Enforce execve() restrictions for API > 28

untrusted_app: Remove the ability to run execve() on files within an application's home directory. Executing code from a writable /home directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX). Additionally, loading code from application home directories violates a security requirement that all executable code mapped into memory must come from signed sources, or be derived from signed sources. Note: this change does *not* remove the ability to load executable code through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor from the app's home directory. In particular, functionality like dlopen() on files in an app's home directory continues to work even after this change. untrusted_app_25 and untrusted_app_27: For backwards compatibility, continue to allow these domains to execve() files from the application's home directory. seapp_contexts: Bump the minimum API level required to enter the untrusted_app domain. This will run API level 27-28 processes in the API level 27 sandbox. API level 28 will continue to run with levelFrom=all, and API level 27 will continue to run with levelFrom=user. Bug: 112357170 Test: Device boots and no obvious problems. Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228 Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0

Enforce execve() restrictions for API > 28
untrusted_app: Remove the ability to run execve() on files within an application's home directory. Executing code from a writable /home directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX). Additionally, loading code from application home directories violates a security requirement that all executable code mapped into memory must come from signed sources, or be derived from signed sources. Note: this change does *not* remove the ability to load executable code through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor from the app's home directory. In particular, functionality like dlopen() on files in an app's home directory continues to work even after this change. untrusted_app_25 and untrusted_app_27: For backwards compatibility, continue to allow these domains to execve() files from the application's home directory. seapp_contexts: Bump the minimum API level required to enter the untrusted_app domain. This will run API level 27-28 processes in the API level 27 sandbox. API level 28 will continue to run with levelFrom=all, and API level 27 will continue to run with levelFrom=user. Bug: 112357170 Test: Device boots and no obvious problems. Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228 Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0
0dd738d8 · Nick Kralevich · f2cad2d9 · 0dd738d8 · 0dd738d8 · 0dd738d8
Commit 0dd738d8 authored 6 years ago by Nick Kralevich
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -40,6 +40,16 @@ neverallow { all_untrusted_apps -mediaprovider } property_type:property_service
 # but otherwise disallow untrusted apps from reading this property.
 neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;

+# Block calling execve() on files in an apps home directory.
+# This is a W^X violation (loading executable code from a writable
+# home directory). For compatibility, allow for targetApi <= 28.
+# b/112357170
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} { app_data_file privapp_data_file }:file execute_no_trans;
+
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
 # enforced via levelFrom=user in seapp_contexts and the mls

--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -113,6 +113,7 @@ user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -44,3 +44,8 @@ allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
 # Text relocation support for API < 23
 # https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
 allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file execute_no_trans;
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -2,7 +2,7 @@
 ### Untrusted_27.
 ###
 ### This file defines the rules for untrusted apps running with
-### 25 < targetSdkVersion <= 27.
+### 25 < targetSdkVersion <= 28.
 ###
 ### This file defines the rules for untrusted apps.
 ### Apps are labeled based on mac_permissions.xml (maps signer and
@@ -26,3 +26,7 @@ app_domain(untrusted_app_27)
 untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file execute_no_trans;
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -22,7 +22,7 @@

 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
+allow untrusted_app_all { app_data_file privapp_data_file }:file { r_file_perms execute };

 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;