app.te revision 2e7a301fad5b6065e2d364170a80bc58bc41aab0
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### "appdomain" is used below both as a rule source and inside set
### expressions such as { appdomain -unconfineddomain }, so it is presumably
### an attribute declared in another .te file and attached to every app
### domain type.  The allow rules here are therefore inherited by every app
### domain; the neverallow rules at the end are build-time assertions that
### no other .te file may contradict (policy compilation fails if one does).
### Identifiers ending in _perms (r_file_perms, rw_file_perms, ...) and the
### *_socket_connect / binder_* / r_dir_file / selinux_check_* calls are
### macros defined elsewhere; their exact expansions are not visible here.
###

# Dalvik Compiler JIT Mapping.
# execmem permits anonymous memory that is both writable and executable
# (the JIT code cache), so W^X is not enforced for app domains.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Allow apps to connect to the keystore
# (client-side connect only; presumably expands to sock_file write plus
# unix_stream_socket connectto -- confirm against te_macros).
unix_socket_connect(appdomain, keystore, keystore)

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# Needed to close the zygote socket, which involves getopt / getattr
# This should be deleted after b/12061011 is fixed
allow appdomain zygote:unix_stream_socket { getopt getattr };

# gdbserver for ndk-gdb reads the zygote.
allow appdomain zygote_exec:file r_file_perms;

# gdbserver for ndk-gdb ptrace attaches to app process.
# NOTE(review): "self" matches any process whose type equals the caller's,
# not only the calling process.  If several apps share one domain type this
# also permits ptrace between them at the MAC level, leaving DAC uid
# separation as the remaining barrier -- confirm against how app domains
# are assigned.  ptrace of non-app domains is forbidden by a neverallow below.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death;
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Communicate with system_server.
# Socket access is limited to an already-open socket (read/write/setopt);
# no connectto here, so the socket must be handed over by other means.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt };
binder_call(appdomain, system_server)

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
binder_call(appdomain, surfaceflinger)

# App sandbox file accesses.
# Full create/read/write of the app's own data directory tree.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC.  Do not allow open.
allow appdomain platform_app_data_file:file { getattr read write };

# lib subdirectory of /data/data dir is system-owned.
# Read/execute only: the neverallow on system_data_file below keeps apps
# from writing to these system-owned locations.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open };

# Execute the shell or other system executables.
# execute_no_trans (via rx_file_perms) means the app stays in its own domain
# when running these binaries; no domain transition is granted here.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };

# Write to /data/anr/traces.txt.
# Append-only: open + append without write or create, so apps can add to
# the existing traces file but not truncate, create or remove it.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
# shell_data_file:file has no open or create here, so the descriptor is
# presumably received from dumpstate (fd use above) -- confirm.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
allow appdomain shell_data_file:file { write getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
# "execute" on a chr_file is presumably needed to mmap the device with
# PROT_EXEC -- confirm which GPU driver path requires it.
allow appdomain gpu_device:chr_file { rw_file_perms execute };

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
# (app-to-app binder IPC is permitted at the MAC level for every app domain)
binder_call(appdomain, appdomain)

# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain isolated_app:unix_stream_socket { read write };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow all applications to read downloaded files
allow appdomain download_file:dir search;
allow appdomain download_file:file r_file_perms;

# Allow applications to communicate with netd via /dev/socket/dnsproxyd
# to do DNS resolution
unix_socket_connect(appdomain, dnsproxyd, netd)

# Allow applications to communicate with drmserver over binder
binder_call(appdomain, drmserver)

# Allow applications to communicate with mediaserver over binder
binder_call(appdomain, mediaserver)

# Allow applications to make outbound tcp connections to any port
# NOTE(review): port_type is presumably the attribute covering every port
# type, so SELinux imposes no destination-port restriction here; whatever
# gates outbound network access for apps lives outside this policy.
allow appdomain port_type:tcp_socket name_connect;

# Allow apps to see changes to the routing table.
# Read-only on the netlink side: the set below has neither write nor
# nlmsg_write, so apps can observe routing changes but not alter routes.
allow appdomain self:netlink_route_socket {
    read
    bind
    create
    nlmsg_read
    ioctl
    getattr
    setattr
    getopt
    setopt
    shutdown
};

# Allow apps to use rawip sockets. This is needed for apps which execute
# /system/bin/ping, for example.
# NOTE(review): the capability neverallow below still withholds net_raw
# from app domains, so this rule alone does not make raw sockets openable;
# confirm the kernel path ping actually uses.
allow appdomain self:rawip_socket create_socket_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# (no open permission on either device type, consistent with fd passing)
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;

# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
# NOTE(review): executing files that carry no label is a broad grant;
# worth revisiting once legacy devices are relabelled.
allow appdomain unlabeled:file x_file_perms;

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
# NOTE(review): this is the broadest read grant in the file: open/read/getattr
# on every file and symlink labelled with any domain type (i.e. /proc/<pid>/*
# of every process, privileged ones included), not only the entries the
# tests need.  A candidate for narrowing once the tests can be satisfied
# another way.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
# (lets an app read the security context of any process)
allow appdomain domain:process getattr;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### A neverallow does not deny anything at runtime; it makes the policy
### build fail if any allow rule anywhere grants the listed access.  The
### recurring "-unconfineddomain" exempts unconfined domains from each
### assertion; rules without it apply to every app domain without exception.
###

# Superuser capabilities.
# bluetooth requires net_admin.
# NOTE(review): "-bluetooth" exempts the bluetooth domain from the whole
# capability assertion, not just from net_admin; if net_admin is the only
# need, a separate assertion over { capability -net_admin } would keep the
# other capabilities covered for bluetooth as well.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
neverallow { appdomain -unconfineddomain } self:capability2 *;

# Block device access.
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

# Access to any character device that is not specifically typed.
neverallow { appdomain -unconfineddomain } device:chr_file { read write };

# Access to any of the following character devices.
neverallow { appdomain -unconfineddomain } {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# (this one is asserted over an explicit list of domains rather than the
# appdomain attribute, so app domains not named here are not covered)
neverallow { untrusted_app isolated_app shell -unconfineddomain }
    graphics_device:chr_file { read write };

neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
    { read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

# Set SELinux enforcing mode, booleans or any other SELinux settings.
neverallow { appdomain -unconfineddomain } kernel:security
    { setenforce setbool setsecparam setcheckreqprot };

# Load security policy.
# No unconfineddomain exception: applies to every app domain.
neverallow appdomain kernel:security load_policy;

# Privileged netlink socket interfaces.
# netlink_route_socket is absent from this list on purpose; see the
# read-only routing-table grant above.
neverallow { appdomain -unconfineddomain }
    self:{
        netlink_socket
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
        netlink_kobject_uevent_socket
    } *;

# Sockets under /dev/socket that are not specifically typed.
neverallow { appdomain -unconfineddomain } socket_device:sock_file write;

# Unix domain sockets.
# The property_socket exception list matches the property_service
# exception list at the end of this file.
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
    property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
# (ptrace within app domains is not asserted against; see self:process ptrace above)
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
# "~appdomain" is the complement: every type that is not an app domain.
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
    { transition dyntransition };

# Map low memory.
# Note: Take to domain.te and apply to all domains in the future.
neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;

# Write to rootfs.
# The permission list repeated below is the write side of
# dir_file_class_set: anything that modifies an object, its name or its label.
neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow { appdomain -unconfineddomain } exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts.  Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app }
    system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow { appdomain -system_app -unconfineddomain }
    security_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# "write" is absent from this set, unlike the neighbouring rules; that is
# what lets the shell_data_file:file write grant (dumpstate, above) coexist
# with this assertion.
neverallow { appdomain -shell -unconfineddomain }
    shell_data_file:dir_file_class_set
    { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
# (read is asserted against here as well, not only write)
neverallow { appdomain -unconfineddomain }
    efs_file:dir_file_class_set { read write };

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -unconfineddomain }
    sysfs:dir_file_class_set write;
neverallow { appdomain -unconfineddomain }
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain }
    kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
# "~getattr" is every permission of the filesystem class except getattr.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
# Same exception list as the property_socket assertion above.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
    property_type:property_service set;
363