android_system_sepolicy/private/untrusted_app_25.te

###
### Untrusted_app_25
###
### This file defines the rules for untrusted apps running with
### targetSdkVersion <= 25.
###
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory).  The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml.  In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key.  To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###

typeattribute untrusted_app_25 coredomain;

app_domain(untrusted_app_25)
untrusted_app_domain(untrusted_app_25)
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)

# b/34115651, b/33308258 - net.dns* properties read
# This will go away in a future Android release
get_prop(untrusted_app_25, net_dns_prop)
auditallow untrusted_app_25 net_dns_prop:file read;

# b/35917228 - /proc/misc access
# This will go away in a future Android release
allow untrusted_app_25 proc_misc:file r_file_perms;

# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
allow untrusted_app_25 proc_tty_drivers:file r_file_perms;

# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;

# The ability to call exec() on files in the apps home directories
# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
# and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file execute_no_trans;
auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };

# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')

# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
auditallow untrusted_app_25 ashmem_device:chr_file open;
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 13:33:27 -08:00			`###`
			`### Untrusted_app_25`
			`###`
			`### This file defines the rules for untrusted apps running with`
			`### targetSdkVersion <= 25.`
			`###`
			`### Apps are labeled based on mac_permissions.xml (maps signer and`
			`### optionally package name to seinfo value) and seapp_contexts (maps UID`
			`### and optionally seinfo value to domain for process and type for data`
			`### directory). The untrusted_app domain is the default assignment in`
			`### seapp_contexts for any app with UID between APP_AID (10000)`
			`### and AID_ISOLATED_START (99000) if the app has no specific seinfo`
			`### value as determined from mac_permissions.xml. In current AOSP, this`
			`### domain is assigned to all non-system apps as well as to any system apps`
			`### that are not signed by the platform key. To move`
			`### a system app into a specific domain, add a signer entry for it to`
			`### mac_permissions.xml and assign it one of the pre-existing seinfo values`
			`### or define and use a new seinfo value in both mac_permissions.xml and`
			`### seapp_contexts.`
			`###`

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 14:27:32 -07:00			`typeattribute untrusted_app_25 coredomain;`

untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 13:33:27 -08:00			`app_domain(untrusted_app_25)`
			`untrusted_app_domain(untrusted_app_25)`
			`net_domain(untrusted_app_25)`
			`bluetooth_domain(untrusted_app_25)`

audit use of net.dns. property Bug: 33308258 Test: atest CtsSelinuxTargetSdk25TestCases Change-Id: Ifeceecec7b2f38ebd38b6693712b8f65ee24dc5d 2019-01-08 10:22:01 -08:00			`# b/34115651, b/33308258 - net.dns* properties read`
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083 2017-02-13 13:33:27 -08:00			`# This will go away in a future Android release`
			`get_prop(untrusted_app_25, net_dns_prop)`
audit use of net.dns. property Bug: 33308258 Test: atest CtsSelinuxTargetSdk25TestCases Change-Id: Ifeceecec7b2f38ebd38b6693712b8f65ee24dc5d 2019-01-08 10:22:01 -08:00			`auditallow untrusted_app_25 net_dns_prop:file read;`
Label /proc/misc Label /proc/misc and allow access to untrusted_apps targeting older API versions, as well as update_engine_common. /proc/misc is used by some banking apps to try to detect if they are running in an emulated environment. TODO: Remove access to proc:file from update_engine_common after more testing. Bug: 35917228 Test: Device boots and no new denials. Change-Id: If1b97a9c55a74cb74d1bb15137201ffb95b5bd75 2017-03-03 12:17:49 -08:00
			`# b/35917228 - /proc/misc access`
			`# This will go away in a future Android release`
			`allow untrusted_app_25 proc_misc:file r_file_perms;`
Move /proc/tty/drivers access to untrusted_app_25 This should only be granted to legacy apps, not to newer API versions. Change-Id: Ia4b9b3a3cf33aa31bcad2fe15d8470c50132e2a9 Test: policy compiles. 2017-03-04 20:09:10 -08:00
			`# Access to /proc/tty/drivers, to allow apps to determine if they`
			`# are running in an emulated environment.`
			`# b/33214085 b/33814662 b/33791054 b/33211769`
			`# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java`
			`# This will go away in a future Android release`
			`allow untrusted_app_25 proc_tty_drivers:file r_file_perms;`
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e) 2018-04-10 12:47:48 -07:00
Allow execmod for apps with targetSdkVersion=26-28 Bug: 129760476 Test: build Change-Id: I239c16e8269b81c22738e7813c1d4ae46068aa53 2019-04-02 13:01:10 -07:00			`# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.`
Remove legacy execmod access from API >= 26. Text relocation support was removed from the linker for apps targeting API >= 23. See https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23 However, the security policy was not updated to remove the execmod permission at that time, since we didn't have support for targeting SELinux policies to API versions. Remove execmod permissions for apps targeting API 26 or greater. The linker support was removed, so it's pointless to keep around the SELinux permissions. Retain execmod support for apps targeting API 25 or lower. While in theory we could remove support for API 23-25, that would involve the introduction of a new SELinux domain (and the associated rule explosion), which I would prefer to avoid. This change helps protect application executable code from modification, enforcing W^X properties on executable code pages loaded from files. https://en.wikipedia.org/wiki/W%5EX Test: auditallow rules were added and nothing triggered for apps targeting API >= 26. Code compiles and device boots. Bug: 111544476 Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41 2018-08-07 15:14:34 -07:00			`# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23`
			`allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;`
Revert "Revert "Enforce execve() restrictions for API > 28"" This reverts commit 15d1a12f7f57f589c2f1401f8e72813546fd8dda. Bug: 118737210 Bug: 112357170 Test: boot marlin Change-Id: Idcfab04b48f843eead4efa9f58a1337c6685c6ca 2018-11-02 11:12:43 -07:00
Revert "remove app_data_file execute" This reverts commit b362474374afc402f65695252d30a008326c0eba. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots 2018-12-21 10:03:50 -08:00			`# The ability to call exec() on files in the apps home directories`
			`# for targetApi<=25. This is also allowed for targetAPIs 26, 27,`
			`# and 28 in untrusted_app_27.te.`
			`allow untrusted_app_25 app_data_file:file execute_no_trans;`
Audit native code loading on user builds. Extend the auditing of native code loading from non-priv app home directories to user builds. Only applies to apps targeting SDK <= 28. Bug: 111338677 Test: Builds Change-Id: I6fbbd80626a1c87dd7ece689f9fecd7c0a1a59d6 2019-01-28 02:33:08 -08:00			`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };`
Remove 'dex2oat_exec' from untrusted_app Remove the permission to execute dex2oat from apps targetSdkVersion>28. This has been historically used by ART to compile secondary dex files but that functionality has been removed in Q and the permission is therefore not needed. Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for targetSdkVersion<= 28. Test: atest CtsSelinuxTargetSdk25TestCases Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CtsSelinuxTargetSdkCurrentTestCases Bug: 117606664 Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5 2018-11-19 15:02:49 -08:00
			`# The ability to invoke dex2oat. Historically required by ART, now only`
			`# allowed for targetApi<=28 for compat reasons.`
			`allow untrusted_app_25 dex2oat_exec:file rx_file_perms;`
place dex2oat auditallow statements in userdebug_or_eng blocks By convention, auditallow statements are always placed in userdebug_or_eng() blocks. This ensures that we don't inadvertently ship audit rules on production devices, which could result in device logspam, and in pathological situations, impact device performance (generating audit messages is much more expensive than a standard SELinux check). Bug: 117606664 Test: policy compiles. Change-Id: I681ed73c83683e8fdbef9cf662488115f6e7a490 2018-11-20 10:45:56 -08:00			userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
sepolicy for ashmemd all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider are now expected to go to ashmemd for /dev/ashmem fds. Give coredomain access to ashmemd, because ashmemd is the default way for coredomain to get a /dev/ashmem fd. Bug: 113362644 Test: device boots, ashmemd running Test: Chrome app works Test: "lsof /system/lib64/libashmemd_client.so" shows libashmemd_client.so being loaded into apps. Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a 2019-01-27 13:39:19 -08:00
			`# The ability to talk to /dev/ashmem directly. targetApi>=29 must use`
			`# ASharedMemory instead.`
			`allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;`
Neverallow app open access to /dev/ashmem Apps are no longer allowed open access to /dev/ashmem, unless they target API level < Q. Bug: 113362644 Test: device boots, Chrome, instant apps work Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42 2019-02-12 14:14:30 -08:00			`auditallow untrusted_app_25 ashmem_device:chr_file open;`