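###
### A domain for further sandboxing the PrebuiltGMSCore app.
###
# The rules below are granted in addition to whatever app_domain() and
# net_domain() expand to; both macros are defined outside this file.
# coredomain marks gmscore_app as a platform (non-vendor) domain.
typeattribute gmscore_app coredomain;

app_domain(gmscore_app)

# sysfs_type is an attribute covering the sysfs labels. Only "search" is
# granted: path traversal through sysfs directories, not listing them and
# not reading the files inside.
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(gmscore_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(gmscore_app, sysfs_zram)

# Read access to directories and files labeled rootfs.
r_dir_file(gmscore_app, rootfs)

# Allow GMS core to open kernel config for OTA matching through libvintf
allow gmscore_app config_gz:file { open read getattr };

# Allow GMS core to communicate with update_engine for A/B update.
binder_call(gmscore_app, update_engine)
allow gmscore_app update_engine_service:service_manager find;

# Allow GMS core to communicate with dumpsys storaged.
binder_call(gmscore_app, storaged)
allow gmscore_app storaged_service:service_manager find;

# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow gmscore_app system_update_service:service_manager find;

# Allow GMS core to communicate with statsd.
binder_call(gmscore_app, statsd)

# Allow GMS core to generate unique hardware IDs
# gen_unique_id is the only keystore_key permission granted in this file.
allow gmscore_app keystore:keystore_key gen_unique_id;

# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
# The rule is keyed on the selinuxfs label, so it covers every file with that
# label, not only policyvers.
allow gmscore_app selinuxfs:file r_file_perms;

# suppress denials for non-API accesses.
# dontaudit grants nothing: each access below stays denied unless some other
# rule allows it, but the denial is not written to the audit log. When
# reviewing logs for this domain, the absence of avc entries for these
# targets does not show that the access was never attempted.
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
dontaudit gmscore_app proc_modules:file r_file_perms;
dontaudit gmscore_app proc_net:file r_file_perms;
dontaudit gmscore_app proc_stat:file r_file_perms;
dontaudit gmscore_app proc_version:file r_file_perms;
dontaudit gmscore_app sysfs:dir r_dir_perms;
dontaudit gmscore_app sysfs:file r_file_perms;
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
dontaudit gmscore_app sysfs_dm:file r_file_perms;
dontaudit gmscore_app sysfs_loop:file r_file_perms;
dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;

# Access the network
net_domain(gmscore_app)

# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
# The target is "self", i.e. the gmscore_app domain; tracing processes in
# other domains is not granted by this rule.
allow gmscore_app self:process ptrace;

# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
#   1) com.android.opengl.shaders_cache
#   2) com.android.skia.shaders_cache
#   3) com.android.renderscript.cache
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
# The rule is keyed on the privapp_data_file label, not on the paths listed
# above, so it applies to every file carrying that label. Only "execute" is
# granted on this type here; execute_no_trans is not.
allow gmscore_app privapp_data_file:file execute;

# Chrome Crashpad uses the dynamic linker to load native executables
# from an APK (b/112050209, crbug.com/928422)
# execute_no_trans: the linker runs in the gmscore_app domain, with no
# domain transition.
allow gmscore_app system_linker_exec:file execute_no_trans;

# Create and manage symlinks labeled privapp_data_file.
allow gmscore_app privapp_data_file:lnk_file create_file_perms;

# /proc access
allow gmscore_app proc_vmstat:file r_file_perms;

# Allow interaction with gpuservice
binder_call(gmscore_app, gpuservice)
allow gmscore_app gpu_service:service_manager find;

# find services that expose both @SystemAPI and normal APIs.
# "find" only permits looking the service up through the service manager.
# NOTE(review): oem_lock_service, persistent_data_block_service and
# recovery_service are in this list; what a caller may do after lookup is
# presumably gated by the services' own permission checks -- confirm.
allow gmscore_app app_api_service:service_manager find;
allow gmscore_app system_api_service:service_manager find;
allow gmscore_app audioserver_service:service_manager find;
allow gmscore_app cameraserver_service:service_manager find;
allow gmscore_app drmserver_service:service_manager find;
allow gmscore_app mediadrmserver_service:service_manager find;
allow gmscore_app mediaextractor_service:service_manager find;
allow gmscore_app mediametrics_service:service_manager find;
allow gmscore_app mediaserver_service:service_manager find;
allow gmscore_app network_watchlist_service:service_manager find;
allow gmscore_app nfc_service:service_manager find;
allow gmscore_app oem_lock_service:service_manager find;
allow gmscore_app persistent_data_block_service:service_manager find;
allow gmscore_app radio_service:service_manager find;
allow gmscore_app recovery_service:service_manager find;
allow gmscore_app stats_service:service_manager find;

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# Read-only: no write or create permission on shell_data_file is granted here.
allow gmscore_app shell_data_file:file r_file_perms;
allow gmscore_app shell_data_file:dir r_dir_perms;

# Write to /cache.
allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow gmscore_app cache_file:lnk_file r_file_perms;

# Write to /data/ota_package for OTA packages.
allow gmscore_app ota_package_file:dir rw_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;

# b/18504118: Allow reads from /data/anr/traces.txt
# NOTE(review): the rule covers every file labeled anr_data_file, and ANR
# traces presumably include state from other processes -- confirm that
# read access to the whole label is intended.
allow gmscore_app anr_data_file:file r_file_perms;

# b/148974132: com.android.vending needs this
# Only read and write on TCP sockets labeled priv_app are granted; create,
# connect and bind on that label are not granted here.
allow gmscore_app priv_app:tcp_socket { read write };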