Skip to content
Snippets Groups Projects
Select Git revision
  • test default
1 result
Blame History Permalink
  • Nick Kralevich's avatar
    Enforce execve() restrictions for API > 28 · 0dd738d8
    Nick Kralevich authored 
    untrusted_app: Remove the ability to run execve() on files within an
application's home directory. Executing code from a writable /home
directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX).
Additionally, loading code from application home directories violates a
security requirement that all executable code mapped into memory must
come from signed sources, or be derived from signed sources.

Note: this change does *not* remove the ability to load executable code
through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor
from the app's home directory. In particular, functionality like
dlopen() on files in an app's home directory continues to work even
after this change.

untrusted_app_25 and untrusted_app_27: For backwards compatibility,
continue to allow these domains to execve() files from the
application's home directory.

seapp_contexts: Bump the minimum API level required to enter the
untrusted_app domain. This will run API level 27-28 processes in
the API level 27 sandbox. API level 28 will continue to run with
levelFrom=all, and API level 27 will continue to run with
levelFrom=user.

Bug: 112357170
Test: Device boots and no obvious problems.
Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228
Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0
    0dd738d8
untrusted_app_27.te 1.35 KiB 
###
### Untrusted_27.
###
### This file defines the rules for untrusted apps running with
### 25 < targetSdkVersion <= 28.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory).  The untrusted_app_27 domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml.  In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key.  To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###

typeattribute untrusted_app_27 coredomain;

app_domain(untrusted_app_27)
untrusted_app_domain(untrusted_app_27)
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)

# The ability to call exec() on files in the apps home directories
# for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file execute_no_trans;