Blame - private/priv_app.te - android_system_sepolicy

blob: c776907e36286e5fcde1c128c46f348a04cc8d68 [file] [log] [blame]

Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	1	###
				2	### A domain for further sandboxing privileged apps.
				3	###
				4
Alex Klyubin	f5446eb	2017-03-23 14:27:32 -0700	[diff] [blame]	5	typeattribute priv_app coredomain;
dcashman	3e8dbf0	2016-12-08 11:23:34 -0800	[diff] [blame]	6	app_domain(priv_app)
dcashman	2e00e63	2016-10-12 14:58:09 -0700	[diff] [blame]	7
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	8	# Access the network.
				9	net_domain(priv_app)
				10	# Access bluetooth.
				11	bluetooth_domain(priv_app)
				12
dcashman	2e00e63	2016-10-12 14:58:09 -0700	[diff] [blame]	13	# Allow the allocation and use of ptys
				14	# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
				15	create_pty(priv_app)
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	16
				17	# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
				18	allow priv_app self:process ptrace;
				19
Nick Kralevich	e1ddd74	2018-10-27 15:20:38 -0700	[diff] [blame]	20	# Allow loading executable code from writable priv-app home
				21	# directories. This is a W^X violation, however, it needs
				22	# to be supported for now for the following reasons.
				23	# * /data/user_/0//code_cache/* POSSIBLE uses (b/117841367)
				24	# 1) com.android.opengl.shaders_cache
				25	# 2) com.android.skia.shaders_cache
				26	# 3) com.android.renderscript.cache
				27	# * /data/user_de/0/com.google.android.gms/app_chimera
				28	# TODO: Tighten (b/112357170)
				29	allow priv_app privapp_data_file:file execute;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	30	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				31	userdebug_or_eng(`
				32	auditallow priv_app privapp_data_file:file execute;
				33	')
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	34
Nick Kralevich	87e9123	2019-01-24 13:05:03 -0800	[diff] [blame]	35	allow priv_app privapp_data_file:lnk_file create_file_perms;
				36
Alan Stokes	5c378a5	2019-03-21 23:52:30 +0000	[diff] [blame]	37	# Priv apps can find services that expose both @SystemAPI and normal APIs.
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	38	allow priv_app app_api_service:service_manager find;
Alan Stokes	5c378a5	2019-03-21 23:52:30 +0000	[diff] [blame]	39	allow priv_app system_api_service:service_manager find;
				40
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	41	allow priv_app audioserver_service:service_manager find;
				42	allow priv_app cameraserver_service:service_manager find;
				43	allow priv_app drmserver_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	44	allow priv_app mediadrmserver_service:service_manager find;
				45	allow priv_app mediaextractor_service:service_manager find;
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	46	allow priv_app mediametrics_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	47	allow priv_app mediaserver_service:service_manager find;
Ricky Wai	c635297	2017-11-13 17:52:05 +0000	[diff] [blame]	48	allow priv_app network_watchlist_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	49	allow priv_app nfc_service:service_manager find;
Andrew Scull	3717424	2017-02-17 13:51:32 +0000	[diff] [blame]	50	allow priv_app oem_lock_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	51	allow priv_app persistent_data_block_service:service_manager find;
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	52	allow priv_app radio_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	53	allow priv_app recovery_service:service_manager find;
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	54	allow priv_app stats_service:service_manager find;
Mark Chien	9dfaa7d	2019-11-11 21:30:23 +0900	[diff] [blame]	55	allow priv_app tethering_service:service_manager find;
Yiwei Zhang	544d6b3	2019-02-07 15:00:55 -0800	[diff] [blame]	56
				57	# Allow privileged apps to interact with gpuservice
				58	binder_call(priv_app, gpuservice)
Alan Stokes	5c378a5	2019-03-21 23:52:30 +0000	[diff] [blame]	59	allow priv_app gpu_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	60
				61	# Write to /cache.
				62	allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
				63	allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
Nick Kralevich	21cb045	2017-01-23 22:19:06 -0800	[diff] [blame]	64	# /cache is a symlink to /data/cache on some devices. Allow reading the link.
				65	allow priv_app cache_file:lnk_file r_file_perms;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	66
				67	# Write to /data/ota_package for OTA packages.
				68	allow priv_app ota_package_file:dir rw_dir_perms;
				69	allow priv_app ota_package_file:file create_file_perms;
				70
				71	# Access to /data/media.
				72	allow priv_app media_rw_data_file:dir create_dir_perms;
				73	allow priv_app media_rw_data_file:file create_file_perms;
				74
				75	# Used by Finsky / Android "Verify Apps" functionality when
				76	# running "adb install foo.apk".
				77	allow priv_app shell_data_file:file r_file_perms;
				78	allow priv_app shell_data_file:dir r_dir_perms;
				79
Max Bires	715e2ae	2018-03-13 09:56:27 -0700	[diff] [blame]	80	# Allow traceur to pass file descriptors through a content provider to betterbug
				81	allow priv_app trace_data_file:file { getattr read };
				82
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	83	# Allow verifier to access staged apks.
				84	allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
				85	allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
				86
				87	# b/18504118: Allow reads from /data/anr/traces.txt
				88	allow priv_app anr_data_file:file r_file_perms;
				89
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	90	# For AppFuse.
				91	allow priv_app vold:fd use;
				92	allow priv_app fuse_device:chr_file { read write };
				93
Tri Vo	f92cfb9	2017-12-08 15:37:01 -0800	[diff] [blame]	94	# /proc access
				95	allow priv_app {
				96	proc_vmstat
				97	}:file r_file_perms;
				98
				99	allow priv_app sysfs_type:dir search;
				100	# Read access to /sys/class/net/wlan*/address
				101	r_dir_file(priv_app, sysfs_net)
				102	# Read access to /sys/block/zram*/mm_stat
				103	r_dir_file(priv_app, sysfs_zram)
				104
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	105	r_dir_file(priv_app, rootfs)
				106
Sandeep Patil	0465442	2017-04-19 11:35:15 -0700	[diff] [blame]	107	# Allow GMS core to open kernel config for OTA matching through libvintf
				108	allow priv_app config_gz:file { open read getattr };
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	109	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				110	userdebug_or_eng(`
				111	auditallow priv_app config_gz:file { open read getattr };
				112	')
Sandeep Patil	0465442	2017-04-19 11:35:15 -0700	[diff] [blame]	113
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	114	# access the mac address
				115	allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
				116
				117	# Allow GMS core to communicate with update_engine for A/B update.
				118	binder_call(priv_app, update_engine)
				119	allow priv_app update_engine_service:service_manager find;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	120	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				121	userdebug_or_eng(`
				122	auditallow priv_app update_engine:binder { call transfer };
				123	auditallow update_engine priv_app:binder transfer;
				124	auditallow priv_app update_engine:fd use;
				125	auditallow priv_app update_engine_service:service_manager find;
				126	')
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	127
Jin Qian	00a1789	2017-04-12 17:38:11 -0700	[diff] [blame]	128	# Allow GMS core to communicate with dumpsys storaged.
				129	binder_call(priv_app, storaged)
				130	allow priv_app storaged_service:service_manager find;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	131	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				132	userdebug_or_eng(`
				133	auditallow priv_app storaged:binder { call transfer };
				134	auditallow storaged priv_app:binder transfer;
				135	auditallow priv_app storaged:fd use;
				136	auditallow priv_app storaged_service:service_manager find;
				137	')
				138
Jin Qian	00a1789	2017-04-12 17:38:11 -0700	[diff] [blame]	139
Tao Bao	d7d9cfc	2017-10-16 21:57:12 -0700	[diff] [blame]	140	# Allow GMS core to access system_update_service (e.g. to publish pending
				141	# system update info).
				142	allow priv_app system_update_service:service_manager find;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	143	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				144	userdebug_or_eng(`
				145	auditallow priv_app system_update_service:service_manager find;
				146	')
Tao Bao	d7d9cfc	2017-10-16 21:57:12 -0700	[diff] [blame]	147
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	148	# Allow GMS core to communicate with statsd.
				149	binder_call(priv_app, statsd)
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	150	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				151	userdebug_or_eng(`
				152	auditallow priv_app statsd:binder { call transfer };
				153	auditallow statsd priv_app:binder transfer;
				154	auditallow priv_app statsd:fd use;
				155	')
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	156
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	157	# Allow Phone to read/write cached ringtones (opened by system).
				158	allow priv_app ringtone_file:file { getattr read write };
				159
				160	# Access to /data/preloads
				161	allow priv_app preloads_data_file:file r_file_perms;
				162	allow priv_app preloads_data_file:dir r_dir_perms;
Fyodor Kupolov	b238fe6	2017-03-14 11:42:03 -0700	[diff] [blame]	163	allow priv_app preloads_media_file:file r_file_perms;
				164	allow priv_app preloads_media_file:dir r_dir_perms;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	165
Shawn Willden	a0c7f01	2017-04-11 09:41:25 -0600	[diff] [blame]	166	# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
				167	allow priv_app keystore:keystore_key gen_unique_id;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	168	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				169	userdebug_or_eng(`
				170	auditallow priv_app keystore:keystore_key gen_unique_id;
				171	')
Shawn Willden	a0c7f01	2017-04-11 09:41:25 -0600	[diff] [blame]	172
Dan Cashman	91d398d	2017-09-26 12:58:29 -0700	[diff] [blame]	173	# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
				174	allow priv_app selinuxfs:file r_file_perms;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	175	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				176	userdebug_or_eng(`
				177	auditallow priv_app selinuxfs:file r_file_perms;
				178	')
Dan Cashman	91d398d	2017-09-26 12:58:29 -0700	[diff] [blame]	179
Mark Salyzyn	d33a9a1	2016-11-07 15:11:39 -0800	[diff] [blame]	180	read_runtime_log_tags(priv_app)
				181
Primiano Tucci	c80f9e0	2017-12-21 03:51:15 +0100	[diff] [blame]	182	# Write app-specific trace data to the Perfetto traced damon. This requires
				183	# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
Florian Mayer	5e52281	2019-10-08 16:15:14 +0100	[diff] [blame]	184	perfetto_producer(priv_app)
Primiano Tucci	c80f9e0	2017-12-21 03:51:15 +0100	[diff] [blame]	185
Joe Onorato	9cc5c09	2019-03-16 15:45:45 -0700	[diff] [blame]	186	# Allow priv_apps to request and collect incident reports.
				187	# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
				188	allow priv_app incident_service:service_manager find;
				189	binder_call(priv_app, incidentd)
				190	allow priv_app incidentd:fifo_file { read write };
				191
Ryan Savitski	ca0690e	2019-01-16 16:29:43 +0000	[diff] [blame]	192	# Allow heap profiling if the app opts in by being marked
				193	# profileable/debuggable.
				194	can_profile_heap(priv_app)
				195
Hung-ying Tyan	565384d	2019-04-26 16:14:52 +0800	[diff] [blame]	196	# Allow priv_apps to check whether Dynamic System Update is enabled
				197	get_prop(priv_app, dynamic_system_prop)
				198
Jeff Vander Stoep	6d8a876	2018-01-18 08:55:02 -0800	[diff] [blame]	199	# suppress denials for non-API accesses.
Dan Cashman	91d398d	2017-09-26 12:58:29 -0700	[diff] [blame]	200	dontaudit priv_app exec_type:file getattr;
Jeff Vander Stoep	6233848	2017-10-20 13:35:42 -0700	[diff] [blame]	201	dontaudit priv_app device:dir read;
Joel Galenson	9ec59f6	2018-04-20 15:27:21 -0700	[diff] [blame]	202	dontaudit priv_app fs_bpf:dir search;
Jeff Vander Stoep	9dc1d53	2018-04-04 14:36:13 -0700	[diff] [blame]	203	dontaudit priv_app net_dns_prop:file read;
Tri Vo	f92cfb9	2017-12-08 15:37:01 -0800	[diff] [blame]	204	dontaudit priv_app proc:file read;
Jeff Vander Stoep	6233848	2017-10-20 13:35:42 -0700	[diff] [blame]	205	dontaudit priv_app proc_interrupts:file read;
				206	dontaudit priv_app proc_modules:file read;
Tri Vo	e319c03	2019-05-09 16:14:04 -0700	[diff] [blame]	207	dontaudit priv_app proc_net:file read;
Jeff Vander Stoep	e88d649	2018-01-29 20:50:59 -0800	[diff] [blame]	208	dontaudit priv_app proc_stat:file read;
Jeff Vander Stoep	6d8a876	2018-01-18 08:55:02 -0800	[diff] [blame]	209	dontaudit priv_app proc_version:file read;
Jeff Vander Stoep	9dc1d53	2018-04-04 14:36:13 -0700	[diff] [blame]	210	dontaudit priv_app sysfs:dir read;
Jeff Vander Stoep	4894d9f	2018-06-29 11:04:24 -0700	[diff] [blame]	211	dontaudit priv_app sysfs:file read;
Jeff Vander Stoep	9dc1d53	2018-04-04 14:36:13 -0700	[diff] [blame]	212	dontaudit priv_app sysfs_android_usb:file read;
Jeff Vander Stoep	90bd1de	2019-10-25 11:01:40 +0200	[diff] [blame]	213	dontaudit priv_app sysfs_dm:file r_file_perms;
Jeff Vander Stoep	6d8a876	2018-01-18 08:55:02 -0800	[diff] [blame]	214	dontaudit priv_app wifi_prop:file read;
Jaekyun Seok	224921d	2018-04-09 12:07:32 +0900	[diff] [blame]	215	dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
Dan Cashman	91d398d	2017-09-26 12:58:29 -0700	[diff] [blame]	216
Nathan Harold	ee26864	2017-12-14 18:20:30 -0800	[diff] [blame]	217	# allow privileged apps to use UDP sockets provided by the system server but not
				218	# modify them other than to connect
Nathan Harold	252b015	2018-03-27 06:34:54 -0700	[diff] [blame]	219	allow priv_app system_server:udp_socket {
				220	connect getattr read recvfrom sendto write getopt setopt };
Nathan Harold	ee26864	2017-12-14 18:20:30 -0800	[diff] [blame]	221
Jeff Vander Stoep	9c7396d	2018-06-01 12:12:11 -0700	[diff] [blame]	222	# Attempts to write to system_data_file is generally a sign
				223	# that apps are attempting to access encrypted storage before
				224	# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
				225	# denial to prevent apps from spamming the logs.
				226	dontaudit priv_app system_data_file:dir write;
				227
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	228	###
				229	### neverallow rules
				230	###
				231
				232	# Receive or send uevent messages.
				233	neverallow priv_app domain:netlink_kobject_uevent_socket *;
				234
				235	# Receive or send generic netlink messages
				236	neverallow priv_app domain:netlink_socket *;
				237
				238	# Too much leaky information in debugfs. It's a security
				239	# best practice to ensure these files aren't readable.
				240	neverallow priv_app debugfs:file read;
				241
				242	# Do not allow privileged apps to register services.
				243	# Only trusted components of Android should be registering
				244	# services.
				245	neverallow priv_app service_manager_type:service_manager add;
				246
				247	# Do not allow privileged apps to connect to the property service
				248	# or set properties. b/10243159
				249	neverallow priv_app property_socket:sock_file write;
				250	neverallow priv_app init:unix_stream_socket connectto;
				251	neverallow priv_app property_type:property_service set;
				252
				253	# Do not allow priv_app to be assigned mlstrustedsubject.
				254	# This would undermine the per-user isolation model being
				255	# enforced via levelFrom=user in seapp_contexts and the mls
				256	# constraints. As there is no direct way to specify a neverallow
				257	# on attribute assignment, this relies on the fact that fork
				258	# permission only makes sense within a domain (hence should
				259	# never be granted to any other domain within mlstrustedsubject)
				260	# and priv_app is allowed fork permission to itself.
				261	neverallow priv_app mlstrustedsubject:process fork;
				262
				263	# Do not allow priv_app to hard link to any files.
				264	# In particular, if priv_app links to other app data
				265	# files, installd will not be able to guarantee the deletion
				266	# of the linked to file. Hard links also contribute to security
				267	# bugs, so we want to ensure priv_app never has this
				268	# capability.
				269	neverallow priv_app file_type:file link;
Max Bires	715e2ae	2018-03-13 09:56:27 -0700	[diff] [blame]	270
				271	# priv apps should not be able to open trace data files, they should depend
				272	# upon traceur to pass a file descriptor which they can then read
				273	neverallow priv_app trace_data_file:dir *;
				274	neverallow priv_app trace_data_file:file { no_w_file_perms open };
Tri Vo	f55c989	2018-10-10 22:48:15 +0000	[diff] [blame]	275
				276	# Do not allow priv_app access to cgroups.
				277	neverallow priv_app cgroup:file *;
Nick Kralevich	e1ddd74	2018-10-27 15:20:38 -0700	[diff] [blame]	278
				279	# Do not allow loading executable code from non-privileged
				280	# application home directories. Code loading across a security boundary
				281	# is dangerous and allows a full compromise of a privileged process
				282	# by an unprivileged process. b/112357170
				283	neverallow priv_app app_data_file:file no_x_file_perms;
Nick Kralevich	87e9123	2019-01-24 13:05:03 -0800	[diff] [blame]	284
				285	# Do not follow untrusted app provided symlinks
				286	neverallow priv_app app_data_file:lnk_file { open read getattr };