Diffstat (limited to 'untrusted_app.te')
-rw-r--r--untrusted_app.te46
1 files changed, 43 insertions, 3 deletions
diff --git a/untrusted_app.te b/untrusted_app.te
index c5c887f..1b7aaee 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -55,6 +55,11 @@ allow untrusted_app shell_data_file:dir r_dir_perms;
# This line needs to be deleted.
allow untrusted_app anr_data_file:file r_file_perms;
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app system_app_data_file:file { read write getattr };
+
#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
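Review bot: The new rule at line 20 intentionally leaves out `open` on `system_app_data_file`, which is what restricts untrusted_app to descriptors it has already received, but the comment only says the files are "passed over Binder" and a later maintainer could easily "fix" the missing permission. I would state the invariant next to the rule: `# open is deliberately omitted: untrusted_app may only use fds handed to it over Binder, never open these files itself.` If that invariant matters, consider pinning it with `neverallow untrusted_app system_app_data_file:file open;` after confirming no other rule in the policy grants it. The `# This line needs to be deleted.` marker on the anr_data_file rule just above is untouched context and remains pending.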
@@ -71,6 +76,27 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
+allow untrusted_app drmserver_service:service_manager find;
+allow untrusted_app mediaserver_service:service_manager find;
+allow untrusted_app nfc_service:service_manager find;
+allow untrusted_app radio_service:service_manager find;
+allow untrusted_app surfaceflinger_service:service_manager find;
+allow untrusted_app app_api_service:service_manager find;
+
+# TODO: remove this once priv-apps are no longer running in untrusted_app
+allow untrusted_app system_api_service:service_manager find;
+
+# TODO: remove and replace with specific package that accesses this
+allow untrusted_app persistent_data_block_service:service_manager find;
+
+# Allow verifier to access staged apks.
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
+# Apps using KeyStore API will request the SID from GateKeeper
+allow untrusted_app gatekeeper_service:service_manager find;
+binder_call(untrusted_app, gatekeeperd)
+
###
### neverallow rules
###
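Review bot: The `find` grants for `system_api_service` and `persistent_data_block_service` at lines 36 and 39 widen what every third-party app can discover, and a bare TODO with no tracking reference tends to become permanent; I would attach a bug ID to each and, for the persistent data block service, name the package that is expected to move into its own domain. `find` only lets the app look a service up, so each of these services still has to perform its own caller authorization in its Binder handler — presumably already the case, but worth stating in the comment. The `binder_call(untrusted_app, gatekeeperd)` at line 47 likewise makes gatekeeperd reachable from any untrusted app, so its request handling must treat callers as untrusted; a one-line note such as `# gatekeeperd must validate the calling uid itself; this only opens the transport.` would help future reviewers. The apk_tmp_file rules at lines 42-43 are a move from the end of the file rather than a new grant.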
@@ -96,6 +122,20 @@ neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app init:unix_stream_socket connectto;
neverallow untrusted_app property_type:property_service set;
-# Allow verifier to access staged apks.
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+# Do not allow untrusted_app to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and untrusted_app is allowed fork permission to itself.
+neverallow untrusted_app mlstrustedsubject:process fork;
+
+# Do not allow untrusted_app to hard link to any files.
+# In particular, if untrusted_app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted_app never has this
+# capability.
+neverallow untrusted_app file_type:file link;
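Review bot: `neverallow untrusted_app file_type:file link;` at line 74 only covers the `file` class, so hard links to other object classes carrying `file_type` labels (`lnk_file`, `sock_file`, `fifo_file`) are still not forbidden; if the goal stated in the comment is that untrusted_app can never pin another app's inode against installd's deletion, the rule should probably read `neverallow untrusted_app file_type:{ file lnk_file sock_file fifo_file } link;`, subject to checking that nothing in the policy currently grants those. The fork-based `mlstrustedsubject` check at line 66 is a sound indirection only as long as no other domain is ever granted `fork` on an mlstrustedsubject domain, and that assumption is policy-wide rather than local to this file; I would add a sentence to the block comment saying that anyone granting `fork` across domains or extending mlstrustedsubject must re-check this neverallow. The surrounding neverallow section continues above the hunk.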