1*e4a36f41SAndroid Build Coastguard Worker# Allow apps to read the Test Harness Mode property. This property is used in 2*e4a36f41SAndroid Build Coastguard Worker# the implementation of ActivityManager.isDeviceInTestHarnessMode() 3*e4a36f41SAndroid Build Coastguard Workerget_prop(appdomain, test_harness_prop) 4*e4a36f41SAndroid Build Coastguard Worker 5*e4a36f41SAndroid Build Coastguard Workeruserdebug_or_eng(`perfetto_producer({ appdomain })') 6*e4a36f41SAndroid Build Coastguard Worker 7*e4a36f41SAndroid Build Coastguard Worker# Prevent apps from causing presubmit failures. 8*e4a36f41SAndroid Build Coastguard Worker# Apps can cause selinux denials by accessing CE storage 9*e4a36f41SAndroid Build Coastguard Worker# and/or external storage. In either case, the selinux denial is 10*e4a36f41SAndroid Build Coastguard Worker# not the cause of the failure, but just a symptom that 11*e4a36f41SAndroid Build Coastguard Worker# storage isn't ready. Many apps handle the failure appropriately. 12*e4a36f41SAndroid Build Coastguard Worker# 13*e4a36f41SAndroid Build Coastguard Worker# Apps cannot access external storage before it becomes available. 14*e4a36f41SAndroid Build Coastguard Workerdontaudit appdomain storage_stub_file:dir getattr; 15*e4a36f41SAndroid Build Coastguard Worker# Attempts to write to system_data_file is generally a sign 16*e4a36f41SAndroid Build Coastguard Worker# that apps are attempting to access encrypted storage before 17*e4a36f41SAndroid Build Coastguard Worker# the ACTION_USER_UNLOCKED intent is delivered. Apps are not 18*e4a36f41SAndroid Build Coastguard Worker# allowed to write to CE storage before it's available. 19*e4a36f41SAndroid Build Coastguard Worker# Attempting to do so will be blocked by both selinux and unix 20*e4a36f41SAndroid Build Coastguard Worker# permissions. 21*e4a36f41SAndroid Build Coastguard Workerdontaudit appdomain system_data_file:dir write; 22*e4a36f41SAndroid Build Coastguard Worker# Apps should not be reading vendor-defined properties. 23*e4a36f41SAndroid Build Coastguard Workerdontaudit appdomain vendor_default_prop:file read; 24*e4a36f41SAndroid Build Coastguard Worker 25*e4a36f41SAndroid Build Coastguard Workerneverallow appdomain system_server:udp_socket { 26*e4a36f41SAndroid Build Coastguard Worker accept append bind create ioctl listen lock name_bind 27*e4a36f41SAndroid Build Coastguard Worker relabelfrom relabelto setattr shutdown }; 28*e4a36f41SAndroid Build Coastguard Worker 29*e4a36f41SAndroid Build Coastguard Worker# Transition to a non-app domain. 30*e4a36f41SAndroid Build Coastguard Worker# Exception for the shell and su domains, can transition to runas, etc. 31*e4a36f41SAndroid Build Coastguard Worker# Exception for crash_dump to allow for app crash reporting. 32*e4a36f41SAndroid Build Coastguard Worker# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc) 33*e4a36f41SAndroid Build Coastguard Worker# to allow renderscript to create privileged executable files. 34*e4a36f41SAndroid Build Coastguard Workerneverallow { appdomain -shell userdebug_or_eng(`-su') } 35*e4a36f41SAndroid Build Coastguard Worker { domain -appdomain -crash_dump -rs }:process { transition }; 36*e4a36f41SAndroid Build Coastguard Workerneverallow { appdomain -shell userdebug_or_eng(`-su') } 37*e4a36f41SAndroid Build Coastguard Worker { domain -appdomain }:process { dyntransition }; 38*e4a36f41SAndroid Build Coastguard Worker 39*e4a36f41SAndroid Build Coastguard Worker# Don't allow regular apps access to storage configuration properties. 40*e4a36f41SAndroid Build Coastguard Workerneverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms; 41*e4a36f41SAndroid Build Coastguard Worker 42*e4a36f41SAndroid Build Coastguard Worker# Allow to read graphics related properties. 43*e4a36f41SAndroid Build Coastguard Workerget_prop(appdomain, graphics_config_prop) 44