untrusted_app: policy versioning based on targetSdkVersion
Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion.
Place untrusted apps with targetSdkVersion<=25 into the
untrusted_app_25 domain. Apps with targetSdkVersion>=26 are placed
into the untrusted_app domain. Common rules are included in the
untrusted_app_all attribute. Apps with a more recent targetSdkVersion
are granted fewer permissions.
Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 50d79ee..ead9a16 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -18,93 +18,6 @@
###
app_domain(untrusted_app)
+untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
-
-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-get_prop(untrusted_app, net_dns_prop)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
-
-# Legacy text relocations
-allow untrusted_app apk_data_file:file execmod;
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app app_data_file:file { rx_file_perms execmod };
-
-# ASEC
-allow untrusted_app asec_apk_file:file r_file_perms;
-allow untrusted_app asec_apk_file:dir r_dir_perms;
-# Execute libs in asec containers.
-allow untrusted_app asec_public_file:file { execute execmod };
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-# TODO: Long term, we don't want apps probing into shell data files.
-# Figure out a way to remove these rules.
-allow untrusted_app shell_data_file:file r_file_perms;
-allow untrusted_app shell_data_file:dir r_dir_perms;
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app system_app_data_file:file { read write getattr };
-
-#
-# Rules migrated from old app domains coalesced into untrusted_app.
-# This includes what used to be media_app, shared_app, and release_app.
-#
-
-# Access to /data/media.
-allow untrusted_app media_rw_data_file:dir create_dir_perms;
-allow untrusted_app media_rw_data_file:file create_file_perms;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app mnt_media_rw_file:dir search;
-
-# allow cts to query all services
-allow untrusted_app servicemanager:service_manager list;
-
-allow untrusted_app audioserver_service:service_manager find;
-allow untrusted_app cameraserver_service:service_manager find;
-allow untrusted_app drmserver_service:service_manager find;
-allow untrusted_app mediaserver_service:service_manager find;
-allow untrusted_app mediaextractor_service:service_manager find;
-allow untrusted_app mediacodec_service:service_manager find;
-allow untrusted_app mediametrics_service:service_manager find;
-allow untrusted_app mediadrmserver_service:service_manager find;
-allow untrusted_app nfc_service:service_manager find;
-allow untrusted_app radio_service:service_manager find;
-allow untrusted_app surfaceflinger_service:service_manager find;
-allow untrusted_app app_api_service:service_manager find;
-allow untrusted_app vr_manager_service:service_manager find;
-
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
- allow untrusted_app perfprofd_data_file:file r_file_perms;
- allow untrusted_app perfprofd_data_file:dir r_dir_perms;
-')
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_app self:process ptrace;
-
-# Cts: HwRngTest
-allow untrusted_app sysfs_hwrandom:dir search;
-allow untrusted_app sysfs_hwrandom:file r_file_perms;
-
-# Allow apps to view preloaded content
-allow untrusted_app preloads_data_file:dir r_dir_perms;
-allow untrusted_app preloads_data_file:file r_file_perms;
-
-# Access to /proc/tty/drivers, to allow apps to determine if they
-# are running in an emulated environment.
-# b/33214085 b/33814662 b/33791054 b/33211769
-# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
-allow untrusted_app proc_tty_drivers:file r_file_perms;