Initial sepolicy for supplemental process
Almost a 1:1 copy of the sepolicy for ephemeral apps
Test: make
Bug: 203670791
Ignore-AOSP-First: Feature is developed in internal branch
Change-Id: Ib085c49f29dab47268e479fe5266490a66adaa87
diff --git a/private/app.te b/private/app.te
index 8477133..56f9a0b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,3 +1,34 @@
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
+r_dir_file({
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -supplemental_process
+ -system_app
+ -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+ auditallow {
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -su
+ -supplemental_process
+ -system_app
+ -untrusted_app_all
+ } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
@@ -86,6 +117,69 @@
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -supplemental_process } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -supplemental_process } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -supplemental_process } vendor_file:file x_file_perms;')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -supplemental_process }, vendor_app_file)
+allow { appdomain -ephemeral_app -supplemental_process } vendor_app_file:file execute;
+
+# Perform binder IPC to supplemental process.
+binder_call(appdomain, supplemental_process)
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } { sdcard_type fuse }:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } usbaccessory_device:chr_file { read write getattr };
+
+#logd access
+control_logd({ appdomain -ephemeral_app -supplemental_process })
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore2 get_state;
+
+use_keystore({ appdomain -isolated_app -ephemeral_app -supplemental_process })
+
+use_credstore({ appdomain -isolated_app -ephemeral_app -supplemental_process })
+
+# For app fuse.
+pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app -supplemental_process }, bufferhub_client)
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app -supplemental_process } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app -supplemental_process } tun_device:chr_file ioctl TUNGETIFF;
+
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
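Review bot: Two comments travelled with the move but no longer sit above the rules they describe: `# application inherit logd write socket (urge is to deprecate this long term)` now heads the keystore rules, although the rule it annotated (`allow appdomain zygote:unix_dgram_socket write;`) stayed in public/app.te, and `# For app fuse.` now heads the pdx_client/pdx_use rules while the app_fuse_file rule it belonged to also remains in public/app.te. Suggest dropping the logd-socket comment from this file and replacing the fuse comment with one that matches the rules under it, e.g. `# pdx clients (display / performance services).`. The section header `#logd access` also lost the space that the original `# logd access` in public/app.te still has.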
diff --git a/private/domain.te b/private/domain.te
index 5b9a5b1..b19fee7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -579,3 +579,22 @@
userdebug_or_eng(`-virtualizationservice')
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
+
+# respect system_app sandboxes
+neverallow {
+ domain
+ -appdomain
+ -system_server #populate com.android.providers.settings/databases/settings.db.
+ -installd # creation of app sandbox
+ -iorap_inode2filename
+ -traced_probes # resolve inodes for i/o tracing.
+ # only needs open and read, the rest is neverallow in
+ # traced_probes.te.
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ ephemeral_app
+ priv_app
+ supplemental_process
+ untrusted_app_all
+} system_app_data_file:dir_file_class_set { create unlink open };
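Review bot: The `-appdomain` exclusion in the first neverallow lost the explanatory comment the public/domain.te version carried, and the same comment was dropped from the untrusted_app_all entry of the second block; since the reason for excluding appdomain from a sandbox-protecting neverallow is not obvious from the rule alone, restore it: `-appdomain # finer-grained rules for appdomain are listed below`. The alphabetical reordering of the second block and the new supplemental_process entry are fine as they stand.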
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 800775b..1fc9f00 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -136,7 +136,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
+neverallow isolated_app { self ephemeral_app priv_app supplemental_process untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/net.te b/private/net.te
new file mode 100644
index 0000000..3e20274
--- /dev/null
+++ b/private/net.te
@@ -0,0 +1,18 @@
+# Bind to ports.
+allow {netdomain -ephemeral_app -supplemental_process} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -supplemental_process} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -supplemental_process} port_type:tcp_socket name_bind;
+
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+ netdomain
+ -ephemeral_app
+ -mediaprovider
+ -supplemental_process
+ -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
+
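Review bot: The new file ends with an empty line after the netlink_route_socket rule; the other new file in this change, private/supplemental_process.te, ends on its last rule, so drop the trailing blank line for consistency. The rules themselves are the public/net.te block moved verbatim with `-supplemental_process` added, so nothing else to raise here.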
diff --git a/private/supplemental_process.te b/private/supplemental_process.te
new file mode 100644
index 0000000..7066825
--- /dev/null
+++ b/private/supplemental_process.te
@@ -0,0 +1,68 @@
+###
+### Supplemental Process.
+###
+### This file defines the security policy for the supplemental process.
+
+type supplemental_process, domain;
+
+typeattribute supplemental_process coredomain;
+
+net_domain(supplemental_process)
+app_domain(supplemental_process)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow supplemental_process activity_service:service_manager find;
+allow supplemental_process surfaceflinger_service:service_manager find;
+allow supplemental_process hint_service:service_manager find;
+allow supplemental_process webviewupdate_service:service_manager find;
+allow supplemental_process uimode_service:service_manager find;
+allow supplemental_process trust_service:service_manager find;
+allow supplemental_process activity_task_service:service_manager find;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(supplemental_process)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(supplemental_process)
+can_profile_perf(supplemental_process)
+
+# allow supplemental processes to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow supplemental_process system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+###
+### neverallow rules
+###
+
+neverallow supplemental_process { app_data_file privapp_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow supplemental_process domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow supplemental_process domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow supplemental_process debugfs:file read;
+
+# execute gpu_device
+neverallow supplemental_process gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow supplemental_process sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow supplemental_process proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow supplemental_process { sdcard_type media_rw_data_file }:file {open create};
+neverallow supplemental_process { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow supplemental_process proc_net:file no_rw_file_perms;
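Review bot: The comment above the system_server udp_socket rule says the process must `not modify them other than to connect`, yet the granted set includes `setopt`, which lets the holder change socket options; if this mirrors the ephemeral_app rule (as the commit message implies) the comment is likely the part to fix, e.g. `# but not bind, listen or otherwise repurpose them`, otherwise narrow the set to `{ connect getattr read recvfrom sendto write getopt }`. The final neverallow targets the `proc_net` type only, while the grant it guards against in private/app.te is keyed on the `proc_net_type` attribute; if other types carry that attribute they fall outside this neverallow, so consider `neverallow supplemental_process proc_net_type:file no_rw_file_perms;` if all of /proc/net is meant to be covered. Also `damon` in the Perfetto comment should read `daemon`, and `{open create}` in the sdcard_type neverallow is missing the spaces used in every other permission set in the file.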
diff --git a/public/app.te b/public/app.te
index 7de9c00..4dcda95 100644
--- a/public/app.te
+++ b/public/app.te
@@ -90,11 +90,7 @@
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
@@ -110,11 +106,6 @@
allow { appdomain -isolated_app } vendor_file:dir { open read };
')
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
-
# Allow apps access to /vendor/overlay
r_dir_file(appdomain, vendor_overlay_file)
@@ -185,35 +176,6 @@
allow appdomain heapdump_data_file:file append;
')
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -system_app
- -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
- auditallow {
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -su
- -system_app
- -untrusted_app_all
- } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
@@ -253,29 +215,6 @@
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
@@ -294,20 +233,9 @@
# logd access
read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
-# application inherit logd write socket (urge is to deprecate this long term)
+
allow appdomain zygote:unix_dgram_socket write;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app })
-
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
@@ -337,13 +265,6 @@
# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write map };
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
###
### CTS-specific rules
###
@@ -353,11 +274,6 @@
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
-
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
diff --git a/public/domain.te b/public/domain.te
index e7853ec..6a13630 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1146,24 +1146,6 @@
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-# respect system_app sandboxes
-neverallow {
- domain
- -appdomain # finer-grained rules for appdomain are listed below
- -system_server #populate com.android.providers.settings/databases/settings.db.
- -installd # creation of app sandbox
- -iorap_inode2filename
- -traced_probes # resolve inodes for i/o tracing.
- # only needs open and read, the rest is neverallow in
- # traced_probes.te.
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
- isolated_app
- untrusted_app_all # finer-grained rules for appdomain are listed below
- ephemeral_app
- priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
diff --git a/public/net.te b/public/net.te
index 714bcde..31c9c45 100644
--- a/public/net.te
+++ b/public/net.te
@@ -13,23 +13,8 @@
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps.
-# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
-# to avoid app-compat breakage.
-allow {
- netdomain
- -ephemeral_app
- -mediaprovider
- -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)