# /proc/net access.
# TODO(b/9496886) Audit access for removal.
# proc_net access for the negated domains below is granted (or not) in their
# individual .te files.
r_dir_file({
  appdomain
  -ephemeral_app
  -isolated_app
  -platform_app
  -priv_app
  -shell
  -sdk_sandbox
  -system_app
  -untrusted_app_all
}, proc_net_type)
# audit access for all these non-core app domains.
# NOTE(review): the audit set below also negates su, which the grant above
# does not; if su is an appdomain on debug builds its /proc/net reads are
# granted but never logged — presumably deliberate (su is debug-only), confirm.
userdebug_or_eng(`
  auditallow {
    appdomain
    -ephemeral_app
    -isolated_app
    -platform_app
    -priv_app
    -shell
    -su
    -sdk_sandbox
    -system_app
    -untrusted_app_all
  } proc_net_type:{ dir file lnk_file } { getattr open read };
')

# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)

# Read-only system property access granted to every app domain (get_prop grants
# read only; nothing below lets an app set a property).
get_prop(appdomain, boot_status_prop)
get_prop(appdomain, dalvik_config_prop)
get_prop(appdomain, media_config_prop)
get_prop(appdomain, packagemanager_config_prop)
get_prop(appdomain, radio_control_prop)
get_prop(appdomain, surfaceflinger_color_prop)
get_prop(appdomain, systemsound_config_prop)
get_prop(appdomain, telephony_config_prop)
get_prop(appdomain, userspace_reboot_config_prop)
get_prop(appdomain, vold_config_prop)
get_prop(appdomain, adbd_config_prop)
get_prop(appdomain, dck_prop)
get_prop(appdomain, persist_wm_debug_prop)

# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process)
get_prop(appdomain, device_config_runtime_native_prop)
get_prop(appdomain, device_config_runtime_native_boot_prop)

# Debuggable builds only: apps may act as perfetto producers (see the
# perfetto_producer macro for exactly what that grants).
userdebug_or_eng(`perfetto_producer({ appdomain })')

# Allow the heap dump ART plugin to read the count of sessions waiting for OOME.
get_prop(appdomain, traced_oome_heap_session_count_prop)

# Prevent apps from causing presubmit failures.
# Apps can cause selinux denials by accessing CE storage
# and/or external storage. In either case, the selinux denial is
# not the cause of the failure, but just a symptom that
# storage isn't ready. Many apps handle the failure appropriately.
#
# Apps cannot access external storage before it becomes available.
# (dontaudit only silences the log entry; the access is still denied.)
dontaudit appdomain storage_stub_file:dir getattr;
# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
# allowed to write to CE storage before it's available.
# Attempting to do so will be blocked by both selinux and unix
# permissions.
dontaudit appdomain system_data_file:dir write;
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;

# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;

# allow apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow appdomain system_server:udp_socket {
    connect getattr read recvfrom sendto write getopt setopt };

# Compile-time guarantee that no other .te file widens the grant above
# (no accept/bind/listen/ioctl/etc. on system_server's UDP sockets).
neverallow appdomain system_server:udp_socket {
    accept append bind create ioctl listen lock name_bind
    relabelfrom relabelto setattr shutdown };

# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain }:process { dyntransition };

# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;

# Allow apps to read sendbug.preferred.domain
get_prop(appdomain, sendbug_config_prop)

# Allow apps to read graphics related properties.
get_prop(appdomain, graphics_config_prop)

# Allow apps to read persist.config.calibration_fac
get_prop(appdomain, camera_calibration_prop)

# Allow apps to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)

# Allow font file read by apps.
allow appdomain font_data_file:file r_file_perms;
allow appdomain font_data_file:dir r_dir_perms;

# Enter /data/misc/apexdata/
allow appdomain apex_module_data_file:dir search;
# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
# One of the few /data locations any app may execute from; the neverallow at
# the end of this file carves it out for the sensitive domains as well.
allow appdomain apex_art_data_file:dir r_dir_perms;
allow appdomain apex_art_data_file:file rx_file_perms;

# Allow access to tombstones if an fd to one is given to you.
# This is restricted by unix permissions, so an app must go through system_server to get one.
# No open permission is granted, so an app cannot reach a tombstone by path.
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };

# Execute the shell or other system executables.
# NOTE(review): isolated_app is not excluded here, only ephemeral_app and
# sdk_sandbox; any tighter restriction for isolated apps would have to live in
# isolated_app.te (not visible in this file).
allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')

# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;

# Perform binder IPC to sdk sandbox.
binder_call(appdomain, sdk_sandbox)

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;

# Read/write visible storage
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# No open permission: apps can only use a usb_device fd handed to them.
# NOTE(review): ioctl on usb_device is not narrowed by an allowxperm rule in
# this file — confirm whether an ioctl whitelist is applied elsewhere.
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };

# logd access
control_logd({ appdomain -ephemeral_app -sdk_sandbox })

# Keystore access (legacy keystore_key class and keystore2).
# NOTE(review): these rules let an app delete/sign/etc. keys in general; the
# per-key ownership check (which app may touch which key) is presumably
# enforced inside keystore by calling UID — confirm, it is not expressed here.
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };

allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;

use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })

use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })

# PDX clients (display and performance services); see the pdx_client macro for
# exactly what each line grants.
pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)

# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
# (no open permission below), and restrict ioctl on the inherited fd to
# TUNGETIFF via the allowxperm rule.
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;


# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;

allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# Receive and use open file descriptors inherited from app zygote.
allow appdomain app_zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;

# Read the /sdcard and /mnt/sdcard symlinks
allow { appdomain -isolated_app -sdk_sandbox } rootfs:lnk_file r_file_perms;
allow { appdomain -isolated_app -sdk_sandbox } tmpfs:lnk_file r_file_perms;

# Search /storage/emulated tmpfs mount.
allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;

# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;

userdebug_or_eng(`
  # Allow apps to create and write method traces in /data/misc/trace.
  allow appdomain method_trace_data_file:dir w_dir_perms;
  allow appdomain method_trace_data_file:file { create w_file_perms };
')

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
# NOTE(review): this grants unfiltered ioctl on the pty to every app domain
# (isolated_app included); confirm an allowxperm tty ioctl whitelist applies
# to devpts elsewhere, none is present in this file.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# For AppFuse.
allow appdomain vold:fd use;

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;

# Access via already open fds is ok even for mlstrustedsubject.
# No open permission here: system_app_data_file in particular is reachable
# only through an fd some other process chose to hand over.
allow { appdomain -isolated_app -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };

# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;

# Keychain and user-trusted credentials
r_dir_file(appdomain, keychain_data_file)
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;

# TextClassifier
r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)

# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

allow appdomain system_file:file x_file_perms;

# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
allow appdomain system_file:lnk_file { getattr open read };
# Renderscript specific permissions to open /system/vendor/lib64.
not_full_treble(`
  allow appdomain vendor_file_type:dir r_dir_perms;
  allow appdomain vendor_file_type:lnk_file { getattr open read };
')

full_treble_only(`
  # For looking up Renderscript vendor drivers
  allow { appdomain -isolated_app } vendor_file:dir { open read };
')

# Allow apps access to /vendor/overlay
r_dir_file(appdomain, vendor_overlay_file)

# Allow apps access to /vendor/framework
# for vendor provided libraries.
r_dir_file(appdomain, vendor_framework_file)

# Allow apps read / execute access to vendor public libraries.
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };

# Read/write cached ringtones (opened by system).
allow appdomain ringtone_file:file { getattr read write map };

# Read ShortcutManager icon files (opened by system).
allow appdomain shortcut_manager_icons:file { getattr read map };

# Read icon file (opened by system).
allow appdomain icon_file:file { getattr read map };

# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
# TODO: All of these permissions except for anr_data_file:file append can be
# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
# and the rules below.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow apps to connect and write to the tombstoned java trace socket in
# order to dump their traces. Also allow them to append traces to pipes
# created by dumptrace. (Also see the rules below where they are given
# additional permissions to dumpstate pipes for other aspects of bug report
# creation).
unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
allow appdomain tombstoned:fd use;
allow appdomain dumpstate:fifo_file append;
allow appdomain incidentd:fifo_file append;

# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain dumpstate:fifo_file { write getattr };
# Write to a shell_data_file only through an fd passed in (no open/search
# here), i.e. the bug report output dumpstate hands over.
allow appdomain shell_data_file:file { write getattr };

# Allow apps to send dump information to incidentd
allow appdomain incidentd:fd use;
allow appdomain incidentd:fifo_file { write getattr };

# Allow apps to send information to statsd socket.
unix_socket_send(appdomain, statsdw, statsd)

# Write profiles /data/misc/profiles
allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;

# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only.
userdebug_or_eng(`
  allow appdomain heapdump_data_file:file append;
')

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;


# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
# Perform binder IPC to gpuservice.
binder_call({ appdomain -isolated_app }, gpuservice)

# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr map };
allow appdomain cache_backup_file:file { read write getattr map };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
# (read/map only, and no open: system_data_file contents are reachable solely
# through an fd passed in.)
allow appdomain system_data_file:lnk_file r_file_perms;
allow appdomain system_data_file:file { getattr read map };

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app -sdk_sandbox } media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app } radio_data_file:file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;

# Allow apps to read/execute installed binaries
allow appdomain apk_data_file:dir r_dir_perms;
allow appdomain apk_data_file:file rx_file_perms;

# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;

# logd access
read_logd(appdomain)

allow appdomain zygote:unix_dgram_socket write;

# NOTE(review): read/write on console_device for every app domain; no open is
# granted here, so presumably only an inherited fd (and the DAC mode of the
# node) make this reachable — confirm.
allow appdomain console_device:chr_file { read write };

# only allow unprivileged socket ioctl commands
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;

# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app } hal_audio:fd use;

# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;

# Allow apps to access shared memory file descriptor from the tuner HAL
allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;

# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };

# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;

# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write map };

###
### CTS-specific rules
###

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

allow appdomain cache_file:dir getattr;

# Allow apps to run with asanwrapper.
with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')

# Read access to FDs from the DropboxManagerService.
allow appdomain dropbox_data_file:file { getattr read };

# Read tmpfs types from these processes.
allow appdomain audioserver_tmpfs:file { getattr map read write };
allow appdomain system_server_tmpfs:file { getattr map read write };
allow appdomain zygote_tmpfs:file { map read };

# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
# The negated types are the sanctioned /data code paths (ART artifacts,
# dalvik-cache, installed APKs and their extracted shared libs). Any rule
# elsewhere that grants one of these domains execute on another data_file_type
# is rejected at policy compile time.
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  sdk_sandbox
  system_app
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;

# For now, don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { appdomain -gmscore_app } checkin_data_file:dir *;
neverallow { appdomain -gmscore_app } checkin_data_file:file *;