Home | History | Annotate | Download | only in sepolicy
      1 ###
      2 ### Untrusted apps.
      3 ###
      4 ### This file defines the rules for untrusted apps.
      5 ### Apps are labeled based on mac_permissions.xml (maps signer and
      6 ### optionally package name to seinfo value) and seapp_contexts (maps UID
      7 ### and optionally seinfo value to domain for process and type for data
      8 ### directory).  The untrusted_app domain is the default assignment in
      9 ### seapp_contexts for any app with UID between APP_AID (10000)
     10 ### and AID_ISOLATED_START (99000) if the app has no specific seinfo
     11 ### value as determined from mac_permissions.xml.  In current AOSP, this
     12 ### domain is assigned to all non-system apps as well as to any system apps
     13 ### that are not signed by the platform key.  To move
     14 ### a system app into a specific domain, add a signer entry for it to
     15 ### mac_permissions.xml and assign it one of the pre-existing seinfo values
     16 ### or define and use a new seinfo value in both mac_permissions.xml and
     17 ### seapp_contexts.
     18 ###
     19 ### untrusted_app includes all the appdomain rules, plus the
     20 ### additional following rules:
     21 ###
     22 
     23 type untrusted_app, domain;
     24 app_domain(untrusted_app)
     25 net_domain(untrusted_app)
     26 bluetooth_domain(untrusted_app)
     27 
     28 # Some apps ship with shared libraries and binaries that they write out
     29 # to their sandbox directory and then execute.
     30 allow untrusted_app app_data_file:file { rx_file_perms execmod };
     31 
     32 allow untrusted_app tun_device:chr_file rw_file_perms;
     33 
     34 # ASEC
     35 allow untrusted_app asec_apk_file:dir { getattr };
     36 allow untrusted_app asec_apk_file:file r_file_perms;
     37 # Execute libs in asec containers.
     38 allow untrusted_app asec_public_file:file { execute execmod };
     39 
     40 # Allow the allocation and use of ptys
     41 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
     42 create_pty(untrusted_app)
     43 
     44 # Used by Finsky / Android "Verify Apps" functionality when
     45 # running "adb install foo.apk".
     46 # TODO: Long term, we don't want apps probing into shell data files.
     47 # Figure out a way to remove these rules.
     48 allow untrusted_app shell_data_file:file r_file_perms;
     49 allow untrusted_app shell_data_file:dir r_dir_perms;
     50 
     51 #
     52 # Rules migrated from old app domains coalesced into untrusted_app.
     53 # This includes what used to be media_app, shared_app, and release_app.
     54 #
     55 
     56 # Access /dev/mtp_usb.
     57 allow untrusted_app mtp_device:chr_file rw_file_perms;
     58 
     59 # Access to /data/media.
     60 allow untrusted_app media_rw_data_file:dir create_dir_perms;
     61 allow untrusted_app media_rw_data_file:file create_file_perms;
     62 
     63 # Write to /cache.
     64 allow untrusted_app cache_file:dir create_dir_perms;
     65 allow untrusted_app cache_file:file create_file_perms;
     66 
     67 ###
     68 ### neverallow rules
     69 ###
     70 
     71 # Receive or send uevent messages.
     72 neverallow untrusted_app self:netlink_kobject_uevent_socket *;
     73 
     74 # Too much leaky information in debugfs. It's a security
     75 # best practice to ensure these files aren't readable.
     76 neverallow untrusted_app debugfs:file read;
     77 
     78 # Do not allow untrusted apps to register services.
     79 # Only trusted components of Android should be registering
     80 # services.
     81 neverallow untrusted_app service_manager_type:service_manager add;
     82 
     83 # Do not allow untrusted_apps to connect to the property service
     84 # or set properties. b/10243159
     85 neverallow untrusted_app property_socket:sock_file write;
     86 neverallow untrusted_app init:unix_stream_socket connectto;
     87 neverallow untrusted_app property_type:property_service set;
     88 
     89 # Allow verifier to access staged apks.
     90 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
     91 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
     92