1 ### 2 ### Domain for all zygote spawned apps 3 ### 4 ### This file is the base policy for all zygote spawned apps. 5 ### Other policy files, such as isolated_app.te, untrusted_app.te, etc 6 ### extend from this policy. Only policies which should apply to ALL 7 ### zygote spawned apps should be added here. 8 ### 9 10 # Dalvik Compiler JIT Mapping. 11 allow appdomain self:process execmem; 12 allow appdomain ashmem_device:chr_file execute; 13 14 # Receive and use open file descriptors inherited from zygote. 15 allow appdomain zygote:fd use; 16 17 # gdbserver for ndk-gdb reads the zygote. 18 # valgrind needs mmap exec for zygote 19 allow appdomain zygote_exec:file rx_file_perms; 20 21 # gdbserver for ndk-gdb ptrace attaches to app process. 22 allow appdomain self:process ptrace; 23 24 # Read system properties managed by zygote. 25 allow appdomain zygote_tmpfs:file read; 26 27 # Notify zygote of death; 28 allow appdomain zygote:process sigchld; 29 30 # Notify shell and adbd of death when spawned via runas for ndk-gdb. 31 allow appdomain shell:process sigchld; 32 allow appdomain adbd:process sigchld; 33 34 # child shell or gdbserver pty access for runas. 35 allow appdomain devpts:chr_file { getattr read write ioctl }; 36 37 # Use pipes and sockets provided by system_server via binder or local socket. 38 allow appdomain system_server:fifo_file rw_file_perms; 39 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown }; 40 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown }; 41 42 # Communication with other apps via fifos 43 allow appdomain appdomain:fifo_file rw_file_perms; 44 45 # Communicate with surfaceflinger. 46 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; 47 48 # App sandbox file accesses. 49 allow appdomain app_data_file:dir create_dir_perms; 50 allow appdomain app_data_file:notdevfile_class_set create_file_perms; 51 52 # lib subdirectory of /data/data dir is system-owned. 53 allow appdomain system_data_file:dir r_dir_perms; 54 allow appdomain system_data_file:file { execute execute_no_trans open execmod }; 55 56 # Keychain and user-trusted credentials 57 allow appdomain keychain_data_file:dir r_dir_perms; 58 allow appdomain keychain_data_file:file r_file_perms; 59 allow appdomain misc_user_data_file:dir r_dir_perms; 60 allow appdomain misc_user_data_file:file r_file_perms; 61 62 # Access to OEM provided data and apps 63 allow appdomain oemfs:dir r_dir_perms; 64 allow appdomain oemfs:file rx_file_perms; 65 66 # Execute the shell or other system executables. 67 allow appdomain shell_exec:file rx_file_perms; 68 allow appdomain system_file:file rx_file_perms; 69 70 # Execute dex2oat when apps call dexclassloader 71 allow appdomain dex2oat_exec:file rx_file_perms; 72 73 # Read/write wallpaper file (opened by system). 74 allow appdomain wallpaper_file:file { getattr read write }; 75 76 # Write to /data/anr/traces.txt. 77 allow appdomain anr_data_file:dir search; 78 allow appdomain anr_data_file:file { open append }; 79 80 # Allow apps to send dump information to dumpstate 81 allow appdomain dumpstate:fd use; 82 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown }; 83 allow appdomain shell_data_file:file { write getattr }; 84 85 # Write to /proc/net/xt_qtaguid/ctrl file. 86 allow appdomain qtaguid_proc:file rw_file_perms; 87 # Everybody can read the xt_qtaguid resource tracking misc dev. 88 # So allow all apps to read from /dev/xt_qtaguid. 89 allow appdomain qtaguid_device:chr_file r_file_perms; 90 91 # Grant GPU access to all processes started by Zygote. 92 # They need that to render the standard UI. 93 allow appdomain gpu_device:chr_file { rw_file_perms execute }; 94 95 # Use the Binder. 96 binder_use(appdomain) 97 # Perform binder IPC to binder services. 98 binder_call(appdomain, binderservicedomain) 99 # Perform binder IPC to other apps. 100 binder_call(appdomain, appdomain) 101 102 # Already connected, unnamed sockets being passed over some other IPC 103 # hence no sock_file or connectto permission. This appears to be how 104 # Chrome works, may need to be updated as more apps using isolated services 105 # are examined. 106 allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown }; 107 108 # Backup ability for every app. BMS opens and passes the fd 109 # to any app that has backup ability. Hence, no open permissions here. 110 allow appdomain backup_data_file:file { read write getattr }; 111 allow appdomain cache_backup_file:file { read write getattr }; 112 allow appdomain cache_backup_file:dir getattr; 113 # Backup ability using 'adb backup' 114 allow appdomain system_data_file:lnk_file getattr; 115 116 # Allow read/stat of /data/media files passed by Binder or local socket IPC. 117 allow appdomain media_rw_data_file:file { read getattr }; 118 119 # Read and write /data/data/com.android.providers.telephony files passed over Binder. 120 allow appdomain radio_data_file:file { read write getattr }; 121 122 # Read and write system app data files passed over Binder. 123 # Motivating case was /data/data/com.android.settings/cache/*.jpg for 124 # cropping or taking user photos. 125 allow untrusted_app system_app_data_file:file { read write getattr }; 126 127 # Access SDcard via the fuse mount. 128 allow appdomain fuse:dir create_dir_perms; 129 allow appdomain fuse:file create_file_perms; 130 131 # Access OBBs (vfat images) mounted by vold (b/17633509) 132 allow appdomain vfat:dir r_dir_perms; 133 allow appdomain vfat:file r_file_perms; 134 135 # Allow apps to use the USB Accessory interface. 136 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html 137 # 138 # USB devices are first opened by the system server (USBDeviceManagerService) 139 # and the file descriptor is passed to the right Activity via binder. 140 allow appdomain usb_device:chr_file { read write getattr ioctl }; 141 allow appdomain usbaccessory_device:chr_file { read write getattr }; 142 143 # For art. 144 allow appdomain dalvikcache_data_file:file execute; 145 146 # /data/dalvik-cache/profiles 147 allow appdomain dalvikcache_profiles_data_file:dir { search getattr }; 148 allow appdomain dalvikcache_profiles_data_file:file rw_file_perms; 149 150 # Allow any app to read shared RELRO files. 151 allow appdomain shared_relro_file:dir search; 152 allow appdomain shared_relro_file:file r_file_perms; 153 154 # Allow apps to read/execute installed binaries 155 allow appdomain apk_data_file:dir r_dir_perms; 156 allow appdomain apk_data_file:file { rx_file_perms execmod }; 157 158 # /data/resource-cache 159 allow appdomain resourcecache_data_file:file r_file_perms; 160 allow appdomain resourcecache_data_file:dir r_dir_perms; 161 162 ### 163 ### CTS-specific rules 164 ### 165 166 # For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java. 167 # Reads /proc/pid/status and statm entries to check that 168 # no unexpected root processes are running. 169 # Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java 170 # Reads /proc/pid/cmdline of vold. 171 allow appdomain domain:dir { open read search getattr }; 172 allow appdomain domain:{ file lnk_file } { open read getattr }; 173 174 # For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java. 175 # testRunAsHasCorrectCapabilities 176 allow appdomain runas_exec:file getattr; 177 # Others are either allowed elsewhere or not desired. 178 179 # For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java 180 # Check SELinux policy and contexts. 181 selinux_check_access(appdomain) 182 selinux_check_context(appdomain) 183 # Validate that each process is running in the correct security context. 184 allow appdomain domain:process getattr; 185 186 # logd access 187 read_logd(appdomain) 188 control_logd(appdomain) 189 # application inherit logd write socket (urge is to deprecate this long term) 190 allow appdomain zygote:unix_dgram_socket write; 191 192 allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify }; 193 194 use_keystore(appdomain) 195 196 ### 197 ### Neverallow rules 198 ### 199 ### These are things that Android apps should NEVER be able to do 200 ### 201 202 # Superuser capabilities. 203 # bluetooth requires net_admin and wake_alarm. 204 neverallow { appdomain -bluetooth } self:capability *; 205 neverallow { appdomain -bluetooth } self:capability2 *; 206 207 # Block device access. 208 neverallow appdomain dev_type:blk_file { read write }; 209 210 # Access to any of the following character devices. 211 neverallow appdomain { 212 audio_device 213 camera_device 214 dm_device 215 radio_device 216 gps_device 217 rpmsg_device 218 }:chr_file { read write }; 219 220 # Note: Try expanding list of app domains in the future. 221 neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write }; 222 223 neverallow { appdomain -nfc } nfc_device:chr_file 224 { read write }; 225 neverallow { appdomain -bluetooth } hci_attach_dev:chr_file 226 { read write }; 227 neverallow appdomain tee_device:chr_file { read write }; 228 229 # Privileged netlink socket interfaces. 230 neverallow appdomain 231 self:{ 232 netlink_socket 233 netlink_firewall_socket 234 netlink_tcpdiag_socket 235 netlink_nflog_socket 236 netlink_xfrm_socket 237 netlink_audit_socket 238 netlink_ip6fw_socket 239 netlink_dnrt_socket 240 } *; 241 242 # These messages are broadcast messages from the kernel to userspace. 243 # Do not allow the writing of netlink messages, which has been a source 244 # of rooting vulns in the past. 245 neverallow appdomain self:netlink_kobject_uevent_socket { write append }; 246 247 # Sockets under /dev/socket that are not specifically typed. 248 neverallow appdomain socket_device:sock_file write; 249 250 # Unix domain sockets. 251 neverallow appdomain adbd_socket:sock_file write; 252 neverallow appdomain installd_socket:sock_file write; 253 neverallow { appdomain -bluetooth -radio -shell -system_app -nfc } 254 property_socket:sock_file write; 255 neverallow { appdomain -radio } rild_socket:sock_file write; 256 neverallow appdomain vold_socket:sock_file write; 257 neverallow appdomain zygote_socket:sock_file write; 258 259 # ptrace access to non-app domains. 260 neverallow appdomain { domain -appdomain }:process ptrace; 261 262 # Write access to /proc/pid entries for any non-app domain. 263 neverallow appdomain { domain -appdomain }:file write; 264 265 # signal access to non-app domains. 266 # sigchld allowed for parent death notification. 267 # signull allowed for kill(pid, 0) existence test. 268 # All others prohibited. 269 neverallow appdomain { domain -appdomain }:process 270 { sigkill sigstop signal }; 271 272 # Transition to a non-app domain. 273 # Exception for the shell domain, can transition to runas, etc. 274 neverallow { appdomain -shell } { domain -appdomain }:process 275 { transition dyntransition }; 276 277 # Write to rootfs. 278 neverallow appdomain rootfs:dir_file_class_set 279 { create write setattr relabelfrom relabelto append unlink link rename }; 280 281 # Write to /system. 282 neverallow appdomain system_file:dir_file_class_set 283 { create write setattr relabelfrom relabelto append unlink link rename }; 284 285 # Write to entrypoint executables. 286 neverallow appdomain exec_type:file 287 { create write setattr relabelfrom relabelto append unlink link rename }; 288 289 # Write to system-owned parts of /data. 290 # This is the default type for anything under /data not otherwise 291 # specified in file_contexts. Define a different type for portions 292 # that should be writable by apps. 293 # Exception for system_app for Settings. 294 neverallow { appdomain -system_app } 295 system_data_file:dir_file_class_set 296 { create write setattr relabelfrom relabelto append unlink link rename }; 297 298 # Write to various other parts of /data. 299 neverallow appdomain drm_data_file:dir_file_class_set 300 { create write setattr relabelfrom relabelto append unlink link rename }; 301 neverallow { appdomain -system_app } 302 gps_data_file:dir_file_class_set 303 { create write setattr relabelfrom relabelto append unlink link rename }; 304 neverallow { appdomain -platform_app } 305 apk_data_file:dir_file_class_set 306 { create write setattr relabelfrom relabelto append unlink link rename }; 307 neverallow { appdomain -platform_app } 308 apk_tmp_file:dir_file_class_set 309 { create write setattr relabelfrom relabelto append unlink link rename }; 310 neverallow { appdomain -platform_app } 311 apk_private_data_file:dir_file_class_set 312 { create write setattr relabelfrom relabelto append unlink link rename }; 313 neverallow { appdomain -platform_app } 314 apk_private_tmp_file:dir_file_class_set 315 { create write setattr relabelfrom relabelto append unlink link rename }; 316 neverallow { appdomain -shell } 317 shell_data_file:dir_file_class_set 318 { create setattr relabelfrom relabelto append unlink link rename }; 319 neverallow { appdomain -bluetooth } 320 bluetooth_data_file:dir_file_class_set 321 { create write setattr relabelfrom relabelto append unlink link rename }; 322 neverallow appdomain 323 keystore_data_file:dir_file_class_set 324 { create write setattr relabelfrom relabelto append unlink link rename }; 325 neverallow appdomain 326 systemkeys_data_file:dir_file_class_set 327 { create write setattr relabelfrom relabelto append unlink link rename }; 328 neverallow appdomain 329 wifi_data_file:dir_file_class_set 330 { create write setattr relabelfrom relabelto append unlink link rename }; 331 neverallow appdomain 332 dhcp_data_file:dir_file_class_set 333 { create write setattr relabelfrom relabelto append unlink link rename }; 334 335 # Access to factory files. 336 neverallow appdomain efs_file:dir_file_class_set write; 337 neverallow { appdomain -shell } efs_file:dir_file_class_set read; 338 339 # Write to various pseudo file systems. 340 neverallow { appdomain -bluetooth -nfc } 341 sysfs:dir_file_class_set write; 342 neverallow appdomain 343 proc:dir_file_class_set write; 344 345 # Access to syslog(2) or /proc/kmsg. 346 neverallow { appdomain -system_app } 347 kernel:system { syslog_mod syslog_console }; 348 neverallow { appdomain -system_app -shell } 349 kernel:system syslog_read; 350 351 # Ability to perform any filesystem operation other than statfs(2). 352 # i.e. no mount(2), unmount(2), etc. 353 neverallow appdomain fs_type:filesystem ~getattr; 354 355 # Ability to set system properties. 356 neverallow { appdomain -system_app -radio -shell -bluetooth -nfc } 357 property_type:property_service set; 358