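###
### Untrusted apps.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory).  The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml.  In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key.  To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
### untrusted_app includes all the appdomain rules, plus the
### additional following rules:
###
### Review notes: every allow rule in this file applies to *all* untrusted
### apps, not just the app that motivated it, so each one widens the
### attack surface of the least-trusted domain on the device.  Keep the
### convention of naming the consumer next to each rule, and prefer
### narrowing an existing grant over adding a new one.  The neverallow
### section at the end is a set of compile-time assertions; it grants
### nothing and exists to stop other policy from granting it.
###

type untrusted_app, domain;
app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)

# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
# NOTE(review): execmod additionally allows text relocations (making a
# modified private file mapping executable) on app-written code, so
# app_data_file is not W^X-clean for this domain.
allow untrusted_app app_data_file:file { rx_file_perms execmod };

# ASEC (app containers).
allow untrusted_app asec_apk_file:file r_file_perms;
allow untrusted_app asec_apk_file:dir r_dir_perms;
# Execute libs in asec containers.  Only execute/execmod are added here;
# plain read/write on asec_public_file is not granted by this file.
allow untrusted_app asec_public_file:file { execute execmod };

# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
# NOTE(review): this is read access for every untrusted app, not just the
# verifier; anything left under the shell user's data directory is
# readable (subject to DAC mode bits) by any installed app.
allow untrusted_app shell_data_file:file r_file_perms;
allow untrusted_app shell_data_file:dir r_dir_perms;

# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos.
# Deliberately no "open": the app can only use a descriptor that a
# system app has already opened and handed over, never open the path
# itself.
allow untrusted_app system_app_data_file:file { read write getattr };

#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
#

# Access to /data/media.
allow untrusted_app media_rw_data_file:dir create_dir_perms;
allow untrusted_app media_rw_data_file:file create_file_perms;

# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
allow untrusted_app mnt_media_rw_file:dir search;

# allow cts to query all services
# NOTE(review): "list" lets any untrusted app enumerate every registered
# service name.  Obtaining a handle is still gated by the per-service
# "find" rules below.
allow untrusted_app servicemanager:service_manager list;

allow untrusted_app audioserver_service:service_manager find;
allow untrusted_app cameraserver_service:service_manager find;
allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app mediaextractor_service:service_manager find;
allow untrusted_app mediacodec_service:service_manager find;
allow untrusted_app mediadrmserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;

# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
# userdebug/eng builds only, and (as with every rule here) for every
# untrusted app, not only GMS core.
userdebug_or_eng(`
  allow untrusted_app perfprofd_data_file:file r_file_perms;
  allow untrusted_app perfprofd_data_file:dir r_dir_perms;
')

# gdbserver for ndk-gdb ptrace attaches to app process.
# "self" means an identical security context (domain and MLS level), and
# the kernel's own DAC/ptrace access checks still apply on top of this
# rule; it does not by itself let one app trace another.
allow untrusted_app self:process ptrace;

# Programs routinely attempt to scan through /system, looking
# for files. Suppress the denials when they occur.
# dontaudit only silences the log; the access is still denied.
dontaudit untrusted_app exec_type:file getattr;

# TODO: switch to meminfo service
allow untrusted_app proc_meminfo:file r_file_perms;

# https://code.google.com/p/chromium/issues/detail?id=586021
# NOTE(review): "proc" is the generic label for /proc entries that have no
# more specific type, so this is a broad read grant; audit what is still
# labeled proc on each kernel before relying on it for isolation.
allow untrusted_app proc:file r_file_perms;
# access /proc/net/xt_qtguid/stats
# NOTE(review): this grants read on everything labeled proc_net, not just
# the qtaguid stats file.
r_dir_file(untrusted_app, proc_net)

# Cts: HwRngTest
allow untrusted_app sysfs_hwrandom:dir search;
allow untrusted_app sysfs_hwrandom:file r_file_perms;

# Allow apps to view preloaded content
allow untrusted_app preloads_data_file:dir r_dir_perms;
allow untrusted_app preloads_data_file:file r_file_perms;

###
### neverallow rules
###
### These are build-time assertions: the policy fails to compile if any
### rule anywhere (including device-specific additions) would grant the
### listed permission to untrusted_app.  They grant nothing themselves.
###

# Receive or send uevent messages.
# (Also covered by the blanket socket-class assertion further down; kept
# as an explicit, self-documenting rule.)
neverallow untrusted_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
# (Likewise subsumed by the blanket socket-class assertion below.)
neverallow untrusted_app domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow untrusted_app debugfs_type:file read;

# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow untrusted_app service_manager_type:service_manager add;

# Do not allow untrusted_apps to connect to the property service
# or set system properties. b/10243159
# (Both the socket write and the property_service set assertions appear
# once here; an earlier revision repeated the same two rules later in
# this file, which added nothing.)
neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app init:unix_stream_socket connectto;
neverallow untrusted_app property_type:property_service set;

# Do not allow untrusted_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints.  As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and untrusted_app is allowed fork permission to itself.
neverallow untrusted_app mlstrustedsubject:process fork;

# Do not allow untrusted_app to hard link to any files.
# In particular, if untrusted_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted_app never has this
# capability.
neverallow untrusted_app file_type:file link;

# Do not allow untrusted_app to access network MAC address file
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;

# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow untrusted_app *:{
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket
} *;

# Do not allow untrusted_app access to /cache
# (read-only listing and reading remain possible; everything else is
# asserted away.)
neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };

# Do not allow untrusted_app to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
neverallow untrusted_app {
  fs_type
  -fuse                     # sdcard
  -sdcardfs                 # sdcard
  -vfat
  file_type
  -app_data_file            # The apps sandbox itself
  -media_rw_data_file       # Internal storage. Known that apps can
                            # leave artifacts here after uninstall.
  -user_profile_data_file   # Access to profile files
  -user_profile_foreign_dex_data_file   # Access to profile files
  userdebug_or_eng(`
    -method_trace_data_file # only on ro.debuggable=1
    -coredump_file          # userdebug/eng only
  ')
}:dir_file_class_set { create unlink };

# Do not allow untrusted_app to directly open tun_device
neverallow untrusted_app tun_device:chr_file open;

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# "write" is excluded, so the file can only be opened O_APPEND and
# appended to; the directory may only be searched, not listed.
neverallow untrusted_app anr_data_file:file ~{ open append };
neverallow untrusted_app anr_data_file:dir ~search;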
209