Make cross-user apps mlstrustedsubject.

We have various apps which inherently work across all users,
configured in seapp_contexts with levelFrom=None (usually implicitly).

This change marks those apps, where they have private data files, as
mlstrustedsubject, to allow us to increase restrictions on cross-user
access without breaking them.

Currently these apps are granted full access to [priv]app_data_file
via TE rules, but are blocked from calling open (etc) by mls rules
(they don't have a matching level).

This CL changes things round so they are granted access by mls, but
blocked from calling open by TE rules; the overall effect is thus the
same - they do not have access.

A neverallow rule is added to ensure this remains true.

Note that there are various vendor apps which are appdomain,
levelFrom=None; they will also need modified policy.

Test: builds, boots, no new denials.
Bug: 141677108

Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 1680361..0453b3d 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,6 +1,6 @@
 # bluetooth app
 
-typeattribute bluetooth coredomain;
+typeattribute bluetooth coredomain, mlstrustedsubject;
 
 app_domain(bluetooth)
 net_domain(bluetooth)
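Review bot: The new `mlstrustedsubject` on the bluetooth typeattribute line is not explained at the point of declaration, and the attribute exempts the domain from MLS constraints on every object it touches, not only on the app data files the description discusses; the neverallows added in private/mlstrustedsubject.te bound only `app_data_file` and `privapp_data_file`, so any other per-user-labelled objects these domains are already granted by TE would no longer be held back by MLS. A one-line comment would record why the exemption is acceptable here, e.g. `# Works across all users (levelFrom=None); mlstrustedsubject so that cross-user MLS restrictions can be tightened without breaking it. See b/141677108.`. The same applies to the nfc, radio, shell and system_app hunks.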
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
new file mode 100644
index 0000000..b803dbc
--- /dev/null
+++ b/private/mlstrustedsubject.te
@@ -0,0 +1,32 @@
+# MLS override can't be used to access private app data.
+
+# Apps should not normally be mlstrustedsubject, but if they must be
+# they cannot use this to access app private data files; their own app
+# data files must use a different label.
+
+neverallow {
+  mlstrustedsubject
+  -installd
+  -iorap_prefetcherd
+  -iorap_inode2filename
+} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
+
+neverallow {
+  mlstrustedsubject
+  -installd
+  -iorap_prefetcherd
+  -iorap_inode2filename
+} { app_data_file privapp_data_file }:dir ~{ read getattr search };
+
+# TODO(b/141677108): See if we can remove any of these.
+neverallow {
+  mlstrustedsubject
+  -installd
+  -iorap_prefetcherd
+  -iorap_inode2filename
+  -system_server
+  -adbd
+  -runas
+  -dexoptanalyzer
+  -zygote
+} { app_data_file privapp_data_file }:dir { read getattr search };
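Review bot: The three exception lists carry no explanation, which makes the `# TODO(b/141677108): See if we can remove any of these.` hard to act on later. A comment naming what each excluded domain needs the access for (installd and the two iorap daemons in the first two rules; system_server, adbd, runas, dexoptanalyzer and zygote for the directory `{ read getattr search }` case only, so they still may not open files) would let a future reviewer judge removal. It would also help to state above the first rule that `{ read write map getattr ioctl lock append }` is the operation set usable on an fd received already open and deliberately omits `open`, `create`, `unlink`, `rename` and `setattr`, since that is the mechanism the public/app.te change relies on. `lnk_file`, `sock_file` and `fifo_file` under these labels are not covered by these rules; unless TE never grants them to mlstrustedsubject domains, the same restriction presumably belongs here too.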
diff --git a/private/nfc.te b/private/nfc.te
index 2e48eef..315b096 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,5 +1,5 @@
 # nfc subsystem
-typeattribute nfc coredomain;
+typeattribute nfc coredomain, mlstrustedsubject;
 app_domain(nfc)
 net_domain(nfc)
 
diff --git a/private/radio.te b/private/radio.te
index fad6174..f43a4c1 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,4 +1,4 @@
-typeattribute radio coredomain;
+typeattribute radio coredomain, mlstrustedsubject;
 
 app_domain(radio)
 
diff --git a/private/shell.te b/private/shell.te
index 9758b36..78909bf 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,5 +1,4 @@
-
-typeattribute shell coredomain;
+typeattribute shell coredomain, mlstrustedsubject;
 
 # allow shell input injection
 allow shell uhid_device:chr_file rw_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index e160ff4..a12d6c2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -4,7 +4,7 @@
 ### server.
 ###
 
-typeattribute system_app coredomain;
+typeattribute system_app coredomain, mlstrustedsubject;
 
 app_domain(system_app)
 net_domain(system_app)
diff --git a/public/app.te b/public/app.te
index 433bb7d..77f85bd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -66,8 +66,11 @@
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { getattr map read write };
 
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
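Review bot: The replacement rule `allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { getattr map read write };` omits `append`, `ioctl` and `lock`, all of which the domains being made mlstrustedsubject previously held through `create_file_perms` and which the new neverallow in private/mlstrustedsubject.te still permits. A write through an fd opened with O_APPEND is checked as `append` rather than `write`, and flock/fcntl locking needs `lock`, so a cross-user app handed such an fd would now be denied where it was not before; unless that narrowing is intended, `{ append getattr ioctl lock map read write }` keeps fd-based access intact while still withholding `open`. The comment `# Access via already open fds is ok even for mlstrustedsubject.` would be clearer if it named the mechanism: `# mlstrustedsubject apps get no open/create on these files, only use of fds they receive already open.`.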