Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 510ffa3dc7b604725a2d8e73a2a1695e290d51a8 / . / private / ephemeral_app.te
blob: 23b1e78c6baba834d7088fd13e74c456e561cafd [file] [log] [blame]
Alex Klyubinbaeac1f2017-01-09 15:34:27 -0800[diff] [blame]1###
2### Ephemeral apps.
3###
4### This file defines the security policy for apps with the ephemeral
5### feature.
6###
7### The ephemeral_app domain is a reduced permissions sandbox allowing
8### ephemeral applications to be safely installed and run. Non ephemeral
9### applications may also opt-in to ephemeral to take advantage of the
10### additional security features.
11###
12### PackageManager flags an app as ephemeral at install time.
13
14net_domain(ephemeral_app)
15
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]16# Define and allow access to our own type for ashmem regions.
17# Label ashmem objects with our own unique type.
Chad Brubaker06cf31e2016-10-06 13:15:44 -0700[diff] [blame]18tmpfs_domain(ephemeral_app)
Alex Klyubinbaeac1f2017-01-09 15:34:27 -0800[diff] [blame]19
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]20# TODO: deal with tmpfs_domain pub/priv split properly
21# Map with PROT_EXEC.
22allow ephemeral_app ephemeral_app_tmpfs:file execute;
23
Alex Klyubinbaeac1f2017-01-09 15:34:27 -0800[diff] [blame]24# allow JITing
25allow ephemeral_app self:process execmem;
26allow ephemeral_app ashmem_device:chr_file execute;
27
28# Send logcat messages to logd.
29write_logd(ephemeral_app)
30
31# Receive and use open file descriptors inherited from zygote.
32allow ephemeral_app zygote:fd use;
33
34# Notify zygote of death;
35allow ephemeral_app zygote:process sigchld;
36
37# application inherit logd write socket (urge is to deprecate this long term)
38allow ephemeral_app zygote:unix_dgram_socket write;
39
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]40# Read system properties managed by zygote.
41allow ephemeral_app zygote_tmpfs:file read;
Alex Klyubinbaeac1f2017-01-09 15:34:27 -0800[diff] [blame]42
43# App sandbox file accesses.
44allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
45allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
46
47# Keychain and user-trusted credentials
48r_dir_file(ephemeral_app, keychain_data_file)
49allow ephemeral_app misc_user_data_file:dir r_dir_perms;
50allow ephemeral_app misc_user_data_file:file r_file_perms;
51
52# Allow apps to read/execute installed binaries
53allow ephemeral_app ephemeral_apk_data_file:dir search;
54allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
55
56# For art.
57allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
58allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
59allow ephemeral_app dalvikcache_data_file:dir getattr;
60
61# Grant GPU access. ephemeral_app needs that to render the standard UI.
62allow ephemeral_app gpu_device:chr_file rw_file_perms;
63
64# Use the Binder.
65binder_use(ephemeral_app)
66# Perform binder IPC to binder services.
67binder_call(ephemeral_app, surfaceflinger)
68binder_call(ephemeral_app, system_server)
69# Perform binder IPC to apps.
70binder_call(ephemeral_app, appdomain)
71
72# Allow read access to ion memory allocation device
73allow ephemeral_app ion_device:chr_file { read open };
74
75# Use pipes and sockets provided by system_server via binder or local socket.
76allow ephemeral_app system_server:fifo_file rw_file_perms;
77allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
78allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
79
80# Inherit or receive open files from system_server.
81allow ephemeral_app system_server:fd use;
82
83# Communicate with surfaceflinger.
84allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
85
86# Read files already opened under /data.
87allow ephemeral_app system_data_file:file { getattr read };
88allow ephemeral_app system_data_file:lnk_file read;
89
90# System file accesses. Check for libraries
91allow ephemeral_app system_file:dir getattr;
92
93# services
94allow ephemeral_app accessibility_service:service_manager find;
95allow ephemeral_app activity_service:service_manager find;
96allow ephemeral_app assetatlas_service:service_manager find;
97allow ephemeral_app connectivity_service:service_manager find;
98allow ephemeral_app display_service:service_manager find;
99allow ephemeral_app graphicsstats_service:service_manager find;
100allow ephemeral_app input_method_service:service_manager find;
101allow ephemeral_app input_service:service_manager find;
102allow ephemeral_app surfaceflinger_service:service_manager find;
103allow ephemeral_app textservices_service:service_manager find;
104
105###
106### neverallow rules
107###
108
109# Executable content should never be loaded from an ephemeral app home directory.
110neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
111
112# Receive or send uevent messages.
113neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
114
115# Receive or send generic netlink messages
116neverallow ephemeral_app domain:netlink_socket *;
117
118# Too much leaky information in debugfs. It's a security
119# best practice to ensure these files aren't readable.
120neverallow ephemeral_app debugfs:file read;
121
122# execute gpu_device
123neverallow ephemeral_app gpu_device:chr_file execute;
124
125# access files in /sys with the default sysfs label
126neverallow ephemeral_app sysfs:file *;
127
128# Avoid reads from generically labeled /proc files
129# Create a more specific label if needed
130neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };