app.te revision 2a273ad2c50b255985a71e92898ac9224a9d2bd7
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### How to read this file: the `allow` rules below grant access to every
### domain carrying the `appdomain` attribute. The `neverallow` rules in the
### second half are build-time assertions: policy compilation fails if any
### rule anywhere in the policy grants a listed access. Each `-X` inside a
### neverallow source set is a domain that the assertion does NOT cover, so
### the exemption lists are the part to scrutinise when reviewing changes.
###

# Allow apps to connect to the keystore
unix_socket_connect(appdomain, keystore, keystore)

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Communicate with system_server.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt };
binder_call(appdomain, system_server)

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
binder_call(appdomain, surfaceflinger)

# App sandbox file accesses.
# NOTE(review): `execute` is granted on the same type the app can create and
# write (create_file_perms), so the app sandbox is not write-xor-execute: an
# app can run code it wrote to its own data directory. Confirm this is the
# intended trust boundary for every domain that inherits this file.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };

# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC. Do not allow open.
# (Without `open`, the app can only use a descriptor another domain handed
# it; it cannot reach these files by path.)
allow appdomain platform_app_data_file:file { getattr read write };

# lib subdirectory of /data/data dir is system-owned.
# Read-only directory access plus open/execute on files; writes to
# system_data_file are asserted against below.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute open };

# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };

# Write to /data/anr/traces.txt.
# `append` without `write` so an app can add a trace but not rewrite
# existing content.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain isolated_app:unix_stream_socket { read write };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow all applications to read downloaded files
allow appdomain download_file:dir search;
allow appdomain download_file:file r_file_perms;

# Allow applications to communicate with netd via /dev/socket/dnsproxyd
# to do DNS resolution
unix_socket_connect(appdomain, dnsproxyd, netd)

# Allow applications to communicate with drmserver over binder
binder_call(appdomain, drmserver)

# Allow applications to communicate with mediaserver over binder
binder_call(appdomain, mediaserver)

# Allow applications to make outbound tcp connections to any port
# NOTE(review): this rule places no SELinux restriction on destination
# port; any gating of network access for apps has to come from outside
# this policy file — confirm where that is enforced.
allow appdomain port_type:tcp_socket name_connect;

# Allow apps to see changes to the routing table.
# Read-side permissions only; nlmsg_write is deliberately absent so apps
# cannot modify routes through this socket.
allow appdomain self:netlink_route_socket {
    read
    bind
    create
    nlmsg_read
    ioctl
    getattr
    setattr
    getopt
    setattr
    getopt
    setopt
    shutdown
};

# Allow apps to use rawip sockets. This is needed for apps which execute
# /system/bin/ping, for example.
allow appdomain self:rawip_socket create_socket_perms;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### Almost every assertion exempts `unconfineddomain`; an app domain that
### carries that attribute is therefore outside these guarantees.
###

# Superuser capabilities.
# bluetooth requires net_admin.
# The first rule excludes bluetooth entirely; the second re-asserts
# everything except net_admin for it, so the two together cover all of
# appdomain. Keep them in step if the exemption changes.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
neverallow { appdomain -unconfineddomain } self:capability2 *;

# Block device access.
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

# Kernel memory access.
neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };

# Access to any character device that is not specifically typed.
neverallow { appdomain -unconfineddomain } device:chr_file { read write };

# Access to any of the following character devices.
neverallow { appdomain -unconfineddomain } {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Unlike the device rules above, this one names only three app domains
# rather than all of appdomain; any other app domain is not asserted
# against for graphics_device.
neverallow { untrusted_app isolated_app shell -unconfineddomain }
    graphics_device:chr_file { read write };

neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
    { read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

# Set SELinux enforcing mode, booleans or any other SELinux settings.
neverallow { appdomain -unconfineddomain } kernel:security
    { setenforce setbool setsecparam setcheckreqprot };

# Load security policy.
# Deliberately has no unconfineddomain exemption: no app domain at all may
# replace the loaded policy.
neverallow appdomain kernel:security load_policy;

# Privileged netlink socket interfaces.
# netlink_route_socket is intentionally absent from this set because it is
# granted (read-only) above.
neverallow { appdomain -unconfineddomain }
    self:{
        netlink_socket
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_selinux_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
        netlink_kobject_uevent_socket
    } *;

# Sockets under /dev/socket that are not specifically typed.
neverallow { appdomain -unconfineddomain } socket_device:sock_file write;

# Unix domain sockets.
# The property_socket exemption list must stay identical to the
# property_service `set` exemption list at the bottom of this file; the
# two permissions are only useful together.
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } bluetooth_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
    property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
# `{ domain - appdomain }` (with a space after `-`) denotes the same set as
# `{ domain -appdomain }` in the rule above.
neverallow { appdomain -unconfineddomain } { domain - appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Covers both exec-based (transition) and setcon-based (dyntransition)
# domain changes.
neverallow { appdomain -unconfineddomain } ~appdomain:process
    { transition dyntransition };

# Map low memory.
# Note: Take to domain.te and apply to all domains in the future.
neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;

# Write to rootfs.
# The same write-like permission list is repeated for every type below;
# keep the lists identical when editing so no type silently gets a weaker
# assertion.
neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow { appdomain -unconfineddomain } exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app }
    system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
# Exemptions are per owning domain: system_app for security_file,
# platform_app for the apk_* types, shell for shell_data_file, bluetooth
# for bluetooth_data_file; the remaining types have no app-side owner.
neverallow { appdomain -system_app -unconfineddomain }
    security_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -shell -unconfineddomain }
    shell_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
# Read is asserted against as well as write, unlike the /data rules above.
neverallow { appdomain -unconfineddomain }
    efs_file:dir_file_class_set { read write };

# Write to various pseudo file systems.
neverallow { appdomain -nfc -unconfineddomain }
    sysfs:dir_file_class_set write;
neverallow { appdomain -system_app -unconfineddomain }
    selinuxfs:dir_file_class_set write;
neverallow { appdomain -unconfineddomain }
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain }
    kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
# Exemption list mirrors the property_socket rule above; change both
# together.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
    property_type:property_service set;