###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
# WebView and other application-specific JIT compilers need anonymous
# executable memory (mmap/mprotect with PROT_EXEC on private pages).
# This is a deliberate relaxation of W^X granted to every app domain,
# including isolated_app; it is why SELinux alone cannot stop an app
# process from running code that was never loaded from a file.
allow appdomain self:process execmem;

# Allow executable mappings of ashmem regions (execute on the ashmem
# device node is what permits mmap(PROT_EXEC) of an ashmem fd). Listed
# under the JIT heading; the exact consumer is not documented here.
# Like execmem above this applies to all app domains.
allow appdomain ashmem_device:chr_file execute;
# Receive and use open file descriptors inherited from zygote.
# This is only the fd class: what an app may do with the object behind
# the descriptor is still checked against that object's own label.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote binary, and valgrind needs to
# mmap it executable. rx_file_perms is read + execute only (no write),
# so this cannot be used to modify the zygote executable.
allow appdomain zygote_exec:file rx_file_perms;
# Read system properties managed by zygote (a tmpfs mapping that apps
# inherit from zygote). Only read is granted here.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death; zygote is the parent of every app process.
allow appdomain zygote:process sigchld;

# Place process into foreground / background by writing to cgroup
# control files. Only search + write are granted; DAC on the cgroup
# files still applies on top of this.
allow appdomain cgroup:dir { search write };
allow appdomain cgroup:file w_file_perms;

# Read /data/dalvik-cache. Read-only: apps get no write access to the
# cache, so they cannot plant or alter compiled code there.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;

# Read the /sdcard symlink on the root filesystem.
allow appdomain rootfs:lnk_file r_file_perms;

# Search /storage/emulated tmpfs mount.
allow appdomain tmpfs:dir r_dir_perms;
# Debug-only rules: userdebug_or_eng() expands to nothing on user
# builds, so none of the following is present in production policy.
userdebug_or_eng(`
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;

# Allow apps to create and write method traces in /data/misc/trace.
# Write/create only: no read on the directory or files, so an app
# cannot list or read other apps' traces through this rule.
allow appdomain method_trace_data_file:dir w_dir_perms;
allow appdomain method_trace_data_file:file { create w_file_perms };
')
# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas. No open is granted,
# so the pty descriptor has to be inherited from the caller rather
# than opened by path under /dev/pts.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local
# socket. For the sockets only operations on an already-open object
# are listed (no create, bind, connect or connectto), so an app can
# only use descriptors system_server chose to hand it.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
# Communication with other apps via fifos (pipes passed between app
# processes by descriptor). Applies to every appdomain pair,
# isolated_app included.
allow appdomain appdomain:fifo_file rw_file_perms;
# Communicate with surfaceflinger over an already-connected unix stream
# socket. No connectto is granted, so the socket must be obtained by
# other means (e.g. passed over binder).
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses: full create/read/write/delete in the
# app's private data directory. isolated_app is excluded on purpose,
# so isolated services cannot touch app private data at all.
# NOTE(review): every app shares the single app_data_file type, so this
# rule does not separate one app's data from another's; that separation
# comes from per-app UIDs (DAC), not from SELinux.
# notdevfile_class_set excludes block/char device nodes; directories
# are covered by the first rule.
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
# lib subdirectory of /data/data dir is system-owned (system_data_file).
# Apps may list it and execute native libraries from it in their own
# domain (execute_no_trans). execmod additionally allows executing a
# mapped file page after it has been modified (text relocations), which
# weakens W^X for these libraries. No write is granted, so apps cannot
# replace the libraries themselves.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };
# Traverse into expanded storage mount points (read/search only).
allow appdomain mnt_expand_file:dir r_dir_perms;

# Keychain and user-trusted credentials. Read-only: apps can consume
# the stored credentials/trust data but cannot add or remove entries.
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;

# Access to OEM provided data and apps. Read + execute: code from the
# OEM partition runs in the app's own domain, so for this purpose the
# OEM partition has to be as trustworthy as /system.
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;
# Execute the shell or other system executables. No domain transition
# is declared here, so these run in the app's own domain and gain no
# privilege beyond what appdomain already has.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
allow appdomain toolbox_exec:file rx_file_perms;
# Execute dex2oat when apps call dexclassloader. No transition is
# declared here, so dex2oat runs in the calling app's domain and can
# only write where the app already can.
allow appdomain dex2oat_exec:file rx_file_perms;
# Read/write wallpaper file (opened by system and passed by fd).
# No open permission: apps cannot open the wallpaper file by path.
allow appdomain wallpaper_file:file { getattr read write };
# Write to /data/anr/traces.txt. Only search on the directory and
# open + append on the file: apps cannot list the directory, read or
# truncate existing traces, or create new files there.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate over a descriptor
# or socket that dumpstate already opened and handed over (no
# connectto).
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
# Write/stat on shell-owned data files; no open or create is granted.
allow appdomain shell_data_file:file { write getattr };

# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only: userdebug_or_eng() is empty on user builds.
# append only, no read/write/open.
userdebug_or_eng(`
allow appdomain heapdump_data_file:file append;
')
# Write to /proc/net/xt_qtaguid/ctrl file (socket tagging for traffic
# accounting). This grants rw to every app; any per-UID restriction on
# which sockets can be tagged is presumably enforced by the module
# itself, not by this rule.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid. Read-only; note that
# whatever this device exposes is visible to every app.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI. isolated_app is excluded,
# which keeps the GPU driver (a large kernel attack surface) out of
# reach of the most restricted app domain.
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
# Use the Binder driver.
binder_use(appdomain)
# Perform binder IPC to binder services (every domain carrying the
# binderservicedomain attribute).
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps. This is allowed for every
# appdomain pair; authorization of individual calls is up to the
# receiving service, not SELinux.
binder_call(appdomain, appdomain)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here:
# apps cannot reach backup data by path, only through a passed fd.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
|
Coalesce shared_app, media_app, release_app into untrusted_app.
This change folds the shared_app, media_app, and release_app
domains into untrusted_app, reducing the set of app domains down
to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
nfc, radio), a single domain for apps signed by the platform key
(platform_app), and a single domain for all other apps (untrusted_app).
Thus, SELinux only distinguishes when already distinguished by a predefined
Android ID (AID) or by the platform certificate (which get the signature-only
Android permissions and thus may require special OS-level accesses).
It is still possible to introduce specific app domains for specific
apps by adding signer and package stanzas to mac_permissions.xml,
but this can be done on an as-needed basis for specialized apps that
require particular OS-level permissions outside the usual set.
As there is now only a single platform app domains, get rid of the
platformappdomain attribute and platform_app_domain() macro. We used
to add mlstrustedsubject to those domains but drop this since we are not
using MLS in AOSP presently; we can revisit which domains need it if/when
we use MLS.
Since we are dropping the shared, media, and release seinfo entries from
seapp_contexts, drop them from mac_permissions.xml as well. However,
we leave the keys.conf entries in case someone wants to add a signer
entry in the future for specific apps signed by those keys to
mac_permissions.xml.
Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-04 15:09:25 +02:00
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow appdomain radio_data_file:file { read write getattr };
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
allow appdomain storage_file:dir r_dir_perms;
allow appdomain storage_file:lnk_file r_file_perms;
allow appdomain mnt_user_file:dir r_dir_perms;
allow appdomain mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms;
# Access OBBs (vfat images) mounted by vold (b/17633509)
# File write access allowed for FDs returned through Storage Access Framework
allow appdomain vfat:dir r_dir_perms;
allow appdomain vfat:file rw_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# The host-side USB device node is additionally granted ioctl here; the
# accessory node in the next rule is limited to read/write/getattr.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };
# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;
# Allow apps to read/execute installed binaries
allow appdomain apk_data_file:dir r_dir_perms;
# execmod lets an app execute a private file mapping after it has been
# modified in place (e.g. libraries with text relocations), which weakens the
# W^X property for app code. NOTE(review): no rationale is recorded here;
# confirm which native libraries still depend on it.
allow appdomain apk_data_file:file { rx_file_perms execmod };
# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;
# logd access
read_logd(appdomain)
control_logd(appdomain)
# applications inherit the logd write socket (the urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
# Explicit keystore_key operations for every app domain except isolated_app.
# NOTE(review): use_keystore() is also invoked for the same set of domains
# below; confirm whether this explicit rule is still required alongside it.
allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
use_keystore({ appdomain -isolated_app })
# Read/write on the console device node for every app domain.
# NOTE(review): the intent is not documented here; confirm which app domains
# actually rely on this and whether a narrower set would suffice.
allow appdomain console_device:chr_file { read write };
###
### CTS-specific rules
###
# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.
# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# appdomain should not be accessing information on /sys
auditallow appdomain sysfs:dir { open getattr read ioctl };
auditallow appdomain sysfs:file r_file_perms;
###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
neverallow { appdomain -bluetooth } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
# Access to any of the following character devices.
neverallow appdomain {
audio_device
camera_device
dm_device
radio_device
gps_device
rpmsg_device
}:chr_file { read write };
# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
neverallow { appdomain -nfc } nfc_device:chr_file
{ read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
{ read write };
neverallow appdomain tee_device:chr_file { read write };
# Privileged netlink socket interfaces.
neverallow appdomain
domain:{
netlink_firewall_socket
netlink_tcpdiag_socket
netlink_nflog_socket
netlink_xfrm_socket
netlink_audit_socket
netlink_ip6fw_socket
netlink_dnrt_socket
} *;
# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;
# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow appdomain installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -nfc }
property_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
neverallow appdomain vold_socket:sock_file write;
neverallow appdomain zygote_socket:sock_file write;
# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;
# Write access to /proc/pid entries for any non-app domain.
neverallow appdomain { domain -appdomain }:file write;
# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow appdomain { domain -appdomain }:process
{ sigkill sigstop signal };
# Transition to a non-app domain.
# Exception for the shell domain and the su domain, which can transition to runas,
# etc.
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
{ transition dyntransition };
# Write to rootfs.
neverallow appdomain rootfs:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to /system.
neverallow appdomain system_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to entrypoint executables.
neverallow appdomain exec_type:file
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -system_app }
system_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -system_app }
gps_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
apk_private_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
apk_private_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# NOTE(review): unlike the sibling rules in this section, the permission set
# below omits `write`, so apps are not neverallow-blocked from writing to
# existing shell_data_file objects (only from creating/renaming/unlinking
# them). Presumably intentional; confirm before relying on it.
neverallow { appdomain -shell }
shell_data_file:dir_file_class_set
{ create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
bluetooth_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
keystore_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
wifi_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
dhcp_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# No access of any kind (*) to temporary APK files for apps other than platform_app and priv_app.
neverallow { appdomain -platform_app -priv_app }
{ apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
neverallow { appdomain -shell } efs_file:dir_file_class_set read;
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
sysfs:dir_file_class_set write;
neverallow appdomain
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app }
kernel:system { syslog_mod syslog_console };
neverallow { appdomain -system_app -shell }
kernel:system syslog_read;
# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr;
# Ability to set system properties.
neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
property_type:property_service set;
# prevent creation/manipulation of globally readable symlinks
neverallow appdomain {
apk_data_file
cache_file
cache_recovery_file
dev_type
rootfs
system_file
security_file
tmpfs
}:lnk_file no_w_file_perms;
# Do not allow Apps to directly open tun_device
neverallow appdomain tun_device:chr_file open;