      1 ###
      2 ### Domain for all zygote spawned apps
      3 ###
      4 ### This file is the base policy for all zygote spawned apps.
      5 ### Other policy files, such as isolated_app.te, untrusted_app.te, etc
      6 ### extend from this policy. Only policies which should apply to ALL
      7 ### zygote spawned apps should be added here.
      8 ###
      9 
     10 # Allow apps to connect to the keystore
        # (macro -- its expansion is not visible in this file; presumably it
        # grants connectto on keystore's socket and write on the socket file.)
     11 unix_socket_connect(appdomain, keystore, keystore)
     12 
     13 # Receive and use open file descriptors inherited from zygote.
        # Only fd:use is granted: apps operate on descriptors zygote already
        # holds; opening new files is governed by the per-type rules below.
     14 allow appdomain zygote:fd use;
     15 
     16 # Read system properties managed by zygote.
        # Read-only: no write on zygote_tmpfs is granted.
     17 allow appdomain zygote_tmpfs:file read;
     18 
     19 # Notify zygote of death;
     20 allow appdomain zygote:process sigchld;
     21 
     22 # Communicate with system_server.
        # No connectto on the unix_stream_socket, so these sockets are
        # presumably already connected and handed to the app over binder/fd
        # passing (same pattern as the wallpaper/backup rules below) -- confirm.
     23 allow appdomain system:fifo_file rw_file_perms;
     24 allow appdomain system:unix_stream_socket { read write setopt };
     25 binder_call(appdomain, system)
     26 
     27 # Communicate with surfaceflinger.
        # Same shape as the system_server rules above: read/write/setopt on a
        # socket the app did not connect itself, plus binder.
     28 allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
     29 binder_call(appdomain, surfaceflinger)
     30 
     31 # App sandbox file accesses.
        # Full create/delete rights inside the app's own data directory.
        # notdevfile_class_set presumably covers the non-device file classes
        # (regular/link/socket/fifo), so device nodes cannot be created here;
        # the attribute is defined outside this file -- confirm.
     32 allow appdomain app_data_file:dir create_dir_perms;
     33 allow appdomain app_data_file:notdevfile_class_set create_file_perms;
     34 
     35 # Read/write data files created by the platform apps if they
     36 # were passed to the app via binder or local IPC.  Do not allow open.
        # Without open, an app can only use a descriptor it was handed; it
        # cannot walk to and open a platform_app_data_file on its own.
     37 allow appdomain platform_app_data_file:file { getattr read write };
     38 
     39 # lib subdirectory of /data/data dir is system-owned.
        # NOTE(review): only execute and open are granted on the file class,
        # not read; presumably a base-domain rule supplies read (otherwise
        # loading these libs would be denied) -- confirm against the base
        # domain policy.
     40 allow appdomain system_data_file:dir r_dir_perms;
     41 allow appdomain system_data_file:file { execute open };
     42 
     43 # Execute the shell or other system executables.
        # rx only; writes to system_file are blocked by a neverallow at the
        # end of this file.
     44 allow appdomain shell_exec:file rx_file_perms;
     45 allow appdomain system_file:file rx_file_perms;
     46 
     47 # Read/write wallpaper file (opened by system).
        # No open here either: access is only through a passed descriptor.
     48 allow appdomain wallpaper_file:file { read write };
     49 
     50 # Write to /data/anr/traces.txt.
        # append without read or write: apps can add trace data but cannot
        # read what other apps wrote or truncate/overwrite the file.
     51 allow appdomain anr_data_file:dir search;
     52 allow appdomain anr_data_file:file { open append };
     53 
     54 # Write to /proc/net/xt_qtaguid/ctrl file.
        # Every app gets read/write on the ctrl interface, so any per-uid
        # restriction on tagging/untagging sockets must be enforced by the
        # xt_qtaguid module itself, not by this policy -- verify.
     55 allow appdomain qtaguid_proc:file rw_file_perms;
     56 # Everybody can read the xt_qtaguid resource tracking misc dev.
     57 # So allow all apps to read from /dev/xt_qtaguid.
     58 allow appdomain qtaguid_device:chr_file r_file_perms;
     59 
     60 # Use the Binder.
     61 binder_use(appdomain)
     62 # Perform binder IPC to binder services.
     63 binder_call(appdomain, binderservicedomain)
     64 # Perform binder IPC to other apps.
        # SELinux does not distinguish between apps here: any appdomain may
        # binder-call any other appdomain. Caller authorization is left to
        # the permission checks on the receiving side.
     65 binder_call(appdomain, appdomain)
     66 
     67 # Appdomain interaction with isolated apps
        # r_dir_file is a macro; presumably read-only dir/file access to
        # objects labeled isolated_app (e.g. their /proc entries) -- confirm.
     68 r_dir_file(appdomain, isolated_app)
     69 binder_call(appdomain, isolated_app)
     70 
     71 # Already connected, unnamed sockets being passed over some other IPC
     72 # hence no sock_file or connectto permission. This appears to be how
     73 # Chrome works, may need to be updated as more apps using isolated services
     74 # are examined.
     75 allow appdomain isolated_app:unix_stream_socket { read write };
     76 
     77 # Backup ability for every app. BMS opens and passes the fd
     78 # to any app that has backup ability. Hence, no open permissions here.
     79 allow appdomain backup_data_file:file { read write };
     80 allow appdomain  cache_backup_file:file { read write };
     81 # Backup ability using 'adb backup'
        # getattr only on the symlink; what the link points at is still
        # bounded by the system_data_file rules above.
     82 allow appdomain system_data_file:lnk_file getattr;
     83 
     84 # Allow all applications to read downloaded files
        # Shared across apps: every appdomain can read every download_file,
        # and the auto-transition macro presumably labels files an app
        # creates in a download_file directory as download_file as well, so
        # they are readable by all other apps. Any per-app isolation of
        # downloads is therefore left to DAC, not to this policy.
     85 allow appdomain download_file:file r_file_perms;
     86 file_type_auto_trans(appdomain, download_file, download_file)
     87 
     88 # Allow applications to communicate with netd via /dev/socket/dnsproxyd
     89 # to do DNS resolution
     90 unix_socket_connect(appdomain, dnsproxyd, netd)
     91 
     92 # Allow applications to communicate with drmserver over binder
     93 binder_call(appdomain, drmserver)
     94 
     95 # Allow applications to communicate with mediaserver over binder
     96 binder_call(appdomain, mediaserver)
     97 
     98 # Allow applications to make outbound tcp connections to any port
        # port_type covers every labeled port, so SELinux imposes no port
        # restriction on apps; the INTERNET permission gate is presumably
        # enforced elsewhere (DAC/gid), not here.
     99 allow appdomain port_type:tcp_socket name_connect;
    100 
    101 # Allow apps to see changes to the routing table.
        # NOTE(review): the set below has read, bind and nlmsg_read but no
        # write, so apps can receive route notifications but apparently
        # cannot send requests on the socket; confirm this matches the
        # intended "see changes" use. netlink_route_socket is absent from
        # the privileged-netlink neverallow list further down, consistent
        # with this grant.
    102 allow appdomain self:netlink_route_socket {
    103     read
    104     bind
    105     create
    106     nlmsg_read
    107     ioctl
    108     getattr
    109     setattr
    110     getopt
    111     setopt
    112     shutdown
    113 };
    114 
    115 # Allow apps to use rawip sockets. This is needed for apps which execute
    116 # /system/bin/ping, for example.
        # Broad grant (create_socket_perms on raw IP for every app). Raw
        # sockets normally also require CAP_NET_RAW, which is not among the
        # capabilities the neverallow below leaves to apps; how ping runs
        # under that constraint is not shown in this file -- confirm.
    117 allow appdomain self:rawip_socket create_socket_perms;
    118 
    119 ###
    120 ### Neverallow rules
    121 ###
    122 ### These are things that Android apps should NEVER be able to do
    123 ###
    124 
    125 # Superuser capabilities.
    126 # Only exception is sys_nice for binder, might not be necessary.
        # Every neverallow below except load_policy carves out
        # unconfineddomain; an app domain that also carries unconfineddomain
        # would not be bound by those rules.
    127 neverallow { appdomain -unconfineddomain } self:capability ~sys_nice;
    128 neverallow { appdomain -unconfineddomain } self:capability2 *;
    129 
    130 # Block device access.
        # Only read and write are named; opening a blk_file is also checked
        # against the access-mode permission, so open is covered indirectly.
    131 neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
    132 
    133 # Kernel memory access.
    134 neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
    135 
    136 # Setting SELinux enforcing status or booleans.
    137 # Conditionally allowed to system_app for SEAndroidManager.
    138 neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
    139 
    140 # Load security policy.
        # No unconfineddomain carve-out: this applies to every app domain.
    141 neverallow appdomain kernel:security load_policy;
    142 
    143 # Privileged netlink socket interfaces.
        # netlink_route_socket is not in this set; it is allowed to apps
        # above for routing-table notifications.
    144 neverallow { appdomain -unconfineddomain }
    145     self:{
    146         netlink_socket
    147         netlink_firewall_socket
    148         netlink_tcpdiag_socket
    149         netlink_nflog_socket
    150         netlink_xfrm_socket
    151         netlink_selinux_socket
    152         netlink_audit_socket
    153         netlink_ip6fw_socket
    154         netlink_dnrt_socket
    155         netlink_kobject_uevent_socket
    156     } *;
    157 
    158 # ptrace access to non-app domains.
        # The target set is { domain -appdomain }, so app-to-app ptrace is not
        # forbidden by this rule; whether it is granted anywhere is not
        # visible in this file.
    159 neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
    160 
    161 # Transition to a non-app domain.
        # Covers both exec-based transition and dyntransition; together with
        # the ptrace rule this keeps an app from leaving appdomain.
    162 neverallow { appdomain -unconfineddomain } ~appdomain:process { transition dyntransition };
    163 
    164 # Write to /system.
        # Complements the rx_file_perms grants on system_file above.
    165 neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set write;
    166 
    167 # Write to system-owned parts of /data.
    168 # This is the default type for anything under /data not otherwise
    169 # specified in file_contexts.  Define a different type for portions
    170 # that should be writable by apps.
    171 # Exception for system_app for Settings.
        # Consistent with the allow rules above, which give apps only
        # r_dir_perms and execute+open on system_data_file, never write.
    172 neverallow { appdomain -unconfineddomain -system_app } system_data_file:dir_file_class_set write;
    173