app.te revision 9ba844fea12a0b08770e870d63f3d3c375c7c9b5
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Every allow rule below is granted to every app domain, trusted or
### untrusted, so each one is part of what an arbitrary third-party app
### can do. The neverallow section at the end is a build-time assertion
### over the whole policy: an extending .te file that contradicts it
### fails to compile rather than silently widening app access.
###

# Dalvik Compiler JIT Mapping.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
allow appdomain zygote_exec:file r_file_perms;

# gdbserver for ndk-gdb ptrace attaches to app process.
# Self only: ptrace of any non-app domain is forbidden by a neverallow below.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# Communication with other apps via fifos.
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open };

# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };

# Write to /data/anr/traces.txt.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
# Note: the shell_data_file neverallow near the end of this file omits
# `write` from its blocked set, presumably so that this rule remains valid;
# keep the two in step if either changes.
allow appdomain shell_data_file:file { write getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow appdomain gpu_device:chr_file { rw_file_perms execute };

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'.
allow appdomain system_data_file:lnk_file getattr;

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };

# Read /data/data/com.android.providers.telephony files passed over Binder.
allow appdomain radio_data_file:file { read getattr };

# Access SDcard.
allow appdomain sdcard_type:dir create_dir_perms;
allow appdomain sdcard_type:file create_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;

# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
allow appdomain unlabeled:file x_file_perms;

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
#
# Note: these two rules are not limited to vold or to root processes; they
# grant read/stat of the /proc/pid entries of every domain on the device to
# every app. Only the write side is closed off, by the
# `{ domain -appdomain }:file write` neverallow below.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;

# logd access
read_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin.
# net_admin is in the capability class, which is why only that rule carries
# the bluetooth exception; capability2 has none.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
neverallow { appdomain -unconfineddomain } self:capability2 *;

# Block device access.
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow { appdomain -unconfineddomain } {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Unlike the other neverallows here, this one lists app domains explicitly
# instead of subtracting from appdomain, so a new app domain is not covered
# unless it is added to the list.
neverallow { untrusted_app isolated_app shell -unconfineddomain }
    graphics_device:chr_file { read write };

neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
    { read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
neverallow { appdomain -unconfineddomain }
    self:{
        netlink_socket
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
        netlink_kobject_uevent_socket
    } *;

# Sockets under /dev/socket that are not specifically typed.
neverallow { appdomain -unconfineddomain } socket_device:sock_file write;

# Unix domain sockets.
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
# Keep this exception list in sync with the property_service neverallow at
# the end of this file; both currently exempt the same four domains.
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
    property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
# ~appdomain is every type other than appdomain.
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
    { transition dyntransition };

# Map low memory.
# Note: Take to domain.te and apply to all domains in the future.
neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;

# Write to rootfs.
neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow { appdomain -unconfineddomain } exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app }
    system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow { appdomain -system_app -unconfineddomain }
    security_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# `write` is intentionally absent from this set (compare the rules around
# it); the dumpstate section above allows appdomain to write shell_data_file.
neverallow { appdomain -shell -unconfineddomain }
    shell_data_file:dir_file_class_set
    { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
neverallow { appdomain -unconfineddomain }
    efs_file:dir_file_class_set { read write };

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -unconfineddomain }
    sysfs:dir_file_class_set write;
neverallow { appdomain -unconfineddomain }
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain }
    kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
# Same exception list as the property_socket neverallow above; change both
# together.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
    property_type:property_service set;