Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.
This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access to privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.
This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
For now, this newly introduced label has no usage, so this change
is essentially a no-op.
Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
filesystem upgrade.
Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6407755..31551ac 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -100,6 +100,7 @@
-sdcard_type
file_type
-app_data_file # The apps sandbox itself
+ -privapp_data_file
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
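Review bot: The new `-privapp_data_file` exclusion on the added line carries no explanatory comment, while the neighbouring exclusions each say why they are exempt. Since the commit message presents this exclusion as a compatibility carry-over that may be tightened later, that reasoning belongs next to the line: `  -privapp_data_file # priv-app sandbox; mirrors app_data_file for compatibility`. The enclosing neverallow starts and ends outside this hunk.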
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index f53a194..c8b7a1f 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -31,7 +31,7 @@
(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file))
+(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
(typeattributeset app_fuse_file_26_0 (app_fuse_file))
(typeattributeset app_fusefs_26_0 (app_fusefs))
(typeattributeset appops_service_26_0 (appops_service))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index e3ca2d0..d0cb9b7 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -737,7 +737,7 @@
(typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
(typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file))
+(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file))
(typeattributeset app_fuse_file_27_0 (app_fuse_file))
(typeattributeset app_fusefs_27_0 (app_fusefs))
(typeattributeset appops_service_27_0 (appops_service))
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d733132..a784b44 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -872,7 +872,7 @@
(typeattributeset apk_private_data_file_28_0 (apk_private_data_file))
(typeattributeset apk_private_tmp_file_28_0 (apk_private_tmp_file))
(typeattributeset apk_tmp_file_28_0 (apk_tmp_file))
-(typeattributeset app_data_file_28_0 (app_data_file))
+(typeattributeset app_data_file_28_0 (app_data_file privapp_data_file))
(typeattributeset app_fuse_file_28_0 (app_fuse_file))
(typeattributeset app_fusefs_28_0 (app_fusefs))
(typeattributeset appops_service_28_0 (appops_service))
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index dfc81b8..7d01ef5 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -19,12 +19,12 @@
# Allow reading secondary dex files that were reported by the app to the
# package manager.
-allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
-dontaudit dexoptanalyzer app_data_file:dir audit_access;
+dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
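Review bot: The type set is written `{ privapp_data_file app_data_file }` in this hunk and again in domain.te and storaged.te, but `{ app_data_file privapp_data_file }` in every other file of this change. The order has no policy effect, but one spelling makes the compatibility pairs easy to grep for when the extra grants are later removed, as the commit message anticipates. Suggest `allow dexoptanalyzer { app_data_file privapp_data_file }:dir { getattr search };` and the same reorder on the two rules below it.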
diff --git a/private/domain.te b/private/domain.te
index f7f5d66..1ae31ae 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -128,7 +128,7 @@
domain
-appdomain
-installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
# Only the following processes should be directly accessing private app
# directories.
@@ -145,7 +145,7 @@
-runas
-system_server
-vold
-} app_data_file:dir *;
+} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. init and installd are exempted for
# restorecon and package install/uninstall.
@@ -154,7 +154,7 @@
-appdomain
-init
-installd
-} app_data_file:dir ~r_dir_perms;
+} { privapp_data_file app_data_file }:dir ~r_dir_perms;
neverallow {
domain
@@ -163,16 +163,16 @@
-mediaserver # b/80300620
userdebug_or_eng(`-perfprofd')
-vold # b/80418809
-} app_data_file:file_class_set open;
+} { privapp_data_file app_data_file }:file_class_set open;
neverallow {
domain
-appdomain
-installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
neverallow {
domain
-init
-installd
-} app_data_file:dir_file_class_set { relabelfrom relabelto };
+} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
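Review bot: The `{ create unlink }` neverallow updated in the middle of this hunk looks identical to the one updated in the hunk at `@@ -128` (same `-appdomain -installd` exclusions, same class set and permissions). If they really are the same rule, the duplication predates this change, but it is worth folding into one copy while both are being touched so that future tightening of the app-data neverallows does not have to be done twice. If the two copies sit under different conditionals that this view does not show, this can be ignored.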
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 75a6317..f28d28f 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -21,7 +21,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
-allow ephemeral_app app_data_file:file {r_file_perms execute};
+allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
# services
allow ephemeral_app audioserver_service:service_manager find;
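Review bot: The comment above the allow rule explains execute on an app's own sandbox files, but the rule now also grants execute on privapp_data_file, which the commit message says is added only for compatibility and is exactly the case this label is meant to separate later. A short note keeps that later tightening visible: `# privapp_data_file is included for compatibility; revisit once priv apps are labeled with it.` The same applies to the execute grants in priv_app.te and untrusted_app_all.te.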
@@ -50,7 +50,7 @@
### neverallow rules
###
-neverallow ephemeral_app app_data_file:file execute_no_trans;
+neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index a6276b3..26cb122 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
+allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
@@ -61,7 +61,7 @@
neverallow isolated_app tun_device:chr_file open;
# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
+neverallow isolated_app { app_data_file privapp_data_file }:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
diff --git a/private/mls b/private/mls
index 3b8ee3f..2eb621d 100644
--- a/private/mls
+++ b/private/mls
@@ -55,9 +55,9 @@
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
+ ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
- (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
+ ( (t2 != app_data_file and t2 != privapp_data_file) or l1 dom l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
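Review bot: The rewritten dir constraint has inconsistent spacing, `( (t2 != app_data_file and t2 != privapp_data_file ) or`, while the file constraint two rules below closes with `privapp_data_file)`; both should read `((t2 != app_data_file and t2 != privapp_data_file) or l1 dom l2 or t1 == mlstrustedsubject);`. Substantively the pairing is right: both app-data types now require subject dominance for the manipulation operations here, and the next hunk exempts both from the generic read/write constraints, so the new label gets the same MLS treatment as app_data_file.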
@@ -66,18 +66,18 @@
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
- (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
diff --git a/private/priv_app.te b/private/priv_app.te
index a952769..0afd721 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -19,7 +19,7 @@
# Some apps ship with shared libraries that they write out
# to their sandbox directory and then dlopen().
-allow priv_app app_data_file:file execute;
+allow priv_app { app_data_file privapp_data_file }:file execute;
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
diff --git a/private/storaged.te b/private/storaged.te
index 0916adf..f5f0735 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -29,7 +29,7 @@
# Needed for GMScore to call dumpsys storaged
allow storaged priv_app:fd use;
-allow storaged app_data_file:file write;
+allow storaged { privapp_data_file app_data_file }:file write;
allow storaged permission_service:service_manager find;
# Binder permissions
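Review bot: The write grant now covers both data types, but the comment above it ties the rule to GMSCore, which the adjacent `allow storaged priv_app:fd use;` suggests is a priv-app; once priv apps are relabeled, `app_data_file` on this line would be a leftover grant rather than a compatibility need. Consider marking that in place, `allow storaged { app_data_file privapp_data_file }:file write; # TODO: drop app_data_file after priv apps move to privapp_data_file`, so the broader permission is not forgotten.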
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index d9d7dea..a5ebfb0 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -55,7 +55,7 @@
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
-allow surfaceflinger app_data_file:file { read write };
+allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
# Allow writing surface traces to /data/misc/wmtrace.
userdebug_or_eng(`
diff --git a/private/system_server.te b/private/system_server.te
index 01da377..8950240 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -446,7 +446,16 @@
# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+allow system_server {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:dir { getattr read search };
+
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
allow system_server unlabeled:dir r_dir_perms;
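Review bot: The same seven-type list is now spelled out in three places in this file (this `:dir` grant, the `:file` grant in the next hunk, and a subset in the neverallow at `@@ -821`), and the comment says the entries are copied from seapp_contexts, so each future type added there must be added to every copy by hand. A style option is to declare one attribute for the seapp_contexts data types and reference it from the three rules; short of that, a comment naming the sibling rules on each list would make the coupling visible. The multi-line layout itself is an improvement over the single-line form it replaces.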
@@ -459,7 +468,15 @@
# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+allow system_server {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:file { getattr read write append };
# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };
@@ -821,7 +838,13 @@
# file descriptor.
# Types extracted from seapp_contexts type= fields, excluding
# those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+neverallow system_server {
+ bluetooth_data_file
+ nfc_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:file { open create unlink link };
# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 07d9d4d..65be583 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -23,7 +23,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file { rx_file_perms };
+allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 55b268a..ea01412 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -95,6 +95,7 @@
# Should not have any access to app data files.
neverallow webview_zygote {
app_data_file
+ privapp_data_file
system_app_data_file
bluetooth_data_file
nfc_data_file