1### 2### A domain for further sandboxing privileged apps. 3### 4 5typeattribute priv_app coredomain; 6app_domain(priv_app) 7 8# Access the network. 9net_domain(priv_app) 10# Access bluetooth. 11bluetooth_domain(priv_app) 12 13# Allow the allocation and use of ptys 14# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm 15create_pty(priv_app) 16 17# Allow loading executable code from writable priv-app home 18# directories. This is a W^X violation, however, it needs 19# to be supported for now for the following reasons. 20# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367) 21# 1) com.android.opengl.shaders_cache 22# 2) com.android.skia.shaders_cache 23# 3) com.android.renderscript.cache 24# * /data/user_de/0/com.google.android.gms/app_chimera 25# TODO: Tighten (b/112357170) 26allow priv_app privapp_data_file:file execute; 27 28# Chrome Crashpad uses the the dynamic linker to load native executables 29# from an APK (b/112050209, crbug.com/928422) 30allow priv_app system_linker_exec:file execute_no_trans; 31 32allow priv_app privapp_data_file:lnk_file create_file_perms; 33 34# Priv apps can find services that expose both @SystemAPI and normal APIs. 35allow priv_app app_api_service:service_manager find; 36allow priv_app system_api_service:service_manager find; 37 38allow priv_app audioserver_service:service_manager find; 39allow priv_app cameraserver_service:service_manager find; 40allow priv_app drmserver_service:service_manager find; 41allow priv_app mediadrmserver_service:service_manager find; 42allow priv_app mediaextractor_service:service_manager find; 43allow priv_app mediametrics_service:service_manager find; 44allow priv_app mediaserver_service:service_manager find; 45allow priv_app network_watchlist_service:service_manager find; 46allow priv_app nfc_service:service_manager find; 47allow priv_app oem_lock_service:service_manager find; 48allow priv_app persistent_data_block_service:service_manager find; 49allow priv_app radio_service:service_manager find; 50allow priv_app recovery_service:service_manager find; 51allow priv_app stats_service:service_manager find; 52 53# Allow privileged apps to interact with gpuservice 54binder_call(priv_app, gpuservice) 55allow priv_app gpu_service:service_manager find; 56 57# Write to /cache. 58allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms; 59allow priv_app { cache_file cache_recovery_file }:file create_file_perms; 60# /cache is a symlink to /data/cache on some devices. Allow reading the link. 61allow priv_app cache_file:lnk_file r_file_perms; 62 63# Access to /data/media. 64allow priv_app media_rw_data_file:dir create_dir_perms; 65allow priv_app media_rw_data_file:file create_file_perms; 66 67# Used by Finsky / Android "Verify Apps" functionality when 68# running "adb install foo.apk". 69allow priv_app shell_data_file:file r_file_perms; 70allow priv_app shell_data_file:dir r_dir_perms; 71 72# Allow traceur to pass file descriptors through a content provider to betterbug 73allow priv_app trace_data_file:file { getattr read }; 74 75# Allow verifier to access staged apks. 76allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; 77allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; 78 79# For AppFuse. 80allow priv_app vold:fd use; 81allow priv_app fuse_device:chr_file { read write }; 82 83# /proc access 84allow priv_app { 85 proc_vmstat 86}:file r_file_perms; 87 88allow priv_app sysfs_type:dir search; 89# Read access to /sys/class/net/wlan*/address 90r_dir_file(priv_app, sysfs_net) 91# Read access to /sys/block/zram*/mm_stat 92r_dir_file(priv_app, sysfs_zram) 93 94r_dir_file(priv_app, rootfs) 95 96# access the mac address 97allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR; 98 99# Allow com.android.vending to communicate with statsd. 100binder_call(priv_app, statsd) 101 102# Allow Phone to read/write cached ringtones (opened by system). 103allow priv_app ringtone_file:file { getattr read write }; 104 105# Access to /data/preloads 106allow priv_app preloads_data_file:file r_file_perms; 107allow priv_app preloads_data_file:dir r_dir_perms; 108allow priv_app preloads_media_file:file r_file_perms; 109allow priv_app preloads_media_file:dir r_dir_perms; 110 111read_runtime_log_tags(priv_app) 112 113# Write app-specific trace data to the Perfetto traced damon. This requires 114# connecting to its producer socket and obtaining a (per-process) tmpfs fd. 115perfetto_producer(priv_app) 116 117# Allow priv_apps to request and collect incident reports. 118# (Also requires DUMP and PACKAGE_USAGE_STATS permissions) 119allow priv_app incident_service:service_manager find; 120binder_call(priv_app, incidentd) 121allow priv_app incidentd:fifo_file { read write }; 122 123# Allow profiling if the app opts in by being marked profileable/debuggable. 124can_profile_heap(priv_app) 125can_profile_perf(priv_app) 126 127# Allow priv_apps to check whether Dynamic System Update is enabled 128get_prop(priv_app, dynamic_system_prop) 129 130# suppress denials for non-API accesses. 131dontaudit priv_app exec_type:file getattr; 132dontaudit priv_app device:dir read; 133dontaudit priv_app fs_bpf:dir search; 134dontaudit priv_app net_dns_prop:file read; 135dontaudit priv_app proc:file read; 136dontaudit priv_app proc_interrupts:file read; 137dontaudit priv_app proc_modules:file read; 138dontaudit priv_app proc_net:file read; 139dontaudit priv_app proc_stat:file read; 140dontaudit priv_app proc_version:file read; 141dontaudit priv_app sysfs:dir read; 142dontaudit priv_app sysfs:file read; 143dontaudit priv_app sysfs_android_usb:file read; 144dontaudit priv_app sysfs_dm:file r_file_perms; 145dontaudit priv_app wifi_prop:file read; 146dontaudit priv_app { wifi_prop exported_wifi_prop }:file read; 147 148# allow privileged apps to use UDP sockets provided by the system server but not 149# modify them other than to connect 150allow priv_app system_server:udp_socket { 151 connect getattr read recvfrom sendto write getopt setopt }; 152 153# allow apps like Phonesky to check the file signature of an apk installed on 154# the Incremental File System, and fill missing blocks in the apk 155allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS }; 156 157# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System 158allow priv_app incremental_control_file:file { read getattr ioctl }; 159 160# allow apps like Phonesky to request permission to fill blocks of an apk file 161# on the Incremental File System. 162allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL; 163 164# Required for Phonesky to be able to read APEX files under /data/apex/active/. 165allow priv_app apex_data_file:dir search; 166allow priv_app staging_data_file:file r_file_perms; 167 168### 169### neverallow rules 170### 171 172# Receive or send uevent messages. 173neverallow priv_app domain:netlink_kobject_uevent_socket *; 174 175# Receive or send generic netlink messages 176neverallow priv_app domain:netlink_socket *; 177 178# Too much leaky information in debugfs. It's a security 179# best practice to ensure these files aren't readable. 180neverallow priv_app debugfs:file read; 181 182# Do not allow privileged apps to register services. 183# Only trusted components of Android should be registering 184# services. 185neverallow priv_app service_manager_type:service_manager add; 186 187# Do not allow privileged apps to connect to the property service 188# or set properties. b/10243159 189neverallow priv_app property_socket:sock_file write; 190neverallow priv_app init:unix_stream_socket connectto; 191neverallow priv_app property_type:property_service set; 192 193# Do not allow priv_app to be assigned mlstrustedsubject. 194# This would undermine the per-user isolation model being 195# enforced via levelFrom=user in seapp_contexts and the mls 196# constraints. As there is no direct way to specify a neverallow 197# on attribute assignment, this relies on the fact that fork 198# permission only makes sense within a domain (hence should 199# never be granted to any other domain within mlstrustedsubject) 200# and priv_app is allowed fork permission to itself. 201neverallow priv_app mlstrustedsubject:process fork; 202 203# Do not allow priv_app to hard link to any files. 204# In particular, if priv_app links to other app data 205# files, installd will not be able to guarantee the deletion 206# of the linked to file. Hard links also contribute to security 207# bugs, so we want to ensure priv_app never has this 208# capability. 209neverallow priv_app file_type:file link; 210 211# priv apps should not be able to open trace data files, they should depend 212# upon traceur to pass a file descriptor which they can then read 213neverallow priv_app trace_data_file:dir *; 214neverallow priv_app trace_data_file:file { no_w_file_perms open }; 215 216# Do not allow priv_app access to cgroups. 217neverallow priv_app cgroup:file *; 218 219# Do not allow loading executable code from non-privileged 220# application home directories. Code loading across a security boundary 221# is dangerous and allows a full compromise of a privileged process 222# by an unprivileged process. b/112357170 223neverallow priv_app app_data_file:file no_x_file_perms; 224 225# Do not follow untrusted app provided symlinks 226neverallow priv_app app_data_file:lnk_file { open read getattr }; 227