### ### Domain for all zygote spawned apps ### ### This file is the base policy for all zygote spawned apps. ### Other policy files, such as isolated_app.te, untrusted_app.te, etc ### extend from this policy. Only policies which should apply to ALL ### zygote spawned apps should be added here. ### # Allow apps to connect to the keystore unix_socket_connect(appdomain, keystore, keystore) # Receive and use open file descriptors inherited from zygote. allow appdomain zygote:fd use; # gdbserver for ndk-gdb reads the zygote. allow appdomain zygote_exec:file r_file_perms; # gdbserver for ndk-gdb ptrace attaches to app process. allow appdomain self:process ptrace; # Read system properties managed by zygote. allow appdomain zygote_tmpfs:file read; # Notify zygote of death; allow appdomain zygote:process sigchld; # Notify shell and adbd of death when spawned via runas for ndk-gdb. allow appdomain shell:process sigchld; allow appdomain adbd:process sigchld; # child shell or gdbserver pty access for runas. allow appdomain devpts:chr_file { getattr read write ioctl }; # Communicate with system_server. allow appdomain system_server:fifo_file rw_file_perms; allow appdomain system_server:unix_stream_socket { read write setopt }; binder_call(appdomain, system_server) # Communication with other apps via fifos allow appdomain appdomain:fifo_file rw_file_perms; # Communicate with surfaceflinger. allow appdomain surfaceflinger:unix_stream_socket { read write setopt }; binder_call(appdomain, surfaceflinger) # App sandbox file accesses. allow appdomain app_data_file:dir create_dir_perms; allow appdomain app_data_file:notdevfile_class_set create_file_perms; # Read/write data files created by the platform apps if they # were passed to the app via binder or local IPC. Do not allow open. allow appdomain platform_app_data_file:file { getattr read write }; # lib subdirectory of /data/data dir is system-owned. allow appdomain system_data_file:dir r_dir_perms; allow appdomain system_data_file:file { execute execute_no_trans open }; # Execute the shell or other system executables. allow appdomain shell_exec:file rx_file_perms; allow appdomain system_file:file rx_file_perms; allow appdomain ping_exec:file rx_file_perms; # Read/write wallpaper file (opened by system). allow appdomain wallpaper_file:file { read write }; # Write to /data/anr/traces.txt. allow appdomain anr_data_file:dir search; allow appdomain anr_data_file:file { open append }; # Write to /proc/net/xt_qtaguid/ctrl file. allow appdomain qtaguid_proc:file rw_file_perms; # Everybody can read the xt_qtaguid resource tracking misc dev. # So allow all apps to read from /dev/xt_qtaguid. allow appdomain qtaguid_device:chr_file r_file_perms; # Grant GPU access to all processes started by Zygote. # They need that to render the standard UI. allow appdomain gpu_device:chr_file { rw_file_perms execute }; # Use the Binder. binder_use(appdomain) # Perform binder IPC to binder services. binder_call(appdomain, binderservicedomain) # Perform binder IPC to other apps. binder_call(appdomain, appdomain) # Appdomain interaction with isolated apps r_dir_file(appdomain, isolated_app) # Already connected, unnamed sockets being passed over some other IPC # hence no sock_file or connectto permission. This appears to be how # Chrome works, may need to be updated as more apps using isolated services # are examined. allow appdomain isolated_app:unix_stream_socket { read write }; # Backup ability for every app. BMS opens and passes the fd # to any app that has backup ability. Hence, no open permissions here. allow appdomain backup_data_file:file { read write getattr }; allow appdomain cache_backup_file:file { read write getattr }; # Backup ability using 'adb backup' allow appdomain system_data_file:lnk_file getattr; # Allow all applications to read downloaded files allow appdomain download_file:dir search; allow appdomain download_file:file r_file_perms; # Allow applications to communicate with netd via /dev/socket/dnsproxyd # to do DNS resolution unix_socket_connect(appdomain, dnsproxyd, netd) # Allow applications to communicate with drmserver over binder binder_call(appdomain, drmserver) # Allow applications to communicate with mediaserver over binder binder_call(appdomain, mediaserver) # Allow applications to make outbound tcp connections to any port allow appdomain port_type:tcp_socket name_connect; # Allow apps to see changes to the routing table. allow appdomain self:netlink_route_socket { read bind create nlmsg_read ioctl getattr setattr getopt setopt shutdown }; # Allow apps to use rawip sockets. This is needed for apps which execute # /system/bin/ping, for example. allow appdomain self:rawip_socket create_socket_perms; # Allow apps to use the USB Accessory interface. # http://developer.android.com/guide/topics/connectivity/usb/accessory.html # # USB devices are first opened by the system server (USBDeviceManagerService) # and the file descriptor is passed to the right Activity via binder. allow appdomain usb_device:chr_file { read write getattr ioctl }; allow appdomain usbaccessory_device:chr_file { read write getattr }; ### ### Neverallow rules ### ### These are things that Android apps should NEVER be able to do ### # Superuser capabilities. # bluetooth requires net_admin. neverallow { appdomain -unconfineddomain -bluetooth } self:capability *; neverallow { appdomain -unconfineddomain } self:capability2 *; # Block device access. neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write }; # Access to any character device that is not specifically typed. neverallow { appdomain -unconfineddomain } device:chr_file { read write }; # Access to any of the following character devices. neverallow { appdomain -unconfineddomain } { audio_device camera_device dm_device radio_device gps_device rpmsg_device }:chr_file { read write }; # Note: Try expanding list of app domains in the future. neverallow { untrusted_app isolated_app shell -unconfineddomain } graphics_device:chr_file { read write }; neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file { read write }; neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file { read write }; neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write }; # Set SELinux enforcing mode, booleans or any other SELinux settings. neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool setsecparam setcheckreqprot }; # Load security policy. neverallow appdomain kernel:security load_policy; # Privileged netlink socket interfaces. neverallow { appdomain -unconfineddomain } self:{ netlink_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } *; # Sockets under /dev/socket that are not specifically typed. neverallow { appdomain -unconfineddomain } socket_device:sock_file write; # Unix domain sockets. neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write; neverallow { appdomain -unconfineddomain } bluetooth_socket:sock_file write; neverallow { appdomain -unconfineddomain } installd_socket:sock_file write; neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain } property_socket:sock_file write; neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write; neverallow { appdomain -unconfineddomain } vold_socket:sock_file write; neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write; # ptrace access to non-app domains. neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace; # Write access to /proc/pid entries for any non-app domain. neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write; # signal access to non-app domains. # sigchld allowed for parent death notification. # signull allowed for kill(pid, 0) existence test. # All others prohibited. neverallow { appdomain -unconfineddomain } { domain -appdomain }:process { sigkill sigstop signal }; # Transition to a non-app domain. # Exception for the shell domain, can transition to runas, ping, etc. neverallow { appdomain -shell -unconfineddomain } ~appdomain:process { transition dyntransition }; # Map low memory. # Note: Take to domain.te and apply to all domains in the future. neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero; # Write to rootfs. neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Write to /system. neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Write to entrypoint executables. neverallow { appdomain -unconfineddomain } exec_type:file { create write setattr relabelfrom relabelto append unlink link rename }; # Write to system-owned parts of /data. # This is the default type for anything under /data not otherwise # specified in file_contexts. Define a different type for portions # that should be writable by apps. # Exception for system_app for Settings. neverallow { appdomain -unconfineddomain -system_app } system_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Write to various other parts of /data. neverallow { appdomain -system_app -unconfineddomain } security_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -platform_app -unconfineddomain } apk_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -platform_app -unconfineddomain } apk_tmp_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -platform_app -unconfineddomain } apk_private_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -platform_app -unconfineddomain } apk_private_tmp_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -shell -unconfineddomain } shell_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -bluetooth -unconfineddomain } bluetooth_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -unconfineddomain } keystore_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -unconfineddomain } systemkeys_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -unconfineddomain } wifi_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -unconfineddomain } dhcp_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Access to factory files. neverallow { appdomain -unconfineddomain } efs_file:dir_file_class_set { read write }; # Write to various pseudo file systems. neverallow { appdomain -nfc -unconfineddomain } sysfs:dir_file_class_set write; neverallow { appdomain -system_app -unconfineddomain } selinuxfs:dir_file_class_set write; neverallow { appdomain -unconfineddomain } proc:dir_file_class_set write; # Access to syslog(2) or /proc/kmsg. neverallow { appdomain -system_app -unconfineddomain } kernel:system { syslog_read syslog_mod syslog_console }; # Ability to perform any filesystem operation other than statfs(2). # i.e. no mount(2), unmount(2), etc. neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr; # Ability to set system properties. neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain } property_type:property_service set;