• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1###
2### Domain for all zygote spawned apps
3###
4### This file is the base policy for all zygote spawned apps.
5### Other policy files, such as isolated_app.te, untrusted_app.te, etc
6### extend from this policy. Only policies which should apply to ALL
7### zygote spawned apps should be added here.
8###
9
10# WebView and other application-specific JIT compilers
11allow appdomain self:process execmem;
12
13allow appdomain ashmem_device:chr_file execute;
14
15# Receive and use open file descriptors inherited from zygote.
16allow appdomain zygote:fd use;
17
18# gdbserver for ndk-gdb reads the zygote.
19# valgrind needs mmap exec for zygote
20allow appdomain zygote_exec:file rx_file_perms;
21
22# Notify zygote of death;
23allow appdomain zygote:process sigchld;
24
25# Place process into foreground / background
26allow appdomain cgroup:dir { search write };
27allow appdomain cgroup:file rw_file_perms;
28
29# Read /data/dalvik-cache.
30allow appdomain dalvikcache_data_file:dir { search getattr };
31allow appdomain dalvikcache_data_file:file r_file_perms;
32
33# Read the /sdcard and /mnt/sdcard symlinks
34allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
35allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
36
37# Search /storage/emulated tmpfs mount.
38allow appdomain tmpfs:dir r_dir_perms;
39
40# Notify zygote of the wrapped process PID when using --invoke-with.
41allow appdomain zygote:fifo_file write;
42
43userdebug_or_eng(`
44  # Allow apps to create and write method traces in /data/misc/trace.
45  allow appdomain method_trace_data_file:dir w_dir_perms;
46  allow appdomain method_trace_data_file:file { create w_file_perms };
47')
48
49# Notify shell and adbd of death when spawned via runas for ndk-gdb.
50allow appdomain shell:process sigchld;
51allow appdomain adbd:process sigchld;
52
53# child shell or gdbserver pty access for runas.
54allow appdomain devpts:chr_file { getattr read write ioctl };
55
56# Use pipes and sockets provided by system_server via binder or local socket.
57allow appdomain system_server:fd use;
58allow appdomain system_server:fifo_file rw_file_perms;
59allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
60allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
61
62# Communication with other apps via fifos
63allow appdomain appdomain:fifo_file rw_file_perms;
64
65# Communicate with surfaceflinger.
66allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
67
68# App sandbox file accesses.
69allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
70allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
71
72# Traverse into expanded storage
73allow appdomain mnt_expand_file:dir r_dir_perms;
74
75# Keychain and user-trusted credentials
76r_dir_file(appdomain, keychain_data_file)
77allow appdomain misc_user_data_file:dir r_dir_perms;
78allow appdomain misc_user_data_file:file r_file_perms;
79
80# TextClassifier
81r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
82
83# Access to OEM provided data and apps
84allow appdomain oemfs:dir r_dir_perms;
85allow appdomain oemfs:file rx_file_perms;
86
87# Execute the shell or other system executables.
88allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
89allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
90allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
91not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
92
93# Renderscript needs the ability to read directories on /system
94allow appdomain system_file:dir r_dir_perms;
95allow appdomain system_file:lnk_file { getattr open read };
96# Renderscript specific permissions to open /system/vendor/lib64.
97not_full_treble(`
98    allow appdomain vendor_file_type:dir r_dir_perms;
99    allow appdomain vendor_file_type:lnk_file { getattr open read };
100')
101
102full_treble_only(`
103    # For looking up Renderscript vendor drivers
104    allow { appdomain -isolated_app } vendor_file:dir { open read };
105')
106
107# Allow apps access to /vendor/app except for privileged
108# apps which cannot be in /vendor.
109r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
110allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
111
112# Allow apps access to /vendor/overlay
113r_dir_file(appdomain, vendor_overlay_file)
114
115# Allow apps access to /vendor/framework
116# for vendor provided libraries.
117r_dir_file(appdomain, vendor_framework_file)
118
119# Execute dex2oat when apps call dexclassloader
120allow appdomain dex2oat_exec:file rx_file_perms;
121
122# Read/write wallpaper file (opened by system).
123allow appdomain wallpaper_file:file { getattr read write };
124
125# Read/write cached ringtones (opened by system).
126allow appdomain ringtone_file:file { getattr read write };
127
128# Read ShortcutManager icon files (opened by system).
129allow appdomain shortcut_manager_icons:file { getattr read };
130
131# Read icon file (opened by system).
132allow appdomain icon_file:file { getattr read };
133
134# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
135#
136# TODO: All of these permissions except for anr_data_file:file append can be
137# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
138# and the rules below.
139allow appdomain anr_data_file:dir search;
140allow appdomain anr_data_file:file { open append };
141
142# New stack dumping scheme : request an output FD from tombstoned via a unix
143# domain socket.
144#
145# Allow apps to connect and write to the tombstoned java trace socket in
146# order to dump their traces. Also allow them to append traces to pipes
147# created by dumptrace. (Also see the rules below where they are given
148# additional permissions to dumpstate pipes for other aspects of bug report
149# creation).
150unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
151allow appdomain tombstoned:fd use;
152allow appdomain dumpstate:fifo_file append;
153allow appdomain incidentd:fifo_file append;
154
155# Allow apps to send dump information to dumpstate
156allow appdomain dumpstate:fd use;
157allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
158allow appdomain dumpstate:fifo_file { write getattr };
159allow appdomain shell_data_file:file { write getattr };
160
161# Allow apps to send dump information to incidentd
162allow appdomain incidentd:fd use;
163allow appdomain incidentd:fifo_file { write getattr };
164
165# Write profiles /data/misc/profiles
166allow appdomain user_profile_data_file:dir { search write add_name };
167allow appdomain user_profile_data_file:file create_file_perms;
168
169# Send heap dumps to system_server via an already open file descriptor
170# % adb shell am set-watch-heap com.android.systemui 1048576
171# % adb shell dumpsys procstats --start-testing
172# debuggable builds only.
173userdebug_or_eng(`
174  allow appdomain heapdump_data_file:file append;
175')
176
177# Write to /proc/net/xt_qtaguid/ctrl file.
178allow {
179    untrusted_app_25
180    untrusted_app_27
181    priv_app
182    system_app
183    platform_app
184    shell
185} qtaguid_proc:file rw_file_perms;
186r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
187# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
188# Exclude isolated app which may not use network sockets.
189r_dir_file({
190    untrusted_app_25
191    untrusted_app_27
192    priv_app
193    system_app
194    platform_app
195    shell
196}, proc_qtaguid_stat)
197# Everybody can read the xt_qtaguid resource tracking misc dev.
198# So allow all apps to read from /dev/xt_qtaguid.
199allow {
200    untrusted_app_25
201    untrusted_app_27
202    priv_app
203    system_app
204    platform_app
205    shell
206} qtaguid_device:chr_file r_file_perms;
207
208# Grant GPU access to all processes started by Zygote.
209# They need that to render the standard UI.
210allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
211
212# Use the Binder.
213binder_use(appdomain)
214# Perform binder IPC to binder services.
215binder_call(appdomain, binderservicedomain)
216# Perform binder IPC to other apps.
217binder_call(appdomain, appdomain)
218# Perform binder IPC to ephemeral apps.
219binder_call(appdomain, ephemeral_app)
220
221# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
222# as OMX HAL
223hwbinder_use({ appdomain  -isolated_app })
224allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
225allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
226allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
227
228# Talk with graphics composer fences
229allow appdomain hal_graphics_composer:fd use;
230
231# Already connected, unnamed sockets being passed over some other IPC
232# hence no sock_file or connectto permission. This appears to be how
233# Chrome works, may need to be updated as more apps using isolated services
234# are examined.
235allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
236
237# Backup ability for every app. BMS opens and passes the fd
238# to any app that has backup ability. Hence, no open permissions here.
239allow appdomain backup_data_file:file { read write getattr };
240allow appdomain cache_backup_file:file { read write getattr };
241allow appdomain cache_backup_file:dir getattr;
242# Backup ability using 'adb backup'
243allow appdomain system_data_file:lnk_file r_file_perms;
244allow appdomain system_data_file:file { getattr read };
245
246# Allow read/stat of /data/media files passed by Binder or local socket IPC.
247allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
248
249# Read and write /data/data/com.android.providers.telephony files passed over Binder.
250allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
251
252# Allow access to external storage; we have several visible mount points under /storage
253# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
254allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
255allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
256allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
257allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
258
259# Read/write visible storage
260allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
261allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
262# This should be removed if sdcardfs is modified to alter the secontext for its
263# accesses to the underlying FS.
264allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
265allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
266
267# Allow apps to use the USB Accessory interface.
268# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
269#
270# USB devices are first opened by the system server (USBDeviceManagerService)
271# and the file descriptor is passed to the right Activity via binder.
272allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
273allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
274
275# For art.
276allow appdomain dalvikcache_data_file:file execute;
277allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
278
279# Allow any app to read shared RELRO files.
280allow appdomain shared_relro_file:dir search;
281allow appdomain shared_relro_file:file r_file_perms;
282
283# Allow apps to read/execute installed binaries
284allow appdomain apk_data_file:dir r_dir_perms;
285allow appdomain apk_data_file:file rx_file_perms;
286
287# /data/resource-cache
288allow appdomain resourcecache_data_file:file r_file_perms;
289allow appdomain resourcecache_data_file:dir r_dir_perms;
290
291# logd access
292read_logd(appdomain)
293control_logd({ appdomain -ephemeral_app untrusted_v2_app })
294# application inherit logd write socket (urge is to deprecate this long term)
295allow appdomain zygote:unix_dgram_socket write;
296
297allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
298
299use_keystore({ appdomain -isolated_app -ephemeral_app })
300
301allow appdomain console_device:chr_file { read write };
302
303# only allow unprivileged socket ioctl commands
304allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
305  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
306
307allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
308# TODO is write really necessary ?
309auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
310
311# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
312get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
313
314# Allow app access to mediacodec (IOMX HAL)
315binder_call({ appdomain -isolated_app }, mediacodec)
316
317# Allow AAudio apps to use shared memory file descriptors from the HAL
318allow { appdomain -isolated_app } hal_audio:fd use;
319
320# Allow app to access shared memory created by camera HAL1
321allow { appdomain -isolated_app } hal_camera:fd use;
322
323# RenderScript always-passthrough HAL
324allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
325
326# TODO: switch to meminfo service
327allow appdomain proc_meminfo:file r_file_perms;
328
329# For app fuse.
330allow appdomain app_fuse_file:file { getattr read append write };
331
332pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
333pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
334pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
335pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
336# Apps do not directly open the IPC socket for bufferhubd.
337pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
338
339###
340### CTS-specific rules
341###
342
343# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
344# testRunAsHasCorrectCapabilities
345allow appdomain runas_exec:file getattr;
346# Others are either allowed elsewhere or not desired.
347
348# Apps receive an open tun fd from the framework for
349# device traffic. Do not allow untrusted app to directly open tun_device
350allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
351
352# Connect to adbd and use a socket transferred from it.
353# This is used for e.g. adb backup/restore.
354allow appdomain adbd:unix_stream_socket connectto;
355allow appdomain adbd:fd use;
356allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
357
358allow appdomain cache_file:dir getattr;
359
360# Allow apps to run with asanwrapper.
361with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
362
363###
364### Neverallow rules
365###
366### These are things that Android apps should NEVER be able to do
367###
368
369# Superuser capabilities.
370# bluetooth requires net_admin and wake_alarm.
371neverallow { appdomain -bluetooth } self:capability_class_set *;
372
373# Block device access.
374neverallow appdomain dev_type:blk_file { read write };
375
376# Access to any of the following character devices.
377neverallow appdomain {
378    audio_device
379    camera_device
380    dm_device
381    radio_device
382    rpmsg_device
383    video_device
384}:chr_file { read write };
385
386# Note: Try expanding list of app domains in the future.
387neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
388
389neverallow { appdomain -nfc } nfc_device:chr_file
390    { read write };
391neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
392    { read write };
393neverallow appdomain tee_device:chr_file { read write };
394
395# Privileged netlink socket interfaces.
396neverallow appdomain
397    domain:{
398        netlink_tcpdiag_socket
399        netlink_nflog_socket
400        netlink_xfrm_socket
401        netlink_audit_socket
402        netlink_dnrt_socket
403    } *;
404
405# These messages are broadcast messages from the kernel to userspace.
406# Do not allow the writing of netlink messages, which has been a source
407# of rooting vulns in the past.
408neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
409
410# Sockets under /dev/socket that are not specifically typed.
411neverallow appdomain socket_device:sock_file write;
412
413# Unix domain sockets.
414neverallow appdomain adbd_socket:sock_file write;
415neverallow { appdomain -radio } rild_socket:sock_file write;
416neverallow appdomain zygote_socket:sock_file write;
417
418# ptrace access to non-app domains.
419neverallow appdomain { domain -appdomain }:process ptrace;
420
421# Read or write access to /proc/pid entries for any non-app domain.
422# A different form of hidepid=2 like protections
423neverallow appdomain { domain -appdomain }:file no_w_file_perms;
424neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
425
426# signal access to non-app domains.
427# sigchld allowed for parent death notification.
428# signull allowed for kill(pid, 0) existence test.
429# All others prohibited.
430neverallow appdomain { domain -appdomain }:process
431    { sigkill sigstop signal };
432
433# Transition to a non-app domain.
434# Exception for the shell and su domains, can transition to runas, etc.
435# Exception for crash_dump.
436neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
437    { transition };
438neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
439    { dyntransition };
440
441# Write to rootfs.
442neverallow appdomain rootfs:dir_file_class_set
443    { create write setattr relabelfrom relabelto append unlink link rename };
444
445# Write to /system.
446neverallow appdomain system_file:dir_file_class_set
447    { create write setattr relabelfrom relabelto append unlink link rename };
448
449# Write to entrypoint executables.
450neverallow appdomain exec_type:file
451    { create write setattr relabelfrom relabelto append unlink link rename };
452
453# Write to system-owned parts of /data.
454# This is the default type for anything under /data not otherwise
455# specified in file_contexts.  Define a different type for portions
456# that should be writable by apps.
457neverallow appdomain system_data_file:dir_file_class_set
458    { create write setattr relabelfrom relabelto append unlink link rename };
459
460# Write to various other parts of /data.
461neverallow appdomain drm_data_file:dir_file_class_set
462    { create write setattr relabelfrom relabelto append unlink link rename };
463neverallow { appdomain -platform_app }
464    apk_data_file:dir_file_class_set
465    { create write setattr relabelfrom relabelto append unlink link rename };
466neverallow { appdomain -platform_app }
467    apk_tmp_file:dir_file_class_set
468    { create write setattr relabelfrom relabelto append unlink link rename };
469neverallow { appdomain -platform_app }
470    apk_private_data_file:dir_file_class_set
471    { create write setattr relabelfrom relabelto append unlink link rename };
472neverallow { appdomain -platform_app }
473    apk_private_tmp_file:dir_file_class_set
474    { create write setattr relabelfrom relabelto append unlink link rename };
475neverallow { appdomain -shell }
476    shell_data_file:dir_file_class_set
477    { create setattr relabelfrom relabelto append unlink link rename };
478neverallow { appdomain -bluetooth }
479    bluetooth_data_file:dir_file_class_set
480    { create write setattr relabelfrom relabelto append unlink link rename };
481neverallow appdomain
482    keystore_data_file:dir_file_class_set
483    { create write setattr relabelfrom relabelto append unlink link rename };
484neverallow appdomain
485    systemkeys_data_file:dir_file_class_set
486    { create write setattr relabelfrom relabelto append unlink link rename };
487neverallow appdomain
488    wifi_data_file:dir_file_class_set
489    { create write setattr relabelfrom relabelto append unlink link rename };
490neverallow appdomain
491    dhcp_data_file:dir_file_class_set
492    { create write setattr relabelfrom relabelto append unlink link rename };
493
494# access tmp apk files
495neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
496    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
497
498neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
499neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
500
501# Access to factory files.
502neverallow appdomain efs_file:dir_file_class_set write;
503neverallow { appdomain -shell } efs_file:dir_file_class_set read;
504
505# Write to various pseudo file systems.
506neverallow { appdomain -bluetooth -nfc }
507    sysfs:dir_file_class_set write;
508neverallow appdomain
509    proc:dir_file_class_set write;
510
511# Access to syslog(2) or /proc/kmsg.
512neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
513
514# SELinux is not an API for apps to use
515neverallow { appdomain -shell } *:security { compute_av check_context };
516neverallow { appdomain -shell } *:netlink_selinux_socket *;
517
518# Ability to perform any filesystem operation other than statfs(2).
519# i.e. no mount(2), unmount(2), etc.
520neverallow appdomain fs_type:filesystem ~getattr;
521
522# prevent creation/manipulation of globally readable symlinks
523neverallow appdomain {
524  apk_data_file
525  cache_file
526  cache_recovery_file
527  dev_type
528  rootfs
529  system_file
530  tmpfs
531}:lnk_file no_w_file_perms;
532
533# Denylist app domains not allowed to execute from /data
534neverallow {
535  bluetooth
536  isolated_app
537  nfc
538  radio
539  shared_relro
540  system_app
541} {
542  data_file_type
543  -dalvikcache_data_file
544  -system_data_file # shared libs in apks
545  -apk_data_file
546}:file no_x_file_perms;
547
548# Applications should use the activity model for receiving events
549neverallow {
550  appdomain
551  -shell # bugreport
552} input_device:chr_file ~getattr;
553
554# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
555# neverallow rules for access to Bluetooth-related data files are above.
556neverallow {
557  appdomain
558  -bluetooth
559  -system_app
560} { bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
561
562# Apps cannot access proc_uid_time_in_state
563neverallow appdomain proc_uid_time_in_state:file *;
564
565# Apps cannot access proc_uid_concurrent_active_time
566neverallow appdomain proc_uid_concurrent_active_time:file *;
567
568# Apps cannot access proc_uid_concurrent_policy_time
569neverallow appdomain proc_uid_concurrent_policy_time:file *;
570
571# Apps cannot access proc_uid_cpupower
572neverallow appdomain proc_uid_cpupower:file *;
573