###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Reading guide (standard SELinux / m4 policy syntax as used in this file):
###   - `appdomain` is an attribute; a rule on it applies to every domain that
###     carries the attribute.
###   - `{ appdomain -isolated_app }` is set subtraction: every app domain
###     except isolated_app. The exclusions are deliberate; the more sandboxed
###     app types (isolated_app, ephemeral_app, untrusted_v2_app) are kept
###     out of rules they do not need.
###   - `userdebug_or_eng(...)`, `not_full_treble(...)` and
###     `full_treble_only(...)` are m4 macros that emit the enclosed rules
###     only for that build flavour; `r_dir_file`, `binder_call`, `pdx_client`
###     etc. expand to groups of allow rules.
###   - `neverallow` rules (bottom of the file) grant nothing; they are
###     build-time assertions that no rule anywhere in the final policy
###     permits the listed access.
###

# TODO: deal with tmpfs_domain pub/priv split properly
# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# WebView and other application-specific JIT compilers
# execmem permits anonymous memory that is both writable and executable,
# i.e. it relaxes W^X for every app domain; it is granted here because
# JIT code caches need it.
allow appdomain self:process execmem;

# Execute mappings of ashmem regions. No rationale recorded in the
# original; presumably also for JIT / code caches - confirm before relying
# on it.
allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Place process into foreground / background
allow appdomain cgroup:dir { search write };
allow appdomain cgroup:file rw_file_perms;

# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;

# Read the /sdcard and /mnt/sdcard symlinks
allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;

# Search /storage/emulated tmpfs mount.
allow appdomain tmpfs:dir r_dir_perms;

# Debug-build-only rules; none of these exist on user builds.
userdebug_or_eng(`
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;

# Allow apps to create and write method traces in /data/misc/trace.
allow appdomain method_trace_data_file:dir w_dir_perms;
allow appdomain method_trace_data_file:file { create w_file_perms };
')

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
# Note there is no connectto / open here: the fd must already have been
# handed to the app by system_server.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# Query whether a Surface supports wide color
allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;

# App sandbox file accesses.
# isolated_app is excluded: it gets no private data directory of its own.
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;

# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;

# Keychain and user-trusted credentials
r_dir_file(appdomain, keychain_data_file)
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;

# TextClassifier
r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)

# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

# Execute the shell or other system executables.
# Withheld from ephemeral and untrusted_v2 apps, which must not spawn
# system binaries.
allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')

# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
allow appdomain system_file:lnk_file { getattr open read };
# Renderscript specific permissions to open /system/vendor/lib64.
not_full_treble(`
allow appdomain vendor_file_type:dir r_dir_perms;
allow appdomain vendor_file_type:lnk_file { getattr open read };
')

full_treble_only(`
# For looking up Renderscript vendor drivers
allow { appdomain -isolated_app } vendor_file:dir { open read };
')

# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;

# Allow apps access to /vendor/overlay
r_dir_file(appdomain, vendor_overlay_file)

# Allow apps access to /vendor/framework
# for vendor provided libraries.
r_dir_file(appdomain, vendor_framework_file)

# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };

# Read/write cached ringtones (opened by system).
allow appdomain ringtone_file:file { getattr read write };

# Read ShortcutManager icon files (opened by system).
allow appdomain shortcut_manager_icons:file { getattr read };

# Read icon file (opened by system).
allow appdomain icon_file:file { getattr read };

# Write to /data/anr/traces.txt.
# append only: apps may add their own traces but not truncate or rewrite
# the file.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };

# Write profiles /data/misc/profiles
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;

# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only.
userdebug_or_eng(`
allow appdomain heapdump_data_file:file append;
')

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# read /proc/net/xt_qtaguid/stats
r_dir_file({ appdomain -ephemeral_app}, proc_net)
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)

# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
# as OMX HAL
hwbinder_use({ appdomain -isolated_app })
allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;

# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file r_file_perms;
allow appdomain system_data_file:file { getattr read };

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app } radio_data_file:file { read write getattr };

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;

# Read/write visible storage
allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;

# Access OBBs (vfat images) mounted by vold (b/17633509)
# File write access allowed for FDs returned through Storage Access Framework
allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;

# Allow apps to read/execute installed binaries
allow appdomain apk_data_file:dir r_dir_perms;
allow appdomain apk_data_file:file rx_file_perms;

# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;

# logd access
read_logd(appdomain)
# NOTE(review): untrusted_v2_app appears below without a leading '-',
# unlike every other exclusion in this file. If untrusted_v2_app already
# carries the appdomain attribute (the -untrusted_v2_app exclusions above
# suggest it does), the term is a no-op and a subtraction may have been
# intended - confirm against the author's intent.
control_logd({ appdomain -ephemeral_app untrusted_v2_app })
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

# Keystore operations; withheld from isolated and ephemeral apps.
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };

use_keystore({ appdomain -isolated_app -ephemeral_app })

# Console device read/write for all apps (no rationale recorded).
allow appdomain console_device:chr_file { read write };

# only allow unprivileged socket ioctl commands
# allowxperm narrows an ioctl permission granted elsewhere to the listed
# command sets; bluetooth is excluded from the narrowing, not from ioctl.
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
# TODO is write really necessary ?
# auditallow grants nothing: it only logs the listed accesses when they
# are otherwise permitted, to gather evidence for the TODO above.
auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };

# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
get_prop({ appdomain -isolated_app }, hwservicemanager_prop);

# Allow app access to mediacodec (IOMX HAL)
binder_call({ appdomain -isolated_app }, mediacodec)

# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app } hal_audio:fd use;

# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;

# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;

# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;

# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write };

# PDX (VR display / performance) client access.
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)

###
### CTS-specific rules
###

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)

# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
# (hence no open permission in the rule below).
allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

allow appdomain cache_file:dir getattr;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### A neverallow is an assertion, not a grant: if any allow rule in the
### final policy (including device-specific additions) would permit one of
### the accesses below, the policy build fails. Exclusions such as
### `{ appdomain -bluetooth }` carve out the domains that legitimately need
### the access; every new exclusion widens what the assertion lets through.
###

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
neverallow { appdomain -bluetooth } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;

# Block device access.
neverallow appdomain dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow appdomain {
  audio_device
  camera_device
  dm_device
  radio_device
  rpmsg_device
  video_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };

neverallow { appdomain -nfc } nfc_device:chr_file
  { read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
  { read write };
neverallow appdomain tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
neverallow appdomain
  domain:{
    netlink_tcpdiag_socket
    netlink_nflog_socket
    netlink_xfrm_socket
    netlink_audit_socket
    netlink_dnrt_socket
  } *;

# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };

# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;

# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
neverallow appdomain vold_socket:sock_file write;
neverallow appdomain zygote_socket:sock_file write;

# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow appdomain { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow appdomain { domain -appdomain }:process
  { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump.
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
  { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
  { dyntransition };

# Write to rootfs.
neverallow appdomain rootfs:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow appdomain system_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow appdomain exec_type:file
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
neverallow appdomain system_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_tmp_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_private_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_private_tmp_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
# shell_data_file deliberately omits `write` from the asserted set: the
# dumpstate rule above grants appdomain `write` on shell_data_file:file.
neverallow { appdomain -shell }
  shell_data_file:dir_file_class_set
  { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
  bluetooth_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  keystore_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  systemkeys_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  wifi_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  dhcp_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# access tmp apk files
neverallow { appdomain -platform_app -priv_app }
  { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;

# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
neverallow { appdomain -shell } efs_file:dir_file_class_set read;

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
  sysfs:dir_file_class_set write;
neverallow appdomain
  proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
# `~getattr` is the complement: every permission of the class except getattr.
neverallow appdomain fs_type:filesystem ~getattr;

# prevent creation/manipulation of globally readable symlinks
neverallow appdomain {
  apk_data_file
  cache_file
  cache_recovery_file
  dev_type
  rootfs
  system_file
  tmpfs
}:lnk_file no_w_file_perms;

# Blacklist app domains not allowed to execute from /data
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  system_app
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;

# Applications should use the activity model for receiving events
neverallow {
  appdomain
  -shell # bugreport
} input_device:chr_file ~getattr;

# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
  appdomain
  -bluetooth
  -system_app
} bluetooth_prop:file create_file_perms;