###
### neverallow rules for untrusted app domains
###
# Every rule in this file is a neverallow (or neverallowxperm): a compile-time
# assertion that no allow rule anywhere in the policy grants the listed access
# to the listed source domains. These rules grant nothing themselves; they make
# the policy build fail if any other .te file tries to grant the access.
#
# Notation used below:
#   { a -b }          the set a minus the member b
#   ~{ p q }          every permission of the class except p and q
#   *                 every type (target position) or every permission
#   define(...)       m4 macro; all_untrusted_apps expands to the braced set
#   userdebug_or_eng(x)
#                     m4 macro; x is emitted only on userdebug/eng builds
#                     (see the ro.debuggable comments further down)

# The set of app domains that host arbitrary, untrusted code. Add a domain
# here and every rule below applies to it.
define(`all_untrusted_apps',`{
  ephemeral_app
  isolated_app
  mediaprovider
  mediaprovider_app
  untrusted_app
  untrusted_app_25
  untrusted_app_27
  untrusted_app_29
  untrusted_app_all
}')

# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow all_untrusted_apps domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
# debugfs_kcov is carved out of the first rule; the second rule (which also
# covers symlinks) is what closes that gap on user builds.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
# On userdebug/eng builds the source set expands to
# { all_untrusted_apps -domain }; since domain is the attribute shared by
# every process domain, the set is empty and this rule asserts nothing there.
# It is therefore enforced only on user builds.
neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;

# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;

# Do not allow untrusted apps to use VendorBinder
neverallow all_untrusted_apps vndbinder_device:chr_file *;
neverallow all_untrusted_apps vndservice_manager_type:service_manager *;

# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
# mediaprovider is exempted from all three rules.
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;

# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } net_dns_prop:file read;

# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
# Note that read/execute are deliberately absent from this list: the app may
# load these files, it just must not be able to modify or replace them.
neverallow all_untrusted_apps app_exec_data_file:file
  { append create link relabelfrom relabelto rename setattr write };

# Block calling execve() on files in an app's home directory.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
# Exemptions: the two legacy targetSdk domains and runas_app.
neverallow {
  all_untrusted_apps
  -untrusted_app_25
  -untrusted_app_27
  -runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;

# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
neverallow {
  all_untrusted_apps
  -untrusted_app_25
  -untrusted_app_27
} dex2oat_exec:file no_x_file_perms;

# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
# In other words: if an untrusted app domain were ever given the
# mlstrustedsubject attribute, its own self:process fork allow rule would
# match this neverallow and the build would fail.
neverallow all_untrusted_apps mlstrustedsubject:process fork;

# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
neverallow all_untrusted_apps file_type:file link;

# Do not allow untrusted apps to access network MAC address file
neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;

# Do not allow any write access to files in /sys
neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };

# Apps may never access the default sysfs label.
neverallow all_untrusted_apps sysfs:file no_rw_file_perms;

# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
# priv_sock_ioctls is a set of ioctl numbers defined elsewhere in the policy;
# neverallowxperm asserts on those specific ioctl values rather than on the
# ioctl permission as a whole.
neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# Option 2: route/selinux netlink sockets may exist but never be ioctl'ed.
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
# Option 3: no access at all, for any target type, to these socket classes.
neverallow all_untrusted_apps *:{
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket sctp_socket
  ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
  atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;

# Disallow sending RTM_GETLINK messages on netlink sockets.
# Legacy targetSdk domains (25/27/29) keep bind/nlmsg_readpriv for compatibility.
neverallow {
  all_untrusted_apps
  -untrusted_app_25
  -untrusted_app_27
  -untrusted_app_29
} domain:netlink_route_socket { bind nlmsg_readpriv };

# Do not allow untrusted apps access to /cache
# Read-only directory listing and file read/getattr remain possible; every
# other permission is denied. mediaprovider is exempt.
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };

# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
# The target set is "every filesystem and file type" minus the locations an
# app is legitimately allowed to populate.
neverallow { all_untrusted_apps -mediaprovider } {
  fs_type
  -sdcard_type
  file_type
  -app_data_file            # The apps sandbox itself
  -privapp_data_file
  -app_exec_data_file       # stored within the app sandbox directory
  -media_rw_data_file       # Internal storage. Known that apps can
                            # leave artifacts here after uninstall.
  -user_profile_data_file   # Access to profile files
  userdebug_or_eng(`
    -method_trace_data_file # only on ro.debuggable=1
    -coredump_file          # userdebug/eng only
  ')
}:dir_file_class_set { create unlink };

# No untrusted component except mediaprovider_app should be touching /dev/fuse
neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;

# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
# (Each name is an ioctl request number known to the policy build; only these
# specific values are asserted, not the ioctl permission itself.)
neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
  SIOCGIFHWADDR
  SIOCSIFHWADDR
  TUNATTACHFILTER
  TUNDETACHFILTER
  TUNGETFEATURES
  TUNGETFILTER
  TUNGETSNDBUF
  TUNGETVNETHDRSZ
  TUNSETDEBUG
  TUNSETGROUP
  TUNSETIFF
  TUNSETLINK
  TUNSETNOCSUM
  TUNSETOFFLOAD
  TUNSETOWNER
  TUNSETPERSIST
  TUNSETQUEUE
  TUNSETSNDBUF
  TUNSETTXFILTER
  TUNSETVNETHDRSZ
};

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# open+append on the file and search on the directory are the only
# permissions left grantable; read of existing traces is excluded.
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
neverallow all_untrusted_apps anr_data_file:dir ~search;

# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow all_untrusted_apps {
  proc
  proc_asound
  proc_kmsg
  proc_loadavg
  proc_mounts
  proc_pagetypeinfo
  proc_slabinfo
  proc_stat
  proc_swaps
  proc_uptime
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };

# /proc/filesystems is accessible to mediaprovider_app only since it handles
# external storage
# (The space after the minus sign is insignificant to the policy parser; this
# excludes mediaprovider_app exactly like -mediaprovider_app elsewhere.)
neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };

# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };

# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;

# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;

# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
# find is the only hwservice_manager permission left grantable here; the next
# rule then forbids find on the protected subset.
neverallow all_untrusted_apps *:hwservice_manager ~find;

# Do not permit access from apps which host arbitrary code to the protected HwBinder
# services.
# The two main reasons for this are:
# 1. Protected HwBinder servers do not perform client authentication because HIDL
#    currently does not expose caller UID information and, even if it did, those
#    HwBinder services either operate at a level below that of apps (e.g., HALs)
#    or must not rely on app identity for authorization. Thus, to be safe, the
#    default assumption is that every HwBinder service treats all its clients as
#    equally authorized to perform operations offered by the service.
# 2. HAL servers (a subset of HwBinder services) contain code with higher
#    incidence rate of security issues than system/core components and have
#    access to lower layers of the stack (all the way down to hardware) thus
#    increasing opportunities for bypassing the Android security model.
neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;

# Likewise, untrusted apps may not look up vendor Binder services.
neverallow all_untrusted_apps {
  vendor_service
}:service_manager find;

# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;

# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
# Taken together the two rules say: only untrusted_app_25 may read
# proc_tty_drivers, and no untrusted app may do anything beyond reading it.
neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;

# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;

# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
# Legacy targetSdk domains (25/27) are exempted for compatibility.
neverallow {
  all_untrusted_apps
  -untrusted_app_25
  -untrusted_app_27
} mnt_sdcard_file:lnk_file *;

# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;