###
### A domain for further sandboxing privileged apps.
###
### The allow rules below extend what app_domain(priv_app) already grants.
### The neverallow section at the end is checked when the policy is built;
### it constrains what this file (and any vendor extension) may allow, and
### produces no runtime denials of its own.
###

typeattribute priv_app coredomain;
app_domain(priv_app)

# Access the network.
net_domain(priv_app)
# Access bluetooth.
bluetooth_domain(priv_app)

# Allow the allocation and use of ptys
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)

# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
# Scoped to self only; no ptrace of other domains is granted here.
allow priv_app self:process ptrace;

# Some apps ship with shared libraries that they write out
# to their sandbox directory and then dlopen().
# NOTE(review): this lets a priv_app execute code it wrote itself, i.e. it
# relaxes write-xor-execute for this domain's private app data. Keep it in
# mind when reviewing any other rule that widens app_data_file access.
allow priv_app app_data_file:file execute;

# Binder services priv_app may look up through servicemanager. Only `find`
# is granted; registering services (`add`) is forbidden by a neverallow below.
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediacodec_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediametrics_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
allow priv_app network_watchlist_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app oem_lock_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
allow priv_app system_api_service:service_manager find;

# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow priv_app cache_file:lnk_file r_file_perms;

# Write to /data/ota_package for OTA packages.
allow priv_app ota_package_file:dir rw_dir_perms;
allow priv_app ota_package_file:file create_file_perms;

# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# Read-only: the shell user's data is never writable from here.
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;

# Allow traceur to pass file descriptors through a content provider to betterbug
# Deliberately excludes `open`: the descriptor must be handed over by traceur
# (see the trace_data_file neverallow at the end of this file).
allow priv_app trace_data_file:file { getattr read };

# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;

# b/18504118: Allow reads from /data/anr/traces.txt
allow priv_app anr_data_file:file r_file_perms;

# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
# Compiled into userdebug and eng builds only; absent from user builds.
userdebug_or_eng(`
  allow priv_app perfprofd_data_file:file r_file_perms;
  allow priv_app perfprofd_data_file:dir r_dir_perms;
')

# For AppFuse.
# priv_app uses descriptors handed to it by vold; it does not open them itself.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };

# /proc access
# Only proc_vmstat is readable; the other proc types further down are
# dontaudit'ed, not allowed.
allow priv_app {
  proc_vmstat
}:file r_file_perms;

# Directory search across all sysfs-labelled types; file reads are limited
# to the two specific types below.
allow priv_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(priv_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(priv_app, sysfs_zram)

# Read access to the root filesystem.
r_dir_file(priv_app, rootfs)

# Allow GMS core to open kernel config for OTA matching through libvintf
allow priv_app config_gz:file { open read getattr };

# access the mac address
# Extended-permission rule: ioctl on priv_app's own UDP sockets is narrowed
# to this single command rather than the whole ioctl space.
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;

# Allow GMS core to communicate with update_engine for A/B update.
binder_call(priv_app, update_engine)
allow priv_app update_engine_service:service_manager find;

# Allow GMS core to communicate with dumpsys storaged.
binder_call(priv_app, storaged)
allow priv_app storaged_service:service_manager find;

# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow priv_app system_update_service:service_manager find;

# Allow GMS core to communicate with statsd.
binder_call(priv_app, statsd)

# Allow Phone to read/write cached ringtones (opened by system).
# No `open` here either: system_server hands over the descriptor.
allow priv_app ringtone_file:file { getattr read write };

# Access to /data/preloads
allow priv_app preloads_data_file:file r_file_perms;
allow priv_app preloads_data_file:dir r_dir_perms;
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;

# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
allow priv_app keystore:keystore_key gen_unique_id;

# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
# NOTE(review): the selinuxfs type labels more than just policyvers, so this
# is read access to every selinuxfs-labelled file — confirm that is intended.
allow priv_app selinuxfs:file r_file_perms;

read_runtime_log_tags(priv_app)

# Write app-specific trace data to the Perfetto traced daemon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow priv_app traced:fd use;
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)

# suppress denials for non-API accesses.
# dontaudit only silences the avc log for these accesses; it grants nothing.
# Anything listed here is still denied at runtime.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
dontaudit priv_app fs_bpf:dir search;
dontaudit priv_app net_dns_prop:file read;
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
dontaudit priv_app proc_stat:file read;
dontaudit priv_app proc_version:file read;
dontaudit priv_app sysfs:dir read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app wifi_prop:file read;
# NOTE(review): the wifi_prop rule directly above is subsumed by this one
# and can be dropped.
dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;

# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
# NOTE(review): `setopt` is in the set even though the comment says the
# sockets must not be modified beyond connect — confirm this is intended.
allow priv_app system_server:udp_socket {
        connect getattr read recvfrom sendto write getopt setopt };

###
### neverallow rules
###
### Each rule below is an assertion evaluated when the policy is compiled:
### an allow rule anywhere (including vendor policy) that contradicts one of
### them fails the build. They generate no runtime denials by themselves.
###

# Receive or send uevent messages.
neverallow priv_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs:file read;

# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
# services.
# The allow rules above grant `find` only; this forbids `add` against
# every service type.
neverallow priv_app service_manager_type:service_manager add;

# Do not allow privileged apps to connect to the property service
# or set properties. b/10243159
neverallow priv_app property_socket:sock_file write;
neverallow priv_app init:unix_stream_socket connectto;
neverallow priv_app property_type:property_service set;

# Do not allow priv_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints.  As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and priv_app is allowed fork permission to itself.
neverallow priv_app mlstrustedsubject:process fork;

# Do not allow priv_app to hard link to any files.
# In particular, if priv_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;

# priv apps should not be able to open trace data files, they should depend
# upon traceur to pass a file descriptor which they can then read
# Pairs with the `allow priv_app trace_data_file:file { getattr read }` rule
# above: the allow deliberately omits `open`, and this makes that permanent.
neverallow priv_app trace_data_file:dir *;
neverallow priv_app trace_data_file:file { no_w_file_perms open };
    207