app.te revision be66069765b019257ed3bf1ca1285e643360a998
153f17a9db278d33517d9888dd77848f554522a38JP Abgrall### 253f17a9db278d33517d9888dd77848f554522a38JP Abgrall### Domain for all zygote spawned apps 353f17a9db278d33517d9888dd77848f554522a38JP Abgrall### 453f17a9db278d33517d9888dd77848f554522a38JP Abgrall### This file is the base policy for all zygote spawned apps. 553f17a9db278d33517d9888dd77848f554522a38JP Abgrall### Other policy files, such as isolated_app.te, untrusted_app.te, etc 653f17a9db278d33517d9888dd77848f554522a38JP Abgrall### extend from this policy. Only policies which should apply to ALL 753f17a9db278d33517d9888dd77848f554522a38JP Abgrall### zygote spawned apps should be added here. 853f17a9db278d33517d9888dd77848f554522a38JP Abgrall### 953f17a9db278d33517d9888dd77848f554522a38JP Abgrall 1053f17a9db278d33517d9888dd77848f554522a38JP Abgrall# Dalvik Compiler JIT Mapping. 1153f17a9db278d33517d9888dd77848f554522a38JP Abgrallallow appdomain self:process execmem; 1253f17a9db278d33517d9888dd77848f554522a38JP Abgrallallow appdomain ashmem_device:chr_file execute; 1353f17a9db278d33517d9888dd77848f554522a38JP Abgrall 1453f17a9db278d33517d9888dd77848f554522a38JP Abgrall# Receive and use open file descriptors inherited from zygote. 1553f17a9db278d33517d9888dd77848f554522a38JP Abgrallallow appdomain zygote:fd use; 1653f17a9db278d33517d9888dd77848f554522a38JP Abgrall 1753f17a9db278d33517d9888dd77848f554522a38JP Abgrall# gdbserver for ndk-gdb reads the zygote. 1853f17a9db278d33517d9888dd77848f554522a38JP Abgrall# valgrind needs mmap exec for zygote 1953f17a9db278d33517d9888dd77848f554522a38JP Abgrallallow appdomain zygote_exec:file rx_file_perms; 2053f17a9db278d33517d9888dd77848f554522a38JP Abgrall 2153f17a9db278d33517d9888dd77848f554522a38JP Abgrall# gdbserver for ndk-gdb ptrace attaches to app process. 2253f17a9db278d33517d9888dd77848f554522a38JP Abgrallallow appdomain self:process ptrace; 2353f17a9db278d33517d9888dd77848f554522a38JP Abgrall 2453f17a9db278d33517d9888dd77848f554522a38JP Abgrall# Read system properties managed by zygote. 25allow appdomain zygote_tmpfs:file read; 26 27# Notify zygote of death; 28allow appdomain zygote:process sigchld; 29 30# Notify shell and adbd of death when spawned via runas for ndk-gdb. 31allow appdomain shell:process sigchld; 32allow appdomain adbd:process sigchld; 33 34# child shell or gdbserver pty access for runas. 35allow appdomain devpts:chr_file { getattr read write ioctl }; 36 37# Use pipes and sockets provided by system_server via binder or local socket. 38allow appdomain system_server:fifo_file rw_file_perms; 39allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown }; 40allow appdomain system_server:tcp_socket { read write getattr getopt shutdown }; 41 42# Communication with other apps via fifos 43allow appdomain appdomain:fifo_file rw_file_perms; 44 45# Communicate with surfaceflinger. 46allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; 47 48# App sandbox file accesses. 49allow appdomain app_data_file:dir create_dir_perms; 50allow appdomain app_data_file:notdevfile_class_set create_file_perms; 51 52# lib subdirectory of /data/data dir is system-owned. 53allow appdomain system_data_file:dir r_dir_perms; 54allow appdomain system_data_file:file { execute execute_no_trans open execmod }; 55 56# Access to OEM provided data and apps 57allow appdomain oemfs:dir r_dir_perms; 58allow appdomain oemfs:file rx_file_perms; 59 60# Execute the shell or other system executables. 61allow appdomain shell_exec:file rx_file_perms; 62allow appdomain system_file:file rx_file_perms; 63 64# Read/write wallpaper file (opened by system). 65allow appdomain wallpaper_file:file { getattr read write }; 66 67# Write to /data/anr/traces.txt. 68allow appdomain anr_data_file:dir search; 69allow appdomain anr_data_file:file { open append }; 70 71# Allow apps to send dump information to dumpstate 72allow appdomain dumpstate:fd use; 73allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown }; 74allow appdomain shell_data_file:file { write getattr }; 75 76# Write to /proc/net/xt_qtaguid/ctrl file. 77allow appdomain qtaguid_proc:file rw_file_perms; 78# Everybody can read the xt_qtaguid resource tracking misc dev. 79# So allow all apps to read from /dev/xt_qtaguid. 80allow appdomain qtaguid_device:chr_file r_file_perms; 81 82# Grant GPU access to all processes started by Zygote. 83# They need that to render the standard UI. 84allow appdomain gpu_device:chr_file { rw_file_perms execute }; 85 86# Use the Binder. 87binder_use(appdomain) 88# Perform binder IPC to binder services. 89binder_call(appdomain, binderservicedomain) 90# Perform binder IPC to other apps. 91binder_call(appdomain, appdomain) 92 93# Already connected, unnamed sockets being passed over some other IPC 94# hence no sock_file or connectto permission. This appears to be how 95# Chrome works, may need to be updated as more apps using isolated services 96# are examined. 97allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown }; 98 99# Backup ability for every app. BMS opens and passes the fd 100# to any app that has backup ability. Hence, no open permissions here. 101allow appdomain backup_data_file:file { read write getattr }; 102allow appdomain cache_backup_file:file { read write getattr }; 103allow appdomain cache_backup_file:dir getattr; 104# Backup ability using 'adb backup' 105allow appdomain system_data_file:lnk_file getattr; 106 107# Allow read/stat of /data/media files passed by Binder or local socket IPC. 108allow appdomain media_rw_data_file:file { read getattr }; 109 110# Read and write /data/data/com.android.providers.telephony files passed over Binder. 111allow appdomain radio_data_file:file { read write getattr }; 112 113# Read and write system app data files passed over Binder. 114# Motivating case was /data/data/com.android.settings/cache/*.jpg for 115# cropping or taking user photos. 116allow untrusted_app system_app_data_file:file { read write getattr }; 117 118# Access SDcard via the fuse mount. 119allow appdomain sdcard_internal:dir create_dir_perms; 120allow appdomain sdcard_internal:file create_file_perms; 121 122# Allow apps to use the USB Accessory interface. 123# http://developer.android.com/guide/topics/connectivity/usb/accessory.html 124# 125# USB devices are first opened by the system server (USBDeviceManagerService) 126# and the file descriptor is passed to the right Activity via binder. 127allow appdomain usb_device:chr_file { read write getattr ioctl }; 128allow appdomain usbaccessory_device:chr_file { read write getattr }; 129 130# For art. 131allow appdomain dalvikcache_data_file:file execute; 132 133# /data/dalvik-cache/profiles 134allow appdomain dalvikcache_profiles_data_file:dir { search getattr }; 135allow appdomain dalvikcache_profiles_data_file:file rw_file_perms; 136 137# Allow any app to read shared RELRO files. 138allow appdomain shared_relro_file:dir search; 139allow appdomain shared_relro_file:file r_file_perms; 140 141# Allow apps to read/execute installed binaries 142allow appdomain apk_data_file:file { rx_file_perms execmod }; 143 144# /data/resource-cache 145allow appdomain resourcecache_data_file:file r_file_perms; 146allow appdomain resourcecache_data_file:dir r_dir_perms; 147 148### 149### CTS-specific rules 150### 151 152# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java. 153# Reads /proc/pid/status and statm entries to check that 154# no unexpected root processes are running. 155# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java 156# Reads /proc/pid/cmdline of vold. 157allow appdomain domain:dir { open read search getattr }; 158allow appdomain domain:{ file lnk_file } { open read getattr }; 159 160# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java. 161# testRunAsHasCorrectCapabilities 162allow appdomain runas_exec:file getattr; 163# Others are either allowed elsewhere or not desired. 164 165# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java 166# Check SELinux policy and contexts. 167selinux_check_access(appdomain) 168selinux_check_context(appdomain) 169# Validate that each process is running in the correct security context. 170allow appdomain domain:process getattr; 171 172# logd access 173read_logd(appdomain) 174# application inherit logd write socket (urge is to deprecate this long term) 175allow appdomain zygote:unix_dgram_socket write; 176 177allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify }; 178 179use_keystore(appdomain) 180 181### 182### Neverallow rules 183### 184### These are things that Android apps should NEVER be able to do 185### 186 187# Superuser capabilities. 188# bluetooth requires net_admin and wake_alarm. 189neverallow { appdomain -bluetooth } self:capability *; 190neverallow { appdomain -bluetooth } self:capability2 *; 191 192# Block device access. 193neverallow appdomain dev_type:blk_file { read write }; 194 195# Access to any of the following character devices. 196neverallow appdomain { 197 audio_device 198 camera_device 199 dm_device 200 radio_device 201 gps_device 202 rpmsg_device 203}:chr_file { read write }; 204 205# Note: Try expanding list of app domains in the future. 206neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write }; 207 208neverallow { appdomain -nfc } nfc_device:chr_file 209 { read write }; 210neverallow { appdomain -bluetooth } hci_attach_dev:chr_file 211 { read write }; 212neverallow appdomain tee_device:chr_file { read write }; 213 214# Privileged netlink socket interfaces. 215neverallow appdomain 216 self:{ 217 netlink_socket 218 netlink_firewall_socket 219 netlink_tcpdiag_socket 220 netlink_nflog_socket 221 netlink_xfrm_socket 222 netlink_audit_socket 223 netlink_ip6fw_socket 224 netlink_dnrt_socket 225 netlink_kobject_uevent_socket 226 } *; 227 228# Sockets under /dev/socket that are not specifically typed. 229neverallow appdomain socket_device:sock_file write; 230 231# Unix domain sockets. 232neverallow appdomain adbd_socket:sock_file write; 233neverallow appdomain installd_socket:sock_file write; 234neverallow { appdomain -bluetooth -radio -shell -system_app } 235 property_socket:sock_file write; 236neverallow { appdomain -radio } rild_socket:sock_file write; 237neverallow appdomain vold_socket:sock_file write; 238neverallow appdomain zygote_socket:sock_file write; 239 240# ptrace access to non-app domains. 241neverallow appdomain { domain -appdomain }:process ptrace; 242 243# Write access to /proc/pid entries for any non-app domain. 244neverallow appdomain { domain -appdomain }:file write; 245 246# signal access to non-app domains. 247# sigchld allowed for parent death notification. 248# signull allowed for kill(pid, 0) existence test. 249# All others prohibited. 250neverallow appdomain { domain -appdomain }:process 251 { sigkill sigstop signal }; 252 253# Transition to a non-app domain. 254# Exception for the shell domain, can transition to runas, etc. 255neverallow { appdomain -shell } ~appdomain:process 256 { transition dyntransition }; 257 258# Write to rootfs. 259neverallow appdomain rootfs:dir_file_class_set 260 { create write setattr relabelfrom relabelto append unlink link rename }; 261 262# Write to /system. 263neverallow appdomain system_file:dir_file_class_set 264 { create write setattr relabelfrom relabelto append unlink link rename }; 265 266# Write to entrypoint executables. 267neverallow appdomain exec_type:file 268 { create write setattr relabelfrom relabelto append unlink link rename }; 269 270# Write to system-owned parts of /data. 271# This is the default type for anything under /data not otherwise 272# specified in file_contexts. Define a different type for portions 273# that should be writable by apps. 274# Exception for system_app for Settings. 275neverallow { appdomain -system_app } 276 system_data_file:dir_file_class_set 277 { create write setattr relabelfrom relabelto append unlink link rename }; 278 279# Write to various other parts of /data. 280neverallow appdomain drm_data_file:dir_file_class_set 281 { create write setattr relabelfrom relabelto append unlink link rename }; 282neverallow appdomain gps_data_file:dir_file_class_set 283 { create write setattr relabelfrom relabelto append unlink link rename }; 284neverallow { appdomain -platform_app } 285 apk_data_file:dir_file_class_set 286 { create write setattr relabelfrom relabelto append unlink link rename }; 287neverallow { appdomain -platform_app } 288 apk_tmp_file:dir_file_class_set 289 { create write setattr relabelfrom relabelto append unlink link rename }; 290neverallow { appdomain -platform_app } 291 apk_private_data_file:dir_file_class_set 292 { create write setattr relabelfrom relabelto append unlink link rename }; 293neverallow { appdomain -platform_app } 294 apk_private_tmp_file:dir_file_class_set 295 { create write setattr relabelfrom relabelto append unlink link rename }; 296neverallow { appdomain -shell } 297 shell_data_file:dir_file_class_set 298 { create setattr relabelfrom relabelto append unlink link rename }; 299neverallow { appdomain -bluetooth } 300 bluetooth_data_file:dir_file_class_set 301 { create write setattr relabelfrom relabelto append unlink link rename }; 302neverallow appdomain 303 keystore_data_file:dir_file_class_set 304 { create write setattr relabelfrom relabelto append unlink link rename }; 305neverallow appdomain 306 systemkeys_data_file:dir_file_class_set 307 { create write setattr relabelfrom relabelto append unlink link rename }; 308neverallow appdomain 309 wifi_data_file:dir_file_class_set 310 { create write setattr relabelfrom relabelto append unlink link rename }; 311neverallow appdomain 312 dhcp_data_file:dir_file_class_set 313 { create write setattr relabelfrom relabelto append unlink link rename }; 314 315# Access to factory files. 316neverallow appdomain 317 efs_file:dir_file_class_set { read write }; 318 319# Write to various pseudo file systems. 320neverallow { appdomain -bluetooth -nfc } 321 sysfs:dir_file_class_set write; 322neverallow appdomain 323 proc:dir_file_class_set write; 324 325# Access to syslog(2) or /proc/kmsg. 326neverallow { appdomain -system_app } 327 kernel:system { syslog_mod syslog_console }; 328neverallow { appdomain -system_app -shell } 329 kernel:system syslog_read; 330 331# Ability to perform any filesystem operation other than statfs(2). 332# i.e. no mount(2), unmount(2), etc. 333neverallow appdomain fs_type:filesystem ~getattr; 334 335# Ability to set system properties. 336neverallow { appdomain -system_app -radio -shell -bluetooth } 337 property_type:property_service set; 338