1###
2### neverallow rules for untrusted app domains
3###
4
# m4 set macro expanded wherever all_untrusted_apps appears below. Any app
# domain listed here (or carrying an attribute listed here) is subject to
# every neverallow in this file; a new untrusted app domain must be added
# to this list or it silently escapes these assertions.
define(`all_untrusted_apps',`{
  ephemeral_app
  isolated_app
  mediaprovider
  untrusted_app
  untrusted_app_25
  untrusted_app_27
  untrusted_app_all
}')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow all_untrusted_apps domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
# debugfs_kcov is the only debugfs label carved out of the first rule.
# In the second rule, userdebug_or_eng() expands to -domain on
# userdebug/eng builds; every member of all_untrusted_apps is a domain,
# so the source set becomes empty and the symlink/file assertion is only
# enforced on user builds.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;

# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;

# Do not allow untrusted apps to use VendorBinder
neverallow all_untrusted_apps vndbinder_device:chr_file *;
neverallow all_untrusted_apps vndservice_manager_type:service_manager *;

# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
# mediaprovider (a member of all_untrusted_apps) is exempt from all three.
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;

# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
# but otherwise disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;

# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
# The list covers every permission that could change content, metadata or
# the label itself (relabelfrom/relabelto), since relabeling is another
# way to make a writable file executable. read/execute are not restricted
# by this rule.
neverallow all_untrusted_apps app_exec_data_file:file
  { append create link relabelfrom relabelto rename setattr write };
49
# Block calling execve() on files in an apps home directory.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
# runas_app is also subtracted; presumably it is a member of this set via
# the untrusted_app_all attribute -- confirm against its type declaration.
neverallow {
  all_untrusted_apps
  -untrusted_app_25
  -untrusted_app_27
  -runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;

# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
neverallow {
  all_untrusted_apps
  -untrusted_app_25
  -untrusted_app_27
} dex2oat_exec:file no_x_file_perms;

# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints.  As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
# I.e. if an untrusted app ever gained mlstrustedsubject, its own
# self:process fork allow rule would match this neverallow and the
# policy build would fail.
neverallow all_untrusted_apps mlstrustedsubject:process fork;

# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
# file_type is the attribute carried by every file label, so this
# applies regardless of target; the app_exec_data_file rule above
# lists link again only for completeness.
neverallow all_untrusted_apps file_type:file link;

# Do not allow untrusted apps to access network MAC address file
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;

# Do not allow any write access to files in /sys
# Execute is denied as well. sysfs_type is the attribute shared by all
# sysfs labels, so this is broader than the sysfs_mac_address rule above.
neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
93
# Apps may never access the default sysfs label.
# A file still labeled plain sysfs has not been given a specific type, so
# neither reads nor writes to it are tolerated from untrusted apps.
neverallow all_untrusted_apps sysfs:file no_rw_file_perms;

# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
# Option 1: IP socket classes stay available, but the ioctl commands in
# priv_sock_ioctls are asserted via an extended-permission (xperm) rule.
neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# Option 2: route/selinux netlink sockets are not forbidden here, but
# ioctl() on them is, for any target type.
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
# Option 3: these socket classes are denied entirely, for any target type.
neverallow all_untrusted_apps *:{
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket sctp_socket
  ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
  atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;

# Do not allow untrusted apps access to /cache
# ~ negates the permission set: on directories everything except
# r_dir_perms is denied, on files everything except read/getattr.
# mediaprovider is exempt.
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };

# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
# Target set: every filesystem and file label, minus the explicitly
# named exemptions. dir_file_class_set covers dirs and all file classes.
neverallow { all_untrusted_apps -mediaprovider } {
  fs_type
  -sdcard_type
  file_type
  -app_data_file            # The apps sandbox itself
  -privapp_data_file
  -app_exec_data_file       # stored within the app sandbox directory
  -media_rw_data_file       # Internal storage. Known that apps can
                            # leave artifacts here after uninstall.
  -user_profile_data_file   # Access to profile files
  userdebug_or_eng(`
    -method_trace_data_file # only on ro.debuggable=1
    -coredump_file          # userdebug/eng only
  ')
}:dir_file_class_set { create unlink };

# No untrusted component should be touching /dev/fuse
neverallow all_untrusted_apps fuse_device:chr_file *;

# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
# Denying open above is not sufficient on its own: this xperm rule also
# covers a tun descriptor an app did not open itself (e.g. one received
# from another process).
neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
  SIOCGIFHWADDR
  SIOCSIFHWADDR
  TUNATTACHFILTER
  TUNDETACHFILTER
  TUNGETFEATURES
  TUNGETFILTER
  TUNGETSNDBUF
  TUNGETVNETHDRSZ
  TUNSETDEBUG
  TUNSETGROUP
  TUNSETIFF
  TUNSETLINK
  TUNSETNOCSUM
  TUNSETOFFLOAD
  TUNSETOWNER
  TUNSETPERSIST
  TUNSETQUEUE
  TUNSETSNDBUF
  TUNSETTXFILTER
  TUNSETVNETHDRSZ
};

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# Complement sets: on the file everything except open+append is denied
# (no read, no truncate), on the directory everything except search
# (no listing, no create/unlink).
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
neverallow all_untrusted_apps anr_data_file:dir ~search;
174
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
# Read, write and execute are all denied on each of these labels; a
# file that an app legitimately needs has to get its own type first.
neverallow all_untrusted_apps {
  proc
  proc_asound
  proc_filesystems
  proc_kmsg
  proc_loadavg
  proc_mounts
  proc_pagetypeinfo
  proc_slabinfo
  proc_stat
  proc_swaps
  proc_uptime
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };

# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };

# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;

# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;

# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
# Applies to every target type (*). find itself is then constrained by the
# three rules that follow.
neverallow all_untrusted_apps *:hwservice_manager ~find;

# Do not permit access from apps which host arbitrary code to HwBinder services,
# except those considered sufficiently safe for access from such apps.
# The two main reasons for this are:
# 1. HwBinder servers do not perform client authentication because HIDL
#    currently does not expose caller UID information and, even if it did, many
#    HwBinder services either operate at a level below that of apps (e.g., HALs)
#    or must not rely on app identity for authorization. Thus, to be safe, the
#    default assumption is that every HwBinder service treats all its clients as
#    equally authorized to perform operations offered by the service.
# 2. HAL servers (a subset of HwBinder services) contain code with higher
#    incidence rate of security issues than system/core components and have
#    access to lower layers of the stack (all the way down to hardware) thus
#    increasing opportunities for bypassing the Android security model.
#
# Safe services include:
# - same process services: because they by definition run in the process
#   of the client and thus have the same access as the client domain in which
#   the process runs
# - coredomain_hwservice: are considered safe because they do not pose risks
#   associated with reason #2 above.
# - hal_configstore_ISurfaceFlingerConfigs:  because it has specifically been
#   designed for use by any domain.
# - hal_graphics_allocator_hwservice: because these operations are also offered
#   by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
#   Binder service which apps were permitted to access.
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
# The rule below additionally carves out hal_cas_hwservice,
# hal_neuralnetworks_hwservice and the untrusted_app_visible_hwservice_violators
# attribute, which the list above does not justify; each of those is an
# exposure of vendor HAL code to arbitrary app code and should be reviewed
# when touched.
neverallow all_untrusted_apps {
  hwservice_manager_type
  -same_process_hwservice
  -coredomain_hwservice
  -hal_codec2_hwservice
  -hal_configstore_ISurfaceFlingerConfigs
  -hal_graphics_allocator_hwservice
  -hal_omx_hwservice
  -hal_cas_hwservice
  -hal_neuralnetworks_hwservice
  -untrusted_app_visible_hwservice_violators
}:hwservice_manager find;

# Make sure that the following services are never accessible by untrusted_apps
# Explicit deny list. neverallow rules are independent assertions, so these
# stay blocked even if one of them is ever added to the violators attribute
# or to another exemption above.
neverallow all_untrusted_apps {
  default_android_hwservice
  hal_atrace_hwservice
  hal_audio_hwservice
  hal_authsecret_hwservice
  hal_bluetooth_hwservice
  hal_bootctl_hwservice
  hal_camera_hwservice
  hal_confirmationui_hwservice
  hal_contexthub_hwservice
  hal_drm_hwservice
  hal_dumpstate_hwservice
  hal_fingerprint_hwservice
  hal_gatekeeper_hwservice
  hal_gnss_hwservice
  hal_graphics_composer_hwservice
  hal_health_hwservice
  hal_input_classifier_hwservice
  hal_ir_hwservice
  hal_keymaster_hwservice
  hal_light_hwservice
  hal_memtrack_hwservice
  hal_nfc_hwservice
  hal_oemlock_hwservice
  hal_power_hwservice
  hal_power_stats_hwservice
  hal_secure_element_hwservice
  hal_sensors_hwservice
  hal_telephony_hwservice
  hal_thermal_hwservice
  hal_tv_cec_hwservice
  hal_tv_input_hwservice
  hal_usb_hwservice
  hal_vibrator_hwservice
  hal_vr_hwservice
  hal_weaver_hwservice
  hal_wifi_hwservice
  hal_wifi_offload_hwservice
  hal_wifi_supplicant_hwservice
  hidl_base_hwservice
  system_net_netd_hwservice
  thermalcallback_hwservice
}:hwservice_manager find;
# HwBinder services offered by core components (as opposed to vendor components)
# are considered somewhat safer due to point #2 above.
# They are still denied by default; only the per-type carve-outs listed here
# are reachable from untrusted apps.
neverallow all_untrusted_apps {
  coredomain_hwservice
  -same_process_hwservice
  -fwk_bufferhub_hwservice # Designed for use by any domain
  -hidl_allocator_hwservice # Designed for use by any domain
  -hidl_manager_hwservice # Designed for use by any domain
  -hidl_memory_hwservice # Designed for use by any domain
  -hidl_token_hwservice # Designed for use by any domain
}:hwservice_manager find;

# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
306
# Restrict *Binder access from apps to HAL domains. We can only do this on full
# Treble devices where *Binder communications between apps and HALs are tightly
# restricted.
# Wrapped in full_treble_only(), so on non-Treble builds this assertion is
# absent from the policy altogether rather than relaxed.
full_treble_only(`
  neverallow all_untrusted_apps {
    halserverdomain
    -coredomain
    -hal_cas_server
    -hal_codec2_server
    -hal_configstore_server
    -hal_graphics_allocator_server
    -hal_neuralnetworks_server
    -hal_omx_server
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
    -untrusted_app_visible_halserver_violators
  }:binder { call transfer };
')

# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
# Only untrusted_app_25 is left out of the read assertion; the second rule
# denies everything beyond r_file_perms to every untrusted domain, including
# untrusted_app_25.
neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;

# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;

# Untrusted apps targeting >= Q are not allowed to open /dev/ashmem directly.
# They must use ASharedMemory NDK API instead.
# ephemeral_app is exempted as well, not only the legacy targetSdk domains.
neverallow {
  all_untrusted_apps
  -ephemeral_app
  -untrusted_app_25
  -untrusted_app_27
} ashmem_device:chr_file open;
344