Merge "Revert "Migrate contexts tests to Android.bp"" am: 8bd664ba28 am: b9e7afda53 am: 24c0c93ae6 am: c6c7a7ff70
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1949061
Change-Id: Id7a02638043fb3ea7250d21b42b4a406f220a1c4
diff --git a/apex/Android.bp b/apex/Android.bp
index 166c2d3..01d57c8 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -256,3 +256,17 @@
"com.android.car.framework-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.supplementalprocess-file_contexts",
+ srcs: [
+ "com.android.supplementalprocess-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.auxiliary-file_contexts",
+ srcs: [
+ "com.android.auxiliary-file_contexts",
+ ],
+}
diff --git a/apex/com.android.auxiliary-file_contexts b/apex/com.android.auxiliary-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.auxiliary-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.supplementalprocess-file_contexts b/apex/com.android.supplementalprocess-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.supplementalprocess-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 7c478b4..2d3b9ae 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -22,7 +22,7 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
# Should be synced with keys.conf.
-all_plat_keys := platform media networkstack shared testkey
+all_plat_keys := platform supplemental_process media networkstack shared testkey
all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
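Review bot: The new `supplemental_process` entry in `all_plat_keys` is expanded by the next line to `$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/supplemental_process.x509.pem`, but the `[@SUPPLEMENTAL_PROCESS]` stanza this commit adds to private/keys.conf reads the certificate from `$MAINLINE_SEPOLICY_DEV_CERTIFICATES`. The comment above says the list should be synced with keys.conf, so unless both variables resolve to the same directory, the path declared here is not the file whose signature ends up in mac_permissions.xml. Consider appending the key separately after the `:%=` substitution, e.g. `all_plat_keys += $(MAINLINE_SEPOLICY_DEV_CERTIFICATES)/supplemental_process.x509.pem`, assuming that variable is visible to make. The rule that consumes `all_plat_keys` lies outside this hunk, so its exact use is inferred.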
diff --git a/private/app.te b/private/app.te
index 7177b92..cec5ffe 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,3 +1,34 @@
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
+r_dir_file({
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -supplemental_process
+ -system_app
+ -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+ auditallow {
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -su
+ -supplemental_process
+ -system_app
+ -untrusted_app_all
+ } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
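Review bot: The domain set inside the `auditallow` block is a hand-maintained copy of the set passed to `r_dir_file` just above it, and the two already differ: `-su` appears only in the audited set. Nothing in the hunk records whether that difference is deliberate, so a later exclusion added to one list but not the other could leave a domain with /proc/net access unaudited without anyone noticing. A comment above the `auditallow`, such as `# Keep in sync with the r_dir_file set above; su is excluded only from auditing.`, would record the intent.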
@@ -87,6 +118,355 @@
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -supplemental_process } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -supplemental_process } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -supplemental_process } vendor_file:file x_file_perms;')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -supplemental_process }, vendor_app_file)
+allow { appdomain -ephemeral_app -supplemental_process } vendor_app_file:file execute;
+
+# Perform binder IPC to supplemental process.
+binder_call(appdomain, supplemental_process)
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } { sdcard_type fuse }:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } usbaccessory_device:chr_file { read write getattr };
+
+#logd access
+control_logd({ appdomain -ephemeral_app -supplemental_process })
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore2 get_state;
+
+use_keystore({ appdomain -isolated_app -ephemeral_app -supplemental_process })
+
+use_credstore({ appdomain -isolated_app -ephemeral_app -supplemental_process })
+
+# For app fuse.
+pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app -supplemental_process }, bufferhub_client)
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app -supplemental_process } tun_device:chr_file ioctl TUNGETIFF;
+
+
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# For AppFuse.
+allow appdomain vold:fd use;
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+allow appdomain system_file:file x_file_perms;
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write map };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write map };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read map };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read map };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
+# Allow apps to send information to statsd socket.
+unix_socket_send(appdomain, statsdw, statsd)
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+# Perform binder IPC to gpuservice.
+binder_call({ appdomain -isolated_app }, gpuservice)
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read map };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+
+allow appdomain zygote:unix_dgram_socket write;
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write map };
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+# Read access to FDs from the DropboxManagerService.
+allow appdomain dropbox_data_file:file { getattr read };
+
+# Read tmpfs types from these processes.
+allow appdomain audioserver_tmpfs:file { getattr map read write };
+allow appdomain system_server_tmpfs:file { getattr map read write };
+allow appdomain zygote_tmpfs:file { map read };
+
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
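Review bot: Two comments in the moved block no longer describe the rules beneath them: `# application inherit logd write socket (urge is to deprecate this long term)` now sits directly above the `keystore:keystore_key` and `keystore:keystore2_key` rules, and the first `# For app fuse.` heads the `pdx_client(...)` display and performance rules. The rule the logd comment appears to belong to, `allow appdomain zygote:unix_dgram_socket write;`, is further down with no comment at all. Auditors rely on these comments to judge why a permission exists, so I would move the logd comment down to the zygote datagram-socket rule and label the other groups, e.g. `# Keystore access.` and `# PDX display/performance clients.`.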
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 2ae6a5f..971feb4 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -9,6 +9,7 @@
artd_service
attestation_verification_service
camera2_extensions_prop
+ communal_service
device_config_nnapi_native_prop
dice_maintenance_service
dice_node_service
@@ -47,6 +48,7 @@
proc_watermark_scale_factor
untrusted_app_30
proc_vendor_sched
+ supplemental_process_service
sysfs_fs_fuse_bpf
sysfs_vendor_sched
tv_iapp_service
diff --git a/private/domain.te b/private/domain.te
index ae5b0d7..1e90ced 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -586,3 +586,22 @@
userdebug_or_eng(`-virtualizationservice')
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
+
+# respect system_app sandboxes
+neverallow {
+ domain
+ -appdomain
+ -system_server #populate com.android.providers.settings/databases/settings.db.
+ -installd # creation of app sandbox
+ -iorap_inode2filename
+ -traced_probes # resolve inodes for i/o tracing.
+ # only needs open and read, the rest is neverallow in
+ # traced_probes.te.
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ ephemeral_app
+ priv_app
+ supplemental_process
+ untrusted_app_all
+} system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 799d7ff..427e7d8 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -6,8 +6,6 @@
app_domain(gmscore_app)
allow gmscore_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(gmscore_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(gmscore_app, sysfs_zram)
@@ -54,6 +52,8 @@
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
dontaudit gmscore_app sysfs_dm:file r_file_perms;
dontaudit gmscore_app sysfs_loop:file r_file_perms;
+dontaudit gmscore_app sysfs_net:file r_file_perms;
+dontaudit gmscore_app sysfs_net:dir r_dir_perms;
dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;
@@ -142,3 +142,24 @@
# b/186488185: Allow GMSCore to read dck properties
get_prop(gmscore_app, dck_prop)
+
+# Do not allow getting permission-protected network information from sysfs.
+neverallow gmscore_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm gmscore_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow gmscore_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow gmscore_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 800775b..1fc9f00 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -136,7 +136,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
+neverallow isolated_app { self ephemeral_app priv_app supplemental_process untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/keys.conf b/private/keys.conf
index 362e73d..cc4e1f3 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -11,6 +11,9 @@
[@PLATFORM]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+[@SUPPLEMENTAL_PROCESS]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/supplemental_process.x509.pem
+
[@MEDIA]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 7fc37c1..0e77637 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -51,6 +51,11 @@
<seinfo value="platform" />
</signer>
+ <!-- Supplemental process key -->
+ <signer signature="@SUPPLEMENTAL_PROCESS" >
+ <seinfo value="supplemental_process" />
+ </signer>
+
<!-- Media key in AOSP -->
<signer signature="@MEDIA" >
<seinfo value="media" />
diff --git a/private/net.te b/private/net.te
new file mode 100644
index 0000000..3e20274
--- /dev/null
+++ b/private/net.te
@@ -0,0 +1,18 @@
+# Bind to ports.
+allow {netdomain -ephemeral_app -supplemental_process} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -supplemental_process} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -supplemental_process} port_type:tcp_socket name_bind;
+
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+ netdomain
+ -ephemeral_app
+ -mediaprovider
+ -supplemental_process
+ -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
+
diff --git a/private/priv_app.te b/private/priv_app.te
index 909e676..38a797c 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -100,16 +100,11 @@
}:file r_file_perms;
allow priv_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(priv_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(priv_app, sysfs_zram)
r_dir_file(priv_app, rootfs)
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
# Allow com.android.vending to communicate with statsd.
binder_call(priv_app, statsd)
@@ -262,3 +257,24 @@
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
+
+# Do not allow getting permission-protected network information from sysfs.
+neverallow priv_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow priv_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d47134b..f3dd77e 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -137,6 +137,9 @@
isSystemServer=true domain=system_server_startup
+# supplemental_process must run in the supplemental_process domain
+neverallow name=com.android.supplemental.process domain=((?!supplemental_process).)*
+
user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
@@ -171,3 +174,4 @@
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app fromRunAs=true domain=runas_app levelFrom=user
+user=_app seinfo=supplemental_process name=com.android.supplemental.process domain=supplemental_process type=app_data_file levelFrom=user
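Review bot: The new `domain=supplemental_process` entry combines `type=app_data_file` with `levelFrom=user`, so the process and its files get only per-user MLS categories, not per-app ones. private/app.te in this same commit grants `create_dir_perms` and `create_file_perms` on `app_data_file` to every appdomain that is not an mlstrustedsubject, so the category set is the main SELinux-level separation between this process's data and other apps' data labelled at the same user level. If per-app separation is intended, `levelFrom=all` would be the tighter setting; otherwise a comment on this line explaining why user-level categories are sufficient would help the next reviewer.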
diff --git a/private/service.te b/private/service.te
index 10461ec..78630f4 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,5 +1,6 @@
type attention_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
+type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index bee400f..8087d09 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -115,6 +115,7 @@
cloudsearch_service u:object_r:cloudsearch_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
+communal u:object_r:communal_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
@@ -304,6 +305,7 @@
storaged u:object_r:storaged_service:s0
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
+supplemental_process u:object_r:supplemental_process_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
diff --git a/private/supplemental_process.te b/private/supplemental_process.te
new file mode 100644
index 0000000..cb56cb6
--- /dev/null
+++ b/private/supplemental_process.te
@@ -0,0 +1,73 @@
+###
+### Supplemental Process.
+###
+### This file defines the security policy for the supplemental process.
+
+type supplemental_process, domain;
+
+typeattribute supplemental_process coredomain;
+
+net_domain(supplemental_process)
+app_domain(supplemental_process)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow supplemental_process activity_service:service_manager find;
+allow supplemental_process activity_task_service:service_manager find;
+allow supplemental_process audio_service:service_manager find;
+# Audit the access to signal that we are still investigating whether supplemental_process
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow supplemental_process audio_service:service_manager find;
+allow supplemental_process hint_service:service_manager find;
+allow supplemental_process surfaceflinger_service:service_manager find;
+allow supplemental_process trust_service:service_manager find;
+allow supplemental_process uimode_service:service_manager find;
+allow supplemental_process webviewupdate_service:service_manager find;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(supplemental_process)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(supplemental_process)
+can_profile_perf(supplemental_process)
+
+# allow supplemental processes to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow supplemental_process system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+###
+### neverallow rules
+###
+
+neverallow supplemental_process { app_data_file privapp_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow supplemental_process domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow supplemental_process domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow supplemental_process debugfs:file read;
+
+# execute gpu_device
+neverallow supplemental_process gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow supplemental_process sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow supplemental_process proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow supplemental_process { sdcard_type media_rw_data_file }:file {open create};
+neverallow supplemental_process { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow supplemental_process proc_net:file no_rw_file_perms;
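Review bot: The last neverallow names the single type `proc_net`, while the exclusion added for this domain in private/app.te is written against the `proc_net_type` attribute. If other types carry that attribute, as is likely for the per-protocol connection tables, they fall outside this assertion even though the comment's stated concern is device-wide connection information. `neverallow supplemental_process proc_net_type:file no_rw_file_perms;` would match the attribute used elsewhere in the commit, provided nothing pulled in by `net_domain()` or `app_domain()` grants that access.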
diff --git a/public/app.te b/public/app.te
index 7de9c00..09e30ca 100644
--- a/public/app.te
+++ b/public/app.te
@@ -8,375 +8,6 @@
###
type appdomain_tmpfs, file_type;
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# Receive and use open file descriptors inherited from app zygote.
-allow appdomain app_zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-# Notify zygote of the wrapped process PID when using --invoke-with.
-allow appdomain zygote:fifo_file write;
-
-userdebug_or_eng(`
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# For AppFuse.
-allow appdomain vold:fd use;
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
-
-# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
-allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Allow apps read / execute access to vendor public libraries.
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write map };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write map };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read map };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read map };
-
-# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
-#
-# TODO: All of these permissions except for anr_data_file:file append can be
-# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
-# and the rules below.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces. Also allow them to append traces to pipes
-# created by dumptrace. (Also see the rules below where they are given
-# additional permissions to dumpstate pipes for other aspects of bug report
-# creation).
-unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
-allow appdomain tombstoned:fd use;
-allow appdomain dumpstate:fifo_file append;
-allow appdomain incidentd:fifo_file append;
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Allow apps to send dump information to incidentd
-allow appdomain incidentd:fd use;
-allow appdomain incidentd:fifo_file { write getattr };
-
-# Allow apps to send information to statsd socket.
-unix_socket_send(appdomain, statsdw, statsd)
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -system_app
- -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
- auditallow {
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -su
- -system_app
- -untrusted_app_all
- } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-# Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr map };
-allow appdomain cache_backup_file:file { read write getattr map };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read map };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-allow appdomain same_process_hal_file:file { execute read open getattr map };
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write map };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-# Allow apps to run with asanwrapper.
-with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
-
-# Read access to FDs from the DropboxManagerService.
-allow appdomain dropbox_data_file:file { getattr read };
-
-# Read tmpfs types from these processes.
-allow appdomain audioserver_tmpfs:file { getattr map read write };
-allow appdomain system_server_tmpfs:file { getattr map read write };
-allow appdomain zygote_tmpfs:file { map read };
-
###
### Neverallow rules
###
diff --git a/public/domain.te b/public/domain.te
index e7853ec..6a13630 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1146,24 +1146,6 @@
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-# respect system_app sandboxes
-neverallow {
- domain
- -appdomain # finer-grained rules for appdomain are listed below
- -system_server #populate com.android.providers.settings/databases/settings.db.
- -installd # creation of app sandbox
- -iorap_inode2filename
- -traced_probes # resolve inodes for i/o tracing.
- # only needs open and read, the rest is neverallow in
- # traced_probes.te.
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
- isolated_app
- untrusted_app_all # finer-grained rules for appdomain are listed below
- ephemeral_app
- priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
diff --git a/public/net.te b/public/net.te
index 714bcde..31c9c45 100644
--- a/public/net.te
+++ b/public/net.te
@@ -13,23 +13,8 @@
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps.
-# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
-# to avoid app-compat breakage.
-allow {
- netdomain
- -ephemeral_app
- -mediaprovider
- -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/public/service.te b/public/service.te
index 0e9488c..6b2fb54 100644
--- a/public/service.te
+++ b/public/service.te
@@ -207,6 +207,7 @@
type smartspace_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type supplemental_process_service, app_api_service, system_server_service, service_manager_type;
type system_config_service, system_api_service, system_server_service, service_manager_type;
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
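Review bot: The added `supplemental_process_service` line carries `app_api_service` with no comment on who is expected to call the service, and that attribute is normally what lets app domains `find` a service through service_manager (the granting rules are outside this hunk, so confirm there). If that holds, the service's binder interface is reachable from ordinary apps, and SELinux will only gate the lookup, so the service must check the caller's identity and permissions on every call. Unlike the neighbouring `statusbar_service` and `storagestats_service`, the line omits `ephemeral_app_api_service`, which presumably keeps instant apps out; it is worth confirming that this is intended. I would put a short comment above the line, for example `# Looked up by regular apps (not instant apps); callers are authorized inside the service.`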