###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced-permissions sandbox allowing
### ephemeral applications to be safely installed and run. Non-ephemeral
### applications may also opt in to ephemeral to take advantage of the
### additional security features.
###
### PackageManager flags an app as ephemeral at install time.

typeattribute ephemeral_app coredomain;

net_domain(ephemeral_app)
app_domain(ephemeral_app)

# Allow ephemeral apps to read/write files in visible storage if provided fds
allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};

# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
allow ephemeral_app app_data_file:file { r_file_perms execute };

# Follow priv-app symlinks. This is used for dynamite functionality.
allow ephemeral_app privapp_data_file:lnk_file r_file_perms;

# Allow the renderscript compiler to be run.
domain_auto_trans(ephemeral_app, rs_exec, rs)

# Allow loading and deleting shared libraries created by trusted system
# components within an application home directory.
allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };

# services
allow ephemeral_app audioserver_service:service_manager find;
allow ephemeral_app cameraserver_service:service_manager find;
allow ephemeral_app mediaserver_service:service_manager find;
allow ephemeral_app mediaextractor_service:service_manager find;
allow ephemeral_app mediametrics_service:service_manager find;
allow ephemeral_app mediadrmserver_service:service_manager find;
allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;

# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow ephemeral_app system_server:udp_socket {
        connect getattr read recvfrom sendto write getopt setopt };

allow ephemeral_app ashmem_device:chr_file rw_file_perms;

###
### neverallow rules
###

neverallow ephemeral_app app_data_file_type:file execute_no_trans;

# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow ephemeral_app domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow ephemeral_app debugfs_type:file read;

# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;

# access files in /sys with the default sysfs label
neverallow ephemeral_app sysfs:file *;

# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };

# Directly access external storage
neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;

# Avoid reads to proc_net, it contains too much device-wide information about
# ongoing connections.
neverallow ephemeral_app proc_net:file no_rw_file_perms;