###
### A domain for further sandboxing privileged apps.
###
# priv_app is the domain for apps installed with privileged status. The
# allow rules below extend the baseline app_domain policy; the neverallow
# rules at the end of the file are compile-time assertions that fail the
# policy build if any rule (here or in a device overlay) would grant the
# listed permission.

typeattribute priv_app coredomain;
app_domain(priv_app)

# Access the network.
net_domain(priv_app)
# Access bluetooth.
bluetooth_domain(priv_app)

# Allow the allocation and use of ptys
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)

# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
# Scoped to self only; no ptrace of other domains is granted here.
allow priv_app self:process ptrace;

# Some apps ship with shared libraries that they write out
# to their sandbox directory and then dlopen().
# NOTE(review): this grants execute on app_data_file, a type the app can
# also write to, so W^X is not enforced for this domain's sandbox: an app
# in priv_app can load code it assembled at runtime.
allow priv_app app_data_file:file execute;

# Services priv_app may look up through servicemanager. `find` only
# permits discovery; the neverallow on `add` further down keeps priv_app
# from registering services of its own.
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediacodec_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediametrics_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
allow priv_app network_watchlist_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app oem_lock_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
allow priv_app system_api_service:service_manager find;

# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow priv_app cache_file:lnk_file r_file_perms;

# Write to /data/ota_package for OTA packages.
allow priv_app ota_package_file:dir rw_dir_perms;
allow priv_app ota_package_file:file create_file_perms;

# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;

# Allow traceur to pass file descriptors through a content provider to betterbug
# Deliberately excludes `open`: the fd must be handed over by traceur. The
# neverallow on trace_data_file at the end of this file enforces that.
allow priv_app trace_data_file:file { getattr read };

# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;

# b/18504118: Allow reads from /data/anr/traces.txt
allow priv_app anr_data_file:file r_file_perms;

# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
# Only compiled into userdebug/eng builds; absent from user builds.
userdebug_or_eng(`
allow priv_app perfprofd_data_file:file r_file_perms;
allow priv_app perfprofd_data_file:dir r_dir_perms;
')

# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };

# /proc access
allow priv_app {
    proc_vmstat
}:file r_file_perms;

allow priv_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(priv_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(priv_app, sysfs_zram)

# Read access to files and directories labelled rootfs.
r_dir_file(priv_app, rootfs)

# Allow GMS core to open kernel config for OTA matching through libvintf
allow priv_app config_gz:file { open read getattr };

# access the mac address
# allowxperm narrows the ioctl permission to this single request code.
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;

# Allow GMS core to communicate with update_engine for A/B update.
binder_call(priv_app, update_engine)
allow priv_app update_engine_service:service_manager find;

# Allow GMS core to communicate with dumpsys storaged.
binder_call(priv_app, storaged)
allow priv_app storaged_service:service_manager find;

# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow priv_app system_update_service:service_manager find;

# Allow GMS core to communicate with statsd.
binder_call(priv_app, statsd)

# Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write };

# Access to /data/preloads
allow priv_app preloads_data_file:file r_file_perms;
allow priv_app preloads_data_file:dir r_dir_perms;
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;

# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
allow priv_app keystore:keystore_key gen_unique_id;

# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow priv_app selinuxfs:file r_file_perms;

read_runtime_log_tags(priv_app)

# Write app-specific trace data to the Perfetto traced daemon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow priv_app traced:fd use;
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)

# suppress denials for non-API accesses.
# dontaudit only silences the audit log entry; the access is still denied.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
dontaudit priv_app fs_bpf:dir search;
dontaudit priv_app net_dns_prop:file read;
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
dontaudit priv_app proc_stat:file read;
dontaudit priv_app proc_version:file read;
dontaudit priv_app sysfs:dir read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app wifi_prop:file read;
# NOTE(review): the next line subsumes the preceding wifi_prop rule;
# harmless duplication, since dontaudit rules are unioned.
dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;

# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow priv_app system_server:udp_socket {
    connect getattr read recvfrom sendto write getopt setopt };

###
### neverallow rules
###
# These are build-time assertions, not runtime denials: the policy
# compiler rejects any allow rule (from any .te file) that conflicts.

# Receive or send uevent messages.
neverallow priv_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs:file read;

# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow priv_app service_manager_type:service_manager add;

# Do not allow privileged apps to connect to the property service
# or set properties. b/10243159
neverallow priv_app property_socket:sock_file write;
neverallow priv_app init:unix_stream_socket connectto;
neverallow priv_app property_type:property_service set;

# Do not allow priv_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and priv_app is allowed fork permission to itself.
neverallow priv_app mlstrustedsubject:process fork;

# Do not allow priv_app to hard link to any files.
# In particular, if priv_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;

# priv apps should not be able to open trace data files, they should depend
# upon traceur to pass a file descriptor which they can then read
# (the matching allow rule above grants only { getattr read }).
neverallow priv_app trace_data_file:dir *;
neverallow priv_app trace_data_file:file { no_w_file_perms open };