###
### Untrusted_27.
###
### Rules for untrusted apps running with
### 25 < targetSdkVersion <= 28, i.e. targetSdkVersion 26, 27 and 28.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
### Reviewer summary: several allow rules below are compatibility grants
### that the comments describe as unavailable to newer target API levels.
### The auditallow rules grant nothing. They only make the kernel emit an
### "avc: granted" record when the named permission is used, so remaining
### use of these legacy permissions can be observed in the audit log.
###

# Attach the coredomain attribute to this type.
typeattribute untrusted_app_27 coredomain;

# Shared rule sets pulled in through macros defined outside this file.
# Their exact grants are not visible here and must be reviewed separately.
app_domain(untrusted_app_27)
untrusted_app_domain(untrusted_app_27)
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)

# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
# execmod permits making a modified file-backed mapping executable, which
# weakens write-xor-execute for code loaded from these three file types.
# No auditallow in this file covers execmod, so this policy does not log it.
allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;

# The ability to call exec() on files in the app home directories
# for targetApi 26, 27, and 28.
# execute_no_trans means the executed file runs in this same domain, with no
# domain transition. app_data_file is presumably writable by the app, so this
# allows running code the app wrote or downloaded - confirm against the
# app_data_file write rules.
# The auditallow also names execute, which no allow rule in this file grants;
# presumably it comes from one of the macros above - confirm.
allow untrusted_app_27 app_data_file:file execute_no_trans;
auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };

# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
# rx_file_perms is a permission-set macro defined outside this file.
# The auditallow is wrapped in userdebug_or_eng, so granted records for
# dex2oat are only expected on userdebug and eng builds. User builds give
# no audit visibility into this grant.
allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')

# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
# Only open is audited. Reads and writes on an already open descriptor are
# allowed by rw_file_perms but are not logged by this rule.
allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
auditallow untrusted_app_27 ashmem_device:chr_file open;

# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;

# Allow binding to netlink route sockets and sending RTM_GETLINK messages.
# Both permissions are audited with an identical auditallow rule.
# NOTE(review): RTM_GETLINK replies can include interface hardware addresses;
# confirm whether that exposure is the reason this grant is being audited.
allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };