reland: untrusted_app_29: add new targetSdk domain Enforce new requirements on app with targetSdkVersion=30 including: - No RTM_GETLINK on netlink route sockets. Remove some of the repetitive descriptions in each untrusted_app_N.te file, and instead refer to the description in public/untrusted_app.te. Bug: 141455849 Test: CtsSelinuxTargetSdkCurrentTestCases Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b

commit: 1f7ae8ee3f589aece315dc61662ea95d26786236 [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Mon Jan 20 10:14:48 2020 +0100
committer: Jeffrey Vander Stoep <jeffv@google.com> Wed Jan 22 09:47:53 2020 +0000
tree: 5848f0a91de4cec5a8f61fd23a8127c79f723aac
parent: 1d241db7e59b08c3d94ddc3d9e21be76d671ea9e [diff] [blame]
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
new file mode 100644
index 0000000..344ae89
--- /dev/null
+++ b/private/untrusted_app_29.te

@@ -0,0 +1,19 @@
+###
+### Untrusted_29.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion = 29.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_29 coredomain;
+
+app_domain(untrusted_app_29)
+untrusted_app_domain(untrusted_app_29)
+net_domain(untrusted_app_29)
+bluetooth_domain(untrusted_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
commit	1f7ae8ee3f589aece315dc61662ea95d26786236	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Mon Jan 20 10:14:48 2020 +0100
committer	Jeffrey Vander Stoep <jeffv@google.com>	Wed Jan 22 09:47:53 2020 +0000
tree	5848f0a91de4cec5a8f61fd23a8127c79f723aac
parent	1d241db7e59b08c3d94ddc3d9e21be76d671ea9e [diff] [blame]