Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9a06d551c6a67b8cfc1283e2d738c69369134b3d / . / private / priv_app.te
blob: e12cce7657c350106016dd82ef317837cfd51b16 [file] [log] [blame]
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]1###
2### A domain for further sandboxing privileged apps.
3###
4
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]5typeattribute priv_app coredomain;
dcashman3e8dbf02016-12-08 11:23:34 -0800[diff] [blame]6app_domain(priv_app)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]7
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]8# Access the network.
9net_domain(priv_app)
10# Access bluetooth.
11bluetooth_domain(priv_app)
12
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]13# Allow the allocation and use of ptys
14# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
15create_pty(priv_app)
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]16
17# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
18allow priv_app self:process ptrace;
19
20# Some apps ship with shared libraries that they write out
21# to their sandbox directory and then dlopen().
Nick Kralevich23c9d912018-08-02 15:54:23 -0700[diff] [blame]22allow priv_app { app_data_file privapp_data_file }:file execute;
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]23
yro31b11d82018-01-09 11:27:36 -0800[diff] [blame]24allow priv_app app_api_service:service_manager find;
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]25allow priv_app audioserver_service:service_manager find;
26allow priv_app cameraserver_service:service_manager find;
27allow priv_app drmserver_service:service_manager find;
28allow priv_app mediacodec_service:service_manager find;
29allow priv_app mediadrmserver_service:service_manager find;
30allow priv_app mediaextractor_service:service_manager find;
yro31b11d82018-01-09 11:27:36 -0800[diff] [blame]31allow priv_app mediametrics_service:service_manager find;
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]32allow priv_app mediaserver_service:service_manager find;
Ricky Waic6352972017-11-13 17:52:05 +0000[diff] [blame]33allow priv_app network_watchlist_service:service_manager find;
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]34allow priv_app nfc_service:service_manager find;
Andrew Scull37174242017-02-17 13:51:32 +0000[diff] [blame]35allow priv_app oem_lock_service:service_manager find;
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]36allow priv_app persistent_data_block_service:service_manager find;
yro31b11d82018-01-09 11:27:36 -0800[diff] [blame]37allow priv_app radio_service:service_manager find;
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]38allow priv_app recovery_service:service_manager find;
yro31b11d82018-01-09 11:27:36 -0800[diff] [blame]39allow priv_app stats_service:service_manager find;
40allow priv_app system_api_service:service_manager find;
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]41
42# Write to /cache.
43allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
44allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
Nick Kralevich21cb0452017-01-23 22:19:06 -0800[diff] [blame]45# /cache is a symlink to /data/cache on some devices. Allow reading the link.
46allow priv_app cache_file:lnk_file r_file_perms;
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]47
48# Write to /data/ota_package for OTA packages.
49allow priv_app ota_package_file:dir rw_dir_perms;
50allow priv_app ota_package_file:file create_file_perms;
51
52# Access to /data/media.
53allow priv_app media_rw_data_file:dir create_dir_perms;
54allow priv_app media_rw_data_file:file create_file_perms;
55
56# Used by Finsky / Android "Verify Apps" functionality when
57# running "adb install foo.apk".
58allow priv_app shell_data_file:file r_file_perms;
59allow priv_app shell_data_file:dir r_dir_perms;
60
Max Bires715e2ae2018-03-13 09:56:27 -0700[diff] [blame]61# Allow traceur to pass file descriptors through a content provider to betterbug
62allow priv_app trace_data_file:file { getattr read };
63
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]64# Allow verifier to access staged apks.
65allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
66allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
67
68# b/18504118: Allow reads from /data/anr/traces.txt
69allow priv_app anr_data_file:file r_file_perms;
70
71# Allow GMS core to access perfprofd output, which is stored
72# in /data/misc/perfprofd/. GMS core will need to list all
73# data stored in that directory to process them one by one.
74userdebug_or_eng(`
75 allow priv_app perfprofd_data_file:file r_file_perms;
76 allow priv_app perfprofd_data_file:dir r_dir_perms;
77')
78
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]79# For AppFuse.
80allow priv_app vold:fd use;
81allow priv_app fuse_device:chr_file { read write };
82
Tri Vof92cfb92017-12-08 15:37:01 -0800[diff] [blame]83# /proc access
84allow priv_app {
85 proc_vmstat
86}:file r_file_perms;
87
Jeff Vander Stoep7a4af302018-04-10 12:47:48 -0700[diff] [blame]88# /proc/net access.
89# TODO(b/9496886) Audit access for removal.
90r_dir_file(priv_app, proc_net_type)
91userdebug_or_eng(`
92 auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
93')
Jeff Vander Stoep7a4af302018-04-10 12:47:48 -0700[diff] [blame]94
Tri Vof92cfb92017-12-08 15:37:01 -0800[diff] [blame]95allow priv_app sysfs_type:dir search;
96# Read access to /sys/class/net/wlan*/address
97r_dir_file(priv_app, sysfs_net)
98# Read access to /sys/block/zram*/mm_stat
99r_dir_file(priv_app, sysfs_zram)
100
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]101r_dir_file(priv_app, rootfs)
102
Sandeep Patil04654422017-04-19 11:35:15 -0700[diff] [blame]103# Allow GMS core to open kernel config for OTA matching through libvintf
104allow priv_app config_gz:file { open read getattr };
105
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]106# access the mac address
107allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
108
109# Allow GMS core to communicate with update_engine for A/B update.
110binder_call(priv_app, update_engine)
111allow priv_app update_engine_service:service_manager find;
112
Jin Qian00a17892017-04-12 17:38:11 -0700[diff] [blame]113# Allow GMS core to communicate with dumpsys storaged.
114binder_call(priv_app, storaged)
115allow priv_app storaged_service:service_manager find;
116
Tao Baod7d9cfc2017-10-16 21:57:12 -0700[diff] [blame]117# Allow GMS core to access system_update_service (e.g. to publish pending
118# system update info).
119allow priv_app system_update_service:service_manager find;
120
yro31b11d82018-01-09 11:27:36 -0800[diff] [blame]121# Allow GMS core to communicate with statsd.
122binder_call(priv_app, statsd)
123
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]124# Allow Phone to read/write cached ringtones (opened by system).
125allow priv_app ringtone_file:file { getattr read write };
126
127# Access to /data/preloads
128allow priv_app preloads_data_file:file r_file_perms;
129allow priv_app preloads_data_file:dir r_dir_perms;
Fyodor Kupolovb238fe62017-03-14 11:42:03 -0700[diff] [blame]130allow priv_app preloads_media_file:file r_file_perms;
131allow priv_app preloads_media_file:dir r_dir_perms;
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]132
Shawn Willdena0c7f012017-04-11 09:41:25 -0600[diff] [blame]133# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
134allow priv_app keystore:keystore_key gen_unique_id;
135
Dan Cashman91d398d2017-09-26 12:58:29 -0700[diff] [blame]136# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
137allow priv_app selinuxfs:file r_file_perms;
138
Mark Salyzynd33a9a12016-11-07 15:11:39 -0800[diff] [blame]139read_runtime_log_tags(priv_app)
140
Primiano Tuccic80f9e02017-12-21 03:51:15 +0100[diff] [blame]141# Write app-specific trace data to the Perfetto traced damon. This requires
142# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
143allow priv_app traced:fd use;
144allow priv_app traced_tmpfs:file { read write getattr map };
145unix_socket_connect(priv_app, traced_producer, traced)
146
Jeff Vander Stoep6d8a8762018-01-18 08:55:02 -0800[diff] [blame]147# suppress denials for non-API accesses.
Dan Cashman91d398d2017-09-26 12:58:29 -0700[diff] [blame]148dontaudit priv_app exec_type:file getattr;
Jeff Vander Stoep62338482017-10-20 13:35:42 -0700[diff] [blame]149dontaudit priv_app device:dir read;
Joel Galenson9ec59f62018-04-20 15:27:21 -0700[diff] [blame]150dontaudit priv_app fs_bpf:dir search;
Jeff Vander Stoep9dc1d532018-04-04 14:36:13 -0700[diff] [blame]151dontaudit priv_app net_dns_prop:file read;
Tri Vof92cfb92017-12-08 15:37:01 -0800[diff] [blame]152dontaudit priv_app proc:file read;
Jeff Vander Stoep62338482017-10-20 13:35:42 -0700[diff] [blame]153dontaudit priv_app proc_interrupts:file read;
154dontaudit priv_app proc_modules:file read;
Jeff Vander Stoepe88d6492018-01-29 20:50:59 -0800[diff] [blame]155dontaudit priv_app proc_stat:file read;
Jeff Vander Stoep6d8a8762018-01-18 08:55:02 -0800[diff] [blame]156dontaudit priv_app proc_version:file read;
Jeff Vander Stoep9dc1d532018-04-04 14:36:13 -0700[diff] [blame]157dontaudit priv_app sysfs:dir read;
Jeff Vander Stoep4894d9f2018-06-29 11:04:24 -0700[diff] [blame]158dontaudit priv_app sysfs:file read;
Jeff Vander Stoep9dc1d532018-04-04 14:36:13 -0700[diff] [blame]159dontaudit priv_app sysfs_android_usb:file read;
Jeff Vander Stoep6d8a8762018-01-18 08:55:02 -0800[diff] [blame]160dontaudit priv_app wifi_prop:file read;
Jaekyun Seok224921d2018-04-09 12:07:32 +0900[diff] [blame]161dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
Dan Cashman91d398d2017-09-26 12:58:29 -0700[diff] [blame]162
Nathan Haroldee268642017-12-14 18:20:30 -0800[diff] [blame]163# allow privileged apps to use UDP sockets provided by the system server but not
164# modify them other than to connect
Nathan Harold252b0152018-03-27 06:34:54 -0700[diff] [blame]165allow priv_app system_server:udp_socket {
166 connect getattr read recvfrom sendto write getopt setopt };
Nathan Haroldee268642017-12-14 18:20:30 -0800[diff] [blame]167
Jeff Vander Stoep9c7396d2018-06-01 12:12:11 -0700[diff] [blame]168# Attempts to write to system_data_file is generally a sign
169# that apps are attempting to access encrypted storage before
170# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
171# denial to prevent apps from spamming the logs.
172dontaudit priv_app system_data_file:dir write;
173
Alex Klyubin92295ef2017-01-05 15:44:32 -0800[diff] [blame]174###
175### neverallow rules
176###
177
178# Receive or send uevent messages.
179neverallow priv_app domain:netlink_kobject_uevent_socket *;
180
181# Receive or send generic netlink messages
182neverallow priv_app domain:netlink_socket *;
183
184# Too much leaky information in debugfs. It's a security
185# best practice to ensure these files aren't readable.
186neverallow priv_app debugfs:file read;
187
188# Do not allow privileged apps to register services.
189# Only trusted components of Android should be registering
190# services.
191neverallow priv_app service_manager_type:service_manager add;
192
193# Do not allow privileged apps to connect to the property service
194# or set properties. b/10243159
195neverallow priv_app property_socket:sock_file write;
196neverallow priv_app init:unix_stream_socket connectto;
197neverallow priv_app property_type:property_service set;
198
199# Do not allow priv_app to be assigned mlstrustedsubject.
200# This would undermine the per-user isolation model being
201# enforced via levelFrom=user in seapp_contexts and the mls
202# constraints. As there is no direct way to specify a neverallow
203# on attribute assignment, this relies on the fact that fork
204# permission only makes sense within a domain (hence should
205# never be granted to any other domain within mlstrustedsubject)
206# and priv_app is allowed fork permission to itself.
207neverallow priv_app mlstrustedsubject:process fork;
208
209# Do not allow priv_app to hard link to any files.
210# In particular, if priv_app links to other app data
211# files, installd will not be able to guarantee the deletion
212# of the linked to file. Hard links also contribute to security
213# bugs, so we want to ensure priv_app never has this
214# capability.
215neverallow priv_app file_type:file link;
Max Bires715e2ae2018-03-13 09:56:27 -0700[diff] [blame]216
217# priv apps should not be able to open trace data files, they should depend
218# upon traceur to pass a file descriptor which they can then read
219neverallow priv_app trace_data_file:dir *;
220neverallow priv_app trace_data_file:file { no_w_file_perms open };