      1 ###
      2 ### Ephemeral apps.
      3 ###
      4 ### This file defines the security policy for apps with the ephemeral
      5 ### feature.
      6 ###
      7 ### The ephemeral_app domain is a reduced permissions sandbox allowing
      8 ### ephemeral applications to be safely installed and run. Non-ephemeral
      9 ### applications may also opt-in to ephemeral to take advantage of the
     10 ### additional security features.
     11 ###
     12 ### PackageManager flags an app as ephemeral at install time.
     13 
     14 typeattribute ephemeral_app coredomain;
     15 
     16 net_domain(ephemeral_app)
     17 app_domain(ephemeral_app)
     18 
     19 # Allow ephemeral apps to read/write files in visible storage only through fds
        # handed to them; opening or creating such files is neverallowed further down.
     20 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
     21 
     22 # Some apps ship with shared libraries and binaries that they write out
     23 # to their sandbox directory and then execute. Only execute is granted here;
        # execute_no_trans is neverallowed below, so such a binary can be mapped or
        # loaded but not run directly as a process in this domain.
     24 allow ephemeral_app app_data_file:file {r_file_perms execute};
     25 
     26 # services
     27 allow ephemeral_app audioserver_service:service_manager find;
     28 allow ephemeral_app cameraserver_service:service_manager find;
     29 allow ephemeral_app mediaserver_service:service_manager find;
     30 allow ephemeral_app mediaextractor_service:service_manager find;
     31 allow ephemeral_app mediacodec_service:service_manager find;
     32 allow ephemeral_app mediametrics_service:service_manager find;
     33 allow ephemeral_app mediadrmserver_service:service_manager find;
     34 allow ephemeral_app drmserver_service:service_manager find;
     35 allow ephemeral_app radio_service:service_manager find;
     36 allow ephemeral_app ephemeral_app_api_service:service_manager find;
     37 
     38 # Write app-specific trace data to the Perfetto traced daemon. This requires
     39 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
     40 allow ephemeral_app traced:fd use;
     41 allow ephemeral_app traced_tmpfs:file { read write getattr map };
     42 unix_socket_connect(ephemeral_app, traced_producer, traced)
     43 
     44 # allow ephemeral apps to use UDP sockets provided by the system server (connect,
     45 # send/receive, get/set socket options) but not bind, shut down or otherwise alter them
     46 allow ephemeral_app system_server:udp_socket {
     47         connect getattr read recvfrom sendto write getopt setopt };
     48 
     49 ###
     50 ### neverallow rules
     51 ###
     52 
     53 neverallow ephemeral_app app_data_file:file execute_no_trans;
     54 
     55 # Receive or send uevent messages.
     56 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
     57 
     58 # Receive or send generic netlink messages
     59 neverallow ephemeral_app domain:netlink_socket *;
     60 
     61 # Too much leaky information in debugfs. It's a security
     62 # best practice to ensure these files aren't readable.
     63 neverallow ephemeral_app debugfs:file read;
     64 
     65 # execute (map as executable) the gpu_device node
     66 neverallow ephemeral_app gpu_device:chr_file execute;
     67 
     68 # access files in /sys with the default sysfs label
     69 neverallow ephemeral_app sysfs:file *;
     70 
     71 # Avoid reads from generically labeled /proc files
     72 # Create a more specific label if needed
     73 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
     74 
     75 # Directly open/create files in, or search directories of, external storage
     76 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
     77 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
     78 
     79 # Avoid reads to proc_net, it contains too much device wide information about
     80 # ongoing connections.
     81 neverallow ephemeral_app proc_net:file no_rw_file_perms;
     82