# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)

get_prop(appdomain, boot_status_prop)
get_prop(appdomain, dalvik_config_prop)
get_prop(appdomain, media_config_prop)
get_prop(appdomain, packagemanager_config_prop)
get_prop(appdomain, radio_control_prop)
get_prop(appdomain, surfaceflinger_color_prop)
get_prop(appdomain, systemsound_config_prop)
get_prop(appdomain, telephony_config_prop)
get_prop(appdomain, userspace_reboot_config_prop)
get_prop(appdomain, vold_config_prop)
get_prop(appdomain, adbd_config_prop)

# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process)
get_prop(appdomain, device_config_runtime_native_prop)
get_prop(appdomain, device_config_runtime_native_boot_prop)

userdebug_or_eng(`perfetto_producer({ appdomain })')

# Prevent apps from causing presubmit failures.
# Apps can cause selinux denials by accessing CE storage
# and/or external storage. In either case, the selinux denial is
# not the cause of the failure, but just a symptom that
# storage isn't ready. Many apps handle the failure appropriately.
#
# Apps cannot access external storage before it becomes available.
dontaudit appdomain storage_stub_file:dir getattr;
# Attempts to write to system_data_file are generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
# allowed to write to CE storage before it's available.
# Attempting to do so will be blocked by both selinux and unix
# permissions.
dontaudit appdomain system_data_file:dir write;
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;

# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow appdomain mnt_media_rw_file:dir search;

neverallow appdomain system_server:udp_socket {
        accept append bind create ioctl listen lock name_bind
        relabelfrom relabelto setattr shutdown };

# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain }:process { dyntransition };

# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;

# Allow to read sendbug.preferred.domain
get_prop(appdomain, sendbug_config_prop)

# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)

# Allow to read persist.config.calibration_fac
get_prop(appdomain, camera_calibration_prop)

# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)

# Allow font file read by apps.
allow appdomain font_data_file:file r_file_perms;
allow appdomain font_data_file:dir r_dir_perms;

# Enter /data/misc/apexdata/
allow appdomain apex_module_data_file:dir search;
# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
allow appdomain apex_art_data_file:dir r_dir_perms;
allow appdomain apex_art_data_file:file rx_file_perms;

# Allow access to tombstones if an fd to one is given to you.
# This is restricted by unix permissions, so an app must go through system_server to get one.
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };

# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  system_app
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;