Add untrusted_app_27
This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.
Untrusted_app_27 remains unreachable, but its existence
prevents future merge conflicts.
Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f998e55..4b79060 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -8,6 +8,7 @@
mediaprovider
untrusted_app
untrusted_app_25
+ untrusted_app_27
untrusted_app_all
untrusted_v2_app
}')
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 74fef1a..cf7bed7 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -681,7 +681,9 @@
(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
(typeattributeset unlabeled_26_0 (unlabeled))
(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0 (untrusted_app))
+(typeattributeset untrusted_app_26_0
+ ( untrusted_app
+ untrusted_app_27))
(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
(typeattributeset update_engine_26_0 (update_engine))
(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 403fde7..cfda748 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -109,6 +109,7 @@
traced_probes_tmpfs
traced_producer_socket
traced_tmpfs
+ untrusted_app_all_devpts
update_engine_log_data_file
vendor_default_prop
usbd
@@ -131,4 +132,6 @@
;; Thus, these types are also not mapped, but recorded for checkapi tests
(typeattribute priv_objects)
(typeattributeset priv_objects
- ( adbd_tmpfs ))
+ ( adbd_tmpfs
+ untrusted_app_27_tmpfs
+ ))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 791a6f1..0163658 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1403,7 +1403,9 @@
(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
(typeattributeset unlabeled_27_0 (unlabeled))
(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_0 (untrusted_app))
+(typeattributeset untrusted_app_27_0
+ ( untrusted_app
+ untrusted_app_27))
(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
(typeattributeset update_engine_27_0 (update_engine))
(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 09ffe56..a3f7bb5 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -84,6 +84,7 @@
traced_tmpfs
traceur_app
traceur_app_tmpfs
+ untrusted_app_all_devpts
update_engine_log_data_file
usbd
usbd_exec
@@ -101,3 +102,8 @@
wpantund_service
wpantund_tmpfs))
+;; private_objects - a collection of types that were labeled differently in
+;; older policy, but that should not remain accessible to vendor policy.
+;; Thus, these types are also not mapped, but recorded for checkapi tests
+(typeattribute priv_objects)
+(typeattributeset priv_objects (untrusted_app_27_tmpfs))
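Review bot: The comment opening the new block at `+;; private_objects - a collection of types that were labeled differently in` calls it private_objects while the attribute declared two lines later is `priv_objects`, so a reader grepping for the name in the comment finds nothing. The wording looks copied from the 26.0 ignore file (only its third line is visible here), but the new copy can use the real name, `;; priv_objects - a collection of types that were labeled differently in`. Keeping the two files identical is reasonable, in which case the same one-word change belongs in 26.0.ignore.cil.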
diff --git a/private/mls b/private/mls
index a561de1..3b8ee3f 100644
--- a/private/mls
+++ b/private/mls
@@ -53,11 +53,11 @@
# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must be equivalent to object unless the subject is trusted.
+# Subject must dominate object unless the subject is trusted.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+ (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
- (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+ (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
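Review bot: Relaxing `l1 eq l2` to `l1 dom l2` on both mlsconstrain statements widens who may open, unlink, rename or setattr app_data_file objects: any subject whose MLS level dominates the object's level now passes, not only an exact match, so a subject whose categories are a superset of another app's data level is no longer stopped by this constraint. The changed comment `# Subject must dominate object unless the subject is trusted.` records the new rule but not why dominance is acceptable here or what it depends on. Suggest adding a line such as `# Dominance rather than equality: a subject may act on data whose categories are a subset of its own; safe only while no untrusted app level dominates another app's data level.` Whether that holds depends on the levels assigned in seapp_contexts, which this diff does not touch, so it should be confirmed there.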
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 68c1a41..c15fa22 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -23,7 +23,3 @@
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 3fa79ef..ba2c1e1 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,10 +26,6 @@
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app_25)
-
# b/34115651 - net.dns* properties read
# This will go away in a future Android release
get_prop(untrusted_app_25, net_dns_prop)
diff --git a/public/untrusted_app_25.te b/private/untrusted_app_27.te
similarity index 65%
rename from public/untrusted_app_25.te
rename to private/untrusted_app_27.te
index 4ca6e31..79c7762 100644
--- a/public/untrusted_app_25.te
+++ b/private/untrusted_app_27.te
@@ -1,10 +1,14 @@
###
-### Untrusted apps.
+### Untrusted_27.
###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 27.
+###
+### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
+### directory). The untrusted_app_27 domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
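Review bot: The rewritten header line `### directory). The untrusted_app_27 domain is the default assignment in` states that untrusted_app_27 is the default seapp_contexts assignment, but the commit message says the domain remains unreachable and no seapp_contexts change appears in this diff, so the comment describes a state the cherry-pick does not create. The added sentence `### This file defines the rules for untrusted apps.` also repeats the targetSdkVersion sentence immediately above it and can be dropped. Suggest `### directory). The untrusted_app_27 domain is intended to become the default assignment in` (or an explicit note that it is not yet wired up), and `### Untrusted_app_27.` for the title so it matches the domain name. The header comment continues past the last line of this hunk.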
@@ -16,5 +20,9 @@
### seapp_contexts.
###
-type untrusted_app_25, domain;
+typeattribute untrusted_app_27 coredomain;
+app_domain(untrusted_app_27)
+untrusted_app_domain(untrusted_app_27)
+net_domain(untrusted_app_27)
+bluetooth_domain(untrusted_app_27)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 5d0461d..feac216 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -133,3 +133,7 @@
dontaudit untrusted_app_all proc_stat:file read;
dontaudit untrusted_app_all proc_vmstat:file read;
dontaudit untrusted_app_all proc_uptime:file read;
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_all)
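Review bot: Granting `create_pty(untrusted_app_all)` on the attribute instead of on untrusted_app and untrusted_app_25 extends pty allocation to every domain that carries untrusted_app_all, which presumably includes untrusted_app_27 through untrusted_app_domain() and any future member, while the justification comment still cites one terminal app. The scope change deserves a line of its own, e.g. `# Granted on the attribute so every untrusted_app_* variant keeps pty access; new members inherit it.` The ignore-list entries added for untrusted_app_all_devpts suggest the macro declares a per-domain devpts type, so the deleted create_pty(untrusted_app) and create_pty(untrusted_app_25) calls also drop their devpts types; none of the visible compat hunks adjusts a mapping for those, which is only correct if neither type existed in the 26.0 or 27.0 policy, and that is worth confirming.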
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 6f29396..5289bf9 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,3 +17,5 @@
###
type untrusted_app, domain;
+type untrusted_app_27, domain;
+type untrusted_app_25, domain;