###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Every allow rule below is reachable from every app domain (including
### isolated_app and untrusted_app) unless the rule explicitly subtracts
### a domain, e.g. { appdomain -isolated_app }. Keep this file minimal;
### anything that only some apps need belongs in the per-domain files.
###

# WebView and other application-specific JIT compilers.
# execmem lets a process map anonymous memory that is both writable and
# executable; it is deliberately granted only to self, not to files.
allow appdomain self:process execmem;

# Execute from ashmem regions (also used by JITs).
allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Place process into foreground / background
allow appdomain cgroup:dir { search write };
allow appdomain cgroup:file rw_file_perms;

# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;

# Read the /sdcard and /mnt/sdcard symlinks
allow appdomain rootfs:lnk_file r_file_perms;
allow appdomain tmpfs:lnk_file r_file_perms;

# Search /storage/emulated tmpfs mount.
allow appdomain tmpfs:dir r_dir_perms;

# Debug-build-only rules: the block is dropped entirely on user builds.
userdebug_or_eng(`
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;

# Allow apps to create and write method traces in /data/misc/trace.
allow appdomain method_trace_data_file:dir w_dir_perms;
allow appdomain method_trace_data_file:file { create w_file_perms };
')

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
# Note: no connectto/create here; the objects are handed over by system_server.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
# isolated_app is excluded: isolated processes get no private data directory.
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;

# lib subdirectory of /data/data dir is system-owned.
# execmod permits executing a file mapping after it has been modified
# (text relocations); presumably needed by some native libraries -- verify
# before widening this further.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };

# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;

# Keychain and user-trusted credentials (read-only).
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;

# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
allow appdomain toolbox_exec:file rx_file_perms;

# Renderscript needs the ability to read directories on /system
r_dir_file(appdomain, system_file)

# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;

# Read/write wallpaper file (opened by system).
# No open permission: the fd is passed in, so apps cannot open the file themselves.
allow appdomain wallpaper_file:file { getattr read write };

# Read/write cached ringtones (opened by system).
allow appdomain ringtone_file:file { getattr read write };

# Read ShortcutManager icon files (opened by system).
allow appdomain shortcut_manager_icons:file { getattr read };

# Read icon file (opened by system).
allow appdomain icon_file:file { getattr read };

# Write to /data/anr/traces.txt.
# open+append only: an app can add its own trace but cannot read or
# truncate what other processes wrote.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
# The shell_data_file write below is why the shell_data_file neverallow in
# the "Neverallow rules" section deliberately omits the write permission.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };

# Write profiles /data/misc/profiles
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
# Profiles for foreign dex files are just markers and only need create permissions.
allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
allow appdomain user_profile_foreign_dex_data_file:file create;
# There is no way to create user_profile_foreign_dex_data_file without
# generating open/read denials. These permissions should not be granted and the
# denial is harmless. dontaudit to suppress the denial.
# dontaudit only silences the audit log entry; it grants nothing, so the
# rw_file_perms neverallow at the end of this file is not violated.
dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };

# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only.
userdebug_or_eng(`
allow appdomain heapdump_data_file:file append;
')

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
# isolated_app is excluded: it does not render UI and the GPU driver
# surface is large.
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow appdomain radio_data_file:file { read write getattr };

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow appdomain storage_file:dir r_dir_perms;
allow appdomain storage_file:lnk_file r_file_perms;
allow appdomain mnt_user_file:dir r_dir_perms;
allow appdomain mnt_user_file:lnk_file r_file_perms;

# Read/write visible storage
allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms;
allow appdomain sdcardfs:dir create_dir_perms;
allow appdomain sdcardfs:file create_file_perms;

# Access OBBs (vfat images) mounted by vold (b/17633509)
# File write access allowed for FDs returned through Storage Access Framework
allow appdomain vfat:dir r_dir_perms;
allow appdomain vfat:file rw_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# No open permission here for the same reason.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;

# Allow apps to read/execute installed binaries
# execmod: native libraries inside APKs may carry text relocations.
allow appdomain apk_data_file:dir r_dir_perms;
allow appdomain apk_data_file:file { rx_file_perms execmod };

# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;

# logd access
read_logd(appdomain)
control_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

# Keystore access. isolated_app gets no keys at all.
allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };

use_keystore({ appdomain -isolated_app })

allow appdomain console_device:chr_file { read write };

# only allow unprivileged socket ioctl commands
# allowxperm narrows the socket ioctl permission to the listed command
# sets; once an allowxperm rule exists, any ioctl outside the set is denied
# even though the base ioctl permission is granted. bluetooth is excluded
# from this restriction.
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
    ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

# ION shared memory allocator; excluded for isolated_app like the GPU above.
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;

# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write };

###
### CTS-specific rules
###

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)

# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device.
# Hence no open permission below: the fd must come from the framework.
allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

allow appdomain cache_file:dir getattr;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### A neverallow is a compile-time assertion over the whole policy: it
### does not remove access by itself, it makes the build fail if any
### policy file (including device-specific ones) grants the access.
###

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
neverallow { appdomain -bluetooth } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;

# Block device access.
neverallow appdomain dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow appdomain {
    audio_device
    camera_device
    dm_device
    gps_device
    radio_device
    rpmsg_device
    video_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Only these three domains are asserted; other app domains are not covered
# by this rule.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };

neverallow { appdomain -nfc } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
    { read write };
neverallow appdomain tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
# '*' denies every permission on these classes against any domain.
neverallow appdomain
    domain:{
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
    } *;

# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };

# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;

# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow appdomain installd_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
neverallow appdomain vold_socket:sock_file write;
neverallow appdomain zygote_socket:sock_file write;

# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow appdomain { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow appdomain { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain and the su domain, can transition to runas,
# etc.
# The -su exception only exists on userdebug/eng builds; on user builds the
# macro expands to nothing and only shell is exempt.
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
    { transition dyntransition };

# Write to rootfs.
neverallow appdomain rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow appdomain system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow appdomain exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
neverallow appdomain system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -system_app }
    gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# write is intentionally absent from this set: shell_data_file:file write
# is granted to appdomain above so apps can hand dump data to dumpstate.
neverallow { appdomain -shell }
    shell_data_file:dir_file_class_set
    { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# access tmp apk files
# '*' here asserts no permission at all on these types for ordinary apps.
neverallow { appdomain -platform_app -priv_app }
    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;

# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
neverallow { appdomain -shell } efs_file:dir_file_class_set read;

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;
neverallow appdomain
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app }
    kernel:system { syslog_mod syslog_console };
neverallow { appdomain -system_app -shell }
    kernel:system syslog_read;

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
# ~getattr = every permission in the filesystem class except getattr.
neverallow appdomain fs_type:filesystem ~getattr;

# prevent creation/manipulation of globally readable symlinks
neverallow appdomain {
    apk_data_file
    cache_file
    cache_recovery_file
    dev_type
    rootfs
    system_file
    security_file
    tmpfs
}:lnk_file no_w_file_perms;

# Blacklist app domains not allowed to execute from /data
# Note this lists specific domains rather than appdomain: untrusted_app and
# others are not covered by this assertion.
neverallow {
    bluetooth
    isolated_app
    nfc
    radio
    shared_relro
    system_app
} {
    data_file_type
    -dalvikcache_data_file
    -system_data_file # shared libs in apks
    -apk_data_file
}:file no_x_file_perms;

# Foreign dex profiles are just markers. Prevent apps from doing anything but
# touching them. Together with the create-only allow above this means apps
# can create the marker but never open, read or write it.
neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };