Blame - private/untrusted_app_25.te - android_system_sepolicy

blob: a1abc416bd80249b194a90a5e3717c96143cb99e [file] [log] [blame]

Jeff Vander Stoep	bacb6d7	2017-02-13 13:33:27 -0800	[diff] [blame]	1	###
				2	### Untrusted_app_25
				3	###
				4	### This file defines the rules for untrusted apps running with
				5	### targetSdkVersion <= 25.
				6	###
Jeff Vander Stoep	a1aa221	2020-01-20 10:14:48 +0100	[diff] [blame^]	7	### See public/untrusted_app.te for more information about which apps are
				8	### placed in this selinux domain.
Jeff Vander Stoep	bacb6d7	2017-02-13 13:33:27 -0800	[diff] [blame]	9	###
				10
Alex Klyubin	f5446eb	2017-03-23 14:27:32 -0700	[diff] [blame]	11	typeattribute untrusted_app_25 coredomain;
				12
Jeff Vander Stoep	bacb6d7	2017-02-13 13:33:27 -0800	[diff] [blame]	13	app_domain(untrusted_app_25)
				14	untrusted_app_domain(untrusted_app_25)
				15	net_domain(untrusted_app_25)
				16	bluetooth_domain(untrusted_app_25)
				17
Nick Kralevich	50bb7b5	2017-03-03 12:17:49 -0800	[diff] [blame]	18	# b/35917228 - /proc/misc access
				19	# This will go away in a future Android release
				20	allow untrusted_app_25 proc_misc:file r_file_perms;
Nick Kralevich	b4f354f	2017-03-04 20:09:10 -0800	[diff] [blame]	21
				22	# Access to /proc/tty/drivers, to allow apps to determine if they
				23	# are running in an emulated environment.
				24	# b/33214085 b/33814662 b/33791054 b/33211769
				25	# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
				26	# This will go away in a future Android release
				27	allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
Jeff Vander Stoep	7a4af30	2018-04-10 12:47:48 -0700	[diff] [blame]	28
Jeff Vander Stoep	c9aba12	2019-04-02 13:01:10 -0700	[diff] [blame]	29	# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
Nick Kralevich	f3eb985	2018-08-07 15:14:34 -0700	[diff] [blame]	30	# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
				31	allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
Yabin Cui	5dc2c8c	2018-11-02 11:12:43 -0700	[diff] [blame]	32
Nick Kralevich	65a89c1	2018-12-21 10:03:50 -0800	[diff] [blame]	33	# The ability to call exec() on files in the apps home directories
				34	# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
				35	# and 28 in untrusted_app_27.te.
				36	allow untrusted_app_25 app_data_file:file execute_no_trans;
Alan Stokes	3f63dbf	2019-01-28 10:33:08 +0000	[diff] [blame]	37	auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
David Brazdil	535c5d2	2018-11-19 23:02:49 +0000	[diff] [blame]	38
				39	# The ability to invoke dex2oat. Historically required by ART, now only
				40	# allowed for targetApi<=28 for compat reasons.
				41	allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
Nick Kralevich	cfe1bae	2018-11-20 10:45:56 -0800	[diff] [blame]	42	userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
Tri Vo	73d0a67	2019-01-27 13:39:19 -0800	[diff] [blame]	43
				44	# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
				45	# ASharedMemory instead.
				46	allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
Tri Vo	8b12ff5	2019-02-12 14:14:30 -0800	[diff] [blame]	47	auditallow untrusted_app_25 ashmem_device:chr_file open;
Tri Vo	8eff3e2	2019-04-11 15:23:24 -0700	[diff] [blame]	48
				49	# Read /mnt/sdcard symlink.
				50	allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
Jeff Vander Stoep	a1aa221	2020-01-20 10:14:48 +0100	[diff] [blame^]	51
				52	# allow binding to netlink route sockets and sending RTM_GETLINK messages.
				53	allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };