      1 ###
      2 ### Domain for all zygote spawned apps
      3 ###
      4 ### This file is the base policy for all zygote spawned apps.
      5 ### Other policy files, such as isolated_app.te, untrusted_app.te, etc
      6 ### extend from this policy. Only policies which should apply to ALL
      7 ### zygote spawned apps should be added here.
      8 ###
        ### Layout: allow rules on the appdomain attribute first, then the
        ### CTS-specific allows, then the neverallow rules that bound what any
        ### app domain may ever be granted (checked at policy build time).
      9 
     10 # Dalvik Compiler JIT Mapping.
        # execmem on self plus execute on ashmem lets the runtime create
        # writable-and-executable anonymous/ashmem mappings for JIT code.  This
        # is a deliberate relaxation of W^X that every app domain inherits.
     11 allow appdomain self:process execmem;
     12 allow appdomain ashmem_device:chr_file execute;
     13 
     14 # Receive and use open file descriptors inherited from zygote.
     15 allow appdomain zygote:fd use;
     16 
     17 # gdbserver for ndk-gdb reads the zygote.
     18 # valgrind needs mmap exec for zygote
     19 allow appdomain zygote_exec:file rx_file_perms;
     20 
     21 # gdbserver for ndk-gdb ptrace attaches to app process.
        # Scoped to self only; ptrace of any non-app domain is forbidden by a
        # neverallow rule at the end of this file.
     22 allow appdomain self:process ptrace;
     23 
     24 # Read system properties managed by zygote.
     25 allow appdomain zygote_tmpfs:file read;
     26 
     27 # Notify zygote of death.
     28 allow appdomain zygote:process sigchld;
     29 
     30 # Notify shell and adbd of death when spawned via runas for ndk-gdb.
     31 allow appdomain shell:process sigchld;
     32 allow appdomain adbd:process sigchld;
     33 
     34 # child shell or gdbserver pty access for runas.
     35 allow appdomain devpts:chr_file { getattr read write ioctl };
     36 
     37 # Use pipes and sockets provided by system_server via binder or local socket.
        # The sockets are used, not created or connected: the socket permission
        # sets below contain no create/connect/connectto.
     38 allow appdomain system_server:fifo_file rw_file_perms;
     39 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
     40 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
     41 
     42 # Communication with other apps via fifos
     43 allow appdomain appdomain:fifo_file rw_file_perms;
     44 
     45 # Communicate with surfaceflinger.
     46 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
     47 
     48 # App sandbox file accesses.
        # Full create/read/write on the app's own data directory and on the
        # non-device file classes within it (per the class set name).
     49 allow appdomain app_data_file:dir create_dir_perms;
     50 allow appdomain app_data_file:notdevfile_class_set create_file_perms;
     51 
     52 # lib subdirectory of /data/data dir is system-owned.
        # Read/execute only -- this rule grants no write on these files.
        # execmod permits an already-mapped library to be made executable after
        # it has been modified (text relocations); that is a W^X exception for
        # native libraries, and the neverallow rules below keep app write access
        # to system_data_file off for every app domain except system_app.
     53 allow appdomain system_data_file:dir r_dir_perms;
     54 allow appdomain system_data_file:file { execute execute_no_trans open execmod };
     55 
     56 # Keychain and user-trusted credentials
     57 allow appdomain keychain_data_file:dir r_dir_perms;
     58 allow appdomain keychain_data_file:file r_file_perms;
     59 allow appdomain misc_user_data_file:dir r_dir_perms;
     60 allow appdomain misc_user_data_file:file r_file_perms;
     61 
     62 # Access to OEM provided data and apps
     63 allow appdomain oemfs:dir r_dir_perms;
     64 allow appdomain oemfs:file rx_file_perms;
     65 
     66 # Execute the shell or other system executables.
     67 allow appdomain shell_exec:file rx_file_perms;
     68 allow appdomain system_file:file rx_file_perms;
     69 
     70 # Execute dex2oat when apps call dexclassloader
     71 allow appdomain dex2oat_exec:file rx_file_perms;
     72 
     73 # Read/write wallpaper file (opened by system).
        # Hence no open permission here: apps only use the fd they are handed.
     74 allow appdomain wallpaper_file:file { getattr read write };
     75 
     76 # Write to /data/anr/traces.txt.
        # append rather than write: an app can add its own trace but cannot
        # overwrite or truncate what other processes already wrote.
     77 allow appdomain anr_data_file:dir search;
     78 allow appdomain anr_data_file:file { open append };
     79 
     80 # Allow apps to send dump information to dumpstate
        # shell_data_file gets write/getattr only: the fd is passed in, so this
        # rule lets apps neither open nor create such files themselves.
     81 allow appdomain dumpstate:fd use;
     82 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
     83 allow appdomain shell_data_file:file { write getattr };
     84 
     85 # Write to /proc/net/xt_qtaguid/ctrl file.
     86 allow appdomain qtaguid_proc:file rw_file_perms;
     87 # Everybody can read the xt_qtaguid resource tracking misc dev.
     88 # So allow all apps to read from /dev/xt_qtaguid.
     89 allow appdomain qtaguid_device:chr_file r_file_perms;
     90 
     91 # Grant GPU access to all processes started by Zygote.
     92 # They need that to render the standard UI.
        # Note that execute is included, so executable mappings of the device
        # node are permitted alongside read/write.
     93 allow appdomain gpu_device:chr_file { rw_file_perms execute };
     94 
     95 # Use the Binder.
     96 binder_use(appdomain)
     97 # Perform binder IPC to binder services.
     98 binder_call(appdomain, binderservicedomain)
     99 # Perform binder IPC to other apps.
    100 binder_call(appdomain, appdomain)
    101 
    102 # Already connected, unnamed sockets being passed over some other IPC
    103 # hence no sock_file or connectto permission. This appears to be how
    104 # Chrome works, may need to be updated as more apps using isolated services
    105 # are examined.
    106 allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
    107 
    108 # Backup ability for every app. BMS opens and passes the fd
    109 # to any app that has backup ability. Hence, no open permissions here.
    110 allow appdomain backup_data_file:file { read write getattr };
    111 allow appdomain cache_backup_file:file { read write getattr };
    112 allow appdomain cache_backup_file:dir getattr;
    113 # Backup ability using 'adb backup'
    114 allow appdomain system_data_file:lnk_file getattr;
    115 
    116 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
    117 allow appdomain media_rw_data_file:file { read getattr };
    118 
    119 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
    120 allow appdomain radio_data_file:file { read write getattr };
    121 
    122 # Read and write system app data files passed over Binder.
    123 # Motivating case was /data/data/com.android.settings/cache/*.jpg for
    124 # cropping or taking user photos.
        # NOTE(review): unlike the rest of this file, this rule is scoped to the
        # untrusted_app domain rather than the appdomain attribute.  Other app
        # domains do not get it from here; confirm that is intended, and keep it
        # that narrow if so -- widening it to appdomain would be a real grant.
    125 allow untrusted_app system_app_data_file:file { read write getattr };
    126 
    127 # Access SDcard via the fuse mount.
        # Full create/read/write on the FUSE-backed sdcard mount (contrast with
        # the read-only vfat OBB access just below).
    128 allow appdomain fuse:dir create_dir_perms;
    129 allow appdomain fuse:file create_file_perms;
    130 
    131 # Access OBBs (vfat images) mounted by vold (b/17633509)
    132 allow appdomain vfat:dir r_dir_perms;
    133 allow appdomain vfat:file r_file_perms;
    134 
    135 # Allow apps to use the USB Accessory interface.
    136 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
    137 #
    138 # USB devices are first opened by the system server (USBDeviceManagerService)
    139 # and the file descriptor is passed to the right Activity via binder.
        # Hence no open permission on either device type; ioctl is granted on
        # usb_device only.
    140 allow appdomain usb_device:chr_file { read write getattr ioctl };
    141 allow appdomain usbaccessory_device:chr_file { read write getattr };
    142 
    143 # For art.
        # execute only: apps may map compiled code from the dalvik cache, but
        # this rule gives them no write access to it.
    144 allow appdomain dalvikcache_data_file:file execute;
    145 
    146 # /data/dalvik-cache/profiles
    147 allow appdomain dalvikcache_profiles_data_file:dir { search getattr };
    148 allow appdomain dalvikcache_profiles_data_file:file rw_file_perms;
    149 
    150 # Allow any app to read shared RELRO files.
    151 allow appdomain shared_relro_file:dir search;
    152 allow appdomain shared_relro_file:file r_file_perms;
    153 
    154 # Allow apps to read/execute installed binaries
        # execmod again (see the system_data_file lib rule above): text
        # relocations in installed native libraries are tolerated.
    155 allow appdomain apk_data_file:dir r_dir_perms;
    156 allow appdomain apk_data_file:file { rx_file_perms execmod };
    157 
    158 # /data/resource-cache
    159 allow appdomain resourcecache_data_file:file r_file_perms;
    160 allow appdomain resourcecache_data_file:dir r_dir_perms;
    161 
    162 ###
    163 ### CTS-specific rules
    164 ###
    165 
    166 # For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
    167 # Reads /proc/pid/status and statm entries to check that
    168 # no unexpected root processes are running.
    169 # Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
    170 # Reads /proc/pid/cmdline of vold.
        # NOTE(review): these two rules are broad -- every app domain may read
        # (not merely search) the /proc/<pid> entries of every domain on the
        # device, which is information exposure well beyond the two CTS tests
        # named above.  Write to those entries stays blocked by the
        # "{ domain -appdomain }:file write" neverallow below.
    171 allow appdomain domain:dir { open read search getattr };
    172 allow appdomain domain:{ file lnk_file } { open read getattr };
    173 
    174 # For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
    175 # testRunAsHasCorrectCapabilities
        # getattr only -- no read or execute of the runas binary from apps.
    176 allow appdomain runas_exec:file getattr;
    177 # Others are either allowed elsewhere or not desired.
    178 
    179 # For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
    180 # Check SELinux policy and contexts.
    181 selinux_check_access(appdomain)
    182 selinux_check_context(appdomain)
    183 # Validate that each process is running in the correct security context.
    184 allow appdomain domain:process getattr;
    185 
    186 # logd access
    187 read_logd(appdomain)
    188 control_logd(appdomain)
    189 # application inherit logd write socket (the intent is to deprecate this long term)
    190 allow appdomain zygote:unix_dgram_socket write;
    191 
        # Per-app keystore operations.  Any keystore_key operation not in this
        # list is denied to app domains unless granted elsewhere (default deny).
    192 allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
    193 
    194 use_keystore(appdomain)
    195 
    196 ###
    197 ### Neverallow rules
    198 ###
    199 ### These are things that Android apps should NEVER be able to do
    200 ###
        ### These are enforced at policy build time: if any .te file grants an
        ### allow rule that matches one of them, the policy fails to compile.
        ### The "{ appdomain -X }" form exempts domain X from that prohibition.
    201 
    202 # Superuser capabilities.
    203 # bluetooth requires net_admin and wake_alarm.
        # Hence bluetooth is exempted from the capability ban entirely; no other
        # app domain may be granted any capability on self.
    204 neverallow { appdomain -bluetooth } self:capability *;
    205 neverallow { appdomain -bluetooth } self:capability2 *;
    206 
    207 # Block device access.
    208 neverallow appdomain dev_type:blk_file { read write };
    209 
    210 # Access to any of the following character devices.
    211 neverallow appdomain {
    212     audio_device
    213     camera_device
    214     dm_device
    215     radio_device
    216     gps_device
    217     rpmsg_device
    218 }:chr_file { read write };
    219 
    220 # Note: Try expanding list of app domains in the future.
        # Only these three domains are covered; other members of appdomain are
        # not constrained by this line.
    221 neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
    222 
    223 neverallow { appdomain -nfc } nfc_device:chr_file
    224     { read write };
    225 neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
    226     { read write };
    227 neverallow appdomain tee_device:chr_file { read write };
    228 
    229 # Privileged netlink socket interfaces.
        # No permission at all (*) on these socket classes for any app domain.
    230 neverallow appdomain
    231     self:{
    232         netlink_socket
    233         netlink_firewall_socket
    234         netlink_tcpdiag_socket
    235         netlink_nflog_socket
    236         netlink_xfrm_socket
    237         netlink_audit_socket
    238         netlink_ip6fw_socket
    239         netlink_dnrt_socket
    240     } *;
    241 
    242 # These messages are broadcast messages from the kernel to userspace.
    243 # Do not allow the writing of netlink messages, which has been a source
    244 # of rooting vulns in the past.
        # Only write/append is prohibited here; receiving uevents is unaffected.
    245 neverallow appdomain self:netlink_kobject_uevent_socket { write append };
    246 
    247 # Sockets under /dev/socket that are not specifically typed.
    248 neverallow appdomain socket_device:sock_file write;
    249 
    250 # Unix domain sockets.
        # write on a sock_file is what connecting to a named unix socket needs,
        # so these forbid apps (minus the listed exemptions) from connecting to
        # the named daemons' sockets.
    251 neverallow appdomain adbd_socket:sock_file write;
    252 neverallow appdomain installd_socket:sock_file write;
    253 neverallow { appdomain -bluetooth -radio -shell -system_app -nfc }
    254     property_socket:sock_file write;
    255 neverallow { appdomain -radio } rild_socket:sock_file write;
    256 neverallow appdomain vold_socket:sock_file write;
    257 neverallow appdomain zygote_socket:sock_file write;
    258 
    259 # ptrace access to non-app domains.
    260 neverallow appdomain { domain -appdomain }:process ptrace;
    261 
    262 # Write access to /proc/pid entries for any non-app domain.
        # Complements the broad read grant in the CTS section above.
    263 neverallow appdomain { domain -appdomain }:file write;
    264 
    265 # signal access to non-app domains.
    266 # sigchld allowed for parent death notification.
    267 # signull allowed for kill(pid, 0) existence test.
    268 # All others prohibited.
    269 neverallow appdomain { domain -appdomain }:process
    270     { sigkill sigstop signal };
    271 
    272 # Transition to a non-app domain.
    273 # Exception for the shell domain, can transition to runas, etc.
    274 neverallow { appdomain -shell } { domain -appdomain }:process
    275     { transition dyntransition };
    276 
    277 # Write to rootfs.
    278 neverallow appdomain rootfs:dir_file_class_set
    279     { create write setattr relabelfrom relabelto append unlink link rename };
    280 
    281 # Write to /system.
    282 neverallow appdomain system_file:dir_file_class_set
    283     { create write setattr relabelfrom relabelto append unlink link rename };
    284 
    285 # Write to entrypoint executables.
    286 neverallow appdomain exec_type:file
    287     { create write setattr relabelfrom relabelto append unlink link rename };
    288 
    289 # Write to system-owned parts of /data.
    290 # This is the default type for anything under /data not otherwise
    291 # specified in file_contexts.  Define a different type for portions
    292 # that should be writable by apps.
    293 # Exception for system_app for Settings.
    294 neverallow { appdomain -system_app }
    295     system_data_file:dir_file_class_set
    296     { create write setattr relabelfrom relabelto append unlink link rename };
    297 
    298 # Write to various other parts of /data.
    299 neverallow appdomain drm_data_file:dir_file_class_set
    300     { create write setattr relabelfrom relabelto append unlink link rename };
    301 neverallow { appdomain -system_app }
    302     gps_data_file:dir_file_class_set
    303     { create write setattr relabelfrom relabelto append unlink link rename };
    304 neverallow { appdomain -platform_app }
    305     apk_data_file:dir_file_class_set
    306     { create write setattr relabelfrom relabelto append unlink link rename };
    307 neverallow { appdomain -platform_app }
    308     apk_tmp_file:dir_file_class_set
    309     { create write setattr relabelfrom relabelto append unlink link rename };
    310 neverallow { appdomain -platform_app }
    311     apk_private_data_file:dir_file_class_set
    312     { create write setattr relabelfrom relabelto append unlink link rename };
    313 neverallow { appdomain -platform_app }
    314     apk_private_tmp_file:dir_file_class_set
    315     { create write setattr relabelfrom relabelto append unlink link rename };
        # "write" is deliberately absent from the shell_data_file set below: the
        # dumpstate rule earlier in this file grants appdomain write on
        # shell_data_file fds, and a neverallow including write would conflict
        # with it and fail the build.  create/unlink/etc. stay prohibited for
        # every app domain other than shell.
    316 neverallow { appdomain -shell }
    317     shell_data_file:dir_file_class_set
    318     { create setattr relabelfrom relabelto append unlink link rename };
    319 neverallow { appdomain -bluetooth }
    320     bluetooth_data_file:dir_file_class_set
    321     { create write setattr relabelfrom relabelto append unlink link rename };
    322 neverallow appdomain
    323     keystore_data_file:dir_file_class_set
    324     { create write setattr relabelfrom relabelto append unlink link rename };
    325 neverallow appdomain
    326     systemkeys_data_file:dir_file_class_set
    327     { create write setattr relabelfrom relabelto append unlink link rename };
    328 neverallow appdomain
    329     wifi_data_file:dir_file_class_set
    330     { create write setattr relabelfrom relabelto append unlink link rename };
    331 neverallow appdomain
    332     dhcp_data_file:dir_file_class_set
    333     { create write setattr relabelfrom relabelto append unlink link rename };
    334 
    335 # Access to factory files.
        # No app may write factory data; only shell may read it.
    336 neverallow appdomain efs_file:dir_file_class_set write;
    337 neverallow { appdomain -shell } efs_file:dir_file_class_set read;
    338 
    339 # Write to various pseudo file systems.
    340 neverallow { appdomain -bluetooth -nfc }
    341     sysfs:dir_file_class_set write;
    342 neverallow appdomain
    343     proc:dir_file_class_set write;
    344 
    345 # Access to syslog(2) or /proc/kmsg.
    346 neverallow { appdomain -system_app }
    347     kernel:system { syslog_mod syslog_console };
    348 neverallow { appdomain -system_app -shell }
    349     kernel:system syslog_read;
    350 
    351 # Ability to perform any filesystem operation other than statfs(2).
    352 # i.e. no mount(2), unmount(2), etc.
        # "~getattr" is the complement set: every filesystem permission except getattr.
    353 neverallow appdomain fs_type:filesystem ~getattr;
    354 
    355 # Ability to set system properties.
    356 neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
    357     property_type:property_service set;
    358