app.te revision 2e7a301fad5b6065e2d364170a80bc58bc41aab0
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Review note: every allow rule in this file is granted to the weakest
### app domains as well (untrusted_app, isolated_app). Before adding a rule
### here, prefer the narrower per-domain file, and check the addition
### against the neverallow section at the end of this file, which the
### policy build enforces at compile time.
###

# Dalvik Compiler JIT Mapping.
# execmem is SELinux's permission for anonymous memory that is both
# writable and executable (the JIT code cache) - a deliberate W^X
# relaxation that applies to every app.
allow appdomain self:process execmem;
# Execute code from ashmem-backed mappings.
allow appdomain ashmem_device:chr_file execute;

# Allow apps to connect to the keystore daemon's unix socket.
# This only gates the connect; which key operations a caller may perform
# is presumably enforced inside keystore itself, not by this rule.
unix_socket_connect(appdomain, keystore, keystore)

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# Needed to close the zygote socket, which involves getopt / getattr
# This should be deleted after b/12061011 is fixed
# Deliberately no read/write here; connecting to the zygote socket is
# neverallowed at the end of this file.
allow appdomain zygote:unix_stream_socket { getopt getattr };

# gdbserver for ndk-gdb reads the zygote executable.
allow appdomain zygote_exec:file r_file_perms;

# gdbserver for ndk-gdb ptrace attaches to the app's own process.
# Self only: ptrace of any non-app domain is neverallowed at the end of
# this file.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death (sigchld only; no other signals to zygote).
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
# devpts is the generic pty type; no open is granted, so the pty must
# arrive as an inherited or passed fd rather than be opened by the app.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Communicate with system_server.
# The unix_stream_socket rule covers already-connected sockets only (no
# connectto), so the connection presumably has to be set up by
# system_server or handed over as an fd.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt };
binder_call(appdomain, system_server)

# Communication with other apps via fifos.
# Unnamed pipes are labelled with the creating process's domain, so this
# is what lets a pipe handed from one app to another over IPC be used.
# NOTE(review): this is app-to-app for every app domain; confirm it is
# still required here rather than only by specific domains.
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger (same shape as system_server above:
# already-connected sockets without connectto, plus binder).
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
binder_call(appdomain, surfaceflinger)

# App sandbox file accesses (the app's own private data directory).
# The app's own sandbox: full create/read/write for directories and the
# non-device file classes (notdevfile_class_set), i.e. no device nodes.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC. Do not allow open.
allow appdomain platform_app_data_file:file { getattr read write };

# lib subdirectory of /data/data dir is system-owned.
# Read and execute only; writes to system_data_file are neverallowed at
# the end of this file (system_app excepted).
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open };

# Execute the shell or other system executables.
# No domain transition is defined here, so the app keeps running in its
# own domain; writes to /system are neverallowed below.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;

# Read/write wallpaper file (opened by system; no open granted here).
allow appdomain wallpaper_file:file { read write };

# Write to /data/anr/traces.txt.
# Append-only: no read permission, so an app cannot read the stack
# traces other processes have written there.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate.
# The shell_data_file fd is opened by dumpstate and passed in; only
# write/getattr are granted (no open/create). The shell_data_file
# neverallow at the end of this file deliberately omits write for
# exactly this reason - keep the two in sync.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
allow appdomain shell_data_file:file { write getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
# NOTE(review): this is a read/write grant on the qtaguid control file for
# every app; the module's own uid/gid checks are the remaining guard on
# what a caller may tag or untag - confirm that is sufficient.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
# execute on the device node permits PROT_EXEC mappings of it; presumably
# needed by the GPU driver/userspace - verify it is still required.
allow appdomain gpu_device:chr_file { rw_file_perms execute };

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
# Binder IPC between apps (any app domain may call any other).
binder_call(appdomain, appdomain)

# Appdomain interaction with isolated apps.
# Read-only access to isolated_app-labelled objects (presumably their
# /proc/<pid> entries, as with the domain rules in the CTS section).
r_dir_file(appdomain, isolated_app)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain isolated_app:unix_stream_socket { read write };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
# Backup ability using 'adb backup' (symlink metadata only).
allow appdomain system_data_file:lnk_file getattr;

# Allow all applications to read downloaded files.
# NOTE(review): this is a device-wide read grant at the MAC layer; any
# per-app separation of downloads rests on DAC alone - confirm that is
# intended.
allow appdomain download_file:dir search;
allow appdomain download_file:file r_file_perms;

# Allow applications to communicate with netd via /dev/socket/dnsproxyd
# to do DNS resolution.
unix_socket_connect(appdomain, dnsproxyd, netd)

# Allow applications to communicate with drmserver over binder.
binder_call(appdomain, drmserver)

# Allow applications to communicate with mediaserver over binder.
binder_call(appdomain, mediaserver)

# Allow applications to make outbound tcp connections to any port.
# Deliberately unrestricted at the SELinux layer (port_type covers every
# labelled port); whether an app may use the network at all is decided
# elsewhere, presumably by the INTERNET permission / network gid checks.
allow appdomain port_type:tcp_socket name_connect;

# Allow apps to see changes to the routing table.
# Observe-only: write and nlmsg_write are intentionally absent, so an app
# can dump and listen for route changes but not modify routes.
allow appdomain self:netlink_route_socket {
    read
    bind
    create
    nlmsg_read
    ioctl
    getattr
    setattr
    getopt
    setopt
    shutdown
};

# Allow apps to use rawip sockets. This is needed for apps which execute
# /system/bin/ping, for example.
# NOTE(review): the capability neverallow at the end of this file denies
# net_raw to apps, so this presumably serves unprivileged ICMP ("ping")
# sockets, which fall under the rawip_socket class, rather than true raw
# sockets - confirm against the ping implementation.
allow appdomain self:rawip_socket create_socket_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# No open is granted here, so an app cannot open USB device nodes on its
# own; it can only use fds the system server hands to it.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art: execute compiled code out of the dalvik cache.
allow appdomain dalvikcache_data_file:file execute;

# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
# NOTE(review): this lets every app execute files that carry no label at
# all. It is an upgrade-compatibility concession and should be dropped
# once userdata on upgraded devices is reliably relabelled.
allow appdomain unlabeled:file x_file_perms;

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
# NOTE(review): 'domain' is every process type on the device, so these two
# rules grant every app read access to every process's /proc/<pid> tree at
# the MAC layer, purely for the sake of tests. The only remaining guard is
# the kernel's own DAC and, for some entries, ptrace_may_access checks.
# Candidate for tightening to the specific entries the tests need.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts. (These macros are defined outside
# this file; regardless of what they expand to, setenforce/setbool and
# load_policy are neverallowed below.)
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### neverallow rules are compile-time assertions: the policy build fails
### if any allow rule, in this file or in a derived domain's file,
### contradicts one. Note that almost all of them exclude unconfineddomain,
### so an app domain that is also unconfined is not covered by them; only
### the load_policy rule below applies to all of appdomain unconditionally.
###

# Superuser capabilities.
# bluetooth requires net_admin.
# NOTE(review): the bluetooth exclusion lifts the whole capability class
# for bluetooth, not just net_admin. A narrower form would keep bluetooth
# in the set and exclude only net_admin from the wildcard (e.g. '~net_admin'
# for bluetooth in a separate rule), so every other capability stays
# asserted for it too.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
neverallow { appdomain -unconfineddomain } self:capability2 *;

# Block device access (raw partition reads/writes).
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

# Access to any character device that is not specifically typed.
neverallow { appdomain -unconfineddomain } device:chr_file { read write };

# Access to any of the following character devices.
neverallow { appdomain -unconfineddomain } {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Only these three domains are asserted here; other app domains (e.g.
# platform_app, system_app) are not covered by this rule.
neverallow { untrusted_app isolated_app shell -unconfineddomain }
    graphics_device:chr_file { read write };

neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
    { read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

# Set SELinux enforcing mode, booleans or any other SELinux settings.
neverallow { appdomain -unconfineddomain } kernel:security
    { setenforce setbool setsecparam setcheckreqprot };

# Load security policy.
# No exceptions at all - this one also covers unconfined app domains.
neverallow appdomain kernel:security load_policy;

# Privileged netlink socket interfaces.
# netlink_route_socket is intentionally not in this list: the allow rule
# earlier in this file grants it without write/nlmsg_write.
neverallow { appdomain -unconfineddomain }
    self:{
        netlink_socket
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
        netlink_kobject_uevent_socket
    } *;

# Sockets under /dev/socket that are not specifically typed.
# (write on a sock_file is what connect() to a named unix socket needs.)
neverallow { appdomain -unconfineddomain } socket_device:sock_file write;

# Unix domain sockets.
# Named daemon sockets that apps must not connect to. The exception set on
# the property socket (bluetooth, radio, shell, system_app) matches the
# property_service neverallow at the end of this file; radio alone may
# reach rild.
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
    property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
# Only non-app targets are asserted; app-to-app ptrace is not forbidden by
# this rule (this file grants self ptrace only; derived files may add more).
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
# Complements the read-only CTS grant on domain:file earlier in this file.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
# ~appdomain is every type that is not an app domain, so an app can only
# ever exec or dyntransition into another app domain (or stay put).
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
    { transition dyntransition };

# Map low memory (mmap below mmap_min_addr, the classic primitive for
# exploiting kernel NULL-pointer dereferences).
# Note: Take to domain.te and apply to all domains in the future.
neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;

# Write to rootfs.
neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
# Read/execute of system_file is granted earlier in this file; this
# asserts it stays read-only for apps.
neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
# exec_type is the attribute shared by every *_exec entrypoint type, so an
# app can never modify a binary that some domain is entered through.
neverallow { appdomain -unconfineddomain } exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app }
    system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
# platform_app is exempted from the apk_* rules (presumably for package
# installation); system_app is exempted from security_file.
neverallow { appdomain -system_app -unconfineddomain }
    security_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# shell_data_file: 'write' is deliberately missing from this set (compare
# the rules above) because the dumpstate rule earlier in this file grants
# appdomain write on shell_data_file fds it is handed. Creating, renaming,
# relabelling or unlinking shell-owned files is still asserted impossible.
neverallow { appdomain -shell -unconfineddomain }
    shell_data_file:dir_file_class_set
    { create setattr relabelfrom relabelto append unlink link rename };
# Remaining per-subsystem data directories. These assert writes only:
# nothing here says an app cannot *read* e.g. keystore_data_file or
# wifi_data_file; that relies on no allow rule existing, plus DAC.
neverallow { appdomain -bluetooth -unconfineddomain }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
# Unlike the rules above, this one forbids reads as well as writes.
neverallow { appdomain -unconfineddomain }
    efs_file:dir_file_class_set { read write };

# Write to various pseudo file systems.
# bluetooth and nfc are exempted for sysfs. qtaguid_proc is a distinct
# type, which is why the rw_file_perms grant on /proc/net/xt_qtaguid/ctrl
# earlier in this file does not conflict with the proc rule here.
neverallow { appdomain -bluetooth -nfc -unconfineddomain }
    sysfs:dir_file_class_set write;
neverallow { appdomain -unconfineddomain }
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg (the kernel log; system_app excepted).
neverallow { appdomain -system_app -unconfineddomain }
    kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
# The exception set matches the property_socket rule above: a domain that
# may not write the property socket cannot set properties either.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
    property_type:property_service set;