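###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc.
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Layout: allow rules common to every app domain, a small set of
### CTS-specific rules, and finally the neverallow rules. The neverallow
### rules are build-time assertions over the whole appdomain attribute,
### so they also constrain the domains that extend this file.
###

# WebView and other application-specific JIT compilers.
# execmem permits anonymous memory that is both writable and executable;
# it is granted to every app domain, not only to those that JIT.
allow appdomain self:process execmem;

# Execute mapping of ashmem regions. No rationale is recorded here;
# TODO confirm which component still needs this.
allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote.
allow appdomain zygote_exec:file rx_file_perms;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Place process into foreground / background.
allow appdomain cgroup:dir { search write };
allow appdomain cgroup:file rw_file_perms;

# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;

# Read the /sdcard and /mnt/sdcard symlinks.
allow appdomain rootfs:lnk_file r_file_perms;
allow appdomain tmpfs:lnk_file r_file_perms;

# Search /storage/emulated tmpfs mount.
allow appdomain tmpfs:dir r_dir_perms;

# The rules in this block exist on userdebug/eng builds only.
userdebug_or_eng(`
  # Notify zygote of the wrapped process PID when using --invoke-with.
  allow appdomain zygote:fifo_file write;

  # Allow apps to create and write method traces in /data/misc/trace.
  allow appdomain method_trace_data_file:dir w_dir_perms;
  allow appdomain method_trace_data_file:file { create w_file_perms };
')

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# Child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
# Note there is no connectto/open here: the descriptors are handed over by
# system_server, apps only operate on what they receive.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# Communication with other apps via fifos.
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
# isolated_app is excluded; its own policy file extends this one (see header).
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;

# lib subdirectory of /data/data dir is system-owned.
# Read/execute only; the neverallow rules below forbid any write to
# system_data_file.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };

# Traverse into expanded storage.
allow appdomain mnt_expand_file:dir r_dir_perms;

# Keychain and user-trusted credentials.
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;

# Access to OEM provided data and apps.
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
allow appdomain toolbox_exec:file rx_file_perms;

# Renderscript needs the ability to read directories on /system.
r_dir_file(appdomain, system_file)

# Execute dex2oat when apps call dexclassloader.
allow appdomain dex2oat_exec:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };

# Read/write cached ringtones (opened by system).
allow appdomain ringtone_file:file { getattr read write };

# Read ShortcutManager icon files (opened by system).
allow appdomain shortcut_manager_icons:file { getattr read };

# Read icon file (opened by system).
allow appdomain icon_file:file { getattr read };

# Write to /data/anr/traces.txt.
# append only, no read: apps may add their own traces but not read others'.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };

# Write profiles /data/misc/profiles.
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
# Profiles for foreign dex files are just markers and only need create permissions.
allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
allow appdomain user_profile_foreign_dex_data_file:file create;
# There is no way to create user_profile_foreign_dex_data_file without
# generating open/read denials. These permissions should not be granted and the
# denial is harmless. dontaudit to suppress the denial (a matching neverallow
# at the end of this file keeps it that way).
dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };

# Send heap dumps to system_server via an already open file descriptor.
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# Debuggable builds only.
userdebug_or_eng(`
  allow appdomain heapdump_data_file:file append;
')

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'.
allow appdomain system_data_file:lnk_file getattr;

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow appdomain radio_data_file:file { read write getattr };

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary.
allow appdomain storage_file:dir r_dir_perms;
allow appdomain storage_file:lnk_file r_file_perms;
allow appdomain mnt_user_file:dir r_dir_perms;
allow appdomain mnt_user_file:lnk_file r_file_perms;

# Read/write visible storage.
allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms;
allow appdomain sdcardfs:dir create_dir_perms;
allow appdomain sdcardfs:file create_file_perms;

# Access OBBs (vfat images) mounted by vold (b/17633509).
# File write access allowed for FDs returned through Storage Access Framework.
allow appdomain vfat:dir r_dir_perms;
allow appdomain vfat:file rw_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# There is deliberately no open permission here.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;

# Allow apps to read/execute installed binaries.
# Writes to apk_data_file are forbidden for non-platform apps by the
# neverallow rules below.
allow appdomain apk_data_file:dir r_dir_perms;
allow appdomain apk_data_file:file { rx_file_perms execmod };

# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;

# logd access.
read_logd(appdomain)
control_logd(appdomain)
# Application inherits the logd write socket (urge is to deprecate this long term).
allow appdomain zygote:unix_dgram_socket write;

# Keystore access. isolated_app is excluded, matching the other
# isolated_app exclusions in this file.
allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };

use_keystore({ appdomain -isolated_app })

# Read/write on the console device for every app domain. No rationale is
# recorded here; TODO confirm this is still required.
allow appdomain console_device:chr_file { read write };

# Only allow unprivileged socket ioctl commands.
# allowxperm narrows the ioctl permission to the listed command sets
# rather than granting every ioctl number.
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

# ION device access; isolated_app excluded as for gpu_device above.
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;

# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write };

###
### CTS-specific rules
###

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)

# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device.
allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Stat of the cache directory only; no other cache_file access is granted here.
allow appdomain cache_file:dir getattr;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do.
###
### neverallow rules are checked when the policy is compiled: the build
### fails if any allow rule, in this file or in any file that extends
### appdomain, would grant the listed access.
###

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
neverallow { appdomain -bluetooth } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;

# Block device access.
neverallow appdomain dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow appdomain {
    audio_device
    camera_device
    dm_device
    gps_device
    radio_device
    rpmsg_device
    video_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };

neverallow { appdomain -nfc } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
    { read write };
neverallow appdomain tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
neverallow appdomain
    domain:{
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
    } *;

# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };

# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;

# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow appdomain installd_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
neverallow appdomain vold_socket:sock_file write;
neverallow appdomain zygote_socket:sock_file write;

# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow appdomain { domain -appdomain }:file write;

# Signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow appdomain { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain and the su domain, can transition to runas,
# etc. The su exception only exists on userdebug/eng builds.
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
    { transition dyntransition };

# Write to rootfs.
neverallow appdomain rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow appdomain system_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow appdomain exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts.  Define a different type for portions
# that should be writable by apps.
neverallow appdomain system_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -system_app }
    gps_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_private_tmp_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
# Unlike the neighbouring rules this set omits "write": the dumpstate rules
# above allow appdomain to write shell_data_file:file.
neverallow { appdomain -shell }
    shell_data_file:dir_file_class_set
    { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
    bluetooth_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    keystore_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    systemkeys_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    wifi_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    dhcp_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access tmp apk files. This forbids all access (*), not just writes, and
# additionally exempts priv_app, unlike the write rules above.
neverallow { appdomain -platform_app -priv_app }
    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;

# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
neverallow { appdomain -shell } efs_file:dir_file_class_set read;

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;
neverallow appdomain
    proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app }
    kernel:system { syslog_mod syslog_console };
neverallow { appdomain -system_app -shell }
    kernel:system syslog_read;

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc. (~getattr is every permission except getattr.)
neverallow appdomain fs_type:filesystem ~getattr;

# Prevent creation/manipulation of globally readable symlinks.
neverallow appdomain {
  apk_data_file
  cache_file
  cache_recovery_file
  dev_type
  rootfs
  system_file
  security_file
  tmpfs
}:lnk_file no_w_file_perms;

# Foreign dex profiles are just markers. Prevent apps from doing anything but
# touching them. This pairs with the create-only allow rule and the dontaudit
# for these files earlier in this file.
neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };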