CDD: add per-app selinux requirements for P
Apps that target Android P can no longer share data with other apps
using world-accessible Unix permissions. This change improves the
integrity of the Android Application Sandbox, particularly the
requirement that an app's private data is accessible only by that
app. [1]
To share files with another app, use a content provider
or shared space in external storage.
This feature enforces an existing requirement that files saved in
internal storage are accessible by the owning app. [2]
[1] https://developer.android.com/guide/topics/data/data-storage.html#filesInternal
[2] https://developer.android.com/training/data-storage/files.html#PublicFiles
Bug: 73728376
Test: n/a
Change-Id: Ib2a93fde25f660782f315d5e02978637680f7594
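The commit message tells app developers to replace world-readable files with a content provider. The following Java snippet is an added illustration of that guidance and is not part of the CDD change or of any AOSP code; it assumes an AndroidX `FileProvider` is declared in the app manifest under the hypothetical authority `com.example.app.fileprovider` with a `<paths>` entry covering the app's files directory.

```java
// Added example (not from the CDD commit): keep private data private and
// share a single file through a content provider instead of loosening
// Unix permission bits on the app's data directory.
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public final class PrivateFileSharing {
    // Assumed authority; must match the <provider android:authorities=...>
    // entry in the app's AndroidManifest.xml.
    private static final String AUTHORITY = "com.example.app.fileprovider";

    // Writes into the app's private internal storage. MODE_PRIVATE is the
    // only sensible mode here: with a target API level of 28 the per-app
    // SELinux sandbox stops other apps from reading this directory regardless
    // of the Unix permission bits, so the old MODE_WORLD_READABLE pattern
    // (which the framework has refused with a SecurityException since API 24)
    // can no longer be used as a sharing channel.
    static File writePrivate(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
        return new File(ctx.getFilesDir(), name);
    }

    // Builds an intent that shares exactly one file via a content:// URI.
    // The read grant is scoped to that URI and to whichever component handles
    // the intent, and it is revoked when that component finishes, so the rest
    // of the private directory stays invisible to every other app.
    static Intent shareIntent(Context ctx, File file, String mimeType) {
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, file);
        Intent intent = new Intent(Intent.ACTION_SEND);
        intent.setType(mimeType);
        intent.putExtra(Intent.EXTRA_STREAM, uri);
        intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return intent;
    }
}
```

A caller writes the file with `writePrivate(...)` and then starts the activity returned by `shareIntent(...)`; the receiving app never learns the on-disk path and only ever sees the provider URI it was granted.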
diff --git a/9_security-model/9_7_kernel-security-features.md b/9_security-model/9_7_kernel-security-features.md
index a6a5d8d..09624fa 100644
--- a/9_security-model/9_7_kernel-security-features.md
+++ b/9_security-model/9_7_kernel-security-features.md
@@ -64,6 +64,9 @@
within the system/sepolicy folder provided in the upstream Android Open Source
Project (AOSP) and the policy MUST compile with all neverallow rules present,
for both AOSP SELinux domains as well as device/vendor specific domains.
+* [C-1-5] MUST run third-party applications targeting API level 28 or higher
+in per-application SELinux sandboxes with per-app SELinux restrictions on each
+application's private data directory.
* SHOULD retain the default SELinux policy provided in the system/sepolicy
folder of the upstream Android Open Source Project and only further add to this
policy for their own device-specific configuration.
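Review bot: The new [C-1-5] bullet does not say what "per-app SELinux restrictions on each application's private data directory" must achieve, so a device implementer cannot tell from this text which policy satisfies it; suggest stating the observable property the commit message gives, e.g. "such that files in an application's private data directory are accessible only by that application, regardless of their Unix permission bits", or pointing at the AOSP sepolicy that implements it. The bullet is also keyed on the app's target API level (28) while the neighbouring [C-1-x] items concern policy compilation, so a cross-reference from the application sandbox requirements would help readers find it.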
@@ -72,4 +75,4 @@
If device implementations use kernel other than Linux, they:
* [C-2-1] MUST use an mandatory access control system that is
-equivalent to SELinux.
\ No newline at end of file
+equivalent to SELinux.
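Review bot: Since the only change to this line is the added trailing newline, fix the grammar on the line above at the same time: "MUST use an mandatory access control system" should read "MUST use a mandatory access control system".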