# Rules in this section are written against the appdomain attribute, i.e. the
# set of app process domains (the `{ appdomain -shell ... }` set arithmetic
# further down only works because appdomain is an attribute, not a single type).

# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)

# Read-only access to a set of system configuration properties. Every rule in
# this block uses get_prop, so apps may observe these values; nothing here grants
# set access, and property types not listed stay unreadable to appdomain unless
# another rule elsewhere in the policy allows them.
get_prop(appdomain, boot_status_prop)
get_prop(appdomain, dalvik_config_prop)
get_prop(appdomain, media_config_prop)
get_prop(appdomain, packagemanager_config_prop)
get_prop(appdomain, radio_control_prop)
get_prop(appdomain, surfaceflinger_color_prop)
get_prop(appdomain, systemsound_config_prop)
get_prop(appdomain, telephony_config_prop)
get_prop(appdomain, userspace_reboot_config_prop)
get_prop(appdomain, vold_config_prop)
get_prop(appdomain, adbd_config_prop)

# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process)
get_prop(appdomain, device_config_runtime_native_prop)
get_prop(appdomain, device_config_runtime_native_boot_prop)

# Let app processes act as Perfetto trace producers on userdebug/eng builds
# only. The userdebug_or_eng wrapper expands to nothing on user builds, so
# production policy does not carry this grant.
userdebug_or_eng(`perfetto_producer({ appdomain })')

# Prevent apps from causing presubmit failures.
# Apps can cause selinux denials by accessing CE storage
# and/or external storage. In either case, the selinux denial is
# not the cause of the failure, but just a symptom that
# storage isn't ready. Many apps handle the failure appropriately.
#
# dontaudit never grants access: it only silences the audit log entry for a
# denial that still takes effect. When debugging storage-readiness problems,
# do not expect the accesses below to appear in the denial log.
#
# Apps cannot access external storage before it becomes available.
dontaudit appdomain storage_stub_file:dir getattr;
# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
# allowed to write to CE storage before it's available.
# Attempting to do so will be blocked by both selinux and unix
# permissions.
dontaudit appdomain system_data_file:dir write;
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file file read;
# (the line above is kept exactly as shown in the listing is NOT the case;
# the real rule follows -- the previous comment applies to it)
dontaudit appdomain vendor_default_prop:file read;

# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow appdomain mnt_media_rw_file:dir search;

# Compile-time assertion, not a runtime deny: the policy build fails if any
# rule would grant appdomain these permissions on system_server's UDP sockets.
# Its purpose is to stop such an allow rule from being added later.
neverallow appdomain system_server:udp_socket {
    accept append bind create ioctl listen lock name_bind
    relabelfrom relabelto setattr shutdown };

# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
# `transition` covers domain changes on exec(); `dyntransition` covers
# in-process changes via setcon(). Note the dyntransition assertion below
# deliberately carries no crash_dump or rs exception.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain }:process { dyntransition };

# Don't allow regular apps access to storage configuration properties.
# no_rw_file_perms covers both read and write, so mediaprovider_app is the only
# app domain that may be granted any access to these properties; the grant
# itself, if one exists, lives elsewhere in the policy.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;

# Allow to read sendbug.preferred.domain
get_prop(appdomain, sendbug_config_prop)

# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)

# Allow to read persist.config.calibration_fac
get_prop(appdomain, camera_calibration_prop)

# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)

# Allow font file read by apps.
allow appdomain font_data_file:file r_file_perms;
allow appdomain font_data_file:dir r_dir_perms;

# Enter /data/misc/apexdata/
allow appdomain apex_module_data_file:dir search;
# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
# rx_file_perms includes execute, which is why apex_art_data_file is subtracted
# from the no-execute-from-/data assertion at the end of this section.
allow appdomain apex_art_data_file:dir r_dir_perms;
allow appdomain apex_art_data_file:file rx_file_perms;

# Allow access to tombstones if an fd to one is given to you.
# This is restricted by unix permissions, so an app must go through system_server to get one.
# The ~{ getattr read } complement makes the build fail if any rule grants
# appdomain any other tombstone file permission, including open: an app can
# never open a tombstone itself and must be handed an already-open fd.
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };

# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
# data_file_type is the attribute covering types under /data; each `-type`
# removes one exception from the target set. The apex_art_data_file exception
# matches the rx_file_perms grant above.
neverallow {
    bluetooth
    isolated_app
    nfc
    radio
    shared_relro
    system_app
} {
    data_file_type
    -apex_art_data_file
    -dalvikcache_data_file
    -system_data_file # shared libs in apks
    -apk_data_file
}:file no_x_file_perms;