platform_system_sepolicy/priv_app.te
Felipe Leme 549ccf77e3 Creates a new permission for /cache/recovery
This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
2016-01-04 23:11:28 +00:00

119 lines
4.3 KiB
Text

###
### A domain for further sandboxing privileged apps.
###
type priv_app, domain, domain_deprecated;
app_domain(priv_app)
# Access the network.
net_domain(priv_app)
# Access bluetooth.
bluetooth_domain(priv_app)
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow priv_app app_data_file:file rx_file_perms;
# android.process.media uses /dev/mtp_usb
allow priv_app mtp_device:chr_file rw_file_perms;
# Allow the allocation and use of ptys
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)
allow priv_app drmserver_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app surfaceflinger_service:service_manager find;
allow priv_app app_api_service:service_manager find;
allow priv_app system_api_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
allow priv_app mnt_media_rw_file:dir search;
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
auditallow priv_app cache_recovery_file:dir create_dir_perms;
auditallow priv_app cache_recovery_file:file create_file_perms;
# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
# b/18504118: Allow reads from /data/anr/traces.txt
allow priv_app anr_data_file:file r_file_perms;
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
userdebug_or_eng(`
allow priv_app perfprofd_data_file:file r_file_perms;
allow priv_app perfprofd_data_file:dir r_dir_perms;
')
# Allow GMS core to stat files and executables on
# the system partition
allow priv_app exec_type:file getattr;
# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
# /sys access
allow priv_app sysfs_zram:dir search;
allow priv_app sysfs_zram:file r_file_perms;
###
### neverallow rules
###
# Receive or send uevent messages.
neverallow priv_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs:file read;
# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow priv_app service_manager_type:service_manager add;
# Do not allow privileged apps to connect to the property service
# or set properties. b/10243159
neverallow priv_app property_socket:sock_file write;
neverallow priv_app init:unix_stream_socket connectto;
neverallow priv_app property_type:property_service set;
# Do not allow priv_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and priv_app is allowed fork permission to itself.
neverallow priv_app mlstrustedsubject:process fork;
# Do not allow priv_app to hard link to any files.
# In particular, if priv_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;