Validate no-cross-domain /proc/PID access
Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf
Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.
TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into it's own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.
Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90
diff --git a/private/app.te b/private/app.te
index 28895a3..b3bb516 100644
--- a/private/app.te
+++ b/private/app.te
@@ -367,8 +367,10 @@
# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
# signal access to non-app domains.
# sigchld allowed for parent death notification.
diff --git a/public/te_macros b/public/te_macros
index 582cf33..3efbe32 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -172,6 +172,8 @@
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
+neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
')
#####################################
