1### 2### Ephemeral apps. 3### 4### This file defines the security policy for apps with the ephemeral 5### feature. 6### 7### The ephemeral_app domain is a reduced permissions sandbox allowing 8### ephemeral applications to be safely installed and run. Non ephemeral 9### applications may also opt-in to ephemeral to take advantage of the 10### additional security features. 11### 12### PackageManager flags an app as ephemeral at install time. 13 14typeattribute ephemeral_app coredomain; 15 16net_domain(ephemeral_app) 17app_domain(ephemeral_app) 18 19# Allow ephemeral apps to read/write files in visible storage if provided fds 20allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append}; 21 22# services 23allow ephemeral_app audioserver_service:service_manager find; 24allow ephemeral_app cameraserver_service:service_manager find; 25allow ephemeral_app mediaserver_service:service_manager find; 26allow ephemeral_app mediaextractor_service:service_manager find; 27allow ephemeral_app mediacodec_service:service_manager find; 28allow ephemeral_app mediametrics_service:service_manager find; 29allow ephemeral_app mediadrmserver_service:service_manager find; 30allow ephemeral_app mediacasserver_service:service_manager find; 31allow ephemeral_app surfaceflinger_service:service_manager find; 32allow ephemeral_app radio_service:service_manager find; 33allow ephemeral_app ephemeral_app_api_service:service_manager find; 34 35### 36### neverallow rules 37### 38 39# Executable content should never be loaded from an ephemeral app home directory. 40neverallow ephemeral_app app_data_file:file { execute execute_no_trans }; 41 42# Receive or send uevent messages. 43neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; 44 45# Receive or send generic netlink messages 46neverallow ephemeral_app domain:netlink_socket *; 47 48# Too much leaky information in debugfs. It's a security 49# best practice to ensure these files aren't readable. 50neverallow ephemeral_app debugfs:file read; 51 52# execute gpu_device 53neverallow ephemeral_app gpu_device:chr_file execute; 54 55# access files in /sys with the default sysfs label 56neverallow ephemeral_app sysfs:file *; 57 58# Avoid reads from generically labeled /proc files 59# Create a more specific label if needed 60neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms }; 61 62# Directly access external storage 63neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create}; 64neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search; 65 66# Avoid reads to proc_net, it contains too much device wide information about 67# ongoing connections. 68neverallow ephemeral_app proc_net:file no_rw_file_perms; 69