Home | History | Annotate | Download | only in sepolicy 
      1 ###
      2 ### A domain for further sandboxing privileged apps.
      3 ###
      4 type priv_app, domain, domain_deprecated;
      5 app_domain(priv_app)
      6 # Access the network.
      7 net_domain(priv_app)
      8 # Access bluetooth.
      9 bluetooth_domain(priv_app)
     10 
     11 # webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
     12 allow priv_app self:process ptrace;
     13 
     14 # Some apps ship with shared libraries and binaries that they write out
     15 # to their sandbox directory and then execute.
     16 allow priv_app app_data_file:file rx_file_perms;
     17 
     18 # android.process.media uses /dev/mtp_usb
     19 allow priv_app mtp_device:chr_file rw_file_perms;
     20 
     21 # Allow the allocation and use of ptys
     22 # Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
     23 create_pty(priv_app)
     24 
     25 allow priv_app audioserver_service:service_manager find;
     26 allow priv_app cameraserver_service:service_manager find;
     27 allow priv_app drmserver_service:service_manager find;
     28 allow priv_app mediacodec_service:service_manager find;
     29 allow priv_app mediadrmserver_service:service_manager find;
     30 allow priv_app mediaextractor_service:service_manager find;
     31 allow priv_app mediaserver_service:service_manager find;
     32 allow priv_app nfc_service:service_manager find;
     33 allow priv_app radio_service:service_manager find;
     34 allow priv_app surfaceflinger_service:service_manager find;
     35 allow priv_app app_api_service:service_manager find;
     36 allow priv_app system_api_service:service_manager find;
     37 allow priv_app persistent_data_block_service:service_manager find;
     38 allow priv_app recovery_service:service_manager find;
     39 
     40 # Traverse into /mnt/media_rw for bypassing FUSE daemon
     41 # TODO: narrow this to just MediaProvider
     42 allow priv_app mnt_media_rw_file:dir search;
     43 
     44 # Write to /cache.
     45 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
     46 allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
     47 
     48 # Write to /data/ota_package for OTA packages.
     49 allow priv_app ota_package_file:dir rw_dir_perms;
     50 allow priv_app ota_package_file:file create_file_perms;
     51 
     52 # Access to /data/media.
     53 allow priv_app media_rw_data_file:dir create_dir_perms;
     54 allow priv_app media_rw_data_file:file create_file_perms;
     55 
     56 # Used by Finsky / Android "Verify Apps" functionality when
     57 # running "adb install foo.apk".
     58 allow priv_app shell_data_file:file r_file_perms;
     59 allow priv_app shell_data_file:dir r_dir_perms;
     60 
     61 # Allow verifier to access staged apks.
     62 allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
     63 allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
     64 
     65 # b/18504118: Allow reads from /data/anr/traces.txt
     66 allow priv_app anr_data_file:file r_file_perms;
     67 
     68 # Allow GMS core to access perfprofd output, which is stored
     69 # in /data/misc/perfprofd/. GMS core will need to list all
     70 # data stored in that directory to process them one by one.
     71 userdebug_or_eng(`
     72   allow priv_app perfprofd_data_file:file r_file_perms;
     73   allow priv_app perfprofd_data_file:dir r_dir_perms;
     74 ')
     75 
     76 # Allow GMS core to scan executables on the system partition
     77 allow priv_app exec_type:file { getattr read open };
     78 
     79 # For AppFuse.
     80 allow priv_app vold:fd use;
     81 allow priv_app fuse_device:chr_file { read write };
     82 allow priv_app app_fuse_file:dir rw_dir_perms;
     83 allow priv_app app_fuse_file:file rw_file_perms;
     84 
     85 # /sys access
     86 allow priv_app sysfs_zram:dir search;
     87 allow priv_app sysfs_zram:file r_file_perms;
     88 
     89 # access the mac address
     90 allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
     91 
     92 # Allow GMS core to communicate with update_engine for A/B update.
     93 binder_call(priv_app, update_engine)
     94 allow priv_app update_engine_service:service_manager find;
     95 
     96 # Allow Phone to read/write cached ringtones (opened by system).
     97 allow priv_app ringtone_file:file { getattr read write };
     98 
     99 # Access to /data/preloads
    100 allow priv_app preloads_data_file:file r_file_perms;
    101 allow priv_app preloads_data_file:dir r_dir_perms;
    102 
    103 ###
    104 ### neverallow rules
    105 ###
    106 
    107 # Receive or send uevent messages.
    108 neverallow priv_app domain:netlink_kobject_uevent_socket *;
    109 
    110 # Receive or send generic netlink messages
    111 neverallow priv_app domain:netlink_socket *;
    112 
    113 # Too much leaky information in debugfs. It's a security
    114 # best practice to ensure these files aren't readable.
    115 neverallow priv_app debugfs:file read;
    116 
    117 # Do not allow privileged apps to register services.
    118 # Only trusted components of Android should be registering
    119 # services.
    120 neverallow priv_app service_manager_type:service_manager add;
    121 
    122 # Do not allow privileged apps to connect to the property service
    123 # or set properties. b/10243159
    124 neverallow priv_app property_socket:sock_file write;
    125 neverallow priv_app init:unix_stream_socket connectto;
    126 neverallow priv_app property_type:property_service set;
    127 
    128 # Do not allow priv_app to be assigned mlstrustedsubject.
    129 # This would undermine the per-user isolation model being
    130 # enforced via levelFrom=user in seapp_contexts and the mls
    131 # constraints.  As there is no direct way to specify a neverallow
    132 # on attribute assignment, this relies on the fact that fork
    133 # permission only makes sense within a domain (hence should
    134 # never be granted to any other domain within mlstrustedsubject)
    135 # and priv_app is allowed fork permission to itself.
    136 neverallow priv_app mlstrustedsubject:process fork;
    137 
    138 # Do not allow priv_app to hard link to any files.
    139 # In particular, if priv_app links to other app data
    140 # files, installd will not be able to guarantee the deletion
    141 # of the linked to file. Hard links also contribute to security
    142 # bugs, so we want to ensure priv_app never has this
    143 # capability.
    144 neverallow priv_app file_type:file link;
    145