tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/ephemeral_app.te
Alex Klyubin baeac1fd26 Move ephemeral_app policy to private 
This leaves only the existence of ephemeral_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private. There are a few rules, defined by other domains'
files remaining in the public policy until the rules from these
domains also move to the private policy:

allow ephemeral_app_current appdomain:binder transfer;
allow ephemeral_app_current audioserver_current:binder transfer;
allow ephemeral_app_current drmserver_current:binder transfer;
allow ephemeral_app_current dumpstate_current:binder transfer;
allow ephemeral_app_current mediaserver_current:binder transfer;
allow ephemeral_app_current surfaceflinger_current:binder transfer;
allow ephemeral_app_current system_server_current:binder transfer;

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from platform_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I98687181434a98a141469ef676c461fcd1db2d4e
2017-01-09 15:34:27 -08:00

130 lines
4.7 KiB
Text
Raw Blame History

###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced permissions sandbox allowing
### ephemeral applications to be safely installed and run. Non ephemeral
### applications may also opt-in to ephemeral to take advantage of the
### additional security features.
###
### PackageManager flags an app as ephemeral at install time.
net_domain(ephemeral_app)
# Define and allow access to our own type for ashmem regions.
# Label ashmem objects with our own unique type.
tmpfs_domain(ephemeral_app)
# TODO: deal with tmpfs_domain pub/priv split properly
# Map with PROT_EXEC.
allow ephemeral_app ephemeral_app_tmpfs:file execute;
# allow JITing
allow ephemeral_app self:process execmem;
allow ephemeral_app ashmem_device:chr_file execute;
# Send logcat messages to logd.
write_logd(ephemeral_app)
# Receive and use open file descriptors inherited from zygote.
allow ephemeral_app zygote:fd use;
# Notify zygote of death;
allow ephemeral_app zygote:process sigchld;
# application inherit logd write socket (urge is to deprecate this long term)
allow ephemeral_app zygote:unix_dgram_socket write;
# Read system properties managed by zygote.
allow ephemeral_app zygote_tmpfs:file read;
# App sandbox file accesses.
allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
# Keychain and user-trusted credentials
r_dir_file(ephemeral_app, keychain_data_file)
allow ephemeral_app misc_user_data_file:dir r_dir_perms;
allow ephemeral_app misc_user_data_file:file r_file_perms;
# Allow apps to read/execute installed binaries
allow ephemeral_app ephemeral_apk_data_file:dir search;
allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
# For art.
allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
allow ephemeral_app dalvikcache_data_file:dir getattr;
# Grant GPU access. ephemeral_app needs that to render the standard UI.
allow ephemeral_app gpu_device:chr_file rw_file_perms;
# Use the Binder.
binder_use(ephemeral_app)
# Perform binder IPC to binder services.
binder_call(ephemeral_app, surfaceflinger)
binder_call(ephemeral_app, system_server)
# Perform binder IPC to apps.
binder_call(ephemeral_app, appdomain)
# Allow read access to ion memory allocation device
allow ephemeral_app ion_device:chr_file { read open };
# Use pipes and sockets provided by system_server via binder or local socket.
allow ephemeral_app system_server:fifo_file rw_file_perms;
allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
# Inherit or receive open files from system_server.
allow ephemeral_app system_server:fd use;
# Communicate with surfaceflinger.
allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# Read files already opened under /data.
allow ephemeral_app system_data_file:file { getattr read };
allow ephemeral_app system_data_file:lnk_file read;
# System file accesses. Check for libraries
allow ephemeral_app system_file:dir getattr;
# services
allow ephemeral_app accessibility_service:service_manager find;
allow ephemeral_app activity_service:service_manager find;
allow ephemeral_app assetatlas_service:service_manager find;
allow ephemeral_app connectivity_service:service_manager find;
allow ephemeral_app display_service:service_manager find;
allow ephemeral_app graphicsstats_service:service_manager find;
allow ephemeral_app input_method_service:service_manager find;
allow ephemeral_app input_service:service_manager find;
allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app textservices_service:service_manager find;
###
### neverallow rules
###
# Executable content should never be loaded from an ephemeral app home directory.
neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow ephemeral_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow ephemeral_app debugfs:file read;
# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow ephemeral_app sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
Reference in a new issue View git blame Copy permalink