app.te revision fad4d5fb00ddb1f61c22c003429e10f10b046d0d
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Layout: the allow rules below grant to the appdomain attribute (every
### zygote-spawned app domain). The "Neverallow rules" section at the bottom
### pins what no app domain may ever be granted; its -unconfineddomain
### carve-outs are the only general exception.
###

# Dalvik Compiler JIT Mapping.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;

# gdbserver for ndk-gdb ptrace attaches to app process.
# Scope is self only; ptrace of non-app domains is neverallowed below.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death;
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
# Note: no open/create/connect on these objects — only use of descriptors
# that system_server already holds.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

# lib subdirectory of /data/data dir is system-owned.
# execmod is granted here alongside execute; write to system_data_file stays
# neverallowed for apps (see the system_data_file rule in the neverallow
# section), so apps can run but not modify these files.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };

# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };

# Write to /data/anr/traces.txt.
# append only, no write/create: apps can add traces but not truncate or
# rewrite the file.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
# The shell_data_file rule grants write/getattr but not open; presumably the
# descriptor is handed over by dumpstate (dumpstate:fd use above) — confirm.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow appdomain gpu_device:chr_file { rw_file_perms execute };

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow appdomain radio_data_file:file { read write getattr };

# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos.
# NOTE(review): this is the only rule in the file scoped to untrusted_app
# rather than appdomain. Per the header, domain-specific rules belong in
# untrusted_app.te; keep it here only if every app domain is meant to get
# it (in which case the source should be appdomain) — confirm intent.
allow untrusted_app system_app_data_file:file { read write getattr };

# Access SDcard.
allow appdomain sdcard_type:dir create_dir_perms;
allow appdomain sdcard_type:file create_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;

# /data/dalvik-cache/profiles
allow appdomain dalvikcache_profiles_data_file:dir { search getattr };
allow appdomain dalvikcache_profiles_data_file:file rw_file_perms;

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;

# Allow apps to read/execute installed binaries
# execmod is included here; writes to apk_data_file are neverallowed for
# all apps except platform_app (see the neverallow section).
allow appdomain apk_data_file:file { rx_file_perms execmod };

# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
# NOTE(review): the target is the whole domain attribute, i.e. read/getattr
# on /proc/<pid> entries of every process on the device, not only vold.
# That is wider than the two tests named above strictly need; confirm
# whether a narrower target is acceptable.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;

# logd access
read_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin.
# NOTE(review): the -bluetooth exemption removes bluetooth from the whole
# capability check, not just net_admin as the comment above describes. A
# tighter form would neverallow `self:capability ~net_admin` for all app
# domains and exempt bluetooth only from the net_admin rule — verify against
# bluetooth.te (not on this page) before changing.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
neverallow { appdomain -unconfineddomain } self:capability2 *;

# Block device access.
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow { appdomain -unconfineddomain } {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Unlike the other rules in this section, the source is an explicit list
# rather than appdomain, so other app domains are not covered by it.
neverallow { untrusted_app isolated_app shell -unconfineddomain } graphics_device:chr_file { read write };

neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
    { read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
neverallow { appdomain -unconfineddomain }
    self:{
        netlink_socket
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
        netlink_kobject_uevent_socket
    } *;

# Sockets under /dev/socket that are not specifically typed.
neverallow { appdomain -unconfineddomain } socket_device:sock_file write;

# Unix domain sockets.
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
    property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
    { transition dyntransition };

# Write to rootfs.
neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow { appdomain -unconfineddomain } exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app }
    system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# write is absent from the shell_data_file permission set below, unlike the
# neighbouring rules; presumably so the dumpstate rule above
# (appdomain shell_data_file:file write) does not violate it — confirm.
neverallow { appdomain -shell -unconfineddomain }
    shell_data_file:dir_file_class_set
    { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
neverallow { appdomain -unconfineddomain }
    efs_file:dir_file_class_set { read write };

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -unconfineddomain }
    sysfs:dir_file_class_set write;
neverallow { appdomain -unconfineddomain }
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
# NOTE(review): these two rules carry no -unconfineddomain carve-out, unlike
# the rest of this section, so they also bind unconfined app domains —
# confirm that is intended rather than an omission.
neverallow { appdomain -system_app }
    kernel:system { syslog_mod syslog_console };
neverallow { appdomain -system_app -shell }
    kernel:system syslog_read;

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
    property_type:property_service set;