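###
### A domain for further sandboxing privileged apps.
###
### Review notes: comments below flag grants that are broader than the
### stated purpose (rootfs, selinuxfs, cache, W^X carve-out, udp setopt)
### so they can be tightened deliberately rather than rediscovered. One
### redundant dontaudit (wifi_prop, already covered by the set form) was
### dropped; no allow/neverallow rule was changed.

typeattribute priv_app coredomain;
app_domain(priv_app)

# Access the network.
net_domain(priv_app)
# Access bluetooth.
bluetooth_domain(priv_app)

# Allow the allocation and use of ptys
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)

# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
# Scoped to `self` only: this does not permit tracing any other domain.
allow priv_app self:process ptrace;

# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
#   1) com.android.opengl.shaders_cache
#   2) com.android.skia.shaders_cache
#   3) com.android.renderscript.cache
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
# NOTE(review): this is the single exception to the W^X intent of the
# neverallow on app_data_file:file no_x_file_perms at the bottom of this
# file; it applies to the whole privapp_data_file type, not only the
# paths listed above.
allow priv_app privapp_data_file:file execute;

allow priv_app privapp_data_file:lnk_file create_file_perms;

# Priv apps can find services that expose both @SystemAPI and normal APIs.
allow priv_app app_api_service:service_manager find;
allow priv_app system_api_service:service_manager find;

allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediacodec_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediametrics_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
allow priv_app network_watchlist_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app oem_lock_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;

# Allow privileged apps to interact with gpuservice
binder_call(priv_app, gpuservice)
allow priv_app gpu_service:service_manager find;

# Write to /cache.
# NOTE(review): create_dir_perms/create_file_perms give full create,
# write, rename and unlink rights over both types, not just "write";
# any cache_recovery_file contents consumed by recovery should be
# treated as attacker-controllable from this domain.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow priv_app cache_file:lnk_file r_file_perms;

# Write to /data/ota_package for OTA packages.
# Packages staged here must still be signature-verified by the consumer;
# this grant alone does not make their contents trustworthy.
allow priv_app ota_package_file:dir rw_dir_perms;
allow priv_app ota_package_file:file create_file_perms;

# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;

# Allow traceur to pass file descriptors through a content provider to betterbug
# (read on an inherited fd only; `open` on trace_data_file is neverallowed below).
allow priv_app trace_data_file:file { getattr read };

# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;

# b/18504118: Allow reads from /data/anr/traces.txt
allow priv_app anr_data_file:file r_file_perms;

# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
# Only on userdebug/eng builds; user builds get no access.
userdebug_or_eng(`
  allow priv_app perfprofd_data_file:file r_file_perms;
  allow priv_app perfprofd_data_file:dir r_dir_perms;
')

# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };

# /proc access
allow priv_app {
  proc_vmstat
}:file r_file_perms;

allow priv_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(priv_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(priv_app, sysfs_zram)

# NOTE(review): read+search over the entire rootfs type. No justification
# is recorded here — TODO confirm which paths are actually needed and
# whether a narrower type exists.
r_dir_file(priv_app, rootfs)

# Allow GMS core to open kernel config for OTA matching through libvintf
allow priv_app config_gz:file { open read getattr };

# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;

# Allow GMS core to communicate with update_engine for A/B update.
binder_call(priv_app, update_engine)
allow priv_app update_engine_service:service_manager find;

# Allow GMS core to communicate with dumpsys storaged.
binder_call(priv_app, storaged)
allow priv_app storaged_service:service_manager find;

# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow priv_app system_update_service:service_manager find;

# Allow GMS core to communicate with statsd.
binder_call(priv_app, statsd)

# Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write };

# Access to /data/preloads
allow priv_app preloads_data_file:file r_file_perms;
allow priv_app preloads_data_file:dir r_dir_perms;
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;

# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
allow priv_app keystore:keystore_key gen_unique_id;

# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
# NOTE(review): r_file_perms on the selinuxfs type covers every file in
# /sys/fs/selinux, not only policyvers — TODO confirm no narrower type is
# available before widening further.
allow priv_app selinuxfs:file r_file_perms;

read_runtime_log_tags(priv_app)

# Write app-specific trace data to the Perfetto traced daemon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow priv_app traced:fd use;
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)

# Allow priv_apps to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
allow priv_app incident_service:service_manager find;
binder_call(priv_app, incidentd)
allow priv_app incidentd:fifo_file { read write };

# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
can_profile_heap(priv_app)

# Allow priv_apps to check whether Dynamic System Update is enabled
get_prop(priv_app, dynamic_system_prop)

# suppress denials for non-API accesses.
# (dontaudit only silences logging; it grants nothing.)
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
dontaudit priv_app fs_bpf:dir search;
dontaudit priv_app net_dns_prop:file read;
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
dontaudit priv_app proc_stat:file read;
dontaudit priv_app proc_version:file read;
dontaudit priv_app sysfs:dir read;
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
# wifi_prop is included in the set below; the separate single-type rule
# was redundant and has been removed.
dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;

# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
# NOTE(review): `setopt` is granted here, which does allow changing socket
# options on the inherited socket despite the comment above — confirm this
# is intended or drop setopt.
allow priv_app system_server:udp_socket {
  connect getattr read recvfrom sendto write getopt setopt };

# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
# denial to prevent apps from spamming the logs.
dontaudit priv_app system_data_file:dir write;

###
### neverallow rules
###

# Receive or send uevent messages.
neverallow priv_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs:file read;

# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow priv_app service_manager_type:service_manager add;

# Do not allow privileged apps to connect to the property service
# or set properties. b/10243159
neverallow priv_app property_socket:sock_file write;
neverallow priv_app init:unix_stream_socket connectto;
neverallow priv_app property_type:property_service set;

# Do not allow priv_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and priv_app is allowed fork permission to itself.
neverallow priv_app mlstrustedsubject:process fork;

# Do not allow priv_app to hard link to any files.
# In particular, if priv_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;

# priv apps should not be able to open trace data files, they should depend
# upon traceur to pass a file descriptor which they can then read
neverallow priv_app trace_data_file:dir *;
neverallow priv_app trace_data_file:file { no_w_file_perms open };

# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;

# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
# (privapp_data_file:file execute above remains the tracked exception.)
neverallow priv_app app_data_file:file no_x_file_perms;

# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };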