From b9760aa0d59aafe5c36ee4522fb36d51a9c147df Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 27 Jul 2012 11:07:09 -0400
Subject: [PATCH] Only enforce per-app process and file isolation via SELinux
 for third party apps, not platform apps.

Platform apps (any app signed by one of the build keys, i.e. platform|release|shared|media) expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder.  Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.

Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
---
 app.te         | 17 +++++++++++++++++
 attributes     |  3 +++
 file.te        |  1 +
 seapp_contexts | 10 +++++-----
 te_macros      |  8 ++++++++
 5 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/app.te b/app.te
index 0866e9548..df0f5df35 100644
--- a/app.te
+++ b/app.te
@@ -8,6 +8,7 @@
 #
 type platform_app, domain;
 app_domain(platform_app)
+platform_app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
@@ -30,6 +31,7 @@ allow platform_app apk_tmp_file:file rw_file_perms;
 # Apps signed with the media key.
 type media_app, domain;
 app_domain(media_app)
+platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
 # Read logs.
@@ -45,9 +47,11 @@ allow media_app sdcard:file create_file_perms;
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow media_app qtaguid_proc:file rw_file_perms;
 allow media_app qtaguid_device:chr_file r_file_perms;
+
 # Apps signed with the shared key.
 type shared_app, domain;
 app_domain(shared_app)
+platform_app_domain(shared_app)
 # Access the network.
 net_domain(shared_app)
 # Access bluetooth.
@@ -58,6 +62,7 @@ allow shared_app log_device:chr_file read;
 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
 app_domain(release_app)
+platform_app_domain(release_app)
 # Access the network.
 net_domain(release_app)
 # Access bluetooth.
@@ -70,9 +75,18 @@ allow release_app log_device:chr_file read;
 # A domain for com.android.browser.
 type browser_app, domain;
 app_domain(browser_app)
+platform_app_domain(browser_app)
 # Access the network.
 net_domain(browser_app)
 
+#
+# Rules for platform app domains.
+#
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+
 #
 # Untrusted apps.
 #
@@ -132,6 +146,9 @@ allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
+# Read/write data files created by the platform apps.
+allow appdomain platform_app_data_file:file rw_file_perms;
+
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
 
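Review bot: The new rule `allow appdomain platform_app_data_file:file rw_file_perms;` grants every app domain, untrusted_app included, read/write on every file of every platform app (and open as well, assuming rw_file_perms carries it as it does elsewhere in this policy), so after this commit SELinux no longer separates anything a platform app keeps in its sandbox from other apps and DAC is the only remaining barrier. If the intent is only descriptor passing over Binder, a narrower set without `open`, e.g. `{ read write getattr append ioctl lock }`, lets a third party app use descriptors handed to it without being able to open platform app files by path itself. If pathname sharing is also intended, note that this hunk grants no `platform_app_data_file:dir search`, so path lookups into a platform app's data directory would still be denied unless that is granted somewhere outside the hunk. Either way the comment should state the breadth, e.g. `# Read/write data files created by the platform apps (granted to every appdomain, incl. untrusted_app).`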
diff --git a/attributes b/attributes
index 1016ec65d..ef4a1708e 100644
--- a/attributes
+++ b/attributes
@@ -58,3 +58,6 @@ attribute bluetoothdomain;
 
 # All domains used for binder service domains.
 attribute binderservicedomain;
+
+# Allow domains used for platform (signed by build key) apps.
+attribute platformappdomain;
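Review bot: The comment on the new attribute, `# Allow domains used for platform (signed by build key) apps.`, reads as a typo: an attribute declaration grants nothing by itself, and the sibling comment two lines above uses the form `# All domains used for binder service domains.`. Suggest `# All domains used for platform (build-key signed) apps.` so the two declarations read consistently.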
diff --git a/file.te b/file.te
index 9af8ca526..132f9ea79 100644
--- a/file.te
+++ b/file.te
@@ -51,6 +51,7 @@ type nfc_data_file, file_type, data_file_type;
 type camera_calibration_file, file_type, data_file_type;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
+type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
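Review bot: The new `platform_app_data_file` type is declared `mlstrustedobject` without any comment, and unlike `app_data_file` on the line above it nothing says what it labels. That attribute exempts files of this type from the MLS constraints entirely, so the per-UID level separation that previously covered these directories stops applying for every subject in the policy, not only app domains; the declaration should record that, e.g. `# /data/data subdirectories of platform (build-key signed) apps; mlstrustedobject, so per-app MLS separation does not apply to them.`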
diff --git a/seapp_contexts b/seapp_contexts
index 502206a7b..088937bf6 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -33,8 +33,8 @@ user=system domain=system_app type=system_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
 user=app_* domain=untrusted_app type=app_data_file levelFromUid=true
-user=app_* seinfo=platform domain=platform_app levelFromUid=true
-user=app_* seinfo=shared domain=shared_app levelFromUid=true
-user=app_* seinfo=media domain=media_app levelFromUid=true
-user=app_* seinfo=release domain=release_app levelFromUid=true
-user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
+user=app_* seinfo=platform domain=platform_app type=platform_app_data_file
+user=app_* seinfo=shared domain=shared_app type=platform_app_data_file
+user=app_* seinfo=media domain=media_app type=platform_app_data_file
+user=app_* seinfo=release domain=release_app type=platform_app_data_file
+user=app_* seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
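Review bot: The `seinfo=release` entry now assigns `type=platform_app_data_file` and the release_app domain (made mlstrustedsubject by this commit) to every app signed with the release key, and app.te notes that this key is the testkey in AOSP, so on a testkey-signed build this presumably covers any app signed with the public testkey, not only apps shipped with the platform; a comment on that line, e.g. `# release key is the AOSP testkey; on test-keyed builds this matches any testkey-signed app`, would make the exposure visible to whoever maintains the file. Dropping `levelFromUid=true` also means two platform apps no longer differ by MLS level, which is the stated intent of the commit but is not recorded anywhere in seapp_contexts itself.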
diff --git a/te_macros b/te_macros
index 9146e220b..6354496ad 100644
--- a/te_macros
+++ b/te_macros
@@ -108,6 +108,14 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 ')
 
+#####################################
+# platform_app_domain(domain)
+# Allow permissions specific to platform apps.
+define(`platform_app_domain', `
+typeattribute $1 platformappdomain;
+typeattribute $1 mlstrustedsubject;
+')
+
 #####################################
 # net_domain(domain)
 # Allow a base set of permissions required for network access.
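Review bot: `typeattribute $1 mlstrustedsubject;` in the new macro exempts the whole domain from every MLS constraint in the policy, not only the constraints on third party app files that the description mentions, and the macro header does not say so. Suggest extending the header to `# Allow permissions specific to platform apps. Also makes the domain an mlstrustedsubject, i.e. exempt from all MLS constraints, so it can reach files created by per-UID levelled third party apps.` The same applies to each invocation added in app.te (platform_app, media_app, shared_app, release_app, browser_app), which inherit this exemption with no local comment; the macro body is fully inside the hunk, while the net_domain definition that follows continues past it.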
-- 
GitLab