split out untrusted base app domains

Signed-off-by: anupritaisno1 <[email protected]>
Change-Id: I107b8365c938f03b7d98fefa01763cee6732eb57

Author: renlord

prebuilts/api/30.0/private/app_neverallows.te

@@ -12,6 +12,10 @@ define(`all_untrusted_apps',`{
   untrusted_app_27
   untrusted_app_29
   untrusted_app_all
+  untrusted_base_app
+  untrusted_base_app_25
+  untrusted_base_app_27
+  untrusted_base_app_29
 }')
 # Receive or send uevent messages.
 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
@@ -55,7 +59,9 @@ neverallow all_untrusted_apps app_exec_data_file:file
 neverallow {
   all_untrusted_apps
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
   -runas_app
 } { app_data_file privapp_data_file }:file execute_no_trans;
 
@@ -65,7 +71,9 @@ neverallow {
 neverallow {
   all_untrusted_apps
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
 } dex2oat_exec:file no_x_file_perms;
 
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
@@ -117,8 +125,11 @@ neverallow all_untrusted_apps *:{
 neverallow {
   all_untrusted_apps
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
   -untrusted_app_29
+  -untrusted_base_app_29
 } domain:netlink_route_socket { bind nlmsg_readpriv };
 
 # Do not allow untrusted apps access to /cache
@@ -244,7 +255,11 @@ neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 # b/33214085 b/33814662 b/33791054 b/33211769
 # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
 # This will go away in a future Android release
-neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
+neverallow {
+    all_untrusted_apps
+    -untrusted_app_25
+    -untrusted_base_app_25
+} proc_tty_drivers:file r_file_perms;
 neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
 
 # Untrusted apps are not allowed to use cgroups.
@@ -255,7 +270,9 @@ neverallow all_untrusted_apps cgroup:file *;
 neverallow {
   all_untrusted_apps
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
 } mnt_sdcard_file:lnk_file *;
 
 # Only privileged apps may find the incident service

prebuilts/api/30.0/private/compat/26.0/26.0.ignore.cil

@@ -193,6 +193,10 @@
     traced_probes_tmpfs
     traced_producer_socket
     traced_tmpfs
+    untrusted_base_app
+    untrusted_base_app_25
+    untrusted_base_app_27
+    untrusted_base_app_29
     untrusted_app_all_devpts
     update_engine_log_data_file
     vendor_default_prop

prebuilts/api/30.0/private/compat/27.0/27.0.ignore.cil

@@ -172,6 +172,10 @@
     traceur_app
     traceur_app_tmpfs
     untrusted_app_all_devpts
+    untrusted_base_app
+    untrusted_base_app_25
+    untrusted_base_app_27
+    untrusted_base_app_29
     update_engine_log_data_file
     uri_grants_service
     usbd

prebuilts/api/30.0/private/compat/28.0/28.0.ignore.cil

@@ -148,6 +148,10 @@
     traced_lazy_prop
     uri_grants_service
     use_memfd_prop
+    untrusted_base_app
+    untrusted_base_app_25
+    untrusted_base_app_27
+    untrusted_base_app_29
     vendor_apex_file
     vendor_cgroup_desc_file
     vendor_idc_file

prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil

@@ -123,6 +123,10 @@
     userspace_reboot_test_prop
     vehicle_hal_prop
     tv_tuner_resource_mgr_service
+    untrusted_base_app
+    untrusted_base_app_25
+    untrusted_base_app_27
+    untrusted_base_app_29
     vendor_apex_file
     vendor_boringssl_self_test
     vendor_install_recovery

prebuilts/api/30.0/private/seapp_contexts

@@ -170,15 +170,15 @@ user=_app isPrivApp=true name=com.google.android.providers.media.module domain=m
 user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app seinfo=base isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
-user=_app seinfo=base minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app seinfo=base minTargetSdkVersion=30 domain=untrusted_base_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
-user=_app seinfo=base minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
+user=_app seinfo=base minTargetSdkVersion=29 domain=untrusted_base_app_29 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
-user=_app seinfo=base minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
+user=_app seinfo=base minTargetSdkVersion=28 domain=untrusted_base_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
-user=_app seinfo=base minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
+user=_app seinfo=base minTargetSdkVersion=26 domain=untrusted_base_app_27 type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
-user=_app seinfo=base domain=untrusted_app_25 type=app_data_file levelFrom=user
+user=_app seinfo=base domain=untrusted_base_app_25 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
 user=_app seinfo=base minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
 user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all

prebuilts/api/30.0/private/untrusted_base_app.te

@@ -0,0 +1,16 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion >= 30.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_base_app coredomain;
+
+app_domain(untrusted_base_app)
+untrusted_app_domain(untrusted_base_app)
+net_domain(untrusted_base_app)
+bluetooth_domain(untrusted_base_app)

prebuilts/api/30.0/private/untrusted_base_app_25.te

@@ -0,0 +1,53 @@
+###
+### untrusted_base_app_25
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion <= 25.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_base_app_25 coredomain;
+
+app_domain(untrusted_base_app_25)
+untrusted_app_domain(untrusted_base_app_25)
+net_domain(untrusted_base_app_25)
+bluetooth_domain(untrusted_base_app_25)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_base_app_25 proc_misc:file r_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+allow untrusted_base_app_25 proc_tty_drivers:file r_file_perms;
+
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_base_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_base_app_25 app_data_file:file execute_no_trans;
+auditallow untrusted_base_app_25 app_data_file:file { execute execute_no_trans };
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_base_app_25 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_base_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_base_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_base_app_25 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_base_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_base_app_25 self:netlink_route_socket { bind nlmsg_readpriv };

prebuilts/api/30.0/private/untrusted_base_app_27.te

@@ -0,0 +1,41 @@
+###
+### Untrusted_27.
+###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 28.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_base_app_27 coredomain;
+
+app_domain(untrusted_base_app_27)
+untrusted_app_domain(untrusted_base_app_27)
+net_domain(untrusted_base_app_27)
+bluetooth_domain(untrusted_base_app_27)
+
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_base_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_base_app_27 app_data_file:file execute_no_trans;
+auditallow untrusted_base_app_27 app_data_file:file { execute execute_no_trans };
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_base_app_27 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_base_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_base_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_base_app_27 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_base_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_base_app_27 self:netlink_route_socket { bind nlmsg_readpriv };

prebuilts/api/30.0/private/untrusted_base_app_29.te

@@ -0,0 +1,19 @@
+###
+### Untrusted_29.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion = 29.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_base_app_29 coredomain;
+
+app_domain(untrusted_base_app_29)
+untrusted_app_domain(untrusted_base_app_29)
+net_domain(untrusted_base_app_29)
+bluetooth_domain(untrusted_base_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_base_app_29 self:netlink_route_socket { bind nlmsg_readpriv };

prebuilts/api/30.0/public/domain.te

@@ -1128,7 +1128,7 @@ neverallow * self:process { execstack execheap };
 
 # Do not allow the introduction of new execmod rules. Text relocations
 # and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
+neverallow { domain -untrusted_app_25 -untrusted_base_app_25 -untrusted_app_27 -untrusted_base_app_27 } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
 
@@ -1421,5 +1421,7 @@ neverallow {
   domain
   -ephemeral_app # We don't distinguish ephemeral apps based on target API.
   -untrusted_app_25
+  -untrusted_base_app_25
   -untrusted_app_27
+  -untrusted_base_app_27
 } ashmem_device:chr_file open;

prebuilts/api/30.0/public/untrusted_base_app.te

@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app, domain;

prebuilts/api/30.0/public/untrusted_base_app_25.te

@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app_25, domain;

prebuilts/api/30.0/public/untrusted_base_app_27.te

@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app_27, domain;

prebuilts/api/30.0/public/untrusted_base_app_29.te

@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_base_app_29, domain;