From 6231b4d9fc98bb42956198e9f54cabde69464339 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Sun, 17 Dec 2017 20:55:12 -0800
Subject: [PATCH] Enforce per-app data protections for targetSdk 28+

Adds per-app categories to untrusted app domains and their
app data types. Per-app categories are in addition to the
existing per-user categories.

Apps targeting sdk version 28+ will now have the following
characteristics:
Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]

Whereas apps targeting 27- will look like:
Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+

To ensure backwards compatibility with previous SDK versions,
levelFrom=all categories are now enforced by dominance instead of
equality. Apps with both per-app and per-user categories will continue
to have selinux permissions (but not necessarily unix permissions)
to access app data that has only per-user categories, whereas apps with
only per-user categories will not be able to access the data of apps
that have both per-app and per-user categories.

Bug: 63897054
Test: Boot sailfish, run apps, verify no new selinux denials.
Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Test: adb sideload an OTA and verify that files are correctly labeled.
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
---
 private/app_neverallows.te                         |  1 +
 private/compat/26.0/26.0.cil                       |  4 +++-
 private/compat/26.0/26.0.ignore.cil                |  5 ++++-
 private/mls                                        |  6 +++---
 private/seapp_contexts                             |  7 ++++---
 private/untrusted_app.te                           |  4 ----
 private/untrusted_app_25.te                        |  4 ----
 .../untrusted_app_27.te                            | 14 +++++++++++---
 private/untrusted_app_all.te                       |  4 ++++
 public/untrusted_app.te                            |  2 ++
 10 files changed, 32 insertions(+), 19 deletions(-)
 rename public/untrusted_app_25.te => private/untrusted_app_27.te (65%)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c4cbfd859..b349cca7e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -8,6 +8,7 @@ define(`all_untrusted_apps',`{
   mediaprovider
   untrusted_app
   untrusted_app_25
+  untrusted_app_27
   untrusted_app_all
   untrusted_v2_app
 }')
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index dcb3216f7..800db3e68 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -671,7 +671,9 @@
 (typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
 (typeattributeset unlabeled_26_0 (unlabeled))
 (typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0 (untrusted_app))
+(typeattributeset untrusted_app_26_0
+  ( untrusted_app
+    untrusted_app_27))
 (typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
 (typeattributeset update_engine_26_0 (update_engine))
 (typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index e0dcc7193..3d4b4f859 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -78,6 +78,7 @@
     traced_probes_tmpfs
     traced_producer_socket
     traced_tmpfs
+    untrusted_app_all_devpts
     update_engine_log_data_file
     vendor_default_prop
     vendor_init
@@ -96,4 +97,6 @@
 ;;     Thus, these types are also not mapped, but recorded for checkapi tests
 (typeattribute priv_objects)
 (typeattributeset priv_objects
-     ( adbd_tmpfs ))
+     ( adbd_tmpfs
+       untrusted_app_27_tmpfs
+     ))
diff --git a/private/mls b/private/mls
index a561de1f0..3b8ee3f47 100644
--- a/private/mls
+++ b/private/mls
@@ -53,11 +53,11 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 
 # Only constrain open, not read/write.
 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must be equivalent to object unless the subject is trusted.
+# Subject must dominate object unless the subject is trusted.
 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
-	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
-	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
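Review bot: The replaced constraint lines make dominance rather than equality the test, so a subject whose level is a strict superset of the object's categories (a targetSdk 28+ app carrying per-app plus per-user categories) still passes the SELinux check against app_data_file labelled with per-user categories only; isolation of 27- app data from 28+ apps in the same user therefore rests on DAC alone, as the commit message concedes. The comment above should spell that asymmetry out rather than just naming the operator, e.g. `# Subject must dominate object unless the subject is trusted. Dominance (not equality) means a subject with extra per-app categories can still open app data labelled with only per-user categories; the split protects targetSdk 28+ data from 27- apps, not the reverse.` The per-user-only case (l1 == l2) is still accepted because dom is reflexive, which is what keeps 27- apps working against their own data.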
 
 #
 # Constraints for file types other than app data files.
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 76f299866..0807f5874 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -102,10 +102,11 @@ user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
-user=_isolated domain=isolated_app levelFrom=user
+user=_isolated domain=isolated_app levelFrom=all
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
+user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
-user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
+user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
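Review bot: platform_app, priv_app and mediaprovider (the unchanged context lines in this hunk) stay on levelFrom=user while untrusted_app and ephemeral_app move to levelFrom=all; with the app_data_file constraints in private/mls now requiring l1 dom l2, those per-user-only domains can no longer open data of targetSdk 28+ apps unless they carry mlstrustedsubject, which this patch does not show. If that is the intended outcome it deserves a line here, e.g. `# levelFrom=all: per-user plus per-app categories; a levelFrom=user domain can only reach this data via mlstrustedsubject`. If it is not intended, those entries need the same levelFrom=all treatment or an explicit exemption in private/mls. It would also help to note next to the minTargetSdkVersion=28 and =26 entries that selection is by most-specific match, so a 28+ app is not caught by the =26 line.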
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 68c1a41bd..c15fa2244 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -23,7 +23,3 @@ app_domain(untrusted_app)
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 3fa79efce..ba2c1e1c7 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,10 +26,6 @@ untrusted_app_domain(untrusted_app_25)
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)
 
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app_25)
-
 # b/34115651 - net.dns* properties read
 # This will go away in a future Android release
 get_prop(untrusted_app_25, net_dns_prop)
diff --git a/public/untrusted_app_25.te b/private/untrusted_app_27.te
similarity index 65%
rename from public/untrusted_app_25.te
rename to private/untrusted_app_27.te
index 4ca6e3134..79c776287 100644
--- a/public/untrusted_app_25.te
+++ b/private/untrusted_app_27.te
@@ -1,10 +1,14 @@
 ###
-### Untrusted apps.
+### Untrusted_27.
 ###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 27.
+###
+### This file defines the rules for untrusted apps.
 ### Apps are labeled based on mac_permissions.xml (maps signer and
 ### optionally package name to seinfo value) and seapp_contexts (maps UID
 ### and optionally seinfo value to domain for process and type for data
-### directory).  The untrusted_app domain is the default assignment in
+### directory).  The untrusted_app_27 domain is the default assignment in
 ### seapp_contexts for any app with UID between APP_AID (10000)
 ### and AID_ISOLATED_START (99000) if the app has no specific seinfo
 ### value as determined from mac_permissions.xml.  In current AOSP, this
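Review bot: The reworded header at the `The untrusted_app_27 domain is the default assignment in` line no longer matches seapp_contexts in this same patch, where untrusted_app_27 is selected only by the minTargetSdkVersion=26 entry and the unqualified catch-all entry maps to untrusted_app_25. The two new sentences above it also overlap: `### This file defines the rules for untrusted apps running with` / `### 25 < targetSdkVersion <= 27.` is immediately followed by `### This file defines the rules for untrusted apps.`, and the title line `### Untrusted_27.` is a fragment. Suggest keeping the targetSdk-range sentence, dropping the generic one, titling the block `### Untrusted apps, 25 < targetSdkVersion <= 27.`, and replacing the default-assignment sentence with one stating that untrusted_app_27 is assigned through the minTargetSdkVersion=26 seapp_contexts entry. The header comment continues past this hunk.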
@@ -16,5 +20,9 @@
 ### seapp_contexts.
 ###
 
-type untrusted_app_25, domain;
+typeattribute untrusted_app_27 coredomain;
 
+app_domain(untrusted_app_27)
+untrusted_app_domain(untrusted_app_27)
+net_domain(untrusted_app_27)
+bluetooth_domain(untrusted_app_27)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index a43f04c35..306dba9a5 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -115,3 +115,7 @@ unix_socket_connect(untrusted_app_all, traced_producer, traced)
 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
 allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_all)
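Review bot: Moving create_pty onto the untrusted_app_all attribute grants pty allocation to every domain that carries the attribute, whereas the removed rules in private/untrusted_app.te and private/untrusted_app_25.te covered exactly two domains; the patch does not show which domains untrusted_app_domain() tags, so whether this widens the grant beyond adding untrusted_app_27 cannot be judged here and should be stated. The macro also introduces a single untrusted_app_all_devpts type in place of the per-domain devpts types, which matches the new 26.0.ignore.cil entry; if the old untrusted_app_devpts / untrusted_app_25_devpts types were mapped in 26.0.cil, those mappings are absent from this patch and the compat build check would be the place that reports it. Suggest extending the comment: `# Granted via the attribute so every untrusted_app_* domain (including untrusted_app_27) gets the same pty access.`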
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 6f29396c3..5289bf96b 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,3 +17,5 @@
 ###
 
 type untrusted_app, domain;
+type untrusted_app_27, domain;
+type untrusted_app_25, domain;
-- 
GitLab