From 41b21ee96a94e286e6c308ff03c49b0f14d66e99 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Mon, 6 Aug 2018 12:36:20 -0700 Subject: Delete untrusted_v2_app As of https://android-review.googlesource.com/c/platform/system/sepolicy/+/536356 , the untrusted_v2_app domain is no longer used. Bug: 112233317 Test: policy compiles, device boots, and no problems Change-Id: I5a47c8305bef374b7fea06cd789e06cd48b847e6 --- private/app_neverallows.te | 1 - private/compat/26.0/26.0.cil | 1 + private/compat/27.0/27.0.cil | 3 ++- private/compat/28.0/28.0.cil | 1 + private/untrusted_app_all.te | 5 ++--- private/untrusted_v2_app.te | 47 ------------------------------------------ public/app.te | 14 ++++++------- public/untrusted_v2_app.te | 5 ----- tests/treble_sepolicy_tests.py | 1 - 9 files changed, 13 insertions(+), 65 deletions(-) delete mode 100644 private/untrusted_v2_app.te delete mode 100644 public/untrusted_v2_app.te diff --git a/private/app_neverallows.te b/private/app_neverallows.te index 31551acc..23594b82 100644 --- a/private/app_neverallows.te +++ b/private/app_neverallows.te @@ -10,7 +10,6 @@ define(`all_untrusted_apps',`{ untrusted_app_25 untrusted_app_27 untrusted_app_all - untrusted_v2_app }') # Receive or send uevent messages. neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *; diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil index 085948a5..cad7123b 100644 --- a/private/compat/26.0/26.0.cil +++ b/private/compat/26.0/26.0.cil @@ -4,6 +4,7 @@ (typeattribute hal_wifi_keystore_server) ;; types removed from current policy +(type untrusted_v2_app) (type asan_reboot_prop) (type commontime_management_service) (type log_device) diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil index fcf4561c..d99b499b 100644 --- a/private/compat/27.0/27.0.cil +++ b/private/compat/27.0/27.0.cil @@ -1,10 +1,11 @@ ;; types removed from current policy (type commontime_management_service) -(type qtaguid_proc) (type mediacodec) (type mediacodec_exec) +(type qtaguid_proc) (type reboot_data_file) (type rild) +(type untrusted_v2_app) (type webview_zygote_socket) (type vold_socket) (type thermalcallback_hwservice) diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil index 054cca26..c69a1111 100644 --- a/private/compat/28.0/28.0.cil +++ b/private/compat/28.0/28.0.cil @@ -4,6 +4,7 @@ (type mediacodec_exec) (type qtaguid_proc) (type thermalcallback_hwservice) +(type untrusted_v2_app) ;; TODO: remove once P sepolicy is pushed to AOSP. (type vold_socket) diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te index 65be583a..11cea6ea 100644 --- a/private/untrusted_app_all.te +++ b/private/untrusted_app_all.te @@ -2,8 +2,7 @@ ### Untrusted_app_all. ### ### This file defines the rules shared by all untrusted app domains except -### apps which target the v2 security sandbox (ephemeral_app for instant apps, -### untrusted_v2_app for fully installed v2 apps). +### ephemeral_app for instant apps. ### Apps are labeled based on mac_permissions.xml (maps signer and ### optionally package name to seinfo value) and seapp_contexts (maps UID ### and optionally seinfo value to domain for process and type for data @@ -19,7 +18,7 @@ ### seapp_contexts. ### ### Note that rules that should apply to all untrusted apps must be in app.te or also -### added to untrusted_v2_app.te and ephemeral_app.te. +### added to ephemeral_app.te. # Some apps ship with shared libraries and binaries that they write out # to their sandbox directory and then execute. diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te deleted file mode 100644 index 8f4bceb2..00000000 --- a/private/untrusted_v2_app.te +++ /dev/null @@ -1,47 +0,0 @@ -### -### Untrusted v2 sandbox apps. -### - -typeattribute untrusted_v2_app coredomain; - -app_domain(untrusted_v2_app) -net_domain(untrusted_v2_app) -bluetooth_domain(untrusted_v2_app) - -# Read and write system app data files passed over Binder. -# Motivating case was /data/data/com.android.settings/cache/*.jpg for -# cropping or taking user photos. -allow untrusted_v2_app system_app_data_file:file { read write getattr }; - -# Access to /data/media. -allow untrusted_v2_app media_rw_data_file:dir create_dir_perms; -allow untrusted_v2_app media_rw_data_file:file create_file_perms; - -# Traverse into /mnt/media_rw for bypassing FUSE daemon -# TODO: narrow this to just MediaProvider -allow untrusted_v2_app mnt_media_rw_file:dir search; - -# allow cts to query all services -allow untrusted_v2_app servicemanager:service_manager list; - -allow untrusted_v2_app audioserver_service:service_manager find; -allow untrusted_v2_app cameraserver_service:service_manager find; -allow untrusted_v2_app drmserver_service:service_manager find; -allow untrusted_v2_app mediaserver_service:service_manager find; -allow untrusted_v2_app mediaextractor_service:service_manager find; -allow untrusted_v2_app mediacodec_service:service_manager find; -allow untrusted_v2_app mediametrics_service:service_manager find; -allow untrusted_v2_app mediadrmserver_service:service_manager find; -allow untrusted_v2_app nfc_service:service_manager find; -allow untrusted_v2_app radio_service:service_manager find; -# TODO: potentially provide a tighter list of services here -allow untrusted_v2_app app_api_service:service_manager find; - -# gdbserver for ndk-gdb ptrace attaches to app process. -allow untrusted_v2_app self:process ptrace; - -# Write app-specific trace data to the Perfetto traced damon. This requires -# connecting to its producer socket and obtaining a (per-process) tmpfs fd. -allow untrusted_v2_app traced:fd use; -allow untrusted_v2_app traced_tmpfs:file { read write getattr map }; -unix_socket_connect(untrusted_v2_app, traced_producer, traced) diff --git a/public/app.te b/public/app.te index bc4ad611..12a9b81c 100644 --- a/public/app.te +++ b/public/app.te @@ -85,10 +85,10 @@ allow appdomain oemfs:dir r_dir_perms; allow appdomain oemfs:file rx_file_perms; # Execute the shell or other system executables. -allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms; -allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms; -allow { appdomain -untrusted_v2_app } system_file:file x_file_perms; -not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;') +allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms; +allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms; +allow appdomain system_file:file x_file_perms; +not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;') # Renderscript needs the ability to read directories on /system allow appdomain system_file:dir r_dir_perms; @@ -106,8 +106,8 @@ full_treble_only(` # Allow apps access to /vendor/app except for privileged # apps which cannot be in /vendor. -r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file) -allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute; +r_dir_file({ appdomain -ephemeral_app }, vendor_app_file) +allow { appdomain -ephemeral_app } vendor_app_file:file execute; # Allow apps access to /vendor/overlay r_dir_file(appdomain, vendor_overlay_file) @@ -285,7 +285,7 @@ allow appdomain resourcecache_data_file:dir r_dir_perms; # logd access read_logd(appdomain) -control_logd({ appdomain -ephemeral_app untrusted_v2_app }) +control_logd({ appdomain -ephemeral_app }) # application inherit logd write socket (urge is to deprecate this long term) allow appdomain zygote:unix_dgram_socket write; diff --git a/public/untrusted_v2_app.te b/public/untrusted_v2_app.te deleted file mode 100644 index ac82f153..00000000 --- a/public/untrusted_v2_app.te +++ /dev/null @@ -1,5 +0,0 @@ -### -### Untrusted v2 sandbox apps. -### - -type untrusted_v2_app, domain; diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py index cfa8ef9c..6e9eb6ad 100644 --- a/tests/treble_sepolicy_tests.py +++ b/tests/treble_sepolicy_tests.py @@ -29,7 +29,6 @@ coreAppdomain = { 'system_app', 'untrusted_app', 'untrusted_app_25', - 'untrusted_v2_app', } coredomainWhitelist = { 'adbd', -- cgit v1.2.3