1 ### 2 ### Domain for all zygote spawned apps 3 ### 4 ### This file is the base policy for all zygote spawned apps. 5 ### Other policy files, such as isolated_app.te, untrusted_app.te, etc 6 ### extend from this policy. Only policies which should apply to ALL 7 ### zygote spawned apps should be added here. 8 ### 9 10 # Dalvik Compiler JIT Mapping. 11 allow appdomain self:process execmem; 12 allow appdomain ashmem_device:chr_file execute; 13 14 # Receive and use open file descriptors inherited from zygote. 15 allow appdomain zygote:fd use; 16 17 # gdbserver for ndk-gdb reads the zygote. 18 # valgrind needs mmap exec for zygote 19 allow appdomain zygote_exec:file rx_file_perms; 20 21 # gdbserver for ndk-gdb ptrace attaches to app process. 22 allow appdomain self:process ptrace; 23 24 # Read system properties managed by zygote. 25 allow appdomain zygote_tmpfs:file read; 26 27 # Notify zygote of death; 28 allow appdomain zygote:process sigchld; 29 30 # Notify shell and adbd of death when spawned via runas for ndk-gdb. 31 allow appdomain shell:process sigchld; 32 allow appdomain adbd:process sigchld; 33 34 # child shell or gdbserver pty access for runas. 35 allow appdomain devpts:chr_file { getattr read write ioctl }; 36 37 # Use pipes and sockets provided by system_server via binder or local socket. 38 allow appdomain system_server:fifo_file rw_file_perms; 39 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown }; 40 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown }; 41 42 # Communication with other apps via fifos 43 allow appdomain appdomain:fifo_file rw_file_perms; 44 45 # Communicate with surfaceflinger. 46 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; 47 48 # App sandbox file accesses. 49 allow appdomain app_data_file:dir create_dir_perms; 50 allow appdomain app_data_file:notdevfile_class_set create_file_perms; 51 52 # lib subdirectory of /data/data dir is system-owned. 53 allow appdomain system_data_file:dir r_dir_perms; 54 allow appdomain system_data_file:file { execute execute_no_trans open execmod }; 55 56 # Keychain and user-trusted credentials 57 allow appdomain keychain_data_file:dir r_dir_perms; 58 allow appdomain keychain_data_file:file r_file_perms; 59 allow appdomain misc_user_data_file:dir r_dir_perms; 60 allow appdomain misc_user_data_file:file r_file_perms; 61 62 # Access to OEM provided data and apps 63 allow appdomain oemfs:dir r_dir_perms; 64 allow appdomain oemfs:file rx_file_perms; 65 66 # Execute the shell or other system executables. 67 allow appdomain shell_exec:file rx_file_perms; 68 allow appdomain system_file:file rx_file_perms; 69 70 # Execute dex2oat when apps call dexclassloader 71 allow appdomain dex2oat_exec:file rx_file_perms; 72 73 # Read/write wallpaper file (opened by system). 74 allow appdomain wallpaper_file:file { getattr read write }; 75 76 # Write to /data/anr/traces.txt. 77 allow appdomain anr_data_file:dir search; 78 allow appdomain anr_data_file:file { open append }; 79 80 # Allow apps to send dump information to dumpstate 81 allow appdomain dumpstate:fd use; 82 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown }; 83 allow appdomain shell_data_file:file { write getattr }; 84 85 # Write to /proc/net/xt_qtaguid/ctrl file. 86 allow appdomain qtaguid_proc:file rw_file_perms; 87 # Everybody can read the xt_qtaguid resource tracking misc dev. 88 # So allow all apps to read from /dev/xt_qtaguid. 89 allow appdomain qtaguid_device:chr_file r_file_perms; 90 91 # Grant GPU access to all processes started by Zygote. 92 # They need that to render the standard UI. 93 allow appdomain gpu_device:chr_file { rw_file_perms execute }; 94 95 # Use the Binder. 96 binder_use(appdomain) 97 # Perform binder IPC to binder services. 98 binder_call(appdomain, binderservicedomain) 99 # Perform binder IPC to other apps. 100 binder_call(appdomain, appdomain) 101 102 # Already connected, unnamed sockets being passed over some other IPC 103 # hence no sock_file or connectto permission. This appears to be how 104 # Chrome works, may need to be updated as more apps using isolated services 105 # are examined. 106 allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown }; 107 108 # Backup ability for every app. BMS opens and passes the fd 109 # to any app that has backup ability. Hence, no open permissions here. 110 allow appdomain backup_data_file:file { read write getattr }; 111 allow appdomain cache_backup_file:file { read write getattr }; 112 allow appdomain cache_backup_file:dir getattr; 113 # Backup ability using 'adb backup' 114 allow appdomain system_data_file:lnk_file getattr; 115 116 # Allow read/stat of /data/media files passed by Binder or local socket IPC. 117 allow appdomain media_rw_data_file:file { read getattr }; 118 119 # Read and write /data/data/com.android.providers.telephony files passed over Binder. 120 allow appdomain radio_data_file:file { read write getattr }; 121 122 # Read and write system app data files passed over Binder. 123 # Motivating case was /data/data/com.android.settings/cache/*.jpg for 124 # cropping or taking user photos. 125 allow untrusted_app system_app_data_file:file { read write getattr }; 126 127 # Access SDcard via the fuse mount. 128 allow appdomain fuse:dir create_dir_perms; 129 allow appdomain fuse:file create_file_perms; 130 131 # Access OBBs (vfat images) mounted by vold (b/17633509) 132 allow appdomain vfat:dir r_dir_perms; 133 allow appdomain vfat:file r_file_perms; 134 135 # Allow apps to use the USB Accessory interface. 136 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html 137 # 138 # USB devices are first opened by the system server (USBDeviceManagerService) 139 # and the file descriptor is passed to the right Activity via binder. 140 allow appdomain usb_device:chr_file { read write getattr ioctl }; 141 allow appdomain usbaccessory_device:chr_file { read write getattr }; 142 143 # For art. 144 allow appdomain dalvikcache_data_file:file execute; 145 allow appdomain dalvikcache_data_file:lnk_file r_file_perms; 146 147 # /data/dalvik-cache/profiles 148 allow appdomain dalvikcache_profiles_data_file:dir { search getattr }; 149 allow appdomain dalvikcache_profiles_data_file:file rw_file_perms; 150 151 # Allow any app to read shared RELRO files. 152 allow appdomain shared_relro_file:dir search; 153 allow appdomain shared_relro_file:file r_file_perms; 154 155 # Allow apps to read/execute installed binaries 156 allow appdomain apk_data_file:dir r_dir_perms; 157 allow appdomain apk_data_file:file { rx_file_perms execmod }; 158 159 # /data/resource-cache 160 allow appdomain resourcecache_data_file:file r_file_perms; 161 allow appdomain resourcecache_data_file:dir r_dir_perms; 162 163 ### 164 ### CTS-specific rules 165 ### 166 167 # For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java. 168 # Reads /proc/pid/status and statm entries to check that 169 # no unexpected root processes are running. 170 # Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java 171 # Reads /proc/pid/cmdline of vold. 172 allow appdomain domain:dir { open read search getattr }; 173 allow appdomain domain:{ file lnk_file } { open read getattr }; 174 175 # For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java. 176 # testRunAsHasCorrectCapabilities 177 allow appdomain runas_exec:file getattr; 178 # Others are either allowed elsewhere or not desired. 179 180 # For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java 181 # Check SELinux policy and contexts. 182 selinux_check_access(appdomain) 183 selinux_check_context(appdomain) 184 # Validate that each process is running in the correct security context. 185 allow appdomain domain:process getattr; 186 187 # logd access 188 read_logd(appdomain) 189 control_logd(appdomain) 190 # application inherit logd write socket (urge is to deprecate this long term) 191 allow appdomain zygote:unix_dgram_socket write; 192 193 allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify }; 194 195 use_keystore(appdomain) 196 197 ### 198 ### Neverallow rules 199 ### 200 ### These are things that Android apps should NEVER be able to do 201 ### 202 203 # Superuser capabilities. 204 # bluetooth requires net_admin and wake_alarm. 205 neverallow { appdomain -bluetooth } self:capability *; 206 neverallow { appdomain -bluetooth } self:capability2 *; 207 208 # Block device access. 209 neverallow appdomain dev_type:blk_file { read write }; 210 211 # Access to any of the following character devices. 212 neverallow appdomain { 213 audio_device 214 camera_device 215 dm_device 216 radio_device 217 gps_device 218 rpmsg_device 219 }:chr_file { read write }; 220 221 # Note: Try expanding list of app domains in the future. 222 neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write }; 223 224 neverallow { appdomain -nfc } nfc_device:chr_file 225 { read write }; 226 neverallow { appdomain -bluetooth } hci_attach_dev:chr_file 227 { read write }; 228 neverallow appdomain tee_device:chr_file { read write }; 229 230 # Privileged netlink socket interfaces. 231 neverallow appdomain 232 domain:{ 233 netlink_firewall_socket 234 netlink_tcpdiag_socket 235 netlink_nflog_socket 236 netlink_xfrm_socket 237 netlink_audit_socket 238 netlink_ip6fw_socket 239 netlink_dnrt_socket 240 } *; 241 242 # These messages are broadcast messages from the kernel to userspace. 243 # Do not allow the writing of netlink messages, which has been a source 244 # of rooting vulns in the past. 245 neverallow appdomain domain:netlink_kobject_uevent_socket { write append }; 246 247 # Sockets under /dev/socket that are not specifically typed. 248 neverallow appdomain socket_device:sock_file write; 249 250 # Unix domain sockets. 251 neverallow appdomain adbd_socket:sock_file write; 252 neverallow appdomain installd_socket:sock_file write; 253 neverallow { appdomain -bluetooth -radio -shell -system_app -nfc } 254 property_socket:sock_file write; 255 neverallow { appdomain -radio } rild_socket:sock_file write; 256 neverallow appdomain vold_socket:sock_file write; 257 neverallow appdomain zygote_socket:sock_file write; 258 259 # ptrace access to non-app domains. 260 neverallow appdomain { domain -appdomain }:process ptrace; 261 262 # Write access to /proc/pid entries for any non-app domain. 263 neverallow appdomain { domain -appdomain }:file write; 264 265 # signal access to non-app domains. 266 # sigchld allowed for parent death notification. 267 # signull allowed for kill(pid, 0) existence test. 268 # All others prohibited. 269 neverallow appdomain { domain -appdomain }:process 270 { sigkill sigstop signal }; 271 272 # Transition to a non-app domain. 273 # Exception for the shell domain, can transition to runas, etc. 274 neverallow { appdomain -shell } { domain -appdomain }:process 275 { transition dyntransition }; 276 277 # Write to rootfs. 278 neverallow appdomain rootfs:dir_file_class_set 279 { create write setattr relabelfrom relabelto append unlink link rename }; 280 281 # Write to /system. 282 neverallow appdomain system_file:dir_file_class_set 283 { create write setattr relabelfrom relabelto append unlink link rename }; 284 285 # Write to entrypoint executables. 286 neverallow appdomain exec_type:file 287 { create write setattr relabelfrom relabelto append unlink link rename }; 288 289 # Write to system-owned parts of /data. 290 # This is the default type for anything under /data not otherwise 291 # specified in file_contexts. Define a different type for portions 292 # that should be writable by apps. 293 # Exception for system_app for Settings. 294 neverallow { appdomain -system_app } 295 system_data_file:dir_file_class_set 296 { create write setattr relabelfrom relabelto append unlink link rename }; 297 298 # Write to various other parts of /data. 299 neverallow appdomain drm_data_file:dir_file_class_set 300 { create write setattr relabelfrom relabelto append unlink link rename }; 301 neverallow { appdomain -system_app } 302 gps_data_file:dir_file_class_set 303 { create write setattr relabelfrom relabelto append unlink link rename }; 304 neverallow { appdomain -platform_app } 305 apk_data_file:dir_file_class_set 306 { create write setattr relabelfrom relabelto append unlink link rename }; 307 neverallow { appdomain -platform_app } 308 apk_tmp_file:dir_file_class_set 309 { create write setattr relabelfrom relabelto append unlink link rename }; 310 neverallow { appdomain -platform_app } 311 apk_private_data_file:dir_file_class_set 312 { create write setattr relabelfrom relabelto append unlink link rename }; 313 neverallow { appdomain -platform_app } 314 apk_private_tmp_file:dir_file_class_set 315 { create write setattr relabelfrom relabelto append unlink link rename }; 316 neverallow { appdomain -shell } 317 shell_data_file:dir_file_class_set 318 { create setattr relabelfrom relabelto append unlink link rename }; 319 neverallow { appdomain -bluetooth } 320 bluetooth_data_file:dir_file_class_set 321 { create write setattr relabelfrom relabelto append unlink link rename }; 322 neverallow appdomain 323 keystore_data_file:dir_file_class_set 324 { create write setattr relabelfrom relabelto append unlink link rename }; 325 neverallow appdomain 326 systemkeys_data_file:dir_file_class_set 327 { create write setattr relabelfrom relabelto append unlink link rename }; 328 neverallow appdomain 329 wifi_data_file:dir_file_class_set 330 { create write setattr relabelfrom relabelto append unlink link rename }; 331 neverallow appdomain 332 dhcp_data_file:dir_file_class_set 333 { create write setattr relabelfrom relabelto append unlink link rename }; 334 335 # Access to factory files. 336 neverallow appdomain efs_file:dir_file_class_set write; 337 neverallow { appdomain -shell } efs_file:dir_file_class_set read; 338 339 # Write to various pseudo file systems. 340 neverallow { appdomain -bluetooth -nfc } 341 sysfs:dir_file_class_set write; 342 neverallow appdomain 343 proc:dir_file_class_set write; 344 345 # Access to syslog(2) or /proc/kmsg. 346 neverallow { appdomain -system_app } 347 kernel:system { syslog_mod syslog_console }; 348 neverallow { appdomain -system_app -shell } 349 kernel:system syslog_read; 350 351 # Ability to perform any filesystem operation other than statfs(2). 352 # i.e. no mount(2), unmount(2), etc. 353 neverallow appdomain fs_type:filesystem ~getattr; 354 355 # Ability to set system properties. 356 neverallow { appdomain -system_app -radio -shell -bluetooth -nfc } 357 property_type:property_service set; 358