###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote-spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc.,
### extend from this policy. Only rules that should apply to ALL
### zygote-spawned apps belong here; anything specific to one app
### domain goes in that domain's own .te file.
###

# Dalvik compiler JIT mapping.
# execmem lets every app create anonymous memory that is both writable and
# executable, i.e. W^X is not enforced for app processes; the JIT needs it.
# execute on the ashmem device allows PROT_EXEC mappings of ashmem regions.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote binary.
# valgrind needs to mmap the zygote binary executable.
# Note this grants read+execute of zygote_exec to every app, not only to
# debuggable ones.
allow appdomain zygote_exec:file rx_file_perms;

# gdbserver for ndk-gdb ptrace attaches to the app process.
# Only self is granted here; ptrace of non-app domains is neverallowed
# further down in this file.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via run-as for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# Child shell or gdbserver pty access for run-as.
# No open permission: the pty is only reachable through an inherited fd.
# ioctl is not restricted to particular request codes here.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
# Neither connectto nor create is granted on these sockets: they are only
# usable through fds handed to the app.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# Communication with other apps via fifos.
# Every app carries the appdomain attribute, so this is app-to-app in
# general; which app may reach which fifo is presumably left to DAC
# (per-app UIDs) rather than to this rule.
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger over an fd-passed socket (no connectto).
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
# NOTE(review): every app's private data carries the same app_data_file
# type, so this rule by itself does not separate one app's data from
# another's; that separation presumably rests on per-app UIDs (DAC).
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

# lib subdirectory of /data/data dir is system-owned.
# execute_no_trans: the code runs in the app's own domain.
# execmod: permits executing a modified private file mapping, i.e. text
# relocations in native libraries, which weakens W^X for those mappings.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };

# Keychain and user-trusted credentials (read-only).
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;

# Access to OEM provided data and apps (read + execute, no write).
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

# Execute the shell or other system executables.
# rx_file_perms is defined in global_macros; if it includes execute_no_trans
# (as it does in AOSP) these binaries run in the app's own domain.
# Transitions to non-app domains are neverallowed further down.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;

# Execute dex2oat when apps call DexClassLoader.
allow appdomain dex2oat_exec:file rx_file_perms;

# Read/write wallpaper file (opened by system; no open granted here).
allow appdomain wallpaper_file:file { getattr read write };

# Write to /data/anr/traces.txt.
# append only: apps can add to the trace file but cannot truncate, create
# or unlink it (no write/create/unlink granted).
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate.
# shell_data_file gets write but not open: the target is an fd handed over
# by dumpstate. The shell_data_file neverallow later in this file leaves
# write out of its permission set, presumably for the same reason.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
# qtaguid_proc is its own type, so this is not caught by the neverallow on
# writes to proc further down.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
# execute allows PROT_EXEC mappings of the device; if rw_file_perms includes
# ioctl (as in AOSP's global_macros) that ioctl is not filtered by request.
allow appdomain gpu_device:chr_file { rw_file_perms execute };

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps (any app domain to any app domain).
binder_call(appdomain, appdomain)

# Already connected, unnamed sockets being passed over some other IPC,
# hence no sock_file or connectto permission. This appears to be how
# Chrome works; may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'.
allow appdomain system_data_file:lnk_file getattr;

# Allow read/stat of /data/media files passed by Binder or local socket IPC
# (no open: fd-passed only).
allow appdomain media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over
# Binder (no open: fd-passed only).
allow appdomain radio_data_file:file { read write getattr };

# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos.
# NOTE(review): this is the only rule in this file scoped to untrusted_app
# rather than appdomain. The file header says only rules that apply to ALL
# zygote-spawned apps belong here, so this reads as belonging in
# untrusted_app.te.
allow untrusted_app system_app_data_file:file { read write getattr };

# Access SDcard via the fuse mount.
# Full create/read/write for every app; nothing in this policy distinguishes
# one app's files on the fuse mount from another's.
allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms;

# Access OBBs (vfat images) mounted by vold (b/17633509). Read-only.
allow appdomain vfat:dir r_dir_perms;
allow appdomain vfat:file r_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# No open is granted; ioctl on usb_device is not limited to specific requests.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For ART: execute (not write) of compiled code in the dalvik cache.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;

# /data/dalvik-cache/profiles
# All apps get read/write on the single shared profile type; any per-app
# separation has to come from DAC, not from this rule.
allow appdomain dalvikcache_profiles_data_file:dir { search getattr };
allow appdomain dalvikcache_profiles_data_file:file rw_file_perms;

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;

# Allow apps to read/execute installed APKs and their native code.
# execmod permits text relocations in app-supplied native libraries.
# Writes to apk_data_file are neverallowed below (platform_app excepted).
allow appdomain apk_data_file:dir r_dir_perms;
allow appdomain apk_data_file:file { rx_file_perms execmod };

# /data/resource-cache (read-only)
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
# NOTE(review): the target is every process domain, so this lets any app
# read /proc/<pid> entries (cmdline, status, ...) of every process on the
# device as far as SELinux is concerned; only the kernel's own /proc access
# checks remain in the way. That is broad for a CTS convenience rule.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
# getattr only (stat the run-as binary); execute is not granted here.
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts (macros from te_macros).
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
# process getattr lets apps read the security context of any process.
allow appdomain domain:process getattr;

# logd access
read_logd(appdomain)
# control_logd is a te_macros macro; per its name it grants more than
# reading logs — check its expansion when auditing what apps can do to logd.
control_logd(appdomain)
# Apps inherit the logd write socket from zygote (the intent is to
# deprecate this long term).
allow appdomain zygote:unix_dgram_socket write;

# Keystore key operations available to every app.
# NOTE(review): use_keystore() below is a te_macros macro that also grants
# keystore permissions; check whether this explicit rule is redundant with,
# or broader than, the macro's expansion.
allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };

use_keystore(appdomain)

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
# NOTE(review): the exemption takes bluetooth out of the neverallow entirely,
# so a later rule could grant bluetooth any capability without tripping it;
# a second neverallow on bluetooth for ~{ net_admin wake_alarm } would pin
# it to the two capabilities named above.
neverallow { appdomain -bluetooth } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;

# Block device access.
# Only read/write are forbidden; getattr/ioctl on block devices are not.
neverallow appdomain dev_type:blk_file { read write };

# Access to any of the following character devices.
# Again only read/write; ioctl is not covered by this rule.
neverallow appdomain {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# graphics_device is a different type from gpu_device, so this rule does not
# narrow the gpu_device grant made to all apps above.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };

neverallow { appdomain -nfc } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
    { read write };
# No app domain at all may read or write the TEE device.
neverallow appdomain tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
# Any permission at all (*) on these socket classes is forbidden, whichever
# domain owns the socket.
neverallow appdomain
    domain:{
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
    } *;

# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past. Only write/append are forbidden here;
# reading uevent sockets may still be granted elsewhere.
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };

# Sockets under /dev/socket that are not specifically typed.
# (sock_file write is the permission a connect() to a named socket needs.)
neverallow appdomain socket_device:sock_file write;

# Named unix domain sockets apps must not connect to.
neverallow appdomain adbd_socket:sock_file write;
neverallow appdomain installd_socket:sock_file write;
# The exemption list here matches the one on the property_service set
# neverallow at the end of this file; keep the two in sync.
neverallow { appdomain -bluetooth -radio -shell -system_app -nfc }
    property_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
neverallow appdomain vold_socket:sock_file write;
neverallow appdomain zygote_socket:sock_file write;

# ptrace access to non-app domains.
# Only self ptrace is allowed above; ptrace between distinct app domains is
# not granted there, but it is also not forbidden by this rule.
neverallow appdomain { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
# Covers the file class only.
neverallow appdomain { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
# (Other process permissions such as setsched or setpgid are not addressed
# by this rule.)
neverallow appdomain { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
# Both exec-based (transition) and setcon-based (dyntransition) are covered.
neverallow { appdomain -shell } { domain -appdomain }:process
    { transition dyntransition };

# Write to rootfs.
# The permission set shared by the write neverallows in this section does
# not include rmdir, add_name or remove_name; create/unlink of entries is
# still blocked, but rmdir of an empty directory of these types appears
# not to be forbidden by these rules. Mounting is handled by the fs_type
# rule at the end of the file.
neverallow appdomain rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow appdomain system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables (any type carrying the exec_type attribute).
neverallow appdomain exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts.  Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -system_app }
    system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -system_app }
    gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# platform_app is exempt for the four APK install/staging types below.
neverallow { appdomain -platform_app }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# write is absent from this set, apparently on purpose: all apps get write
# (without open) on shell_data_file for fds passed by dumpstate, see above.
neverallow { appdomain -shell }
    shell_data_file:dir_file_class_set
    { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# No app domain may write key material or network credential stores.
neverallow appdomain
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
# Only shell may read them.
neverallow { appdomain -shell } efs_file:dir_file_class_set read;

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;
# qtaguid_proc is a separate type and is not covered by this rule
# (all apps get rw on it above).
neverallow appdomain
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app }
    kernel:system { syslog_mod syslog_console };
neverallow { appdomain -system_app -shell }
    kernel:system syslog_read;

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), relabel, etc.  getattr on the filesystem
# class is the permission statfs(2) checks.
neverallow appdomain fs_type:filesystem ~getattr;

# Ability to set system properties.
# Same exemption list as the property_socket neverallow above; keep in sync.
neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
    property_type:property_service set;
