###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Layout: the "allow" rules are the baseline every member of the
### appdomain attribute receives; the "neverallow" rules at the end are
### policy-build-time assertions that no .te file extending appdomain may
### contradict. Anything allowed here is therefore the floor for the
### least trusted app. The only carve-out made in this file is
### "-isolated_app", which is excluded from a handful of rules below.
###

# Dalvik Compiler JIT Mapping.
# execmem permits anonymous executable memory mappings; because JIT
# needs it, W^X is not enforced for any app domain at this layer.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;

# gdbserver for ndk-gdb ptrace attaches to app process.
# Scope is self only; ptrace of any non-app domain is neverallowed below.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death;
allow appdomain zygote:process sigchld;

# Notify zygote of the wrapped process PID when using --invoke-with.
# Wrapped in userdebug_or_eng() so the rule exists only in debuggable builds.
userdebug_or_eng(`
  allow appdomain zygote:fifo_file write;
')

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
# ioctl is granted here with no ioctl-command filtering in this file.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
# The socket rules carry no connectto, so only descriptors system_server
# has already handed over are usable; the fifo rule does include open.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# Communication with other apps via fifos
# App-to-app for every appdomain member, isolated_app included.
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
# isolated_app is excluded: it gets no private-data-directory access here.
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;

# lib subdirectory of /data/data dir is system-owned.
# execmod additionally permits executable mappings that were modified
# (text relocations). No write is granted, and writing system_data_file
# is neverallowed below for everything except system_app.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };

# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;

# Keychain and user-trusted credentials
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;

# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

# Execute the shell or other system executables.
# Execution only; writing system_file is neverallowed below.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;

# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;

# Read/write wallpaper file (opened by system).
# No open permission: only a descriptor passed in by the system is usable.
allow appdomain wallpaper_file:file { getattr read write };

# Write to /data/anr/traces.txt.
# append but not write or unlink, so apps can add traces but not truncate
# or remove what other processes wrote.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
# shell_data_file gets write/getattr but not open, so this only works on
# descriptors dumpstate passes to the app. The shell_data_file neverallow
# near the end of this file deliberately omits write for that reason.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };

# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only.
userdebug_or_eng(`
  allow appdomain heapdump_data_file:file append;
')

# Write to /proc/net/xt_qtaguid/ctrl file.
# rw_file_perms includes open, so every app can open and write this
# kernel control interface directly rather than only through a passed
# descriptor. NOTE(review): a writable kernel interface is attack
# surface; confirm every appdomain member needs write here rather than
# only the domains that actually tag sockets.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
# Includes execute (executable mappings of the device node) on top of
# rw_file_perms; isolated_app is excluded.
allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
# No open: passed descriptors only, as with the backup rules above.
allow appdomain media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
# No open: passed descriptors only.
allow appdomain radio_data_file:file { read write getattr };

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow appdomain storage_file:dir r_dir_perms;
allow appdomain storage_file:lnk_file r_file_perms;
allow appdomain mnt_user_file:dir r_dir_perms;
allow appdomain mnt_user_file:lnk_file r_file_perms;

# Read/write visible storage
# Full create/delete rights for every app at the SELinux layer. Per-app
# isolation of external storage is presumably enforced by the FUSE
# daemon and DAC rather than by this rule — verify before relying on it.
allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms;

# Access OBBs (vfat images) mounted by vold (b/17633509)
# File write access allowed for FDs returned through Storage Access Framework
allow appdomain vfat:dir r_dir_perms;
allow appdomain vfat:file rw_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# No open on either node; usb_device additionally gets unfiltered ioctl.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;

# /data/dalvik-cache/profiles
allow appdomain dalvikcache_profiles_data_file:dir { search getattr };
allow appdomain dalvikcache_profiles_data_file:file rw_file_perms;

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;

# Allow apps to read/execute installed binaries
# execmod lets app-bundled native libraries be mapped with text
# relocations. Writing apk_data_file is neverallowed below for everything
# except platform_app.
allow appdomain apk_data_file:dir r_dir_perms;
allow appdomain apk_data_file:file { rx_file_perms execmod };

# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;

# logd access
read_logd(appdomain)
control_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

# Keystore access. isolated_app is excluded from both the explicit
# keystore_key permission list and the use_keystore() macro.
# NOTE(review): use_keystore() may already grant some of the permissions
# listed explicitly here; check the macro definition and keep a single
# source of truth rather than two overlapping rules.
allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };

use_keystore({ appdomain -isolated_app })

# NOTE(review): no rationale is recorded for this rule. Document which
# use case needs read/write on the console device node from every app
# domain, or scope it to the domains that actually need it.
allow appdomain console_device:chr_file { read write };

###
### CTS-specific rules
###

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
# getattr only: apps may stat the runas binary but not execute it.
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### A neverallow is checked when the policy is compiled: if any rule
### anywhere in the policy (including the .te files that extend
### appdomain) grants one of the listed accesses, the build fails.
### Domains prefixed with "-" inside the braces are exempt from that
### assertion; each exemption should have a justification next to it.
###

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
# "*" covers every capability; bluetooth is the only exempt app domain.
neverallow { appdomain -bluetooth } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;

# Block device access.
neverallow appdomain dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow appdomain {
  audio_device
  camera_device
  dm_device
  radio_device
  gps_device
  rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Only three domains are named, so any other appdomain member could still
# be granted graphics_device access in its own .te file.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };

neverallow { appdomain -nfc } nfc_device:chr_file
  { read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
  { read write };
neverallow appdomain tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
# "*" denies every permission on these socket classes against any domain.
neverallow appdomain
  domain:{
    netlink_firewall_socket
    netlink_tcpdiag_socket
    netlink_nflog_socket
    netlink_xfrm_socket
    netlink_audit_socket
    netlink_ip6fw_socket
    netlink_dnrt_socket
  } *;

# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };

# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;

# Unix domain sockets.
# The property_socket and rild_socket exemptions are the app domains that
# legitimately talk to those daemons; keep the lists minimal.
neverallow appdomain adbd_socket:sock_file write;
neverallow appdomain installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -nfc }
  property_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
neverallow appdomain vold_socket:sock_file write;
neverallow appdomain zygote_socket:sock_file write;

# ptrace access to non-app domains.
# Pairs with the self-only ptrace allow near the top of this file.
neverallow appdomain { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow appdomain { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow appdomain { domain -appdomain }:process
  { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain and the su domain, can transition to runas,
# etc.
# userdebug_or_eng(`-su') expands to "-su" only in debuggable builds, so
# su is exempt there and the assertion is unconditional in user builds.
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
  { transition dyntransition };

# Write to rootfs.
neverallow appdomain rootfs:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow appdomain system_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow appdomain exec_type:file
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -system_app }
  system_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -system_app }
  gps_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_tmp_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_private_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_private_tmp_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
# write is intentionally absent from this list so that the dumpstate rule
# above (write/getattr on shell_data_file, no open) remains legal.
neverallow { appdomain -shell }
  shell_data_file:dir_file_class_set
  { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
  bluetooth_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  keystore_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  systemkeys_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  wifi_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  dhcp_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
# Write is denied to every app; read is denied to every app except shell.
neverallow appdomain efs_file:dir_file_class_set write;
neverallow { appdomain -shell } efs_file:dir_file_class_set read;

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
  sysfs:dir_file_class_set write;
neverallow appdomain
  proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app }
  kernel:system { syslog_mod syslog_console };
neverallow { appdomain -system_app -shell }
  kernel:system syslog_read;

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
# "~getattr" is every filesystem-class permission except getattr.
neverallow appdomain fs_type:filesystem ~getattr;

# Ability to set system properties.
# The exempted domains are the only app domains allowed to set
# properties; anything else must go through a system service.
neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
  property_type:property_service set;
