app.te revision 8ee37b4f1c58e1dcd00b198a9bbfeafb4221fdc9
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Layout: allow rules first (what every app domain may do), then a
### block of neverallow rules that act as compile-time assertions no
### other .te file may loosen. When reviewing a new allow rule, check it
### against the neverallow block at the bottom of this file.
###

# Dalvik Compiler JIT Mapping.
# execmem permits anonymous writable+executable mappings, i.e. it is the
# W^X exception that every app domain carries for the JIT.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;

# gdbserver for ndk-gdb ptrace attaches to app process.
# Self only. ptrace of non-app domains is neverallowed below; ptrace of
# a *different* app domain is neither granted here nor forbidden by a
# neverallow in this file.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
# No create/connect permission: the descriptors must arrive over IPC.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

# lib subdirectory of /data/data dir is system-owned.
# NOTE(review): execmod allows executing a private file mapping after it
# has been modified (text relocations), so native libraries here are not
# held to W^X. The same is granted on apk_data_file further down.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };

# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;

# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };

# Write to /data/anr/traces.txt.
# append only, no write/create: an app can add to the trace file but
# not truncate or replace it.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
# The shell_data_file write below is what keeps "write" out of the
# shell_data_file neverallow at the bottom of this file.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
# qtaguid_proc is its own type, which is why this does not collide with
# the "neverallow appdomain proc:... write" rule below.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
# execute on the device node permits PROT_EXEC mappings of it
# (presumably a driver requirement; not justified in this file).
allow appdomain gpu_device:chr_file { rw_file_perms execute };

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow appdomain radio_data_file:file { read write getattr };

# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos.
# NOTE(review): this rule is scoped to untrusted_app, not appdomain,
# which contradicts the header ("only policies which should apply to
# ALL zygote spawned apps"). It belongs in untrusted_app.te.
allow untrusted_app system_app_data_file:file { read write getattr };

# Access SDcard via the fuse mount.
# Full create/write on shared storage for every app domain; SELinux
# provides no per-app separation here.
allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# No open permission here, so the descriptor must come from system_server.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;

# /data/dalvik-cache/profiles
allow appdomain dalvikcache_profiles_data_file:dir { search getattr };
allow appdomain dalvikcache_profiles_data_file:file rw_file_perms;

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;

# Allow apps to read/execute installed binaries
# execmod again: see the note on system_data_file above.
allow appdomain apk_data_file:file { rx_file_perms execmod };

# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
# NOTE(review): "domain" is every process type, so these two rules let any
# app read the readable /proc/<pid>/ entries of every process on the
# device, not only the entries the tests above need. That is an
# information-disclosure surface; if the CTS dependency goes away this
# should be narrowed.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;

# logd access
read_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

# Every app domain gets the full key-operation set, including insert,
# delete, sign and verify. Separation between apps is therefore keystore's
# own per-caller check, not something this policy enforces.
allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };

use_keystore(appdomain)

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
# NOTE(review): the exemption removes bluetooth from the whole
# "capability *" / "capability2 *" assertion, which is wider than the two
# capabilities named above. A tighter form would keep bluetooth under a
# neverallow for everything except net_admin / wake_alarm.
neverallow { appdomain -bluetooth } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;

# Block device access.
neverallow appdomain dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow appdomain {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Unlike the rules around it, this one names specific app domains rather
# than appdomain, so other app domains are not covered.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };

neverallow { appdomain -nfc } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
    { read write };
neverallow appdomain tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
# netlink_route_socket and netlink_selinux_socket are deliberately not
# in this list (apps need them for interface enumeration and AVC
# notifications respectively — presumably), so they remain grantable to
# app domains elsewhere.
neverallow appdomain
    self:{
        netlink_socket
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
        netlink_kobject_uevent_socket
    } *;

# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;

# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow appdomain installd_socket:sock_file write;
# The exemption list here matches the one on property_type:property_service
# at the end of this file; keep the two in sync.
neverallow { appdomain -bluetooth -radio -shell -system_app }
    property_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
neverallow appdomain vold_socket:sock_file write;
neverallow appdomain zygote_socket:sock_file write;

# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
# (domain types label a process's /proc/<pid>/ entries, hence "file".)
neverallow appdomain { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow appdomain { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
neverallow { appdomain -shell } ~appdomain:process
    { transition dyntransition };

# Write to rootfs.
neverallow appdomain rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow appdomain system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow appdomain exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -system_app }
    system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# "write" is intentionally absent from this permission set (compare the
# neighbouring rules): the dumpstate section above grants appdomain write
# on shell_data_file:file, and a neverallow including write would fail
# the build.
neverallow { appdomain -shell }
    shell_data_file:dir_file_class_set
    { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
neverallow appdomain
    efs_file:dir_file_class_set { read write };

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;
neverallow appdomain
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app }
    kernel:system { syslog_mod syslog_console };
neverallow { appdomain -system_app -shell }
    kernel:system syslog_read;

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr;

# Ability to set system properties.
# Same exemption list as the property_socket:sock_file rule above.
neverallow { appdomain -system_app -radio -shell -bluetooth }
    property_type:property_service set;