priv_app.te revision 7aed1b253f53705c7e9d16657199cdfac9463a17
###
### priv_app: a domain that further sandboxes privileged applications
### on top of the generic app domain.
###
type priv_app, domain, domain_deprecated;
app_domain(priv_app)

# Network and bluetooth access come from the shared domain macros.
net_domain(priv_app)
bluetooth_domain(priv_app)

# Allocation and use of pseudo-terminals.
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)

### Files and devices

# Some apps write shared libraries and binaries into their own sandbox
# directory and then execute them from there, hence read + execute.
allow priv_app app_data_file:file rx_file_perms;

# android.process.media talks to /dev/mtp_usb.
allow priv_app mtp_device:chr_file rw_file_perms;

# Traverse into /mnt/media_rw, bypassing the FUSE daemon.
# TODO: narrow this to just MediaProvider
allow priv_app mnt_media_rw_file:dir search;

# /cache and the recovery cache: create/write access.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;

# /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;

# Finsky / Android "Verify Apps" reads the shell's files when
# running "adb install foo.apk"; read-only.
allow priv_app shell_data_file:dir r_dir_perms;
allow priv_app shell_data_file:file r_file_perms;

# The verifier reads staged APKs; read-only.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;

# b/18504118: reads from /data/anr/traces.txt.
allow priv_app anr_data_file:file r_file_perms;

# GMS core processes perfprofd output under /data/misc/perfprofd/ one
# file at a time, so it needs to list the directory as well as read the
# files. Granted only inside userdebug_or_eng.
userdebug_or_eng(`
  allow priv_app perfprofd_data_file:dir r_dir_perms;
  allow priv_app perfprofd_data_file:file r_file_perms;
')

# GMS core stats files and executables on the system partition
# (getattr only; no read or execute is granted here).
allow priv_app exec_type:file getattr;

# AppFuse: use fds handed over by vold, read/write the fuse device and
# the app fuse files and directories.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
allow priv_app app_fuse_file:dir rw_dir_perms;
allow priv_app app_fuse_file:file rw_file_perms;

# /sys: zram entries only.
allow priv_app sysfs_zram:dir search;
allow priv_app sysfs_zram:file r_file_perms;

# Reading the MAC address: a single ioctl on the app's own UDP sockets.
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;

# Phone reads/writes cached ringtones that were opened by system.
allow priv_app ringtone_file:file { getattr read write };

### Binder services

# Services a privileged app may look up through servicemanager
# (find only; registering services is forbidden by neverallow below).
allow priv_app {
  audioserver_service
  cameraserver_service
  drmserver_service
  mediacodec_service
  mediadrmserver_service
  mediaextractor_service
  mediaserver_service
  nfc_service
  radio_service
  surfaceflinger_service
  app_api_service
  system_api_service
  persistent_data_block_service
  recovery_service
  update_engine_service
}:service_manager find;

# GMS core drives A/B updates by talking to update_engine over binder.
binder_call(priv_app, update_engine)

###
### neverallow rules
###

# No uevent and no generic netlink sockets: neither receiving nor sending.
neverallow priv_app domain:{ netlink_kobject_uevent_socket netlink_socket } *;

# debugfs leaks too much information; it is a security best practice
# to keep these files unreadable.
neverallow priv_app debugfs:file read;

# Only trusted components of Android may register services. Privileged
# apps may look services up (above) but never add them.
neverallow priv_app service_manager_type:service_manager add;

# No connection to the property service and no setting of
# properties. b/10243159
neverallow priv_app property_socket:sock_file write;
neverallow priv_app init:unix_stream_socket connectto;
neverallow priv_app property_type:property_service set;

# priv_app must never be assigned mlstrustedsubject: that would undermine
# the per-user isolation model enforced via levelFrom=user in
# seapp_contexts and the mls constraints. There is no direct way to
# neverallow an attribute assignment, so this relies on fork permission
# only making sense within a domain (it should never be granted to any
# other domain within mlstrustedsubject) while priv_app is allowed fork
# permission to itself.
neverallow priv_app mlstrustedsubject:process fork;

# No hard links to any file. In particular, if priv_app linked to other
# app data files, installd could not guarantee deletion of the linked-to
# file; hard links also contribute to security bugs, so priv_app must
# never have this capability.
neverallow priv_app file_type:file link;