Rename autoplay_app to ephemeral_app
Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
diff --git a/private/autoplay_app.te b/private/ephemeral_app.te
similarity index 89%
rename from private/autoplay_app.te
rename to private/ephemeral_app.te
index 2e0ec0e..939737b 100644
--- a/private/autoplay_app.te
+++ b/private/ephemeral_app.te
@@ -2,4 +2,4 @@
# public, but conceptually should go with this
# Define and allow access to our own type for ashmem regions.
# Label ashmem objects with our own unique type.
-tmpfs_domain(autoplay_app)
+tmpfs_domain(ephemeral_app)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 5d5ad75..6349a97 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -1,6 +1,6 @@
# Input selectors:
# isSystemServer (boolean)
-# isAutoPlayApp (boolean)
+# isEphemeralApp (boolean)
# isOwner (boolean)
# user (string)
# seinfo (string)
@@ -9,7 +9,7 @@
# isPrivApp (boolean)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
-# isAutoPlayApp=true will match apps marked by PackageManager as AutoPlay
+# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
# isOwner=true will only match for the owner/primary user.
# isOwner=false will only match for secondary users.
# If unspecified, the entry can match either case.
@@ -24,7 +24,7 @@
#
# Precedence rules:
# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified isAutoPlayApp= before unspecified isAutoPlayApp= boolean.
+# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
# (3) Specified isOwner= before unspecified isOwner= boolean.
# (4) Specified user= string before unspecified user= string.
# (5) Fixed user= string before user= prefix (i.e. ending in *).
@@ -82,8 +82,8 @@
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*
-# AutoPlay Apps must run in the autoplay_app domain
-neverallow isAutoPlayApp=true domain=((?!autoplay_app).)*
+# Ephemeral Apps must run in the ephemeral_app domain
+neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
isSystemServer=true domain=system_server
user=system seinfo=platform domain=system_app type=system_app_data_file
@@ -94,6 +94,6 @@
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isAutoPlayApp=true domain=autoplay_app type=autoplay_data_file levelFrom=all
+user=_app isEphemeralApp=true domain=ephemeral_app type=ephemeral_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user
diff --git a/public/adbd.te b/public/adbd.te
index 450bc1d..675219a 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -80,9 +80,9 @@
')
# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd { app_data_file autoplay_data_file }:dir search;
-allow adbd { app_data_file autoplay_data_file }:sock_file write;
-allow adbd { appdomain autoplay_app }:unix_stream_socket connectto;
+allow adbd { app_data_file ephemeral_data_file }:dir search;
+allow adbd { app_data_file ephemeral_data_file }:sock_file write;
+allow adbd { appdomain ephemeral_app }:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
diff --git a/public/audioserver.te b/public/audioserver.te
index dab4ea5..b1a84a2 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -6,7 +6,7 @@
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, { appdomain autoplay_app })
+binder_call(audioserver, { appdomain ephemeral_app })
binder_service(audioserver)
r_dir_file(audioserver, proc)
diff --git a/public/autoplay_app.te b/public/autoplay_app.te
deleted file mode 100644
index 5fe1000..0000000
--- a/public/autoplay_app.te
+++ /dev/null
@@ -1,106 +0,0 @@
-###
-### AutoPlay apps.
-###
-### This file defines the security policy for apps with the autoplay
-### feature.
-###
-### The autoplay_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to autoplay to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as autoplay at install time.
-type autoplay_app, domain;
-
-# allow JITing
-allow autoplay_app self:process execmem;
-allow autoplay_app ashmem_device:chr_file execute;
-
-# Map with PROT_EXEC.
-allow autoplay_app autoplay_app_tmpfs:file execute;
-
-# Read system properties managed by zygote.
-allow autoplay_app zygote_tmpfs:file read;
-
-# Send logcat messages to logd.
-write_logd(autoplay_app)
-
-# Receive and use open file descriptors inherited from zygote.
-allow autoplay_app zygote:fd use;
-
-# Notify zygote of death;
-allow autoplay_app zygote:process sigchld;
-
-# application inherit logd write socket (urge is to deprecate this long term)
-allow autoplay_app zygote:unix_dgram_socket write;
-
-# App sandbox file accesses.
-allow autoplay_app autoplay_data_file:dir create_dir_perms;
-allow autoplay_app autoplay_data_file:{ file sock_file fifo_file } create_file_perms;
-
-# For art.
-allow autoplay_app dalvikcache_data_file:file { execute r_file_perms };
-allow autoplay_app dalvikcache_data_file:lnk_file r_file_perms;
-allow autoplay_app dalvikcache_data_file:dir getattr;
-
-# Grant GPU access. autoplay_app needs that to render the standard UI.
-allow autoplay_app gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(autoplay_app)
-# Perform binder IPC to binder services.
-binder_call(autoplay_app, surfaceflinger)
-binder_call(autoplay_app, system_server)
-
-# Allow read access to ion memory allocation device
-allow autoplay_app ion_device:chr_file { read open };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow autoplay_app system_server:fifo_file rw_file_perms;
-allow autoplay_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow autoplay_app system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Inherit or receive open files from system_server.
-allow autoplay_app system_server:fd use;
-
-# Communicate with surfaceflinger.
-allow autoplay_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# Read files already opened under /data.
-allow autoplay_app system_data_file:file { getattr read };
-allow autoplay_app system_data_file:lnk_file read;
-
-# System file accesses. Check for libraries
-allow autoplay_app system_file:dir getattr;
-
-# services
-allow autoplay_app accessibility_service:service_manager find;
-allow autoplay_app activity_service:service_manager find;
-allow autoplay_app assetatlas_service:service_manager find;
-allow autoplay_app connectivity_service:service_manager find;
-allow autoplay_app display_service:service_manager find;
-allow autoplay_app graphicsstats_service:service_manager find;
-allow autoplay_app input_method_service:service_manager find;
-allow autoplay_app input_service:service_manager find;
-allow autoplay_app surfaceflinger_service:service_manager find;
-allow autoplay_app textservices_service:service_manager find;
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow autoplay_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow autoplay_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow autoplay_app debugfs:file read;
-
-# execute gpu_device
-neverallow autoplay_app gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow autoplay_app sysfs:file *;
diff --git a/public/domain.te b/public/domain.te
index fcd33af..b464fc6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -299,7 +299,7 @@
neverallow {
domain
-appdomain
- -autoplay_app
+ -ephemeral_app
-dumpstate
-shell
userdebug_or_eng(`-su')
diff --git a/public/drmserver.te b/public/drmserver.te
index 66cc432..6512915 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -9,7 +9,7 @@
# Perform Binder IPC to system server.
binder_use(drmserver)
binder_call(drmserver, system_server)
-binder_call(drmserver, { appdomain autoplay_app })
+binder_call(drmserver, { appdomain ephemeral_app })
binder_service(drmserver)
# Inherit or receive open files from system_server.
allow drmserver system_server:fd use;
@@ -21,7 +21,7 @@
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver { app_data_file autoplay_data_file}:file { read write getattr };
+allow drmserver { app_data_file ephemeral_data_file}:file { read write getattr };
allow drmserver sdcard_type:file { read write getattr };
r_dir_file(drmserver, efs_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 17764c3..690e843 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -49,7 +49,7 @@
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
-allow dumpstate { appdomain autoplay_app system_server }:process signal;
+allow dumpstate { appdomain ephemeral_app system_server }:process signal;
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
@@ -97,7 +97,7 @@
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain autoplay_app netd wificond })
+binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
# Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace;
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
new file mode 100644
index 0000000..200d78f
--- /dev/null
+++ b/public/ephemeral_app.te
@@ -0,0 +1,106 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+type ephemeral_app, domain;
+
+# allow JITing
+allow ephemeral_app self:process execmem;
+allow ephemeral_app ashmem_device:chr_file execute;
+
+# Map with PROT_EXEC.
+allow ephemeral_app ephemeral_app_tmpfs:file execute;
+
+# Read system properties managed by zygote.
+allow ephemeral_app zygote_tmpfs:file read;
+
+# Send logcat messages to logd.
+write_logd(ephemeral_app)
+
+# Receive and use open file descriptors inherited from zygote.
+allow ephemeral_app zygote:fd use;
+
+# Notify zygote of death;
+allow ephemeral_app zygote:process sigchld;
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow ephemeral_app zygote:unix_dgram_socket write;
+
+# App sandbox file accesses.
+allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
+allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
+
+# For art.
+allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
+allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
+allow ephemeral_app dalvikcache_data_file:dir getattr;
+
+# Grant GPU access. ephemeral_app needs that to render the standard UI.
+allow ephemeral_app gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(ephemeral_app)
+# Perform binder IPC to binder services.
+binder_call(ephemeral_app, surfaceflinger)
+binder_call(ephemeral_app, system_server)
+
+# Allow read access to ion memory allocation device
+allow ephemeral_app ion_device:chr_file { read open };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow ephemeral_app system_server:fifo_file rw_file_perms;
+allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
+
+# Inherit or receive open files from system_server.
+allow ephemeral_app system_server:fd use;
+
+# Communicate with surfaceflinger.
+allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# Read files already opened under /data.
+allow ephemeral_app system_data_file:file { getattr read };
+allow ephemeral_app system_data_file:lnk_file read;
+
+# System file accesses. Check for libraries
+allow ephemeral_app system_file:dir getattr;
+
+# services
+allow ephemeral_app accessibility_service:service_manager find;
+allow ephemeral_app activity_service:service_manager find;
+allow ephemeral_app assetatlas_service:service_manager find;
+allow ephemeral_app connectivity_service:service_manager find;
+allow ephemeral_app display_service:service_manager find;
+allow ephemeral_app graphicsstats_service:service_manager find;
+allow ephemeral_app input_method_service:service_manager find;
+allow ephemeral_app input_service:service_manager find;
+allow ephemeral_app surfaceflinger_service:service_manager find;
+allow ephemeral_app textservices_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+# Receive or send uevent messages.
+neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow ephemeral_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow ephemeral_app debugfs:file read;
+
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
diff --git a/public/file.te b/public/file.te
index 7c6c5a8..529ab15 100644
--- a/public/file.te
+++ b/public/file.te
@@ -171,7 +171,7 @@
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
-type autoplay_data_file, file_type, data_file_type;
+type ephemeral_data_file, file_type, data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
diff --git a/public/installd.te b/public/installd.te
index ead36c1..a544d5b 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -86,7 +86,7 @@
radio_data_file
shell_data_file
app_data_file
- autoplay_data_file
+ ephemeral_data_file
}:dir { create_dir_perms relabelfrom relabelto };
allow installd {
@@ -96,7 +96,7 @@
radio_data_file
shell_data_file
app_data_file
- autoplay_data_file
+ ephemeral_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
# Similar for the files under /data/misc/profiles/
diff --git a/public/lmkd.te b/public/lmkd.te
index 316036f..8e3c61a 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -14,8 +14,8 @@
## TODO: maybe scope this down?
r_dir_file(lmkd, appdomain)
allow lmkd appdomain:file write;
-r_dir_file(lmkd, autoplay_app)
-allow lmkd autoplay_app:file write;
+r_dir_file(lmkd, ephemeral_app)
+allow lmkd ephemeral_app:file write;
r_dir_file(lmkd, system_server)
allow lmkd system_server:file write;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 9e062b8..94566e0 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -22,7 +22,7 @@
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, { appdomain autoplay_app })
+binder_call(mediaserver, { appdomain ephemeral_app })
binder_service(mediaserver)
allow mediaserver media_data_file:dir create_dir_perms;
@@ -48,7 +48,7 @@
allow mediaserver radio_data_file:file { read getattr };
# Use pipes passed over Binder from app domains.
-allow mediaserver { appdomain autoplay_app }:fifo_file { getattr read write };
+allow mediaserver { appdomain ephemeral_app }:fifo_file { getattr read write };
allow mediaserver rpmsg_device:chr_file rw_file_perms;
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index 5175f83..2afb7d1 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -7,7 +7,7 @@
# Perform Binder IPC.
binder_use(surfaceflinger)
binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, { appdomain autoplay_app })
+binder_call(surfaceflinger, { appdomain ephemeral_app })
binder_call(surfaceflinger, bootanim)
binder_service(surfaceflinger)
@@ -16,7 +16,7 @@
# Read /proc/pid files for Binder clients.
r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, { appdomain autoplay_app })
+r_dir_file(surfaceflinger, { appdomain ephemeral_app })
# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
@@ -37,7 +37,7 @@
set_prop(surfaceflinger, ctl_bootanim_prop)
# Use open files supplied by an app.
-allow surfaceflinger { appdomain autoplay_app }:fd use;
+allow surfaceflinger { appdomain ephemeral_app }:fd use;
allow surfaceflinger app_data_file:file { read write };
# Allow a dumpstate triggered screenshot
diff --git a/public/system_server.te b/public/system_server.te
index 69a1943..2d479af 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -87,10 +87,10 @@
allow system_server self:netlink_route_socket nlmsg_write;
# Kill apps.
-allow system_server { appdomain autoplay_app }:process { sigkill signal };
+allow system_server { appdomain ephemeral_app }:process { sigkill signal };
# Set scheduling info for apps.
-allow system_server { appdomain autoplay_app }:process { getsched setsched };
+allow system_server { appdomain ephemeral_app }:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
@@ -150,7 +150,7 @@
binder_call(system_server, binderservicedomain)
binder_call(system_server, gatekeeperd)
binder_call(system_server, fingerprintd)
-binder_call(system_server, { appdomain autoplay_app })
+binder_call(system_server, { appdomain ephemeral_app })
binder_call(system_server, dumpstate)
binder_call(system_server, netd)
binder_call(system_server, wificond)
@@ -289,7 +289,7 @@
# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file autoplay_data_file }:dir { getattr read search };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file ephemeral_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
allow system_server unlabeled:dir r_dir_perms;
@@ -384,8 +384,8 @@
allow system_server gps_control:file rw_file_perms;
# Allow system_server to use app-created sockets and pipes.
-allow system_server { appdomain autoplay_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server { appdomain autoplay_app }:{ fifo_file unix_stream_socket } { getattr read write };
+allow system_server { appdomain ephemeral_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server { appdomain ephemeral_app }:{ fifo_file unix_stream_socket } { getattr read write };
# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;
diff --git a/public/zygote.te b/public/zygote.te
index 94081ef..bb411e8 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -10,13 +10,13 @@
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
-allow zygote { appdomain autoplay_app }:process dyntransition;
+allow zygote { appdomain ephemeral_app }:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872)
-allow zygote { appdomain autoplay_app }:dir { getattr search };
-allow zygote { appdomain autoplay_app }:file { r_file_perms };
+allow zygote { appdomain ephemeral_app }:dir { getattr search };
+allow zygote { appdomain ephemeral_app }:file { r_file_perms };
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
-allow zygote { appdomain autoplay_app }:process { getpgid setpgid };
+allow zygote { appdomain ephemeral_app }:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
@@ -98,7 +98,7 @@
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server.
-neverallow zygote ~{ appdomain autoplay_app system_server }:process dyntransition;
+neverallow zygote ~{ appdomain ephemeral_app system_server }:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 35e6238..230eccf 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -202,7 +202,7 @@
key_map rules[] = {
/*Inputs*/
{ .name = "isSystemServer", .dir = dir_in, .fn_validate = validate_bool },
- { .name = "isAutoPlayApp", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isEphemeralApp", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isOwner", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "user", .dir = dir_in, },
{ .name = "seinfo", .dir = dir_in, },