platform_system_sepolicy/private/platform_app.te

83 lines
3.1 KiB
Text
Raw Normal View History

###
### Apps signed with the platform key.
###
typeattribute platform_app coredomain;
app_domain(platform_app)
# Access the network.
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app icon_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms;
# Access to /data/media.
allow platform_app media_rw_data_file:dir create_dir_perms;
allow platform_app media_rw_data_file:file create_file_perms;
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
# Direct access to vold-mounted storage under /mnt/media_rw
# This is a performance optimization that allows platform apps to bypass the FUSE layer
allow platform_app mnt_media_rw_file:dir r_dir_perms;
allow platform_app sdcard_type:dir create_dir_perms;
allow platform_app sdcard_type:file create_file_perms;
# com.android.systemui
allow platform_app rootfs:dir getattr;
domain_deprecated: remove proc access Remove "granted" logspam. Grante the observed permissions to the individual processes that need them and remove the permission from domain_deprecated. avc: granted { read open } for comm="ndroid.settings" path="/proc/version" dev="proc" ino=4026532081 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm=4173796E635461736B202332 path="/proc/pagetypeinfo" dev="proc" ino=4026532129 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="uncrypt" path="/proc/cmdline" dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="tiveportallogin" path="/proc/vmstat" dev="proc" ino=4026532130 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file This change is specifically not granting the following since it should not be allowed: avc: granted { read open } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="crash_dump64" name="filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file Bug: 64032843 Bug: 28760354 Test: build Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0
2017-07-26 01:43:49 +02:00
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
proc_vmstat
}:file r_file_perms;
domain_deprecated: remove proc access Remove "granted" logspam. Grante the observed permissions to the individual processes that need them and remove the permission from domain_deprecated. avc: granted { read open } for comm="ndroid.settings" path="/proc/version" dev="proc" ino=4026532081 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm=4173796E635461736B202332 path="/proc/pagetypeinfo" dev="proc" ino=4026532129 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="uncrypt" path="/proc/cmdline" dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="tiveportallogin" path="/proc/vmstat" dev="proc" ino=4026532130 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file This change is specifically not granting the following since it should not be allowed: avc: granted { read open } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="crash_dump64" name="filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file Bug: 64032843 Bug: 28760354 Test: build Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0
2017-07-26 01:43:49 +02:00
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
allow platform_app mediametrics_service:service_manager find;
allow platform_app mediaextractor_service:service_manager find;
allow platform_app mediacodec_service:service_manager find;
allow platform_app mediadrmserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app thermal_service:service_manager find;
allow platform_app timezone_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
allow platform_app preloads_data_file:dir r_dir_perms;
allow platform_app preloads_media_file:file r_file_perms;
allow platform_app preloads_media_file:dir r_dir_perms;
read_runtime_log_tags(platform_app)
# allow platform apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow platform_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
###
### Neverallow rules
###
# app domains which access /dev/fuse should not run as platform_app
neverallow platform_app fuse_device:chr_file *;