app.te revision e7ec2f5258550a2cc0cb8c76ef24fc100a6b2cf1
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Every rule in this file is inherited by every app domain, so a
### permission added here widens the sandbox of all apps at once.
###
### Reading guide:
###  - "allow" rules grant access.
###  - "neverallow" rules (last section) are assertions checked when the
###    policy is compiled: an allow rule anywhere in the policy that
###    contradicts one of them fails the build.
###  - Nearly every neverallow carves out unconfineddomain, so a domain
###    placed in unconfineddomain is exempt from all of those assertions.
###

# Dalvik Compiler JIT Mapping.
# execmem lets a process make its own anonymous/writable mappings
# executable. The JIT needs it, but it also means a memory-corruption bug
# in an app can be turned into code execution inside that app's sandbox.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Allow apps to connect to the keystore
# NOTE(review): argument order assumed to be (client domain, socket type,
# server domain) -- confirm against the macro definition. Note that direct
# access to keystore_data_file is neverallowed further down, so the socket
# is the only path from apps to key storage.
unix_socket_connect(appdomain, keystore, keystore)

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# Needed to close the zygote socket, which involves getopt / getattr
# This should be deleted after b/12061011 is fixed
allow appdomain zygote:unix_stream_socket { getopt getattr };

# gdbserver for ndk-gdb reads the zygote.
allow appdomain zygote_exec:file r_file_perms;

# gdbserver for ndk-gdb ptrace attaches to app process.
# "self" means the same domain, not the same process: ptrace is permitted
# between processes sharing the app's domain, never toward non-app domains
# (see the ptrace neverallow below).
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death;
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Communicate with system_server.
# No connectto on the socket class: apps can only use system_server
# sockets that were handed to them, not connect to one by name.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt };
binder_call(appdomain, system_server)

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
binder_call(appdomain, surfaceflinger)

# App sandbox file accesses.
# NOTE(review): app_data_file is a single type shared by every app domain,
# so these rules alone do not separate one app's data from another's;
# per-app isolation has to come from a mechanism outside this file
# (confirm).
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC. Do not allow open.
allow appdomain platform_app_data_file:file { getattr read write };

# lib subdirectory of /data/data dir is system-owned.
# execute_no_trans: run system_data_file code without a domain
# transition, i.e. it executes inside the app's own domain.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open };

# Execute the shell or other system executables.
# No type transition is declared here, so these run in the calling app's
# domain (transitions out of appdomain are neverallowed below, shell
# excepted).
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
allow appdomain ping_exec:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };

# Write to /data/anr/traces.txt.
# Append-only: read is not granted, so an app cannot read traces that
# other apps have written.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
# NOTE(review): this is a write grant to a shared kernel control file for
# every app domain; worth confirming that all app domains need rw here.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
# Note the execute permission: executable mappings of the GPU device are
# allowed in addition to read/write.
allow appdomain gpu_device:chr_file { rw_file_perms execute };

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain isolated_app:unix_stream_socket { read write };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow all applications to read downloaded files
allow appdomain download_file:dir search;
allow appdomain download_file:file r_file_perms;

# Allow applications to communicate with netd via /dev/socket/dnsproxyd
# to do DNS resolution
unix_socket_connect(appdomain, dnsproxyd, netd)

# Allow applications to communicate with drmserver over binder
binder_call(appdomain, drmserver)

# Allow applications to communicate with mediaserver over binder
binder_call(appdomain, mediaserver)

# Allow applications to make outbound tcp connections to any port
# name_connect only: binding or listening on labeled ports is not granted
# here, and socket creation itself is not granted by this file.
allow appdomain port_type:tcp_socket name_connect;

# Allow apps to see changes to the routing table.
# Read-only: nlmsg_read is granted, nlmsg_write is not, so apps can
# observe route changes but not modify routes.
allow appdomain self:netlink_route_socket {
    read
    bind
    create
    nlmsg_read
    ioctl
    getattr
    setattr
    getopt
    setopt
    shutdown
};

# Allow apps to use rawip sockets. This is needed for apps which execute
# /system/bin/ping, for example.
allow appdomain self:rawip_socket create_socket_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# No open permission here: the descriptor must come from system_server.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
# Execute only; writing the dalvik cache is not granted here.
allow appdomain dalvikcache_data_file:file execute;

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
# NOTE(review): the target type is "domain", i.e. the /proc/pid entries of
# every process on the device, not only the entries those two tests read.
# This is a broad cross-domain read grant for all apps (subject to whatever
# other access controls apply); narrowing it would reduce what any app can
# learn about other processes.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### Each rule is a build-time assertion: if any allow rule, in this file or
### elsewhere, grants a listed access, policy compilation fails. Almost
### every rule below excludes unconfineddomain, so moving a domain into
### unconfineddomain lifts all of these checks for it.
###

# Superuser capabilities.
# bluetooth requires net_admin.
# NOTE(review): the bluetooth carve-out exempts it from the whole
# capability class ("*"), not only net_admin; the exemption is wider than
# the stated reason.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
neverallow { appdomain -unconfineddomain } self:capability2 *;

# Block device access.
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

# Access to any character device that is not specifically typed.
neverallow { appdomain -unconfineddomain } device:chr_file { read write };

# Access to any of the following character devices.
neverallow { appdomain -unconfineddomain } {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Only the three listed domains are asserted against; other app domains
# are not covered by this rule.
neverallow { untrusted_app isolated_app shell -unconfineddomain }
    graphics_device:chr_file { read write };

neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
    { read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

# Set SELinux enforcing mode, booleans or any other SELinux settings.
neverallow { appdomain -unconfineddomain } kernel:security
    { setenforce setbool setsecparam setcheckreqprot };

# Load security policy.
# Unlike its neighbours this rule has no unconfineddomain exception: it
# applies to every app domain unconditionally.
neverallow appdomain kernel:security load_policy;

# Privileged netlink socket interfaces.
# netlink_route_socket is not in this list; it is granted (read-only) above.
neverallow { appdomain -unconfineddomain }
    self:{
        netlink_socket
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
        netlink_kobject_uevent_socket
    } *;

# Sockets under /dev/socket that are not specifically typed.
neverallow { appdomain -unconfineddomain } socket_device:sock_file write;

# Unix domain sockets.
# Each exemption names the app domain expected to own that socket
# (radio for rild, bluetooth/radio/shell/system_app for property_service).
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } bluetooth_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
    property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
# { domain -appdomain } leaves app-to-app ptrace outside this assertion;
# that case is governed only by the allow rules (self:process ptrace above).
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, ping, etc.
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
    { transition dyntransition };

# Map low memory.
# Note: Take to domain.te and apply to all domains in the future.
neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;

# Write to rootfs.
# The permission set used for this and the following "Write to ..." rules
# covers creation, modification, relabeling and deletion; it intentionally
# says nothing about read or execute.
neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow { appdomain -unconfineddomain } exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app }
    system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
# Where a single app domain is expected to own a type it is exempted
# (system_app, platform_app, shell, bluetooth); the keystore, systemkeys,
# wifi and dhcp types have no app exemption at all.
neverallow { appdomain -system_app -unconfineddomain }
    security_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -shell -unconfineddomain }
    shell_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
# Both read and write are asserted here, unlike the write-only rules above.
neverallow { appdomain -unconfineddomain }
    efs_file:dir_file_class_set { read write };

# Write to various pseudo file systems.
neverallow { appdomain -nfc -unconfineddomain }
    sysfs:dir_file_class_set write;
neverallow { appdomain -unconfineddomain }
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain }
    kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
    property_type:property_service set;