2017-01-06 00:44:32 +01:00
|
|
|
###
|
|
|
|
### A domain for further sandboxing privileged apps.
|
|
|
|
###
|
|
|
|
|
2017-03-23 22:27:32 +01:00
|
|
|
typeattribute priv_app coredomain;
|
2016-12-08 20:23:34 +01:00
|
|
|
app_domain(priv_app)
|
2016-10-12 23:58:09 +02:00
|
|
|
|
2017-01-06 00:44:32 +01:00
|
|
|
# Access the network.
|
|
|
|
net_domain(priv_app)
|
|
|
|
# Access bluetooth.
|
|
|
|
bluetooth_domain(priv_app)
|
|
|
|
|
2016-10-12 23:58:09 +02:00
|
|
|
# Allow the allocation and use of ptys
|
|
|
|
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
|
|
|
|
create_pty(priv_app)
|
2017-01-06 00:44:32 +01:00
|
|
|
|
2018-10-28 00:20:38 +02:00
|
|
|
# Allow loading executable code from writable priv-app home
|
|
|
|
# directories. This is a W^X violation, however, it needs
|
|
|
|
# to be supported for now for the following reasons.
|
|
|
|
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
|
|
|
|
# 1) com.android.opengl.shaders_cache
|
|
|
|
# 2) com.android.skia.shaders_cache
|
|
|
|
# 3) com.android.renderscript.cache
|
|
|
|
# * /data/user_de/0/com.google.android.gms/app_chimera
|
|
|
|
# TODO: Tighten (b/112357170)
|
|
|
|
allow priv_app privapp_data_file:file execute;
|
2017-01-06 00:44:32 +01:00
|
|
|
|
2021-02-10 19:07:45 +01:00
|
|
|
# Chrome Crashpad uses the the dynamic linker to load native executables
|
|
|
|
# from an APK (b/112050209, crbug.com/928422)
|
|
|
|
allow priv_app system_linker_exec:file execute_no_trans;
|
|
|
|
|
2019-01-24 22:05:03 +01:00
|
|
|
allow priv_app privapp_data_file:lnk_file create_file_perms;
|
|
|
|
|
2019-03-22 00:52:30 +01:00
|
|
|
# Priv apps can find services that expose both @SystemAPI and normal APIs.
|
2018-01-09 20:27:36 +01:00
|
|
|
allow priv_app app_api_service:service_manager find;
|
2019-03-22 00:52:30 +01:00
|
|
|
allow priv_app system_api_service:service_manager find;
|
|
|
|
|
2017-01-06 00:44:32 +01:00
|
|
|
allow priv_app audioserver_service:service_manager find;
|
|
|
|
allow priv_app cameraserver_service:service_manager find;
|
|
|
|
allow priv_app drmserver_service:service_manager find;
|
|
|
|
allow priv_app mediadrmserver_service:service_manager find;
|
|
|
|
allow priv_app mediaextractor_service:service_manager find;
|
2018-01-09 20:27:36 +01:00
|
|
|
allow priv_app mediametrics_service:service_manager find;
|
2017-01-06 00:44:32 +01:00
|
|
|
allow priv_app mediaserver_service:service_manager find;
|
2020-09-18 09:47:05 +02:00
|
|
|
allow priv_app music_recognition_service:service_manager find;
|
2017-11-13 18:52:05 +01:00
|
|
|
allow priv_app network_watchlist_service:service_manager find;
|
2017-01-06 00:44:32 +01:00
|
|
|
allow priv_app nfc_service:service_manager find;
|
2017-02-17 14:51:32 +01:00
|
|
|
allow priv_app oem_lock_service:service_manager find;
|
2017-01-06 00:44:32 +01:00
|
|
|
allow priv_app persistent_data_block_service:service_manager find;
|
2018-01-09 20:27:36 +01:00
|
|
|
allow priv_app radio_service:service_manager find;
|
2017-01-06 00:44:32 +01:00
|
|
|
allow priv_app recovery_service:service_manager find;
|
2018-01-09 20:27:36 +01:00
|
|
|
allow priv_app stats_service:service_manager find;
|
2019-02-08 00:00:55 +01:00
|
|
|
|
2017-01-06 00:44:32 +01:00
|
|
|
# Write to /cache.
|
|
|
|
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
|
|
|
|
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
|
2017-01-24 07:19:06 +01:00
|
|
|
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
|
|
|
|
allow priv_app cache_file:lnk_file r_file_perms;
|
2017-01-06 00:44:32 +01:00
|
|
|
|
|
|
|
# Access to /data/media.
|
|
|
|
allow priv_app media_rw_data_file:dir create_dir_perms;
|
|
|
|
allow priv_app media_rw_data_file:file create_file_perms;
|
|
|
|
|
|
|
|
# Used by Finsky / Android "Verify Apps" functionality when
|
|
|
|
# running "adb install foo.apk".
|
|
|
|
allow priv_app shell_data_file:file r_file_perms;
|
|
|
|
allow priv_app shell_data_file:dir r_dir_perms;
|
|
|
|
|
2018-03-13 17:56:27 +01:00
|
|
|
# Allow traceur to pass file descriptors through a content provider to betterbug
|
|
|
|
allow priv_app trace_data_file:file { getattr read };
|
|
|
|
|
2021-03-17 18:45:52 +01:00
|
|
|
# Allow betterbug to read profile reports generated by profcollect.
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow priv_app profcollectd_data_file:file r_file_perms;
|
|
|
|
')
|
|
|
|
|
2021-01-07 18:12:21 +01:00
|
|
|
# Allow the bug reporting frontend to read the presence and timestamp of the
|
|
|
|
# trace attached to the bugreport (but not its contents, which will go in the
|
|
|
|
# usual bugreport .zip file). This is used by the bug reporting UI to tell if
|
|
|
|
# the bugreport will contain a system trace or not while the bugreport is still
|
|
|
|
# in progress.
|
2021-11-25 14:57:24 +01:00
|
|
|
allow priv_app wm_trace_data_file:dir r_dir_perms;
|
|
|
|
allow priv_app wm_trace_data_file:file getattr;
|
2021-01-07 18:12:21 +01:00
|
|
|
allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
|
|
|
|
allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
|
2021-01-18 10:26:57 +01:00
|
|
|
# Required to traverse the parent dir (/data/misc/perfetto-traces).
|
|
|
|
allow priv_app perfetto_traces_data_file:dir { search };
|
2021-01-07 18:12:21 +01:00
|
|
|
|
2021-12-10 22:50:44 +01:00
|
|
|
# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
|
|
|
|
# the framework (i.e. TracingServiceProxy) and sendfile them into their private
|
|
|
|
# directories for reporting when network and battery conditions are
|
|
|
|
# appropriate.
|
|
|
|
allow priv_app perfetto:fd use;
|
|
|
|
allow priv_app perfetto_traces_data_file:file { read getattr };
|
|
|
|
|
2017-01-06 00:44:32 +01:00
|
|
|
# Allow verifier to access staged apks.
|
|
|
|
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
|
|
|
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
|
|
|
|
|
|
|
# For AppFuse.
|
|
|
|
allow priv_app vold:fd use;
|
|
|
|
allow priv_app fuse_device:chr_file { read write };
|
|
|
|
|
2017-12-09 00:37:01 +01:00
|
|
|
# /proc access
|
|
|
|
allow priv_app {
|
|
|
|
proc_vmstat
|
|
|
|
}:file r_file_perms;
|
|
|
|
|
|
|
|
allow priv_app sysfs_type:dir search;
|
|
|
|
# Read access to /sys/block/zram*/mm_stat
|
|
|
|
r_dir_file(priv_app, sysfs_zram)
|
|
|
|
|
2017-01-06 00:44:32 +01:00
|
|
|
r_dir_file(priv_app, rootfs)
|
|
|
|
|
2019-12-13 22:30:53 +01:00
|
|
|
# Allow com.android.vending to communicate with statsd.
|
2018-01-09 20:27:36 +01:00
|
|
|
binder_call(priv_app, statsd)
|
|
|
|
|
2017-01-06 00:44:32 +01:00
|
|
|
# Allow Phone to read/write cached ringtones (opened by system).
|
|
|
|
allow priv_app ringtone_file:file { getattr read write };
|
|
|
|
|
|
|
|
# Access to /data/preloads
|
|
|
|
allow priv_app preloads_data_file:file r_file_perms;
|
|
|
|
allow priv_app preloads_data_file:dir r_dir_perms;
|
2017-03-14 19:42:03 +01:00
|
|
|
allow priv_app preloads_media_file:file r_file_perms;
|
|
|
|
allow priv_app preloads_media_file:dir r_dir_perms;
|
2017-01-06 00:44:32 +01:00
|
|
|
|
2016-11-08 00:11:39 +01:00
|
|
|
read_runtime_log_tags(priv_app)
|
|
|
|
|
2017-12-21 03:51:15 +01:00
|
|
|
# Write app-specific trace data to the Perfetto traced damon. This requires
|
|
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
2019-10-08 17:15:14 +02:00
|
|
|
perfetto_producer(priv_app)
|
2017-12-21 03:51:15 +01:00
|
|
|
|
2019-03-16 23:45:45 +01:00
|
|
|
# Allow priv_apps to request and collect incident reports.
|
|
|
|
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
|
|
|
|
allow priv_app incident_service:service_manager find;
|
|
|
|
binder_call(priv_app, incidentd)
|
|
|
|
allow priv_app incidentd:fifo_file { read write };
|
|
|
|
|
2020-01-22 20:16:13 +01:00
|
|
|
# Allow profiling if the app opts in by being marked profileable/debuggable.
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
can_profile_heap(priv_app)
|
2020-01-22 20:16:13 +01:00
|
|
|
can_profile_perf(priv_app)
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
|
2019-04-26 10:14:52 +02:00
|
|
|
# Allow priv_apps to check whether Dynamic System Update is enabled
|
|
|
|
get_prop(priv_app, dynamic_system_prop)
|
|
|
|
|
2018-01-18 17:55:02 +01:00
|
|
|
# suppress denials for non-API accesses.
|
2017-09-26 21:58:29 +02:00
|
|
|
dontaudit priv_app exec_type:file getattr;
|
2017-10-20 22:35:42 +02:00
|
|
|
dontaudit priv_app device:dir read;
|
2018-04-21 00:27:21 +02:00
|
|
|
dontaudit priv_app fs_bpf:dir search;
|
2018-04-04 23:36:13 +02:00
|
|
|
dontaudit priv_app net_dns_prop:file read;
|
2017-12-09 00:37:01 +01:00
|
|
|
dontaudit priv_app proc:file read;
|
2017-10-20 22:35:42 +02:00
|
|
|
dontaudit priv_app proc_interrupts:file read;
|
|
|
|
dontaudit priv_app proc_modules:file read;
|
2019-05-10 01:14:04 +02:00
|
|
|
dontaudit priv_app proc_net:file read;
|
2018-01-30 05:50:59 +01:00
|
|
|
dontaudit priv_app proc_stat:file read;
|
2018-01-18 17:55:02 +01:00
|
|
|
dontaudit priv_app proc_version:file read;
|
2018-04-04 23:36:13 +02:00
|
|
|
dontaudit priv_app sysfs:dir read;
|
2018-06-29 20:04:24 +02:00
|
|
|
dontaudit priv_app sysfs:file read;
|
2018-04-04 23:36:13 +02:00
|
|
|
dontaudit priv_app sysfs_android_usb:file read;
|
2019-10-25 11:01:40 +02:00
|
|
|
dontaudit priv_app sysfs_dm:file r_file_perms;
|
2020-06-25 14:20:42 +02:00
|
|
|
dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
|
2017-09-26 21:58:29 +02:00
|
|
|
|
2017-12-15 03:20:30 +01:00
|
|
|
# allow privileged apps to use UDP sockets provided by the system server but not
|
|
|
|
# modify them other than to connect
|
2018-03-27 15:34:54 +02:00
|
|
|
allow priv_app system_server:udp_socket {
|
|
|
|
connect getattr read recvfrom sendto write getopt setopt };
|
2017-12-15 03:20:30 +01:00
|
|
|
|
2020-02-13 17:38:36 +01:00
|
|
|
# allow apps like Phonesky to check the file signature of an apk installed on
|
2021-02-09 23:33:24 +01:00
|
|
|
# the Incremental File System, fill missing blocks and get the app status and loading progress
|
2021-01-15 06:01:25 +01:00
|
|
|
allowxperm priv_app apk_data_file:file ioctl {
|
|
|
|
INCFS_IOCTL_READ_SIGNATURE
|
|
|
|
INCFS_IOCTL_FILL_BLOCKS
|
|
|
|
INCFS_IOCTL_GET_BLOCK_COUNT
|
2021-02-09 23:33:24 +01:00
|
|
|
INCFS_IOCTL_GET_FILLED_BLOCKS
|
2021-01-15 06:01:25 +01:00
|
|
|
};
|
2020-02-13 17:38:36 +01:00
|
|
|
|
2020-02-22 02:41:40 +01:00
|
|
|
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
|
2020-03-18 02:30:34 +01:00
|
|
|
allow priv_app incremental_control_file:file { read getattr ioctl };
|
|
|
|
|
|
|
|
# allow apps like Phonesky to request permission to fill blocks of an apk file
|
|
|
|
# on the Incremental File System.
|
|
|
|
allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
|
2020-02-22 02:41:40 +01:00
|
|
|
|
2021-02-04 23:41:41 +01:00
|
|
|
# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
|
|
|
|
get_prop(priv_app, incremental_prop)
|
|
|
|
|
2020-04-22 01:04:04 +02:00
|
|
|
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
|
|
|
|
allow priv_app apex_data_file:dir search;
|
|
|
|
allow priv_app staging_data_file:file r_file_perms;
|
2020-12-10 22:48:51 +01:00
|
|
|
# Required for Phonesky to be able to read staged files under /data/app-staging.
|
|
|
|
allow priv_app staging_data_file:dir r_dir_perms;
|
2020-04-22 01:04:04 +02:00
|
|
|
|
2022-10-04 00:32:09 +02:00
|
|
|
# Allow com.android.vending to access files under vendor/apex as well as system apex files.
|
|
|
|
# This is required for com.android.vending to handle APEXes for e.g. delta patch optimization.
|
|
|
|
allow priv_app vendor_apex_file:dir r_dir_perms;
|
|
|
|
allow priv_app vendor_apex_file:file r_file_perms;
|
|
|
|
|
2020-06-17 11:57:25 +02:00
|
|
|
# allow priv app to access the system app data files for ContentProvider case.
|
|
|
|
allow priv_app system_app_data_file:file { read getattr };
|
|
|
|
|
2021-06-09 18:36:39 +02:00
|
|
|
# Allow the renderscript compiler to be run.
|
|
|
|
domain_auto_trans(priv_app, rs_exec, rs)
|
|
|
|
|
|
|
|
# Allow loading and deleting executable shared libraries
|
|
|
|
# within an application home directory. Such shared libraries would be
|
|
|
|
# created by things like renderscript or via other mechanisms.
|
|
|
|
allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
|
|
|
|
|
2022-10-24 13:32:34 +02:00
|
|
|
# Allow privileged apps to create a VM. Note that access is still
|
|
|
|
# guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
|
|
|
|
# permission.
|
|
|
|
virtualizationservice_use(priv_app)
|
|
|
|
|
2017-01-06 00:44:32 +01:00
|
|
|
###
|
|
|
|
### neverallow rules
|
|
|
|
###
|
|
|
|
|
|
|
|
# Receive or send uevent messages.
|
|
|
|
neverallow priv_app domain:netlink_kobject_uevent_socket *;
|
|
|
|
|
|
|
|
# Receive or send generic netlink messages
|
|
|
|
neverallow priv_app domain:netlink_socket *;
|
|
|
|
|
2020-10-27 12:28:00 +01:00
|
|
|
# Read or write kernel printk buffer
|
|
|
|
neverallow priv_app kmsg_device:chr_file no_rw_file_perms;
|
|
|
|
|
2017-01-06 00:44:32 +01:00
|
|
|
# Too much leaky information in debugfs. It's a security
|
|
|
|
# best practice to ensure these files aren't readable.
|
|
|
|
neverallow priv_app debugfs:file read;
|
|
|
|
|
|
|
|
# Do not allow privileged apps to register services.
|
|
|
|
# Only trusted components of Android should be registering
|
|
|
|
# services.
|
|
|
|
neverallow priv_app service_manager_type:service_manager add;
|
|
|
|
|
|
|
|
# Do not allow privileged apps to connect to the property service
|
|
|
|
# or set properties. b/10243159
|
|
|
|
neverallow priv_app property_socket:sock_file write;
|
|
|
|
neverallow priv_app init:unix_stream_socket connectto;
|
|
|
|
neverallow priv_app property_type:property_service set;
|
|
|
|
|
|
|
|
# Do not allow priv_app to be assigned mlstrustedsubject.
|
|
|
|
# This would undermine the per-user isolation model being
|
|
|
|
# enforced via levelFrom=user in seapp_contexts and the mls
|
|
|
|
# constraints. As there is no direct way to specify a neverallow
|
|
|
|
# on attribute assignment, this relies on the fact that fork
|
|
|
|
# permission only makes sense within a domain (hence should
|
|
|
|
# never be granted to any other domain within mlstrustedsubject)
|
|
|
|
# and priv_app is allowed fork permission to itself.
|
|
|
|
neverallow priv_app mlstrustedsubject:process fork;
|
|
|
|
|
|
|
|
# Do not allow priv_app to hard link to any files.
|
|
|
|
# In particular, if priv_app links to other app data
|
|
|
|
# files, installd will not be able to guarantee the deletion
|
|
|
|
# of the linked to file. Hard links also contribute to security
|
|
|
|
# bugs, so we want to ensure priv_app never has this
|
|
|
|
# capability.
|
|
|
|
neverallow priv_app file_type:file link;
|
2018-03-13 17:56:27 +01:00
|
|
|
|
|
|
|
# priv apps should not be able to open trace data files, they should depend
|
|
|
|
# upon traceur to pass a file descriptor which they can then read
|
|
|
|
neverallow priv_app trace_data_file:dir *;
|
|
|
|
neverallow priv_app trace_data_file:file { no_w_file_perms open };
|
2018-10-11 00:48:15 +02:00
|
|
|
|
|
|
|
# Do not allow priv_app access to cgroups.
|
|
|
|
neverallow priv_app cgroup:file *;
|
2021-02-12 00:18:11 +01:00
|
|
|
neverallow priv_app cgroup_v2:file *;
|
2018-10-28 00:20:38 +02:00
|
|
|
|
|
|
|
# Do not allow loading executable code from non-privileged
|
|
|
|
# application home directories. Code loading across a security boundary
|
|
|
|
# is dangerous and allows a full compromise of a privileged process
|
|
|
|
# by an unprivileged process. b/112357170
|
|
|
|
neverallow priv_app app_data_file:file no_x_file_perms;
|
2019-01-24 22:05:03 +01:00
|
|
|
|
|
|
|
# Do not follow untrusted app provided symlinks
|
|
|
|
neverallow priv_app app_data_file:lnk_file { open read getattr };
|
2021-09-24 11:52:08 +02:00
|
|
|
|
|
|
|
# Do not allow getting permission-protected network information from sysfs.
|
|
|
|
neverallow priv_app sysfs_net:file *;
|
|
|
|
|
|
|
|
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
|
|
|
|
# ioctl permission, or 3. disallow the socket class.
|
|
|
|
neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
|
|
|
neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
|
|
|
|
neverallow priv_app *:{
|
|
|
|
socket netlink_socket packet_socket key_socket appletalk_socket
|
|
|
|
netlink_tcpdiag_socket netlink_nflog_socket
|
|
|
|
netlink_xfrm_socket netlink_audit_socket
|
|
|
|
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
|
|
|
|
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
|
|
|
|
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
|
|
|
|
netlink_rdma_socket netlink_crypto_socket sctp_socket
|
|
|
|
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
|
|
|
|
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
|
|
|
|
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
|
|
|
|
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
|
|
|
|
} *;
|
2022-02-04 19:49:30 +01:00
|
|
|
|
|
|
|
# Allow priv apps to report off body events to keystore2.
|
|
|
|
allow priv_app keystore:keystore2 report_off_body;
|