platform_system_sepolicy/private/system_app.te

###
### Apps that run with the system UID, e.g. com.android.system.ui,
### com.android.settings.  These are not as privileged as the system
### server.
###

typeattribute system_app coredomain;

app_domain(system_app)
net_domain(system_app)
binder_service(system_app)

# android.ui and system.ui
allow system_app rootfs:dir getattr;

# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;

# Read and write to /data/misc/user.
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;

# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;

# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;

# Read icon file.
allow system_app icon_file:file r_file_perms;

# Write to properties
set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
set_prop(system_app, log_tag_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;

# ctl interface
set_prop(system_app, ctl_default_prop)
set_prop(system_app, ctl_bugreport_prop)

# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;

# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;

# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)

allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;

allow system_app keystore:keystore_key {
    get_state
    get
    insert
    delete
    exist
    list
    reset
    password
    lock
    unlock
    is_empty
    sign
    verify
    grant
    duplicate
    clear_uid
    user_changed
};

# /sys access
r_dir_file(system_app, sysfs_type)

# settings app reads /proc/version and /proc/pagetypeinfo
allow system_app proc:file r_file_perms;

control_logd(system_app)
read_runtime_log_tags(system_app)

###
### Neverallow rules
###

# app domains which access /dev/fuse should not run as system_app
neverallow system_app fuse_device:chr_file *;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96 2017-01-06 02:18:32 +01:00			`###`
			`### Apps that run with the system UID, e.g. com.android.system.ui,`
			`### com.android.settings. These are not as privileged as the system`
			`### server.`
			`###`

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute system_app coredomain;`
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96 2017-01-06 02:18:32 +01:00
Restore app_domain macro and move to private use. app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665 2016-12-08 20:23:34 +01:00			`app_domain(system_app)`
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96 2017-01-06 02:18:32 +01:00			`net_domain(system_app)`
			`binder_service(system_app)`

domain_deprecated: remove rootfs access Grant audited permissions collected in logs. tcontext=platform_app avc: granted { getattr } for comm=496E666C6174657254687265616420 path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir tcontext=system_app avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir tcontext=update_engine avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0" ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file Bug: 28760354 Test: build Change-Id: I6135eea1d10b903a4a7e69da468097f495484665 2017-07-11 05:39:50 +02:00			`# android.ui and system.ui`
			`allow system_app rootfs:dir getattr;`

Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96 2017-01-06 02:18:32 +01:00			`# Read and write /data/data subdirectory.`
			`allow system_app system_app_data_file:dir create_dir_perms;`
			`allow system_app system_app_data_file:{ file lnk_file } create_file_perms;`

			`# Read and write to /data/misc/user.`
			`allow system_app misc_user_data_file:dir create_dir_perms;`
			`allow system_app misc_user_data_file:file create_file_perms;`

			`# Access to vold-mounted storage for measuring free space`
			`allow system_app mnt_media_rw_file:dir search;`

			`# Read wallpaper file.`
			`allow system_app wallpaper_file:file r_file_perms;`

			`# Read icon file.`
			`allow system_app icon_file:file r_file_perms;`

			`# Write to properties`
			`set_prop(system_app, bluetooth_prop)`
			`set_prop(system_app, debug_prop)`
			`set_prop(system_app, system_prop)`
			`set_prop(system_app, logd_prop)`
			`set_prop(system_app, net_radio_prop)`
			`set_prop(system_app, system_radio_prop)`
			`set_prop(system_app, log_tag_prop)`
			userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
			`auditallow system_app net_radio_prop:property_service set;`
			`auditallow system_app system_radio_prop:property_service set;`

			`# ctl interface`
			`set_prop(system_app, ctl_default_prop)`
			`set_prop(system_app, ctl_bugreport_prop)`

			`# Create /data/anr/traces.txt.`
			`allow system_app anr_data_file:dir ra_dir_perms;`
			`allow system_app anr_data_file:file create_file_perms;`

			`# Settings need to access app name and icon from asec`
			`allow system_app asec_apk_file:file r_file_perms;`

Add incident command and incidentd daemon se policy. Test: adb shell incident Bug: 31122534 Change-Id: I4ac9c9ab86867f09b63550707673149fe60f1906 2016-11-21 08:23:04 +01:00			`# Allow system apps to interact with incidentd`
			`binder_call(system_app, incidentd)`

Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96 2017-01-06 02:18:32 +01:00			`allow system_app servicemanager:service_manager list;`
			`# TODO: scope this down? Too broad?`
VR: Add sepolicy for VR HWC service VR HWC is being split out of VR Window Manager. It creates a HW binder interface used by SurfaceFlinger which implements the HWComposer HAL and a regular binder interface which will be used by a system app to receive the SurfaceFlinger output. Bug: b/36051907 Test: Ran in permissive mode and ensured no permission errors show in logcat. Change-Id: If1360bc8fa339a80100124c4e89e69c64b29d2ae 2017-03-14 21:26:17 +01:00			`allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;`
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96 2017-01-06 02:18:32 +01:00
			`allow system_app keystore:keystore_key {`
			`get_state`
			`get`
			`insert`
			`delete`
			`exist`
			`list`
			`reset`
			`password`
			`lock`
			`unlock`
			`is_empty`
			`sign`
			`verify`
			`grant`
			`duplicate`
			`clear_uid`
			`user_changed`
			`};`

			`# /sys access`
			`r_dir_file(system_app, sysfs_type)`

domain_deprecated: remove proc access Remove "granted" logspam. Grante the observed permissions to the individual processes that need them and remove the permission from domain_deprecated. avc: granted { read open } for comm="ndroid.settings" path="/proc/version" dev="proc" ino=4026532081 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm=4173796E635461736B202332 path="/proc/pagetypeinfo" dev="proc" ino=4026532129 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="uncrypt" path="/proc/cmdline" dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="tiveportallogin" path="/proc/vmstat" dev="proc" ino=4026532130 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file This change is specifically not granting the following since it should not be allowed: avc: granted { read open } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="crash_dump64" name="filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file Bug: 64032843 Bug: 28760354 Test: build Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0 2017-07-26 01:43:49 +02:00			`# settings app reads /proc/version and /proc/pagetypeinfo`
			`allow system_app proc:file r_file_perms;`

Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96 2017-01-06 02:18:32 +01:00			`control_logd(system_app)`
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e 2016-11-08 00:11:39 +01:00			`read_runtime_log_tags(system_app)`
relax fuse_device neverallow rules The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold. Bug: 37496487 Test: policy compiles. Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d 2017-04-26 20:40:48 +02:00
			`###`
			`### Neverallow rules`
			`###`

			`# app domains which access /dev/fuse should not run as system_app`
			`neverallow system_app fuse_device:chr_file *;`