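###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced-permissions sandbox allowing
### ephemeral applications to be safely installed and run. Non-ephemeral
### applications may also opt in to ephemeral to take advantage of the
### additional security features.
###
### PackageManager flags an app as ephemeral at install time.
###
### Layout: the allow rules below grant what the sandbox needs; the
### neverallow rules at the end are build-time assertions that no other
### policy file may widen the sandbox past those limits.
###

typeattribute ephemeral_app coredomain;

net_domain(ephemeral_app)
app_domain(ephemeral_app)

# Allow ephemeral apps to read/write files in visible storage, but only through
# file descriptors handed to them by another process: open, create and dir
# search on these types are neverallowed further down, so the app cannot reach
# such files by path on its own.
allow ephemeral_app { sdcard_type media_rw_data_file }:file { read write getattr ioctl lock append };

# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute. 'execute' is what mapping a
# file with PROT_EXEC (e.g. dlopen of a bundled .so) needs; running such a
# file as a new program image in this domain (execute_no_trans) remains
# neverallowed below.
allow ephemeral_app app_data_file:file { r_file_perms execute };

# Binder services the sandbox may look up via servicemanager. Only 'find' is
# granted here; nothing else about these services is stated in this file.
allow ephemeral_app {
    audioserver_service
    cameraserver_service
    mediaserver_service
    mediaextractor_service
    mediacodec_service
    mediametrics_service
    mediadrmserver_service
    drmserver_service
    radio_service
    ephemeral_app_api_service
}:service_manager find;

# Write app-specific trace data to the Perfetto traced daemon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow ephemeral_app traced:fd use;
allow ephemeral_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(ephemeral_app, traced_producer, traced)

# Allow ephemeral apps to use UDP sockets handed to them by system_server:
# connect, send/receive, and get/set socket options. The set deliberately
# omits create, bind, listen, accept and shutdown.
# NOTE(review): an earlier comment described this as "not modify them other
# than to connect", which setopt contradicts -- confirm setopt is intended.
allow ephemeral_app system_server:udp_socket {
    connect getattr read recvfrom sendto write getopt setopt
};

###
### neverallow rules
###
### These are checked when the full policy is compiled: an allow rule
### anywhere that grants what a neverallow forbids fails the build.
###

# Bundled native code may be mapped executable (see the app_data_file allow
# above) but never run as a program image without a domain transition.
neverallow ephemeral_app app_data_file:file execute_no_trans;

# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages.
neverallow ephemeral_app domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow ephemeral_app debugfs:file read;

# Execute gpu_device.
neverallow ephemeral_app gpu_device:chr_file execute;

# Access files in /sys with the default sysfs label.
neverallow ephemeral_app sysfs:file *;

# Avoid reads from generically labeled /proc files.
# Create a more specific label if needed.
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };

# Directly access external storage. Together with the sdcard_type /
# media_rw_data_file allow above this means: use an fd you were given,
# but never obtain one yourself.
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file { open create };
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;

# Avoid reads from proc_net; it contains too much device-wide information about
# ongoing connections.
# NOTE(review): the intent is to block reads, so confirm that no_rw_file_perms
# (as defined in global_macros) actually covers read/open here.
neverallow ephemeral_app proc_net:file no_rw_file_perms;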