
allow platform_app thermal_service:service_manager find;
Enable the TimeZoneManagerService Add policy changes to enable a new service. The service is currently switched off in config, but this change is needed before it could be enabled. Bug: 31008728 Test: make droid Merged-In: I29c4509304978afb2187fe2e7f401144c6c3b4c6 Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6
2017-01-11 08:27:02 -08:00
allow platform_app timezone_service:service_manager find;
Move platform_app policy to private This leaves only the existence of platform_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from platform_app_current attribute (as expected). Bug: 31364497 Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
2017-01-09 14:52:59 -08:00
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
allow platform_app preloads_data_file:dir r_dir_perms;
Split preloads into media_file and data_file Untrusted apps should only access /data/preloads/media and demo directory. Bug: 36197686 Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-14 11:42:03 -07:00
allow platform_app preloads_media_file:file r_file_perms;
allow platform_app preloads_media_file:dir r_dir_perms;
Move platform_app policy to private This leaves only the existence of platform_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from platform_app_current attribute (as expected). Bug: 31364497 Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
2017-01-09 14:52:59 -08:00
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2016-11-07 15:11:39 -08:00
read_runtime_log_tags(platform_app)
relax fuse_device neverallow rules The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold. Bug: 37496487 Test: policy compiles. Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
2017-04-26 11:40:48 -07:00
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-14 18:20:30 -08:00
# allow platform apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
relax fuse_device neverallow rules The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold. Bug: 37496487 Test: policy compiles. Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
2017-04-26 11:40:48 -07:00
###
### Neverallow rules
###
# app domains which access /dev/fuse should not run as platform_app
neverallow platform_app fuse_device:chr_file *;
Reference in New Issue Copy Permalink