platform_system_sepolicy/private/gmscore_app.te
Ricky Wai 5b1b423039 Allow Zygote and Installd to remount directories in /data/data
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes

Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 12:30:26 +00:00

124 lines
4.9 KiB
Text

###
### A domain for further sandboxing the PrebuiltGMSCore app.
###
typeattribute gmscore_app coredomain;
# Allow everything.
# TODO(b/142672293): remove when no selinux denials are triggered for this
# domain
# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
# `gmscore_app` and remove this line once we are confident about this having
# the right set of permissions.
userdebug_or_eng(`permissive gmscore_app;')
app_domain(gmscore_app)
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(gmscore_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(gmscore_app, sysfs_zram)
r_dir_file(gmscore_app, rootfs)
# Allow GMS core to open kernel config for OTA matching through libvintf
allow gmscore_app config_gz:file { open read getattr };
# Allow GMS core to communicate with update_engine for A/B update.
binder_call(gmscore_app, update_engine)
allow gmscore_app update_engine_service:service_manager find;
# Allow GMS core to communicate with dumpsys storaged.
binder_call(gmscore_app, storaged)
allow gmscore_app storaged_service:service_manager find;
# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow gmscore_app system_update_service:service_manager find;
# Allow GMS core to communicate with statsd.
binder_call(gmscore_app, statsd)
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow gmscore_app selinuxfs:file r_file_perms;
# suppress denials for non-API accesses.
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
dontaudit gmscore_app proc_modules:file r_file_perms;
dontaudit gmscore_app proc_net:file r_file_perms;
dontaudit gmscore_app proc_stat:file r_file_perms;
dontaudit gmscore_app proc_version:file r_file_perms;
dontaudit gmscore_app sysfs:dir r_dir_perms;
dontaudit gmscore_app sysfs:file r_file_perms;
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
dontaudit gmscore_app sysfs_dm:file r_file_perms;
dontaudit gmscore_app sysfs_loop:file r_file_perms;
dontaudit gmscore_app wifi_prop:file r_file_perms;
dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
# denial to prevent apps from spamming the logs.
dontaudit gmscore_app system_data_file:dir write;
# suppress denials for scanning /data_mirror
dontaudit gmscore_app mirror_data_file:dir search;
# Access the network
net_domain(gmscore_app)
# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
allow gmscore_app self:process ptrace;
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
# 1) com.android.opengl.shaders_cache
# 2) com.android.skia.shaders_cache
# 3) com.android.renderscript.cache
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;
allow gmscore_app privapp_data_file:lnk_file create_file_perms;
# /proc access
allow gmscore_app proc_vmstat:file r_file_perms;
# Allow interaction with gpuservice
binder_call(gmscore_app, gpuservice)
allow gmscore_app gpu_service:service_manager find;
# find services that expose both @SystemAPI and normal APIs.
allow gmscore_app app_api_service:service_manager find;
allow gmscore_app system_api_service:service_manager find;
allow gmscore_app audioserver_service:service_manager find;
allow gmscore_app cameraserver_service:service_manager find;
allow gmscore_app drmserver_service:service_manager find;
allow gmscore_app mediadrmserver_service:service_manager find;
allow gmscore_app mediaextractor_service:service_manager find;
allow gmscore_app mediametrics_service:service_manager find;
allow gmscore_app mediaserver_service:service_manager find;
allow gmscore_app network_watchlist_service:service_manager find;
allow gmscore_app nfc_service:service_manager find;
allow gmscore_app oem_lock_service:service_manager find;
allow gmscore_app persistent_data_block_service:service_manager find;
allow gmscore_app radio_service:service_manager find;
allow gmscore_app recovery_service:service_manager find;
allow gmscore_app stats_service:service_manager find;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file r_file_perms;
allow gmscore_app shell_data_file:dir r_dir_perms;