diff options
Diffstat (limited to 'app.te')
| -rw-r--r-- | app.te | 409 |
1 files changed, 0 insertions, 409 deletions
@@ -1,409 +0,0 @@ -### -### Domain for all zygote spawned apps -### -### This file is the base policy for all zygote spawned apps. -### Other policy files, such as isolated_app.te, untrusted_app.te, etc -### extend from this policy. Only policies which should apply to ALL -### zygote spawned apps should be added here. -### - -# WebView and other application-specific JIT compilers -allow appdomain self:process execmem; - -allow appdomain ashmem_device:chr_file execute; - -# Receive and use open file descriptors inherited from zygote. -allow appdomain zygote:fd use; - -# gdbserver for ndk-gdb reads the zygote. -# valgrind needs mmap exec for zygote -allow appdomain zygote_exec:file rx_file_perms; - -# Read system properties managed by zygote. -allow appdomain zygote_tmpfs:file read; - -# Notify zygote of death; -allow appdomain zygote:process sigchld; - -# Place process into foreground / background -allow appdomain cgroup:dir { search write }; -allow appdomain cgroup:file w_file_perms; - -# Read /data/dalvik-cache. -allow appdomain dalvikcache_data_file:dir { search getattr }; -allow appdomain dalvikcache_data_file:file r_file_perms; - -# Read the /sdcard symlink -allow appdomain rootfs:lnk_file r_file_perms; - -# Search /storage/emulated tmpfs mount. -allow appdomain tmpfs:dir r_dir_perms; - -userdebug_or_eng(` - # Notify zygote of the wrapped process PID when using --invoke-with. - allow appdomain zygote:fifo_file write; - - # Allow apps to create and write method traces in /data/misc/trace. - allow appdomain method_trace_data_file:dir w_dir_perms; - allow appdomain method_trace_data_file:file { create w_file_perms }; -') - -# Notify shell and adbd of death when spawned via runas for ndk-gdb. -allow appdomain shell:process sigchld; -allow appdomain adbd:process sigchld; - -# child shell or gdbserver pty access for runas. -allow appdomain devpts:chr_file { getattr read write ioctl }; - -# Use pipes and sockets provided by system_server via binder or local socket. -allow appdomain system_server:fifo_file rw_file_perms; -allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown }; -allow appdomain system_server:tcp_socket { read write getattr getopt shutdown }; - -# Communication with other apps via fifos -allow appdomain appdomain:fifo_file rw_file_perms; - -# Communicate with surfaceflinger. -allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; - -# App sandbox file accesses. -allow { appdomain -isolated_app } app_data_file:dir create_dir_perms; -allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms; - -# lib subdirectory of /data/data dir is system-owned. -allow appdomain system_data_file:dir r_dir_perms; -allow appdomain system_data_file:file { execute execute_no_trans open execmod }; - -# Traverse into expanded storage -allow appdomain mnt_expand_file:dir r_dir_perms; - -# Keychain and user-trusted credentials -allow appdomain keychain_data_file:dir r_dir_perms; -allow appdomain keychain_data_file:file r_file_perms; -allow appdomain misc_user_data_file:dir r_dir_perms; -allow appdomain misc_user_data_file:file r_file_perms; - -# Access to OEM provided data and apps -allow appdomain oemfs:dir r_dir_perms; -allow appdomain oemfs:file rx_file_perms; - -# Execute the shell or other system executables. -allow appdomain shell_exec:file rx_file_perms; -allow appdomain system_file:file rx_file_perms; -allow appdomain toolbox_exec:file rx_file_perms; - -# Renderscript needs the ability to read directories on /system -r_dir_file(appdomain, system_file) - -# Execute dex2oat when apps call dexclassloader -allow appdomain dex2oat_exec:file rx_file_perms; - -# Read/write wallpaper file (opened by system). -allow appdomain wallpaper_file:file { getattr read write }; - -# Write to /data/anr/traces.txt. -allow appdomain anr_data_file:dir search; -allow appdomain anr_data_file:file { open append }; - -# Allow apps to send dump information to dumpstate -allow appdomain dumpstate:fd use; -allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown }; -allow appdomain shell_data_file:file { write getattr }; - -# Send heap dumps to system_server via an already open file descriptor -# % adb shell am set-watch-heap com.android.systemui 1048576 -# % adb shell dumpsys procstats --start-testing -# debuggable builds only. -userdebug_or_eng(` - allow appdomain heapdump_data_file:file append; -') - -# Write to /proc/net/xt_qtaguid/ctrl file. -allow appdomain qtaguid_proc:file rw_file_perms; -# Everybody can read the xt_qtaguid resource tracking misc dev. -# So allow all apps to read from /dev/xt_qtaguid. -allow appdomain qtaguid_device:chr_file r_file_perms; - -# Grant GPU access to all processes started by Zygote. -# They need that to render the standard UI. -allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms; - -# Use the Binder. -binder_use(appdomain) -# Perform binder IPC to binder services. -binder_call(appdomain, binderservicedomain) -# Perform binder IPC to other apps. -binder_call(appdomain, appdomain) - -# Already connected, unnamed sockets being passed over some other IPC -# hence no sock_file or connectto permission. This appears to be how -# Chrome works, may need to be updated as more apps using isolated services -# are examined. -allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown }; - -# Backup ability for every app. BMS opens and passes the fd -# to any app that has backup ability. Hence, no open permissions here. -allow appdomain backup_data_file:file { read write getattr }; -allow appdomain cache_backup_file:file { read write getattr }; -allow appdomain cache_backup_file:dir getattr; -# Backup ability using 'adb backup' -allow appdomain system_data_file:lnk_file getattr; - -# Allow read/stat of /data/media files passed by Binder or local socket IPC. -allow appdomain media_rw_data_file:file { read getattr }; - -# Read and write /data/data/com.android.providers.telephony files passed over Binder. -allow appdomain radio_data_file:file { read write getattr }; - -# Allow access to external storage; we have several visible mount points under /storage -# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary -allow appdomain storage_file:dir r_dir_perms; -allow appdomain storage_file:lnk_file r_file_perms; -allow appdomain mnt_user_file:dir r_dir_perms; -allow appdomain mnt_user_file:lnk_file r_file_perms; - -# Read/write visible storage -allow appdomain fuse:dir create_dir_perms; -allow appdomain fuse:file create_file_perms; - -# Access OBBs (vfat images) mounted by vold (b/17633509) -# File write access allowed for FDs returned through Storage Access Framework -allow appdomain vfat:dir r_dir_perms; -allow appdomain vfat:file rw_file_perms; - -# Allow apps to use the USB Accessory interface. -# http://developer.android.com/guide/topics/connectivity/usb/accessory.html -# -# USB devices are first opened by the system server (USBDeviceManagerService) -# and the file descriptor is passed to the right Activity via binder. -allow appdomain usb_device:chr_file { read write getattr ioctl }; -allow appdomain usbaccessory_device:chr_file { read write getattr }; - -# For art. -allow appdomain dalvikcache_data_file:file execute; -allow appdomain dalvikcache_data_file:lnk_file r_file_perms; - -# Allow any app to read shared RELRO files. -allow appdomain shared_relro_file:dir search; -allow appdomain shared_relro_file:file r_file_perms; - -# Allow apps to read/execute installed binaries -allow appdomain apk_data_file:dir r_dir_perms; -allow appdomain apk_data_file:file { rx_file_perms execmod }; - -# /data/resource-cache -allow appdomain resourcecache_data_file:file r_file_perms; -allow appdomain resourcecache_data_file:dir r_dir_perms; - -# logd access -read_logd(appdomain) -control_logd(appdomain) -# application inherit logd write socket (urge is to deprecate this long term) -allow appdomain zygote:unix_dgram_socket write; - -allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify }; - -use_keystore({ appdomain -isolated_app }) - -allow appdomain console_device:chr_file { read write }; - -allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms; - -# For app fuse. -allow appdomain app_fuse_file:file { getattr read append write }; - -### -### CTS-specific rules -### - -# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java. -# testRunAsHasCorrectCapabilities -allow appdomain runas_exec:file getattr; -# Others are either allowed elsewhere or not desired. - -# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java -# Check SELinux policy and contexts. -selinux_check_access(appdomain) -selinux_check_context(appdomain) - -# Apps receive an open tun fd from the framework for -# device traffic. Do not allow untrusted app to directly open tun_device -allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append }; - -# Connect to adbd and use a socket transferred from it. -# This is used for e.g. adb backup/restore. -allow appdomain adbd:unix_stream_socket connectto; -allow appdomain adbd:fd use; -allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; - -allow appdomain cache_file:dir getattr; - -### -### Neverallow rules -### -### These are things that Android apps should NEVER be able to do -### - -# Superuser capabilities. -# bluetooth requires net_admin and wake_alarm. -neverallow { appdomain -bluetooth } self:capability *; -neverallow { appdomain -bluetooth } self:capability2 *; - -# Block device access. -neverallow appdomain dev_type:blk_file { read write }; - -# Access to any of the following character devices. -neverallow appdomain { - audio_device - video_device - dm_device - radio_device - gps_device - rpmsg_device -}:chr_file { read write }; - -# Note: Try expanding list of app domains in the future. -neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write }; - -neverallow { appdomain -nfc } nfc_device:chr_file - { read write }; -neverallow { appdomain -bluetooth } hci_attach_dev:chr_file - { read write }; -neverallow appdomain tee_device:chr_file { read write }; - -# Privileged netlink socket interfaces. -neverallow appdomain - domain:{ - netlink_firewall_socket - netlink_tcpdiag_socket - netlink_nflog_socket - netlink_xfrm_socket - netlink_audit_socket - netlink_ip6fw_socket - netlink_dnrt_socket - } *; - -# These messages are broadcast messages from the kernel to userspace. -# Do not allow the writing of netlink messages, which has been a source -# of rooting vulns in the past. -neverallow appdomain domain:netlink_kobject_uevent_socket { write append }; - -# Sockets under /dev/socket that are not specifically typed. -neverallow appdomain socket_device:sock_file write; - -# Unix domain sockets. -neverallow appdomain adbd_socket:sock_file write; -neverallow appdomain installd_socket:sock_file write; -neverallow { appdomain -radio } rild_socket:sock_file write; -neverallow appdomain vold_socket:sock_file write; -neverallow appdomain zygote_socket:sock_file write; - -# ptrace access to non-app domains. -neverallow appdomain { domain -appdomain }:process ptrace; - -# Write access to /proc/pid entries for any non-app domain. -neverallow appdomain { domain -appdomain }:file write; - -# signal access to non-app domains. -# sigchld allowed for parent death notification. -# signull allowed for kill(pid, 0) existence test. -# All others prohibited. -neverallow appdomain { domain -appdomain }:process - { sigkill sigstop signal }; - -# Transition to a non-app domain. -# Exception for the shell domain and the su domain, can transition to runas, -# etc. -neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process - { transition dyntransition }; - -# Write to rootfs. -neverallow appdomain rootfs:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; - -# Write to /system. -neverallow appdomain system_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; - -# Write to entrypoint executables. -neverallow appdomain exec_type:file - { create write setattr relabelfrom relabelto append unlink link rename }; - -# Write to system-owned parts of /data. -# This is the default type for anything under /data not otherwise -# specified in file_contexts. Define a different type for portions -# that should be writable by apps. -neverallow appdomain system_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; - -# Write to various other parts of /data. -neverallow appdomain drm_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -system_app } - gps_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -platform_app } - apk_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -platform_app } - apk_tmp_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -platform_app } - apk_private_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -platform_app } - apk_private_tmp_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -shell } - shell_data_file:dir_file_class_set - { create setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -bluetooth } - bluetooth_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow appdomain - keystore_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow appdomain - systemkeys_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow appdomain - wifi_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow appdomain - dhcp_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; - -# access tmp apk files -neverallow { appdomain -platform_app -priv_app } - { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *; - -# Access to factory files. -neverallow appdomain efs_file:dir_file_class_set write; -neverallow { appdomain -shell } efs_file:dir_file_class_set read; - -# Write to various pseudo file systems. -neverallow { appdomain -bluetooth -nfc } - sysfs:dir_file_class_set write; -neverallow appdomain - proc:dir_file_class_set write; - -# Access to syslog(2) or /proc/kmsg. -neverallow { appdomain -system_app } - kernel:system { syslog_mod syslog_console }; -neverallow { appdomain -system_app -shell } - kernel:system syslog_read; - -# Ability to perform any filesystem operation other than statfs(2). -# i.e. no mount(2), unmount(2), etc. -neverallow appdomain fs_type:filesystem ~getattr; - -# prevent creation/manipulation of globally readable symlinks -neverallow appdomain { - apk_data_file - cache_file - cache_recovery_file - dev_type - rootfs - system_file - tmpfs -}:lnk_file no_w_file_perms; |