platform_system_sepolicy/platform_app.te

###
### Apps signed with the platform key.
###

type platform_app, domain;
app_domain(platform_app)
# Access the network.
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms;

# Access to /data/media.
allow platform_app media_rw_data_file:dir create_dir_perms;
allow platform_app media_rw_data_file:file create_file_perms;

# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;

# Direct access to vold-mounted storage under /mnt/media_rw
# This is a performance optimization that allows platform apps to bypass the FUSE layer
allow platform_app mnt_media_rw_file:dir r_dir_perms;
allow platform_app vfat:dir create_dir_perms;
allow platform_app vfat:file create_file_perms;

allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
Move *_app into their own file app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change. Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f 2013-07-13 01:33:29 +02:00			`###`
			`### Apps signed with the platform key.`
			`###`

			`type platform_app, domain;`
			`app_domain(platform_app)`
			`# Access the network.`
			`net_domain(platform_app)`
			`# Access bluetooth.`
			`bluetooth_domain(platform_app)`
Clean up, unify, and deduplicate app domain rules. Coalesce a number of allow rules replicated among multiple app domains. Get rid of duplicated rules already covered by domain, appdomain, or platformappdomain rules. Split the platformappdomain rules to their own platformappdomain.te file, document them more fully, and note the inheritance in each of the relevant *_app.te files. Generalize isolated app unix_stream_socket rules to all app domains to resolve denials such as: avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket Change-Id: I770d7d51d498b15447219083739153265d951fe5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-06 22:03:48 +01:00			`# Read from /data/local/tmp or /data/data/com.android.shell.`
Confine all app domains, but make them permissive for now. As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done. Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-23 19:12:55 +02:00			`allow platform_app shell_data_file:dir search;`
			`allow platform_app shell_data_file:file { open getattr read };`
			`# Populate /data/app/vmdl.tmp, /data/app-private/vmdl.tmp files`
			`# created by system server.`
Let DCS read staged APK clusters. DCS is DefaultContainerService. avc: denied { getattr } for path="/data/app/vmdl2.tmp" dev="mmcblk0p28" ino=162910 scontext=u:r:platform_app:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir Bug: 14975160 Change-Id: Ifca9afb4e74ebbfbeb8c01e1e9ea65f5b55e9375 2014-07-09 23:58:46 +02:00			`allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;`
Confine all app domains, but make them permissive for now. As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done. Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-23 19:12:55 +02:00			`allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;`
			`allow platform_app apk_private_data_file:dir search;`
			`# ASEC`
			`allow platform_app asec_apk_file:dir create_dir_perms;`
			`allow platform_app asec_apk_file:file create_file_perms;`

Coalesce shared_app, media_app, release_app into untrusted_app. This change folds the shared_app, media_app, and release_app domains into untrusted_app, reducing the set of app domains down to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth, nfc, radio), a single domain for apps signed by the platform key (platform_app), and a single domain for all other apps (untrusted_app). Thus, SELinux only distinguishes when already distinguished by a predefined Android ID (AID) or by the platform certificate (which get the signature-only Android permissions and thus may require special OS-level accesses). It is still possible to introduce specific app domains for specific apps by adding signer and package stanzas to mac_permissions.xml, but this can be done on an as-needed basis for specialized apps that require particular OS-level permissions outside the usual set. As there is now only a single platform app domains, get rid of the platformappdomain attribute and platform_app_domain() macro. We used to add mlstrustedsubject to those domains but drop this since we are not using MLS in AOSP presently; we can revisit which domains need it if/when we use MLS. Since we are dropping the shared, media, and release seinfo entries from seapp_contexts, drop them from mac_permissions.xml as well. However, we leave the keys.conf entries in case someone wants to add a signer entry in the future for specific apps signed by those keys to mac_permissions.xml. Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-04-04 15:09:25 +02:00			`# Access to /data/media.`
			`allow platform_app media_rw_data_file:dir create_dir_perms;`
			`allow platform_app media_rw_data_file:file create_file_perms;`

			`# Write to /cache.`
			`allow platform_app cache_file:dir create_dir_perms;`
			`allow platform_app cache_file:file create_file_perms;`
Add access control for each service_manager action. Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro. Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964 2014-07-07 22:56:27 +02:00
Grant platform apps access to /mnt/media_rw. Raw physical storage devices are mounted by vold under /mnt/media_rw and then wrapped in a FUSE daemon that presents them under /storage. Normal apps only have access through /storage, but platform apps (such as ExternalStorageProvider) often bypass the FUSE daemon for performance reasons. avc: denied { search } for pid=6411 comm="Binder_1" name="media_rw" dev="tmpfs" ino=6666 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir avc: denied { write } for pid=3701 comm="Binder_2" name="PANO_20131016_162457.jpg" dev="sda1" ino=127 scontext=u:r:platform_app:s0:c522,c768 tcontext=u:object_r:vfat:s0 tclass=file Bug: 19993667 Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad 2015-04-18 22:34:30 +02:00			`# Direct access to vold-mounted storage under /mnt/media_rw`
			`# This is a performance optimization that allows platform apps to bypass the FUSE layer`
			`allow platform_app mnt_media_rw_file:dir r_dir_perms;`
			`allow platform_app vfat:dir create_dir_perms;`
			`allow platform_app vfat:file create_file_perms;`

Allow find access to drmserver_service from nfc and platform_app. Address the following denials: SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:nfc:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manage SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager Bug: 18831075 Change-Id: I2c162f58f4adae9f6c544f9d9c6a9300877b4f36 2014-12-23 02:32:44 +01:00			`allow platform_app drmserver_service:service_manager find;`
Restrict service_manager find and list access. All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting. Bug: 18106000 Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a 2014-12-12 01:01:27 +01:00			`allow platform_app mediaserver_service:service_manager find;`
Enforce more specific service access. Move the following services from tmp_system_server_service to appropriate attributes: network_management network_score notification package permission persistent power print processinfo procstats Bug: 18106000 Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c 2015-04-08 22:04:59 +02:00			`allow platform_app persistent_data_block_service:service_manager find;`
Restrict service_manager find and list access. All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting. Bug: 18106000 Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a 2014-12-12 01:01:27 +01:00			`allow platform_app radio_service:service_manager find;`
			`allow platform_app surfaceflinger_service:service_manager find;`
Add system_api_service and app_api_service attributes. System services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b 2015-04-03 01:50:08 +02:00			`allow platform_app app_api_service:service_manager find;`
			`allow platform_app system_api_service:service_manager find;`