Halaman utama Jelajahi Bantuan
Daftar Masuk
drachfly
/
android10
1
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Cabang: master
Ranting Tag
android10
/
system
/
sepolicy
/
private
/
untrusted_app_all.te

untrusted_app_all.te 8.5 KB
Permalink Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 
  1. ###
    2. 

  2. ### Untrusted_app_all.
    3. 

  3. ###
    4. 

  4. ### This file defines the rules shared by all untrusted app domains except
    5. 

  5. ### ephemeral_app for instant apps.
    6. 

  6. ### Apps are labeled based on mac_permissions.xml (maps signer and
    7. 

  7. ### optionally package name to seinfo value) and seapp_contexts (maps UID
    8. 

  8. ### and optionally seinfo value to domain for process and type for data
    9. 

  9. ### directory).  The untrusted_app_all attribute is assigned to all default
    10. 

  10. ### seapp_contexts for any app with UID between APP_AID (10000)
    11. 

  11. ### and AID_ISOLATED_START (99000) if the app has no specific seinfo
    12. 

  12. ### value as determined from mac_permissions.xml.  In current AOSP, this
    13. 

  13. ### attribute is assigned to all non-system apps as well as to any system apps
    14. 

  14. ### that are not signed by the platform key.  To move
    15. 

  15. ### a system app into a specific domain, add a signer entry for it to
    16. 

  16. ### mac_permissions.xml and assign it one of the pre-existing seinfo values
    17. 

  17. ### or define and use a new seinfo value in both mac_permissions.xml and
    18. 

  18. ### seapp_contexts.
    19. 

  19. ###
    20. 

  20. ### Note that rules that should apply to all untrusted apps must be in app.te or also
    21. 

  21. ### added to ephemeral_app.te.
    22. 

  22. 

  23. # Some apps ship with shared libraries and binaries that they write out
    24. 

  24. # to their sandbox directory and then execute.
    25. 

  25. allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
    26. 

  26. allow untrusted_app_all app_data_file:file     { r_file_perms execute };
    27. 

  27. auditallow untrusted_app_all app_data_file:file execute;
    28. 

  28. 

  29. # Chrome Crashpad uses the the dynamic linker to load native executables
    30. 

  30. # from an APK (b/112050209, crbug.com/928422)
    31. 

  31. allow untrusted_app_all system_linker_exec:file execute_no_trans;
    32. 

  32. 

  33. # Follow priv-app symlinks. This is used for dynamite functionality.
    34. 

  34. allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
    35. 

  35. 

  36. # Allow handling of less common filesystem objects
    37. 

  37. allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
    38. 

  38. 

  39. # Allow loading and deleting executable shared libraries
    40. 

  40. # within an application home directory. Such shared libraries would be
    41. 

  41. # created by things like renderscript or via other mechanisms.
    42. 

  42. allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
    43. 

  43. 

  44. # ASEC
    45. 

  45. allow untrusted_app_all asec_apk_file:file r_file_perms;
    46. 

  46. allow untrusted_app_all asec_apk_file:dir r_dir_perms;
    47. 

  47. # Execute libs in asec containers.
    48. 

  48. allow untrusted_app_all asec_public_file:file { execute };
    49. 

  49. 

  50. # Used by Finsky / Android "Verify Apps" functionality when
    51. 

  51. # running "adb install foo.apk".
    52. 

  52. # TODO: Long term, we don't want apps probing into shell data files.
    53. 

  53. # Figure out a way to remove these rules.
    54. 

  54. allow untrusted_app_all shell_data_file:file r_file_perms;
    55. 

  55. allow untrusted_app_all shell_data_file:dir r_dir_perms;
    56. 

  56. 

  57. # Allow traceur to pass file descriptors through a content provider to untrusted apps
    58. 

  58. # for the purpose of sharing files through e.g. gmail
    59. 

  59. allow untrusted_app_all trace_data_file:file { getattr read };
    60. 

  60. 

  61. # untrusted apps should not be able to open trace data files, they should depend
    62. 

  62. # upon traceur to pass a file descriptor
    63. 

  63. neverallow untrusted_app_all trace_data_file:dir *;
    64. 

  64. neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
    65. 

  65. 

  66. # Allow to read staged apks.
    67. 

  67. allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
    68. 

  68. 

  69. # Read and write system app data files passed over Binder.
    70. 

  70. # Motivating case was /data/data/com.android.settings/cache/*.jpg for
    71. 

  71. # cropping or taking user photos.
    72. 

  72. allow untrusted_app_all system_app_data_file:file { read write getattr };
    73. 

  73. 

  74. #
    75. 

  75. # Rules migrated from old app domains coalesced into untrusted_app.
    76. 

  76. # This includes what used to be media_app, shared_app, and release_app.
    77. 

  77. #
    78. 

  78. 

  79. # Access to /data/media.
    80. 

  80. allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
    81. 

  81. allow untrusted_app_all media_rw_data_file:file create_file_perms;
    82. 

  82. 

  83. # Traverse into /mnt/media_rw for bypassing FUSE daemon
    84. 

  84. # TODO: narrow this to just MediaProvider
    85. 

  85. allow untrusted_app_all mnt_media_rw_file:dir search;
    86. 

  86. 

  87. # allow cts to query all services
    88. 

  88. allow untrusted_app_all servicemanager:service_manager list;
    89. 

  89. 

  90. allow untrusted_app_all audioserver_service:service_manager find;
    91. 

  91. allow untrusted_app_all cameraserver_service:service_manager find;
    92. 

  92. allow untrusted_app_all drmserver_service:service_manager find;
    93. 

  93. allow untrusted_app_all mediaserver_service:service_manager find;
    94. 

  94. allow untrusted_app_all mediaextractor_service:service_manager find;
    95. 

  95. allow untrusted_app_all mediacodec_service:service_manager find;
    96. 

  96. allow untrusted_app_all mediametrics_service:service_manager find;
    97. 

  97. allow untrusted_app_all mediadrmserver_service:service_manager find;
    98. 

  98. allow untrusted_app_all nfc_service:service_manager find;
    99. 

  99. allow untrusted_app_all radio_service:service_manager find;
    100. 

  100. allow untrusted_app_all app_api_service:service_manager find;
    101. 

  101. allow untrusted_app_all vr_manager_service:service_manager find;
    102. 

  102. allow untrusted_app_all gpu_service:service_manager find;
    103. 

  103. 

  104. # Allow untrusted apps to interact with gpuservice
    105. 

  105. binder_call(untrusted_app_all, gpuservice)
    106. 

  106. 

  107. # Allow GMS core to access perfprofd output, which is stored
    108. 

  108. # in /data/misc/perfprofd/. GMS core will need to list all
    109. 

  109. # data stored in that directory to process them one by one.
    110. 

  110. userdebug_or_eng(`
    111. 

  111.   allow untrusted_app_all perfprofd_data_file:file r_file_perms;
    112. 

  112.   allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
    113. 

  113. ')
    114. 

  114. 

  115. # gdbserver for ndk-gdb ptrace attaches to app process.
    116. 

  116. allow untrusted_app_all self:process ptrace;
    117. 

  117. 

  118. # Android Studio Instant Run has the application connect to a
    119. 

  119. # runas_app socket listening in the abstract namespace.
    120. 

  120. # https://developer.android.com/studio/run/
    121. 

  121. # b/123297648
    122. 

  122. allow untrusted_app_all runas_app:unix_stream_socket connectto;
    123. 

  123. 

  124. # Untrusted apps need to be able to send a SIGCHLD to runas_app
    125. 

  125. # when running under a debugger (b/123612207)
    126. 

  126. allow untrusted_app_all runas_app:process sigchld;
    127. 

  127. 

  128. # Cts: HwRngTest
    129. 

  129. allow untrusted_app_all sysfs_hwrandom:dir search;
    130. 

  130. allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
    131. 

  131. 

  132. # Allow apps to view preloaded media content
    133. 

  133. allow untrusted_app_all preloads_media_file:dir r_dir_perms;
    134. 

  134. allow untrusted_app_all preloads_media_file:file r_file_perms;
    135. 

  135. allow untrusted_app_all preloads_data_file:dir search;
    136. 

  136. 

  137. # Allow untrusted apps read / execute access to /vendor/app for there can
    138. 

  138. # be pre-installed vendor apps that package a library within themselves.
    139. 

  139. # TODO (b/37784178) Consider creating  a special type for /vendor/app installed
    140. 

  140. # apps.
    141. 

  141. allow untrusted_app_all vendor_app_file:dir { open getattr read search };
    142. 

  142. allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
    143. 

  143. allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
    144. 

  144. 

  145. # Write app-specific trace data to the Perfetto traced damon. This requires
    146. 

  146. # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
    147. 

  147. allow untrusted_app_all traced:fd use;
    148. 

  148. allow untrusted_app_all traced_tmpfs:file { read write getattr map };
    149. 

  149. unix_socket_connect(untrusted_app_all, traced_producer, traced)
    150. 

  150. 

  151. # Allow heap profiling if the app opts in by being marked
    152. 

  152. # profileable/debuggable.
    153. 

  153. can_profile_heap(untrusted_app_all)
    154. 

  154. 

  155. # allow untrusted apps to use UDP sockets provided by the system server but not
    156. 

  156. # modify them other than to connect
    157. 

  157. allow untrusted_app_all system_server:udp_socket {
    158. 

  158.         connect getattr read recvfrom sendto write getopt setopt };
    159. 

  159. 

  160. # Allow the renderscript compiler to be run.
    161. 

  161. domain_auto_trans(untrusted_app_all, rs_exec, rs)
    162. 

  162. 

  163. # This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
    164. 

  164. dontaudit untrusted_app_all net_dns_prop:file read;
    165. 

  165. 

  166. # These have been disallowed since Android O.
    167. 

  167. # For P, we assume that apps are safely handling the denial.
    168. 

  168. dontaudit untrusted_app_all proc_stat:file read;
    169. 

  169. dontaudit untrusted_app_all proc_vmstat:file read;
    170. 

  170. dontaudit untrusted_app_all proc_uptime:file read;
    171. 

  171. 

  172. # Allow the allocation and use of ptys
    173. 

  173. # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
    174. 

  174. create_pty(untrusted_app_all)
    175. 

  175. 

  176. # Attempts to write to system_data_file is generally a sign
    177. 

  177. # that apps are attempting to access encrypted storage before
    178. 

  178. # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
    179. 

  179. # denial to prevent third party apps from spamming the logs.
    180. 

  180. dontaudit untrusted_app_all system_data_file:dir write;
    181. 

  181. 

  182. # Allow access to kcov via its ioctl interface for coverage
    183. 

  183. # guided kernel fuzzing.
    184. 

  184. userdebug_or_eng(`
    185. 

  185.   allow untrusted_app_all debugfs_kcov:file rw_file_perms;
    186. 

  186.   allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
    187. 

  187. ')
    188. 

  188. 

  189. # Allow access to ashmemd to request /dev/ashmem fds.
    190. 

  190. binder_call(untrusted_app_all, ashmemd)
    191. 

  191. allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
    192.