11153ef349
Change-Id: I91f6965dafad54e98e2f7deda956e86acf7d0c96
197 lines
No EOL
6.5 KiB
Text
197 lines
No EOL
6.5 KiB
Text
#
|
|
# Domains for apps that do not run with one of the predefined
|
|
# platform UIDs (system, radio, nfc, ...).
|
|
#
|
|
|
|
#
|
|
# Apps signed with the platform key.
|
|
#
|
|
type platform_app, domain;
|
|
app_domain(platform_app)
|
|
platform_app_domain(platform_app)
|
|
# Access the network.
|
|
net_domain(platform_app)
|
|
# Access bluetooth.
|
|
bluetooth_domain(platform_app)
|
|
# Write to /cache.
|
|
allow platform_app cache_file:dir rw_dir_perms;
|
|
allow platform_app cache_file:file create_file_perms;
|
|
# Read from /data/local.
|
|
allow platform_app shell_data_file:dir search;
|
|
allow platform_app shell_data_file:file { open getattr read };
|
|
allow platform_app shell_data_file:lnk_file read;
|
|
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
|
|
# created by system server.
|
|
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
|
|
allow platform_app apk_private_data_file:dir search;
|
|
# ASEC
|
|
allow platform_app asec_apk_file:dir create_dir_perms;
|
|
allow platform_app asec_apk_file:file create_file_perms;
|
|
allow platform_app download_file:file rw_file_perms;
|
|
|
|
# Apps signed with the media key.
|
|
type media_app, domain;
|
|
app_domain(media_app)
|
|
platform_app_domain(media_app)
|
|
# Access the network.
|
|
net_domain(media_app)
|
|
# Access /dev/mtp_usb.
|
|
allow media_app mtp_device:chr_file rw_file_perms;
|
|
# Write to /cache.
|
|
allow media_app cache_file:dir rw_dir_perms;
|
|
allow media_app cache_file:file create_file_perms;
|
|
# Stat /cache/lost+found
|
|
allow media_app unlabeled:file getattr;
|
|
allow media_app unlabeled:dir getattr;
|
|
# Stat /cache/backup
|
|
allow media_app cache_backup_file:file getattr;
|
|
allow media_app cache_backup_file:dir getattr;
|
|
# Read files in the rootdir
|
|
allow media_app rootfs:file r_file_perms;
|
|
# Allow platform apps to mark platform app data files as download files
|
|
allow media_app platform_app_data_file:dir relabelfrom;
|
|
allow media_app download_file:dir relabelto;
|
|
|
|
# Apps signed with the shared key.
|
|
type shared_app, domain;
|
|
app_domain(shared_app)
|
|
platform_app_domain(shared_app)
|
|
# Access the network.
|
|
net_domain(shared_app)
|
|
# Access bluetooth.
|
|
bluetooth_domain(shared_app)
|
|
# ASEC
|
|
r_dir_file(shared_app, asec_apk_file)
|
|
|
|
# Apps signed with the release key (testkey in AOSP).
|
|
type release_app, domain;
|
|
app_domain(release_app)
|
|
platform_app_domain(release_app)
|
|
# Access the network.
|
|
net_domain(release_app)
|
|
# Access bluetooth.
|
|
bluetooth_domain(release_app)
|
|
|
|
# Services with isolatedProcess=true in their manifest.
|
|
# In order for isolated_apps to interact with apps that have levelFromUid=true
|
|
# set it must be an mlstrustedsubject.
|
|
type isolated_app, domain, mlstrustedsubject;
|
|
app_domain(isolated_app)
|
|
|
|
#
|
|
# Rules for platform app domains.
|
|
#
|
|
|
|
# App sandbox file accesses.
|
|
allow platformappdomain platform_app_data_file:dir create_dir_perms;
|
|
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
|
|
# App sdcard file accesses
|
|
allow platformappdomain sdcard_type:dir create_dir_perms;
|
|
allow platformappdomain sdcard_type:file create_file_perms;
|
|
|
|
|
|
#
|
|
# Untrusted apps.
|
|
#
|
|
type untrusted_app, domain;
|
|
app_domain(untrusted_app)
|
|
net_domain(untrusted_app)
|
|
bluetooth_domain(untrusted_app)
|
|
allow untrusted_app tun_device:chr_file rw_file_perms;
|
|
|
|
# Internal SDCard rw access.
|
|
bool app_internal_sdcard_rw true;
|
|
if (app_internal_sdcard_rw) {
|
|
allow untrusted_app sdcard_internal:dir create_dir_perms;
|
|
allow untrusted_app sdcard_internal:file create_file_perms;
|
|
}
|
|
# External SDCard rw access.
|
|
bool app_external_sdcard_rw true;
|
|
if (app_external_sdcard_rw) {
|
|
allow untrusted_app sdcard_external:dir create_dir_perms;
|
|
allow untrusted_app sdcard_external:file create_file_perms;
|
|
}
|
|
|
|
#
|
|
# Rules for all app domains.
|
|
#
|
|
|
|
# Allow apps to connect to the keystore
|
|
unix_socket_connect(appdomain, keystore, keystore)
|
|
|
|
# Receive and use open file descriptors inherited from zygote.
|
|
allow appdomain zygote:fd use;
|
|
|
|
# Read system properties managed by zygote.
|
|
allow appdomain zygote_tmpfs:file read;
|
|
|
|
# Notify zygote of death;
|
|
allow appdomain zygote:process sigchld;
|
|
|
|
# Communicate over a FIFO or socket created by the system_server.
|
|
allow appdomain system:fifo_file rw_file_perms;
|
|
allow appdomain system:unix_stream_socket { read write setopt };
|
|
|
|
# Communicate over a socket created by surfaceflinger.
|
|
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
|
|
|
|
# App sandbox file accesses.
|
|
allow appdomain app_data_file:dir create_dir_perms;
|
|
allow appdomain app_data_file:notdevfile_class_set create_file_perms;
|
|
|
|
# Read/write data files created by the platform apps if they
|
|
# were passed to the app via binder or local IPC. Do not allow open.
|
|
allow appdomain platform_app_data_file:file { getattr read write };
|
|
|
|
# lib subdirectory of /data/data dir is system-owned.
|
|
allow appdomain system_data_file:dir r_dir_perms;
|
|
allow appdomain system_data_file:file { execute open };
|
|
|
|
# Execute the shell or other system executables.
|
|
allow appdomain shell_exec:file rx_file_perms;
|
|
allow appdomain system_file:file rx_file_perms;
|
|
|
|
# Read/write wallpaper file (opened by system).
|
|
allow appdomain wallpaper_file:file { read write };
|
|
|
|
# Write to /data/anr/traces.txt.
|
|
allow appdomain anr_data_file:dir search;
|
|
allow appdomain anr_data_file:file { open append };
|
|
|
|
# Write to /proc/net/xt_qtaguid/ctrl file.
|
|
allow appdomain qtaguid_proc:file rw_file_perms;
|
|
# Everybody can read the xt_qtaguid resource tracking misc dev.
|
|
# So allow all apps to read from /dev/xt_qtaguid.
|
|
allow appdomain qtaguid_device:chr_file r_file_perms;
|
|
|
|
# Use the Binder.
|
|
binder_use(appdomain)
|
|
# Perform binder IPC to binder services.
|
|
binder_call(appdomain, binderservicedomain)
|
|
# Perform binder IPC to other apps.
|
|
binder_call(appdomain, appdomain)
|
|
|
|
# Appdomain interaction with isolated apps
|
|
r_dir_file(appdomain, isolated_app)
|
|
|
|
# Already connected, unnamed sockets being passed over some other IPC
|
|
# hence no sock_file or connectto permission. This appears to be how
|
|
# Chrome works, may need to be updated as more apps using isolated services
|
|
# are examined.
|
|
allow appdomain isolated_app:unix_stream_socket { read write };
|
|
allow isolated_app appdomain:unix_stream_socket { read write };
|
|
|
|
# Backup ability for every app. BMS opens and passes the fd
|
|
# to any app that has backup ability. Hence, no open permissions here.
|
|
allow { appdomain isolated_app } backup_data_file:file { read write };
|
|
allow { appdomain isolated_app } cache_backup_file:file { read write };
|
|
# Backup ability using 'adb backup'
|
|
allow { appdomain isolated_app } system_data_file:lnk_file getattr;
|
|
|
|
# Allow all applications to read downloaded files
|
|
allow appdomain download_file:file r_file_perms;
|
|
file_type_auto_trans(appdomain, download_file, download_file)
|
|
|
|
# ASEC
|
|
allow untrusted_app asec_apk_file:dir { getattr };
|
|
allow untrusted_app asec_apk_file:file r_file_perms; |