Blame - private/priv_app.te - android_system_sepolicy

blob: a41407947358b04ef14096c0561bad4ca5a5821c [file] [log] [blame]

Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	1	###
				2	### A domain for further sandboxing privileged apps.
				3	###
				4
Alex Klyubin	f5446eb	2017-03-23 14:27:32 -0700	[diff] [blame]	5	typeattribute priv_app coredomain;
dcashman	3e8dbf0	2016-12-08 11:23:34 -0800	[diff] [blame]	6	app_domain(priv_app)
dcashman	2e00e63	2016-10-12 14:58:09 -0700	[diff] [blame]	7
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	8	# Access the network.
				9	net_domain(priv_app)
				10	# Access bluetooth.
				11	bluetooth_domain(priv_app)
				12
dcashman	2e00e63	2016-10-12 14:58:09 -0700	[diff] [blame]	13	# Allow the allocation and use of ptys
				14	# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
				15	create_pty(priv_app)
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	16
				17	# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
				18	allow priv_app self:process ptrace;
Ashwini Oruganti	9ba277d	2019-12-11 16:53:45 -0800	[diff] [blame^]	19	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				20	userdebug_or_eng(`
				21	auditallow priv_app self:process ptrace;
				22	')
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	23
Nick Kralevich	e1ddd74	2018-10-27 15:20:38 -0700	[diff] [blame]	24	# Allow loading executable code from writable priv-app home
				25	# directories. This is a W^X violation, however, it needs
				26	# to be supported for now for the following reasons.
				27	# * /data/user_/0//code_cache/* POSSIBLE uses (b/117841367)
				28	# 1) com.android.opengl.shaders_cache
				29	# 2) com.android.skia.shaders_cache
				30	# 3) com.android.renderscript.cache
				31	# * /data/user_de/0/com.google.android.gms/app_chimera
				32	# TODO: Tighten (b/112357170)
				33	allow priv_app privapp_data_file:file execute;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	34	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				35	userdebug_or_eng(`
				36	auditallow priv_app privapp_data_file:file execute;
				37	')
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	38
Nick Kralevich	87e9123	2019-01-24 13:05:03 -0800	[diff] [blame]	39	allow priv_app privapp_data_file:lnk_file create_file_perms;
				40
Alan Stokes	5c378a5	2019-03-21 23:52:30 +0000	[diff] [blame]	41	# Priv apps can find services that expose both @SystemAPI and normal APIs.
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	42	allow priv_app app_api_service:service_manager find;
Alan Stokes	5c378a5	2019-03-21 23:52:30 +0000	[diff] [blame]	43	allow priv_app system_api_service:service_manager find;
				44
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	45	allow priv_app audioserver_service:service_manager find;
				46	allow priv_app cameraserver_service:service_manager find;
				47	allow priv_app drmserver_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	48	allow priv_app mediadrmserver_service:service_manager find;
				49	allow priv_app mediaextractor_service:service_manager find;
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	50	allow priv_app mediametrics_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	51	allow priv_app mediaserver_service:service_manager find;
Ricky Wai	c635297	2017-11-13 17:52:05 +0000	[diff] [blame]	52	allow priv_app network_watchlist_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	53	allow priv_app nfc_service:service_manager find;
Andrew Scull	3717424	2017-02-17 13:51:32 +0000	[diff] [blame]	54	allow priv_app oem_lock_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	55	allow priv_app persistent_data_block_service:service_manager find;
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	56	allow priv_app radio_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	57	allow priv_app recovery_service:service_manager find;
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	58	allow priv_app stats_service:service_manager find;
Mark Chien	9dfaa7d	2019-11-11 21:30:23 +0900	[diff] [blame]	59	allow priv_app tethering_service:service_manager find;
Yiwei Zhang	544d6b3	2019-02-07 15:00:55 -0800	[diff] [blame]	60
				61	# Allow privileged apps to interact with gpuservice
				62	binder_call(priv_app, gpuservice)
Alan Stokes	5c378a5	2019-03-21 23:52:30 +0000	[diff] [blame]	63	allow priv_app gpu_service:service_manager find;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	64
				65	# Write to /cache.
				66	allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
				67	allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
Nick Kralevich	21cb045	2017-01-23 22:19:06 -0800	[diff] [blame]	68	# /cache is a symlink to /data/cache on some devices. Allow reading the link.
				69	allow priv_app cache_file:lnk_file r_file_perms;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	70
				71	# Write to /data/ota_package for OTA packages.
				72	allow priv_app ota_package_file:dir rw_dir_perms;
				73	allow priv_app ota_package_file:file create_file_perms;
				74
				75	# Access to /data/media.
				76	allow priv_app media_rw_data_file:dir create_dir_perms;
				77	allow priv_app media_rw_data_file:file create_file_perms;
				78
				79	# Used by Finsky / Android "Verify Apps" functionality when
				80	# running "adb install foo.apk".
				81	allow priv_app shell_data_file:file r_file_perms;
				82	allow priv_app shell_data_file:dir r_dir_perms;
				83
Max Bires	715e2ae	2018-03-13 09:56:27 -0700	[diff] [blame]	84	# Allow traceur to pass file descriptors through a content provider to betterbug
				85	allow priv_app trace_data_file:file { getattr read };
				86
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	87	# Allow verifier to access staged apks.
				88	allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
				89	allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
				90
				91	# b/18504118: Allow reads from /data/anr/traces.txt
				92	allow priv_app anr_data_file:file r_file_perms;
				93
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	94	# For AppFuse.
				95	allow priv_app vold:fd use;
				96	allow priv_app fuse_device:chr_file { read write };
				97
Tri Vo	f92cfb9	2017-12-08 15:37:01 -0800	[diff] [blame]	98	# /proc access
				99	allow priv_app {
				100	proc_vmstat
				101	}:file r_file_perms;
				102
				103	allow priv_app sysfs_type:dir search;
				104	# Read access to /sys/class/net/wlan*/address
				105	r_dir_file(priv_app, sysfs_net)
				106	# Read access to /sys/block/zram*/mm_stat
				107	r_dir_file(priv_app, sysfs_zram)
				108
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	109	r_dir_file(priv_app, rootfs)
				110
Sandeep Patil	0465442	2017-04-19 11:35:15 -0700	[diff] [blame]	111	# Allow GMS core to open kernel config for OTA matching through libvintf
				112	allow priv_app config_gz:file { open read getattr };
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	113	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				114	userdebug_or_eng(`
				115	auditallow priv_app config_gz:file { open read getattr };
				116	')
Sandeep Patil	0465442	2017-04-19 11:35:15 -0700	[diff] [blame]	117
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	118	# access the mac address
				119	allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
				120
				121	# Allow GMS core to communicate with update_engine for A/B update.
				122	binder_call(priv_app, update_engine)
				123	allow priv_app update_engine_service:service_manager find;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	124	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				125	userdebug_or_eng(`
				126	auditallow priv_app update_engine:binder { call transfer };
				127	auditallow update_engine priv_app:binder transfer;
				128	auditallow priv_app update_engine:fd use;
				129	auditallow priv_app update_engine_service:service_manager find;
				130	')
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	131
Jin Qian	00a1789	2017-04-12 17:38:11 -0700	[diff] [blame]	132	# Allow GMS core to communicate with dumpsys storaged.
				133	binder_call(priv_app, storaged)
				134	allow priv_app storaged_service:service_manager find;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	135	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				136	userdebug_or_eng(`
				137	auditallow priv_app storaged:binder { call transfer };
				138	auditallow storaged priv_app:binder transfer;
				139	auditallow priv_app storaged:fd use;
				140	auditallow priv_app storaged_service:service_manager find;
				141	')
				142
Jin Qian	00a1789	2017-04-12 17:38:11 -0700	[diff] [blame]	143
Tao Bao	d7d9cfc	2017-10-16 21:57:12 -0700	[diff] [blame]	144	# Allow GMS core to access system_update_service (e.g. to publish pending
				145	# system update info).
				146	allow priv_app system_update_service:service_manager find;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	147	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				148	userdebug_or_eng(`
				149	auditallow priv_app system_update_service:service_manager find;
				150	')
Tao Bao	d7d9cfc	2017-10-16 21:57:12 -0700	[diff] [blame]	151
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	152	# Allow GMS core to communicate with statsd.
				153	binder_call(priv_app, statsd)
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	154	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				155	userdebug_or_eng(`
				156	auditallow priv_app statsd:binder { call transfer };
				157	auditallow statsd priv_app:binder transfer;
				158	auditallow priv_app statsd:fd use;
				159	')
yro	31b11d8	2018-01-09 11:27:36 -0800	[diff] [blame]	160
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	161	# Allow Phone to read/write cached ringtones (opened by system).
				162	allow priv_app ringtone_file:file { getattr read write };
				163
				164	# Access to /data/preloads
				165	allow priv_app preloads_data_file:file r_file_perms;
				166	allow priv_app preloads_data_file:dir r_dir_perms;
Fyodor Kupolov	b238fe6	2017-03-14 11:42:03 -0700	[diff] [blame]	167	allow priv_app preloads_media_file:file r_file_perms;
				168	allow priv_app preloads_media_file:dir r_dir_perms;
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	169
Shawn Willden	a0c7f01	2017-04-11 09:41:25 -0600	[diff] [blame]	170	# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
				171	allow priv_app keystore:keystore_key gen_unique_id;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	172	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				173	userdebug_or_eng(`
				174	auditallow priv_app keystore:keystore_key gen_unique_id;
				175	')
Shawn Willden	a0c7f01	2017-04-11 09:41:25 -0600	[diff] [blame]	176
Dan Cashman	91d398d	2017-09-26 12:58:29 -0700	[diff] [blame]	177	# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
				178	allow priv_app selinuxfs:file r_file_perms;
Ashwini Oruganti	e6ed127	2019-11-26 11:02:31 -0800	[diff] [blame]	179	# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
				180	userdebug_or_eng(`
				181	auditallow priv_app selinuxfs:file r_file_perms;
				182	')
Dan Cashman	91d398d	2017-09-26 12:58:29 -0700	[diff] [blame]	183
Mark Salyzyn	d33a9a1	2016-11-07 15:11:39 -0800	[diff] [blame]	184	read_runtime_log_tags(priv_app)
				185
Primiano Tucci	c80f9e0	2017-12-21 03:51:15 +0100	[diff] [blame]	186	# Write app-specific trace data to the Perfetto traced damon. This requires
				187	# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
Florian Mayer	5e52281	2019-10-08 16:15:14 +0100	[diff] [blame]	188	perfetto_producer(priv_app)
Primiano Tucci	c80f9e0	2017-12-21 03:51:15 +0100	[diff] [blame]	189
Joe Onorato	9cc5c09	2019-03-16 15:45:45 -0700	[diff] [blame]	190	# Allow priv_apps to request and collect incident reports.
				191	# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
				192	allow priv_app incident_service:service_manager find;
				193	binder_call(priv_app, incidentd)
				194	allow priv_app incidentd:fifo_file { read write };
				195
Ryan Savitski	ca0690e	2019-01-16 16:29:43 +0000	[diff] [blame]	196	# Allow heap profiling if the app opts in by being marked
				197	# profileable/debuggable.
				198	can_profile_heap(priv_app)
				199
Hung-ying Tyan	565384d	2019-04-26 16:14:52 +0800	[diff] [blame]	200	# Allow priv_apps to check whether Dynamic System Update is enabled
				201	get_prop(priv_app, dynamic_system_prop)
				202
Jeff Vander Stoep	6d8a876	2018-01-18 08:55:02 -0800	[diff] [blame]	203	# suppress denials for non-API accesses.
Dan Cashman	91d398d	2017-09-26 12:58:29 -0700	[diff] [blame]	204	dontaudit priv_app exec_type:file getattr;
Jeff Vander Stoep	6233848	2017-10-20 13:35:42 -0700	[diff] [blame]	205	dontaudit priv_app device:dir read;
Joel Galenson	9ec59f6	2018-04-20 15:27:21 -0700	[diff] [blame]	206	dontaudit priv_app fs_bpf:dir search;
Jeff Vander Stoep	9dc1d53	2018-04-04 14:36:13 -0700	[diff] [blame]	207	dontaudit priv_app net_dns_prop:file read;
Tri Vo	f92cfb9	2017-12-08 15:37:01 -0800	[diff] [blame]	208	dontaudit priv_app proc:file read;
Jeff Vander Stoep	6233848	2017-10-20 13:35:42 -0700	[diff] [blame]	209	dontaudit priv_app proc_interrupts:file read;
				210	dontaudit priv_app proc_modules:file read;
Tri Vo	e319c03	2019-05-09 16:14:04 -0700	[diff] [blame]	211	dontaudit priv_app proc_net:file read;
Jeff Vander Stoep	e88d649	2018-01-29 20:50:59 -0800	[diff] [blame]	212	dontaudit priv_app proc_stat:file read;
Jeff Vander Stoep	6d8a876	2018-01-18 08:55:02 -0800	[diff] [blame]	213	dontaudit priv_app proc_version:file read;
Jeff Vander Stoep	9dc1d53	2018-04-04 14:36:13 -0700	[diff] [blame]	214	dontaudit priv_app sysfs:dir read;
Jeff Vander Stoep	4894d9f	2018-06-29 11:04:24 -0700	[diff] [blame]	215	dontaudit priv_app sysfs:file read;
Jeff Vander Stoep	9dc1d53	2018-04-04 14:36:13 -0700	[diff] [blame]	216	dontaudit priv_app sysfs_android_usb:file read;
Jeff Vander Stoep	90bd1de	2019-10-25 11:01:40 +0200	[diff] [blame]	217	dontaudit priv_app sysfs_dm:file r_file_perms;
Jeff Vander Stoep	6d8a876	2018-01-18 08:55:02 -0800	[diff] [blame]	218	dontaudit priv_app wifi_prop:file read;
Jaekyun Seok	224921d	2018-04-09 12:07:32 +0900	[diff] [blame]	219	dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
Dan Cashman	91d398d	2017-09-26 12:58:29 -0700	[diff] [blame]	220
Nathan Harold	ee26864	2017-12-14 18:20:30 -0800	[diff] [blame]	221	# allow privileged apps to use UDP sockets provided by the system server but not
				222	# modify them other than to connect
Nathan Harold	252b015	2018-03-27 06:34:54 -0700	[diff] [blame]	223	allow priv_app system_server:udp_socket {
				224	connect getattr read recvfrom sendto write getopt setopt };
Nathan Harold	ee26864	2017-12-14 18:20:30 -0800	[diff] [blame]	225
Jeff Vander Stoep	9c7396d	2018-06-01 12:12:11 -0700	[diff] [blame]	226	# Attempts to write to system_data_file is generally a sign
				227	# that apps are attempting to access encrypted storage before
				228	# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
				229	# denial to prevent apps from spamming the logs.
				230	dontaudit priv_app system_data_file:dir write;
				231
Alex Klyubin	92295ef	2017-01-05 15:44:32 -0800	[diff] [blame]	232	###
				233	### neverallow rules
				234	###
				235
				236	# Receive or send uevent messages.
				237	neverallow priv_app domain:netlink_kobject_uevent_socket *;
				238
				239	# Receive or send generic netlink messages
				240	neverallow priv_app domain:netlink_socket *;
				241
				242	# Too much leaky information in debugfs. It's a security
				243	# best practice to ensure these files aren't readable.
				244	neverallow priv_app debugfs:file read;
				245
				246	# Do not allow privileged apps to register services.
				247	# Only trusted components of Android should be registering
				248	# services.
				249	neverallow priv_app service_manager_type:service_manager add;
				250
				251	# Do not allow privileged apps to connect to the property service
				252	# or set properties. b/10243159
				253	neverallow priv_app property_socket:sock_file write;
				254	neverallow priv_app init:unix_stream_socket connectto;
				255	neverallow priv_app property_type:property_service set;
				256
				257	# Do not allow priv_app to be assigned mlstrustedsubject.
				258	# This would undermine the per-user isolation model being
				259	# enforced via levelFrom=user in seapp_contexts and the mls
				260	# constraints. As there is no direct way to specify a neverallow
				261	# on attribute assignment, this relies on the fact that fork
				262	# permission only makes sense within a domain (hence should
				263	# never be granted to any other domain within mlstrustedsubject)
				264	# and priv_app is allowed fork permission to itself.
				265	neverallow priv_app mlstrustedsubject:process fork;
				266
				267	# Do not allow priv_app to hard link to any files.
				268	# In particular, if priv_app links to other app data
				269	# files, installd will not be able to guarantee the deletion
				270	# of the linked to file. Hard links also contribute to security
				271	# bugs, so we want to ensure priv_app never has this
				272	# capability.
				273	neverallow priv_app file_type:file link;
Max Bires	715e2ae	2018-03-13 09:56:27 -0700	[diff] [blame]	274
				275	# priv apps should not be able to open trace data files, they should depend
				276	# upon traceur to pass a file descriptor which they can then read
				277	neverallow priv_app trace_data_file:dir *;
				278	neverallow priv_app trace_data_file:file { no_w_file_perms open };
Tri Vo	f55c989	2018-10-10 22:48:15 +0000	[diff] [blame]	279
				280	# Do not allow priv_app access to cgroups.
				281	neverallow priv_app cgroup:file *;
Nick Kralevich	e1ddd74	2018-10-27 15:20:38 -0700	[diff] [blame]	282
				283	# Do not allow loading executable code from non-privileged
				284	# application home directories. Code loading across a security boundary
				285	# is dangerous and allows a full compromise of a privileged process
				286	# by an unprivileged process. b/112357170
				287	neverallow priv_app app_data_file:file no_x_file_perms;
Nick Kralevich	87e9123	2019-01-24 13:05:03 -0800	[diff] [blame]	288
				289	# Do not follow untrusted app provided symlinks
				290	neverallow priv_app app_data_file:lnk_file { open read getattr };