1### 2### A domain for further sandboxing privileged apps. 3### 4 5typeattribute priv_app coredomain; 6app_domain(priv_app) 7 8# Access the network. 9net_domain(priv_app) 10# Access bluetooth. 11bluetooth_domain(priv_app) 12 13# Allow the allocation and use of ptys 14# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm 15create_pty(priv_app) 16 17# Allow loading executable code from writable priv-app home 18# directories. This is a W^X violation, however, it needs 19# to be supported for now for the following reasons. 20# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367) 21# 1) com.android.opengl.shaders_cache 22# 2) com.android.skia.shaders_cache 23# 3) com.android.renderscript.cache 24# * /data/user_de/0/com.google.android.gms/app_chimera 25# TODO: Tighten (b/112357170) 26allow priv_app privapp_data_file:file execute; 27 28allow priv_app privapp_data_file:lnk_file create_file_perms; 29 30# Priv apps can find services that expose both @SystemAPI and normal APIs. 31allow priv_app app_api_service:service_manager find; 32allow priv_app system_api_service:service_manager find; 33 34allow priv_app audioserver_service:service_manager find; 35allow priv_app cameraserver_service:service_manager find; 36allow priv_app drmserver_service:service_manager find; 37allow priv_app mediadrmserver_service:service_manager find; 38allow priv_app mediaextractor_service:service_manager find; 39allow priv_app mediametrics_service:service_manager find; 40allow priv_app mediaserver_service:service_manager find; 41allow priv_app network_watchlist_service:service_manager find; 42allow priv_app nfc_service:service_manager find; 43allow priv_app oem_lock_service:service_manager find; 44allow priv_app persistent_data_block_service:service_manager find; 45allow priv_app radio_service:service_manager find; 46allow priv_app recovery_service:service_manager find; 47allow priv_app stats_service:service_manager find; 48 49# Allow privileged apps to interact with gpuservice 50binder_call(priv_app, gpuservice) 51allow priv_app gpu_service:service_manager find; 52 53# Write to /cache. 54allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms; 55allow priv_app { cache_file cache_recovery_file }:file create_file_perms; 56# /cache is a symlink to /data/cache on some devices. Allow reading the link. 57allow priv_app cache_file:lnk_file r_file_perms; 58 59# Access to /data/media. 60allow priv_app media_rw_data_file:dir create_dir_perms; 61allow priv_app media_rw_data_file:file create_file_perms; 62 63# Used by Finsky / Android "Verify Apps" functionality when 64# running "adb install foo.apk". 65allow priv_app shell_data_file:file r_file_perms; 66allow priv_app shell_data_file:dir r_dir_perms; 67 68# Allow traceur to pass file descriptors through a content provider to betterbug 69allow priv_app trace_data_file:file { getattr read }; 70 71# Allow verifier to access staged apks. 72allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; 73allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; 74 75# For AppFuse. 76allow priv_app vold:fd use; 77allow priv_app fuse_device:chr_file { read write }; 78 79# /proc access 80allow priv_app { 81 proc_vmstat 82}:file r_file_perms; 83 84allow priv_app sysfs_type:dir search; 85# Read access to /sys/class/net/wlan*/address 86r_dir_file(priv_app, sysfs_net) 87# Read access to /sys/block/zram*/mm_stat 88r_dir_file(priv_app, sysfs_zram) 89 90r_dir_file(priv_app, rootfs) 91 92# access the mac address 93allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR; 94 95# Allow com.android.vending to communicate with statsd. 96binder_call(priv_app, statsd) 97 98# Allow Phone to read/write cached ringtones (opened by system). 99allow priv_app ringtone_file:file { getattr read write }; 100 101# Access to /data/preloads 102allow priv_app preloads_data_file:file r_file_perms; 103allow priv_app preloads_data_file:dir r_dir_perms; 104allow priv_app preloads_media_file:file r_file_perms; 105allow priv_app preloads_media_file:dir r_dir_perms; 106 107read_runtime_log_tags(priv_app) 108 109# Write app-specific trace data to the Perfetto traced damon. This requires 110# connecting to its producer socket and obtaining a (per-process) tmpfs fd. 111perfetto_producer(priv_app) 112 113# Allow priv_apps to request and collect incident reports. 114# (Also requires DUMP and PACKAGE_USAGE_STATS permissions) 115allow priv_app incident_service:service_manager find; 116binder_call(priv_app, incidentd) 117allow priv_app incidentd:fifo_file { read write }; 118 119# Allow profiling if the app opts in by being marked profileable/debuggable. 120can_profile_heap(priv_app) 121can_profile_perf(priv_app) 122 123# Allow priv_apps to check whether Dynamic System Update is enabled 124get_prop(priv_app, dynamic_system_prop) 125 126# suppress denials for non-API accesses. 127dontaudit priv_app exec_type:file getattr; 128dontaudit priv_app device:dir read; 129dontaudit priv_app fs_bpf:dir search; 130dontaudit priv_app net_dns_prop:file read; 131dontaudit priv_app proc:file read; 132dontaudit priv_app proc_interrupts:file read; 133dontaudit priv_app proc_modules:file read; 134dontaudit priv_app proc_net:file read; 135dontaudit priv_app proc_stat:file read; 136dontaudit priv_app proc_version:file read; 137dontaudit priv_app sysfs:dir read; 138dontaudit priv_app sysfs:file read; 139dontaudit priv_app sysfs_android_usb:file read; 140dontaudit priv_app sysfs_dm:file r_file_perms; 141dontaudit priv_app wifi_prop:file read; 142dontaudit priv_app { wifi_prop exported_wifi_prop }:file read; 143 144# allow privileged apps to use UDP sockets provided by the system server but not 145# modify them other than to connect 146allow priv_app system_server:udp_socket { 147 connect getattr read recvfrom sendto write getopt setopt }; 148 149# allow apps like Phonesky to check the file signature of an apk installed on 150# the Incremental File System, and fill missing blocks in the apk 151allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS }; 152 153# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System 154allow priv_app incremental_control_file:file { read getattr ioctl }; 155 156# allow apps like Phonesky to request permission to fill blocks of an apk file 157# on the Incremental File System. 158allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL; 159 160# Required for Phonesky to be able to read APEX files under /data/apex/active/. 161allow priv_app apex_data_file:dir search; 162allow priv_app staging_data_file:file r_file_perms; 163 164### 165### neverallow rules 166### 167 168# Receive or send uevent messages. 169neverallow priv_app domain:netlink_kobject_uevent_socket *; 170 171# Receive or send generic netlink messages 172neverallow priv_app domain:netlink_socket *; 173 174# Too much leaky information in debugfs. It's a security 175# best practice to ensure these files aren't readable. 176neverallow priv_app debugfs:file read; 177 178# Do not allow privileged apps to register services. 179# Only trusted components of Android should be registering 180# services. 181neverallow priv_app service_manager_type:service_manager add; 182 183# Do not allow privileged apps to connect to the property service 184# or set properties. b/10243159 185neverallow priv_app property_socket:sock_file write; 186neverallow priv_app init:unix_stream_socket connectto; 187neverallow priv_app property_type:property_service set; 188 189# Do not allow priv_app to be assigned mlstrustedsubject. 190# This would undermine the per-user isolation model being 191# enforced via levelFrom=user in seapp_contexts and the mls 192# constraints. As there is no direct way to specify a neverallow 193# on attribute assignment, this relies on the fact that fork 194# permission only makes sense within a domain (hence should 195# never be granted to any other domain within mlstrustedsubject) 196# and priv_app is allowed fork permission to itself. 197neverallow priv_app mlstrustedsubject:process fork; 198 199# Do not allow priv_app to hard link to any files. 200# In particular, if priv_app links to other app data 201# files, installd will not be able to guarantee the deletion 202# of the linked to file. Hard links also contribute to security 203# bugs, so we want to ensure priv_app never has this 204# capability. 205neverallow priv_app file_type:file link; 206 207# priv apps should not be able to open trace data files, they should depend 208# upon traceur to pass a file descriptor which they can then read 209neverallow priv_app trace_data_file:dir *; 210neverallow priv_app trace_data_file:file { no_w_file_perms open }; 211 212# Do not allow priv_app access to cgroups. 213neverallow priv_app cgroup:file *; 214 215# Do not allow loading executable code from non-privileged 216# application home directories. Code loading across a security boundary 217# is dangerous and allows a full compromise of a privileged process 218# by an unprivileged process. b/112357170 219neverallow priv_app app_data_file:file no_x_file_perms; 220 221# Do not follow untrusted app provided symlinks 222neverallow priv_app app_data_file:lnk_file { open read getattr }; 223