app.te revision e7ec2f5258550a2cc0cb8c76ef24fc100a6b2cf1
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Allow rules are additive: anything granted to appdomain here reaches
### every app type and cannot be taken back in a derived file, so a
### permission needed by only some apps belongs in that domain's own
### .te file instead.
###

# Dalvik Compiler JIT Mapping.
# execmem lets the process execute anonymous/private mappings that are
# also writable; the JIT needs it, but it relaxes W^X for every app.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Allow apps to connect to the keystore
unix_socket_connect(appdomain, keystore, keystore)

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# Needed to close the zygote socket, which involves getopt / getattr
# This should be deleted after b/12061011 is fixed
allow appdomain zygote:unix_stream_socket { getopt getattr };

# gdbserver for ndk-gdb reads the zygote.
allow appdomain zygote_exec:file r_file_perms;

# gdbserver for ndk-gdb ptrace attaches to app process.
# "self" means any process of the same type, not only the caller, so
# SELinux does not separate two processes sharing an app type here;
# the ptrace neverallow below only stops reaching non-app domains.
# Remaining separation comes from other kernel checks (DAC, Yama if
# enabled), which this file does not configure.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Communicate with system_server.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt };
binder_call(appdomain, system_server)

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
binder_call(appdomain, surfaceflinger)

# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC.  Do not allow open.
allow appdomain platform_app_data_file:file { getattr read write };

# lib subdirectory of /data/data dir is system-owned.
# NOTE(review): execute_no_trans lets every app run a system_data_file
# without a domain change, and the system_data_file write neverallow
# further down exempts system_app; confirm no system_app-writable path
# under this label is also reachable for execution by other apps.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open };

# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
allow appdomain ping_exec:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };

# Write to /data/anr/traces.txt.
# Append-only on purpose: no read, so an app cannot collect other
# processes' traces from this file.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow appdomain gpu_device:chr_file { rw_file_perms execute };

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain isolated_app:unix_stream_socket { read write };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow all applications to read downloaded files
allow appdomain download_file:dir search;
allow appdomain download_file:file r_file_perms;

# Allow applications to communicate with netd via /dev/socket/dnsproxyd
# to do DNS resolution
unix_socket_connect(appdomain, dnsproxyd, netd)

# Allow applications to communicate with drmserver over binder
binder_call(appdomain, drmserver)

# Allow applications to communicate with mediaserver over binder
binder_call(appdomain, mediaserver)

# Allow applications to make outbound tcp connections to any port
# (port_type is an attribute over all labeled ports; only name_connect
# is granted here, not bind or listen).
allow appdomain port_type:tcp_socket name_connect;

# Allow apps to see changes to the routing table.
# Read-only view: nlmsg_read is granted but nlmsg_write is not, so apps
# can observe the routing table without modifying it.
allow appdomain self:netlink_route_socket {
    read
    bind
    create
    nlmsg_read
    ioctl
    getattr
    setattr
    getopt
    setopt
    shutdown
};

# Allow apps to use rawip sockets. This is needed for apps which execute
# /system/bin/ping, for example.
allow appdomain self:rawip_socket create_socket_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# Hence no open permission here: the fd must come from system_server.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;

###
### CTS-specific rules
###
### These rules let CTS tests run in an app context. They are not gated
### on a build type here, so they are part of the policy on every device.
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
# Note the breadth: "domain" is the attribute of every process type, so
# any app may read the /proc/pid entries of every process. Write to those
# entries for non-app domains is asserted away by a neverallow below.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### neverallow rules are assertions checked when the policy is compiled,
### not runtime denials: if an allow rule here or in a derived file
### (untrusted_app.te, isolated_app.te, ...) conflicts with one, the
### policy build fails. Nearly every rule carves out unconfineddomain,
### so anything placed in that attribute is outside these guarantees.
###

# Superuser capabilities.
# bluetooth requires net_admin.
# NOTE(review): the bluetooth exemption drops the whole capability
# assertion for that domain rather than just net_admin; a narrower
# exemption would keep the other capabilities asserted for bluetooth.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
neverallow { appdomain -unconfineddomain } self:capability2 *;

# Block device access.
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

# Access to any character device that is not specifically typed.
neverallow { appdomain -unconfineddomain } device:chr_file { read write };

# Access to any of the following character devices.
neverallow { appdomain -unconfineddomain } {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Unlike the rules above, this is an explicit list of app domains rather
# than appdomain minus exceptions, so a newly added app domain is not
# covered until it is listed here.
neverallow { untrusted_app isolated_app shell -unconfineddomain }
    graphics_device:chr_file { read write };

neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
    { read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

# Set SELinux enforcing mode, booleans or any other SELinux settings.
neverallow { appdomain -unconfineddomain } kernel:security
    { setenforce setbool setsecparam setcheckreqprot };

# Load security policy.
# No unconfineddomain exception: this one holds for every app domain.
neverallow appdomain kernel:security load_policy;

# Privileged netlink socket interfaces.
# netlink_route_socket is intentionally not listed; it is allowed
# (without nlmsg_write) above.
neverallow { appdomain -unconfineddomain }
    self:{
        netlink_socket
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
        netlink_kobject_uevent_socket
    } *;

# Sockets under /dev/socket that are not specifically typed.
neverallow { appdomain -unconfineddomain } socket_device:sock_file write;

# Unix domain sockets.
# Each exemption below is a domain that legitimately talks to that
# daemon; an exempted domain is no longer covered by the assertion.
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } bluetooth_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
    property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
# Only the file class is asserted; dir and lnk_file are not covered by
# this rule.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, ping, etc.
# ~appdomain is the complement: every type outside the appdomain attribute.
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
    { transition dyntransition };

# Map low memory.
# Note: Take to domain.te and apply to all domains in the future.
neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;

# Write to rootfs.
# The same write-side permission set is repeated through the end of the
# /data rules; keep every copy identical (or fold them into one macro)
# so a change to one cannot silently leave another weaker.
neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow { appdomain -unconfineddomain } exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts.  Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app }
    system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
# Exemptions name the single app domain that owns each label
# (system_app, platform_app, shell, bluetooth).
neverallow { appdomain -system_app -unconfineddomain }
    security_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -shell -unconfineddomain }
    shell_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
neverallow { appdomain -unconfineddomain }
    efs_file:dir_file_class_set { read write };

# Write to various pseudo file systems.
# nfc is exempted from the sysfs assertion; the proc assertion has no
# app-domain exemption.
neverallow { appdomain -nfc -unconfineddomain }
    sysfs:dir_file_class_set write;
neverallow { appdomain -unconfineddomain }
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain }
    kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
# The exempted domains match those allowed to write property_socket above.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
    property_type:property_service set;

360