app.te revision 1545b6061518bac473cf93af576cbea12a992298
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc.
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Structure: the "allow" rules grant the baseline every app domain
### gets; the "neverallow" section at the bottom is enforced at policy
### build time against every allow rule in the whole policy, including
### the per-domain files that extend this one, so nothing added there
### (or in a device overlay) can silently widen the app sandbox past it.
###

# Dalvik Compiler JIT Mapping.
# execmem permits writable+executable anonymous memory in the app's own
# process; it is needed by the JIT but means W^X is not enforced for apps.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
allow appdomain zygote_exec:file r_file_perms;

# gdbserver for ndk-gdb ptrace attaches to app process.
# Only self is granted here; ptrace of any non-app domain is forbidden by
# the neverallow rule further down.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
# Note there is no "create" or "connectto" here: apps can only use fds that
# system_server has already opened and handed over.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

# lib subdirectory of /data/data dir is system-owned.
# Read and execute only; writing system_data_file is blocked by a neverallow
# below for everything except system_app.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open };

# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };

# Write to /data/anr/traces.txt.
# append only, no write/create: apps can add trace output but not truncate
# or replace the file.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
# The shell_data_file write below is what the shell_data_file neverallow at
# the end of this file deliberately leaves out of its permission set.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
# NOTE(review): this includes execute on the device node, not just rw;
# presumably required by the GPU driver's mapping model -- confirm per device.
allow appdomain gpu_device:chr_file { rw_file_perms execute };

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow appdomain radio_data_file:file { read write getattr };

# Access SDcard.
allow appdomain sdcard_type:dir create_dir_perms;
allow appdomain sdcard_type:file create_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;

# /data/dalvik-cache/profiles
allow appdomain dalvikcache_profiles_data_file:file write;

# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
# The auditallow logs every granted execute of an unlabeled file, so use of
# this legacy path stays visible in the audit log and can be tracked down.
allow appdomain unlabeled:file x_file_perms;
auditallow appdomain unlabeled:file x_file_perms;

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
# NOTE(review): "domain" is the attribute of every process type, so these two
# rules expose the readable /proc/<pid> entries of all processes to all apps,
# not only the ones the CTS tests above look at. Keep that in mind when
# assessing information disclosure through /proc.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;

# logd access
read_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### Every rule below excludes unconfineddomain, so these guarantees hold
### only for confined app domains. Each further "-domain" exclusion is a
### deliberate carve-out for one privileged app domain and should be
### read as part of that domain's attack surface.
###

# Superuser capabilities.
# bluetooth requires net_admin.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
neverallow { appdomain -unconfineddomain } self:capability2 *;

# Block device access.
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow { appdomain -unconfineddomain } {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# This rule names its subject domains explicitly instead of using appdomain,
# so app domains not listed here are not covered by it.
neverallow { untrusted_app isolated_app shell -unconfineddomain }
    graphics_device:chr_file { read write };

neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
    { read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
# Only the classes enumerated here are covered; netlink classes not in this
# list (e.g. netlink_route_socket) are not restricted by this rule.
neverallow { appdomain -unconfineddomain }
    self:{
        netlink_socket
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
        netlink_kobject_uevent_socket
    } *;

# Sockets under /dev/socket that are not specifically typed.
neverallow { appdomain -unconfineddomain } socket_device:sock_file write;

# Unix domain sockets.
# The property_socket exclusion list (bluetooth, radio, shell, system_app)
# matches the property_service "set" exclusion list at the end of this file;
# keep the two in sync when changing either.
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
    property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
# The target set is { domain -appdomain }, so app-to-app ptrace is not
# forbidden by this rule; it is simply not granted anywhere in this file.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
    { transition dyntransition };

# Map low memory.
# Note: Take to domain.te and apply to all domains in the future.
neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;

# Write to rootfs.
neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow { appdomain -unconfineddomain } exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app }
    system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
# Each rule uses the same "modify" permission set; the one exception is
# shell_data_file, which intentionally omits "write" because the dumpstate
# rules above allow all apps to write shell_data_file:file.
neverallow { appdomain -system_app -unconfineddomain }
    security_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# "write" deliberately absent here (see comment above).
neverallow { appdomain -shell -unconfineddomain }
    shell_data_file:dir_file_class_set
    { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
neverallow { appdomain -unconfineddomain }
    efs_file:dir_file_class_set { read write };

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -unconfineddomain }
    sysfs:dir_file_class_set write;
neverallow { appdomain -unconfineddomain }
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain }
    kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
# Exclusion list mirrors the property_socket rule above.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
    property_type:property_service set;