app.te revision 81560733a47633036133ce548bf638bc3d91f5cf
1748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich###
2748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### Domain for all zygote spawned apps
3748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich###
4748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### This file is the base policy for all zygote spawned apps.
5748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### Other policy files, such as isolated_app.te and untrusted_app.te,
6748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### extend this policy. Only rules which should apply to ALL
7748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich### zygote spawned apps should be added here.
8748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich###
9748fdef626d1dda2a0a727ea35d85d04363f5307Nick Kralevich
106634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Allow apps to connect to the keystore
116634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichunix_socket_connect(appdomain, keystore, keystore)
126634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
136634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Receive and use open file descriptors inherited from zygote.
146634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain zygote:fd use;
156634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
166634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Read system properties managed by zygote.
176634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain zygote_tmpfs:file read;
186634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
196634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Notify zygote of this process's death (SIGCHLD).
206634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain zygote:process sigchld;
216634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
226634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Communicate with system_server.
236634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain system:fifo_file rw_file_perms;
246634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain system:unix_stream_socket { read write setopt };
256634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichbinder_call(appdomain, system)
266634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
276634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Communicate with surfaceflinger.
286634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain surfaceflinger:unix_stream_socket { read write setopt };
296634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichbinder_call(appdomain, surfaceflinger)
306634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
316634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# App sandbox file accesses.
326634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain app_data_file:dir create_dir_perms;
336634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain app_data_file:notdevfile_class_set create_file_perms;
346634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
356634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Read/write data files created by the platform apps if they
366634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# were passed to the app via binder or local IPC.  Do not allow open.
376634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain platform_app_data_file:file { getattr read write };
386634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
396634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# lib subdirectory of /data/data dir is system-owned.
406634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain system_data_file:dir r_dir_perms;
416634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain system_data_file:file { execute open };
426634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
436634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Execute the shell or other system executables.
446634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain shell_exec:file rx_file_perms;
456634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain system_file:file rx_file_perms;
466634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
476634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Read/write wallpaper file (opened by system).
486634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain wallpaper_file:file { read write };
496634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
506634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Write to /data/anr/traces.txt.
516634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain anr_data_file:dir search;
526634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain anr_data_file:file { open append };
536634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
546634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Write to /proc/net/xt_qtaguid/ctrl file.
556634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain qtaguid_proc:file rw_file_perms;
566634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Everybody can read the xt_qtaguid resource tracking misc dev.
576634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# So allow all apps to read from /dev/xt_qtaguid.
586634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain qtaguid_device:chr_file r_file_perms;
596634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
606634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Use the Binder.
616634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichbinder_use(appdomain)
626634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Perform binder IPC to binder services.
636634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichbinder_call(appdomain, binderservicedomain)
646634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Perform binder IPC to other apps.
656634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichbinder_call(appdomain, appdomain)
666634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
676634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Appdomain interaction with isolated apps
686634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichr_dir_file(appdomain, isolated_app)
696634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichbinder_call(appdomain, isolated_app)
706634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
716634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Already connected, unnamed sockets are passed over some other IPC,
726634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# hence no sock_file or connectto permission is needed. This appears to be how
736634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Chrome works; it may need to be updated as more apps using isolated services
746634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# are examined.
756634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain isolated_app:unix_stream_socket { read write };
766634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
776634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Backup ability for every app. BMS opens and passes the fd
786634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# to any app that has backup ability. Hence, no open permissions here.
7981560733a47633036133ce548bf638bc3d91f5cfGeremy Condraallow appdomain backup_data_file:file { read write getattr };
8081560733a47633036133ce548bf638bc3d91f5cfGeremy Condraallow appdomain cache_backup_file:file { read write getattr };
816634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Backup ability using 'adb backup'
826634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain system_data_file:lnk_file getattr;
836634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
846634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Allow all applications to read downloaded files
856634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain download_file:file r_file_perms;
866634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichfile_type_auto_trans(appdomain, download_file, download_file)
876634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
886634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Allow applications to communicate with netd via /dev/socket/dnsproxyd
896634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# to do DNS resolution
906634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichunix_socket_connect(appdomain, dnsproxyd, netd)
916634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
926634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Allow applications to communicate with drmserver over binder
936634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichbinder_call(appdomain, drmserver)
946634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
956634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Allow applications to communicate with mediaserver over binder
966634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichbinder_call(appdomain, mediaserver)
976634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
986634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Allow applications to make outbound tcp connections to any port
996634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain port_type:tcp_socket name_connect;
1006634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1016634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Allow apps to see changes to the routing table.
1026634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain self:netlink_route_socket {
1036634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    read
1046634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    bind
1056634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    create
1066634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    nlmsg_read
1076634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    ioctl
1086634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    getattr
1096634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    setattr
1106634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    getopt
1116634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    setopt
1126634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    shutdown
1136634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich};
1146634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1156634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Allow apps to use rawip sockets. This is needed for apps which execute
1166634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# /system/bin/ping, for example.
1176634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichallow appdomain self:rawip_socket create_socket_perms;
1186634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1196634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich###
1206634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich### Neverallow rules
1216634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich###
1226634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich### These are things that Android apps should NEVER be able to do
1236634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich###
1246634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1256634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Superuser capabilities.
1266634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# The only exception is sys_nice, used for binder; it might not be necessary.
1276634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichneverallow { appdomain -unconfineddomain } self:capability ~sys_nice;
1286634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichneverallow { appdomain -unconfineddomain } self:capability2 *;
1296634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1306634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Block device access.
1316634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichneverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
1326634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1336634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Kernel memory access.
1346634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichneverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
1356634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1366634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Setting SELinux enforcing status or booleans.
1376634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Conditionally allowed to system_app for SEAndroidManager.
1386634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichneverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
1396634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1406634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Load security policy.
1412637198f92d5d9c65262e42d78123d216889d546Nick Kralevichneverallow appdomain kernel:security load_policy;
1426634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1436634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Privileged netlink socket interfaces.
1446634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichneverallow { appdomain -unconfineddomain }
1456634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    self:{
1466634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich        netlink_socket
1476634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich        netlink_firewall_socket
1486634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich        netlink_tcpdiag_socket
1496634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich        netlink_nflog_socket
1506634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich        netlink_xfrm_socket
1516634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich        netlink_selinux_socket
1526634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich        netlink_audit_socket
1536634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich        netlink_ip6fw_socket
1546634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich        netlink_dnrt_socket
1556634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich        netlink_kobject_uevent_socket
1566634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich    } *;
1576634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1586634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# ptrace access to non-app domains.
1596634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichneverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
1606634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1616634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Transition to a non-app domain.
1626634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichneverallow { appdomain -unconfineddomain } ~appdomain:process { transition dyntransition };
1636634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1646634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Write to /system.
1656634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichneverallow { appdomain -unconfineddomain } system_file:dir_file_class_set write;
1666634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich
1676634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# Write to system-owned parts of /data.
1686634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# This is the default type for anything under /data not otherwise
1696634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# specified in file_contexts.  Define a different type for portions
1706634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# that should be writable by apps.
1716634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevich# system_app is excepted so that Settings can write here.
1726634a1080e6617854d0b29bc65bb1c852ad3d5b6Nick Kralevichneverallow { appdomain -unconfineddomain -system_app } system_data_file:dir_file_class_set write;