
Joshua Brindle  committed 91e44c6

3rd party VPN applications use a tun device

The tun device is created by the system and read from / written to by the VPN app.
This adds a boolean, app_vpn, that allows untrusted_app to act as a VPN client,
and a vpn_app domain to use if a site wants to lock down 3rd party VPN access to a
single, approved client.

As an example there is a client signature added to mac_permissions.xml.

Change-Id: I41c2c0d4c36029fb79cc28af3df252c285326e7c

  • Parent commits 6271d66


Files changed (7)

 net_domain(browser_app)
 
 #
+# 3rd party VPN clients that have seinfo=vpn in mac_permissions.xml
+# This is a more secure alternative to allowing untrusted_app access
+# to create a VPN tunnel.
+type vpn_app, domain;
+app_domain(vpn_app)
+net_domain(vpn_app)
+allow vpn_app tun_device:chr_file rw_file_perms;
+allow vpn_app system_data_file:file { execute open };
+allow vpn_app qtaguid_device:chr_file r_file_perms;
+allow vpn_app vpn_app_data_file:dir create_dir_perms;
+allow vpn_app vpn_app_data_file:notdevfile_class_set create_file_perms;
+allow vpn_app vpn_app:netlink_route_socket write;
+
+#
 # Rules for platform app domains.
 #
 
 if (app_read_logs or android_cts) {
 allow untrusted_app log_device:chr_file read;
 }
+#
+# Allow access to read/write VPN tunnels.
+# Only needed if a 3rd party VPN client is running as untrusted_app.
+# Alternatively this can be disabled if the 3rd party app is labeled
+# as vpn_app by setting seinfo=vpn in mac_permissions.xml
+#
+bool app_vpn false;
+if (app_vpn) {
+allow untrusted_app tun_device:chr_file rw_file_perms;
+allow untrusted_app untrusted_app:netlink_route_socket write;
+}
 
 #
 # Rules for all app domains.
 # All devices have a rpmsg device for 
 # achieving remoteproc and rpmsg modules
 type rpmsg_device, dev_type;
+
+# tun_device is used for 3rd party VPN clients
+# and must be an mlstrustedobject for the
+# case when untrusted_app is allowed to use it
+# which is when the app_vpn boolean is enabled.
+type tun_device, dev_type, mlstrustedobject;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
 type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/data directory for vpn_app
+type vpn_app_data_file, file_type, data_file_type;
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
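Review bot: When the boolean is enabled, `allow untrusted_app untrusted_app:netlink_route_socket write;` grants every process in untrusted_app the ability to send on routing-netlink sockets (assuming the domain can already create them), which is broader than the tun-device read/write that the comment above `bool app_vpn false;` describes; the comment should state that routing-netlink writes are part of what app_vpn turns on so a site enabling it understands the full grant. The vpn_app domain likewise receives `allow vpn_app system_data_file:file { execute open };`, letting the third-party client execute files labeled system_data_file, which is unrelated to tunnel access; a comment naming what the client needs to execute, or a dedicated type for those files, would make that rule reviewable. The file header for this section is not shown on the page, so the enclosing policy file can only be inferred from the surrounding rules.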

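--- a/file_contexts
+++ b/file_contexts
 /dev/tf_driver		u:object_r:tee_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
+/dev/tun		u:object_r:tun_device:s0
 /dev/uinput		u:object_r:input_device:s0
 /dev/urandom		u:object_r:urandom_device:s0
 /dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0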

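--- a/mac_permissions.xml
+++ b/mac_permissions.xml
       </package>
     </signer>
 
+    <!-- Sample 3rd party VPN client which will run in the vpn_app domain. Any
+         3rd party VPN should use <seinfo value="vpn" /> if the app_vpn boolean
+         is disabled, preventing untrusted_app from accessing the vpn tun device -->
+    <signer signature="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">
+      <package name="com.cisco.anyconnect.vpn.android.avf">
+        <allow-permission name="android.permission.ACCESS_CHECKIN_PROPERTIES" />
+        <allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
+        <allow-permission name="android.permission.ACCESS_WIFI_STATE" />
+        <allow-permission name="android.permission.BROADCAST_STICKY" />
+        <allow-permission name="android.permission.DIAGNOSTIC" />
+        <allow-permission name="android.permission.DUMP" />
+        <allow-permission name="android.permission.INTERNET" />
+        <allow-permission name="android.permission.READ_LOGS" />
+        <allow-permission name="android.permission.READ_PHONE_STATE" />
+        <allow-permission name="android.permission.RECEIVE_BOOT_COMPLETED" />
+        <allow-permission name="android.permission.WRITE_SECURE_SETTINGS" />
+        <allow-permission name="android.permission.WRITE_SETTINGS" />
+        <seinfo value="vpn" />
+      </package>
+    </signer>
+
     <!-- All other keys -->
     <default>
       <seinfo value="default" />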
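Review bot: The sample entry's allow-permission list includes READ_LOGS, DUMP and WRITE_SECURE_SETTINGS, which go well beyond what tun-device access requires, and the XML comment above the signer does not say where the list comes from; a site copying this block as a template would inherit that set. The comment should state that the permissions reflect this particular sample client's manifest and are to be replaced with the approved client's own requirements, for example `<!-- Permission list below is specific to the sample client; replace it with the approved client's manifest permissions -->`. Whether the listed permissions are actually needed by the sample client cannot be confirmed from this page.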

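--- a/seapp_contexts
+++ b/seapp_contexts
 user=_app seinfo=media domain=media_app type=platform_app_data_file
 user=_app seinfo=release domain=release_app type=platform_app_data_file
 user=_app seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
+user=_app seinfo=vpn domain=vpn_app type=vpn_app_data_file
 user=_isolated domain=isolated_app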
 # WifiWatchdog uses a packet_socket
 allow system self:packet_socket *;
 
+# 3rd party VPN clients require a tun_socket to be created
+allow system self:tun_socket create;
+
 # Notify init of death.
 allow system init:process sigchld;
 
 allow system video_device:chr_file rw_file_perms;
 allow system qemu_device:chr_file rw_file_perms;
 
+# tun device used for 3rd party vpn apps
+allow system tun_device:chr_file rw_file_perms;
+
 # Manage data files.
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
 allow system gps_device:chr_file rw_file_perms;
 allow system gps_control:file rw_file_perms;
 
-# system Read/Write udp_socket of untrusted_app
-allow system appdomain:udp_socket { read write };
+# system Read/Write tcp/udp_socket of untrusted_app
+allow system appdomain:{ tcp_socket udp_socket } { setopt read write };
 # Allow abstract socket connection
 allow system rild:unix_stream_socket connectto;