Add autoplay_app domain

Initial check in of empty autoplay_app.te policy file. Create isAutoPlayApp input selector. Give this selector high precedence - only below isSystemServer. Add neverallow rule disallowing an app context with isAutoPlayApp=true from running in a domain other than autoplay_app. Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4

Add autoplay_app domain
Initial check in of empty autoplay_app.te policy file. Create isAutoPlayApp input selector. Give this selector high precedence - only below isSystemServer. Add neverallow rule disallowing an app context with isAutoPlayApp=true from running in a domain other than autoplay_app. Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4
400d3ac1 · Jeff Vander Stoep · d20a46ef · 400d3ac1 · 400d3ac1 · 400d3ac1
Commit 400d3ac1 authored 9 years ago by Jeff Vander Stoep
--- a/autoplay_app.te
+++ b/autoplay_app.te
+###
+### AutoPlay apps.
+###
+### This file defines the security policy for apps with the autoplay
+### feature.
+###
+### The autoplay_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to autoplay to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as autoplay at install time.
+type autoplay_app, domain;
--- a/file.te
+++ b/file.te
@@ -131,6 +131,7 @@ type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
 typealias audio_data_file alias audio_firmware_file;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
+type autoplay_data_file, file_type, data_file_type;
 # /data/data subdirectory for system UID apps.
 type system_app_data_file, file_type, data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.

--- a/seapp_contexts
+++ b/seapp_contexts
 # Input selectors:
 #	isSystemServer (boolean)
+#	isAutoPlayApp (boolean)
 #	isOwner (boolean)
 #	user (string)
 #	seinfo (string)
@@ -8,6 +9,7 @@
 #	isPrivApp (boolean)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
+# isAutoPlayApp=true will match apps marked by PackageManager as AutoPlay
 # isOwner=true will only match for the owner/primary user.
 # isOwner=false will only match for secondary users.
 # If unspecified, the entry can match either case.
@@ -22,15 +24,16 @@
 #
 # Precedence rules:
 # 	  (1) isSystemServer=true before isSystemServer=false.
-# 	  (2) Specified isOwner= before unspecified isOwner= boolean.
+# 	  (2) Specified isAutoPlayApp= before unspecified isAutoPlayApp= boolean.
-#	  (3) Specified user= string before unspecified user= string.
+# 	  (3) Specified isOwner= before unspecified isOwner= boolean.
-#	  (4) Fixed user= string before user= prefix (i.e. ending in *).
+#	  (4) Specified user= string before unspecified user= string.
-#	  (5) Longer user= prefix before shorter user= prefix.
+#	  (5) Fixed user= string before user= prefix (i.e. ending in *).
-#	  (6) Specified seinfo= string before unspecified seinfo= string.
+#	  (6) Longer user= prefix before shorter user= prefix.
+#	  (7) Specified seinfo= string before unspecified seinfo= string.
 #	      ':' character is reserved and may not be used.
-#	  (7) Specified name= string before unspecified name= string.
+#	  (8) Specified name= string before unspecified name= string.
-#	  (8) Specified path= string before unspecified path= string.
+#	  (9) Specified path= string before unspecified path= string.
-# 	  (9) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# 	  (10) Specified isPrivApp= before unspecified isPrivApp= boolean.
 #
 # Outputs:
 #	domain (string)
@@ -79,6 +82,9 @@ neverallow user=((?!_isolated).)* domain=isolated_app
 # uid's can be in shell domain
 neverallow user=shell domain=((?!shell).)*
+# AutoPlay Apps must run in the autoplay_app domain
+neverallow isAutoPlayApp=true domain=((?!autoplay_app).)*
 isSystemServer=true domain=system_server
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
@@ -88,5 +94,6 @@ user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app isAutoPlayApp=true domain=autoplay_app type=autoplay_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
 user=_app domain=untrusted_app type=app_data_file levelFrom=user
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -204,6 +204,7 @@ static list nallow_list = list_init(line_order_list_freefn);
 key_map rules[] = {
                /*Inputs*/
                { .name = "isSystemServer", .type = dt_bool,   .dir = dir_in,  .data = NULL },
+                { .name = "isAutoPlayApp",  .type = dt_bool,   .dir = dir_in,  .data = NULL },
                { .name = "isOwner",        .type = dt_bool,   .dir = dir_in,  .data = NULL },
                { .name = "user",           .type = dt_string, .dir = dir_in,  .data = NULL },
                { .name = "seinfo",         .type = dt_string, .dir = dir_in,  .data = NULL },