# Rules shared by every domain that carries the appdomain attribute.
# Rules written as `{ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }`
# deliberately withhold the access from the most restricted app domains; the
# neverallow rules are compile-time assertions checked against the whole policy,
# not runtime denials.

# /proc/net access.
# TODO(b/9496886) Audit access for removal.
# proc_net access for the negated domains below is granted (or not) in their
# individual .te files.
r_dir_file({
  appdomain
  -ephemeral_app
  -isolated_app_all
  -platform_app
  -priv_app
  -shell
  -sdk_sandbox_all
  -system_app
  -untrusted_app_all
}, proc_net_type)
# audit access for all these non-core app domains.
# (su is not negated from the grant above, only from this audit set, so its
# reads on debug builds are not logged.)
userdebug_or_eng(`
  auditallow {
    appdomain
    -ephemeral_app
    -isolated_app_all
    -platform_app
    -priv_app
    -shell
    -su
    -sdk_sandbox_all
    -system_app
    -untrusted_app_all
  } proc_net_type:{ dir file lnk_file } { getattr open read };
')

# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)

# System property types readable by every app domain.
get_prop(appdomain, boot_status_prop)
get_prop(appdomain, dalvik_config_prop_type)
get_prop(appdomain, media_config_prop)
get_prop(appdomain, packagemanager_config_prop)
get_prop(appdomain, radio_control_prop)
get_prop(appdomain, surfaceflinger_color_prop)
get_prop(appdomain, systemsound_config_prop)
get_prop(appdomain, telephony_config_prop)
get_prop(appdomain, userspace_reboot_config_prop)
get_prop(appdomain, vold_config_prop)
get_prop(appdomain, adbd_config_prop)
get_prop(appdomain, dck_prop)
get_prop(appdomain, persist_wm_debug_prop)
get_prop(appdomain, persist_sysui_builder_extras_prop)

# Allow the heap dump ART plugin to read the count of sessions waiting for OOME
get_prop(appdomain, traced_oome_heap_session_count_prop)

# Allow to read ro.vendor.camera.extensions.enabled
get_prop(appdomain, camera2_extensions_prop)

# Allow to read ro.camerax.extensions.enabled
get_prop(appdomain, camerax_extensions_prop)

# Prevent apps from causing presubmit failures.
# Apps can cause selinux denials by accessing CE storage
# and/or external storage. In either case, the selinux denial is
# not the cause of the failure, but just a symptom that
# storage isn't ready. Many apps handle the failure appropriately.
#
# Apps cannot access external storage before it becomes available.
dontaudit appdomain storage_stub_file:dir getattr;
# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
# allowed to write to CE storage before it's available.
# Attempting to do so will be blocked by both selinux and unix
# permissions.
dontaudit appdomain system_data_file:dir write;
# Apps should not be reading vendor-defined properties.
# (dontaudit only silences the log; the read is still denied.)
dontaudit appdomain vendor_default_prop:file read;

# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;

# allow apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow appdomain system_server:udp_socket {
        connect getattr read recvfrom sendto write getopt setopt };

# Assertion: no app domain may ever create, bind, listen on, shut down or
# relabel a system_server UDP socket; apps only use sockets handed to them.
neverallow appdomain system_server:udp_socket {
        accept append bind create ioctl listen lock name_bind
        relabelfrom relabelto setattr shutdown };

# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
# Exception for virtualizationmanager to allow running VMs as child processes.
# The policy build fails if any rule elsewhere would let an app domain
# transition anywhere not listed here.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain }:process { dyntransition };

# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;

# Allow to read sendbug.preferred.domain
get_prop(appdomain, sendbug_config_prop)

# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)

# Allow to read persist.config.calibration_fac
get_prop(appdomain, camera_calibration_prop)

# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)

# Allow to read system_user_mode_emulation_prop, which is used by UserManager.java
# (debug builds only).
userdebug_or_eng(`get_prop(appdomain, system_user_mode_emulation_prop)')

# Allow font file read by apps.
allow appdomain font_data_file:file r_file_perms;
allow appdomain font_data_file:dir r_dir_perms;

# Enter /data/misc/apexdata/
allow appdomain apex_module_data_file:dir search;
# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
allow appdomain apex_art_data_file:dir r_dir_perms;
allow appdomain apex_art_data_file:file rx_file_perms;

# Allow access to tombstones if an fd to one is given to you.
# This is restricted by unix permissions, so an app must go through system_server to get one.
allow appdomain tombstone_data_file:file { getattr read };
# Assertion: every permission other than getattr/read on tombstones stays
# unreachable for app domains (the ~{ } form is the complement set).
neverallow appdomain tombstone_data_file:file ~{ getattr read };

# Execute the shell or other system executables.
# Withheld from isolated, ephemeral and SDK sandbox apps.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')

# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;

# Perform binder IPC to sdk sandbox.
binder_call(appdomain, sdk_sandbox_all)

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms;

# Read/write visible storage
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# No open permission here: apps can only use the fd they are handed.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };

#logd access
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })

# Keystore access: legacy keystore_key operations and keystore2_key
# operations on the app's own keys.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };

allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;

use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })

use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })

# PDX IPC client access to the display and performance services.
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client)

# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
# The allowxperm narrows ioctl to TUNGETIFF, so apps can query the interface
# they were handed but cannot reconfigure it.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF;


# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;

# Execute mappings backed by ashmem.
allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# Receive and use open file descriptors inherited from app zygote.
allow appdomain app_zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;

# Read the /sdcard and /mnt/sdcard symlinks
allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms;
allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms;

# Search /storage/emulated tmpfs mount.
allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms;

# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;

userdebug_or_eng(`
  # Allow apps to create and write method traces in /data/misc/trace.
  allow appdomain method_trace_data_file:dir w_dir_perms;
  allow appdomain method_trace_data_file:file { create w_file_perms };
')

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
# NOTE(review): ioctl on devpts is not narrowed by an allowxperm in this file;
# confirm the tty ioctl restriction for app domains is applied elsewhere.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# For AppFuse.
allow appdomain vold:fd use;

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
# mlstrustedsubject domains are excluded from the create/open grants and only
# get the already-open-fd access in the rule after this one.
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;

# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };

# Access open fds from SDK sandbox
allow appdomain sdk_sandbox_data_file:file { getattr read };

# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;

# Keychain and user-trusted credentials
r_dir_file(appdomain, keychain_data_file)
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;

# TextClassifier
r_dir_file({ appdomain -isolated_app_all }, textclassifier_data_file)

# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

# Execute files on /system.
allow appdomain system_file:file x_file_perms;

# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
allow appdomain system_file:lnk_file { getattr open read };
# Renderscript specific permissions to open /system/vendor/lib64.
not_full_treble(`
  allow appdomain vendor_file_type:dir r_dir_perms;
  allow appdomain vendor_file_type:lnk_file { getattr open read };
')

full_treble_only(`
  # For looking up Renderscript vendor drivers
  allow { appdomain -isolated_app_all } vendor_file:dir { open read };
')

# Allow apps access to /vendor/overlay
r_dir_file(appdomain, vendor_overlay_file)

# Allow apps access to /vendor/framework
# for vendor provided libraries.
r_dir_file(appdomain, vendor_framework_file)

# Allow apps read / execute access to vendor public libraries.
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };

# Read/write wallpaper file (opened by system).
allow { appdomain -isolated_app_all } wallpaper_file:file { getattr read write map };

# Read/write cached ringtones (opened by system).
allow { appdomain -isolated_app_all } ringtone_file:file { getattr read write map };

# Read ShortcutManager icon files (opened by system).
allow { appdomain -isolated_app_all } shortcut_manager_icons:file { getattr read map };

# Read icon file (opened by system).
allow { appdomain -isolated_app_all } icon_file:file { getattr read map };

# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
# TODO: All of these permissions except for anr_data_file:file append can be
# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
# and the rules below.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow apps to connect and write to the tombstoned java trace socket in
# order to dump their traces. Also allow them to append traces to pipes
# created by dumptrace. (Also see the rules below where they are given
# additional permissions to dumpstate pipes for other aspects of bug report
# creation).
unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
allow appdomain tombstoned:fd use;
allow appdomain dumpstate:fifo_file append;
allow appdomain incidentd:fifo_file append;

# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };

# Allow apps to send dump information to incidentd
allow appdomain incidentd:fd use;
allow appdomain incidentd:fifo_file { write getattr };

# Allow apps to send information to statsd socket.
unix_socket_send(appdomain, statsdw, statsd)

# Write profiles /data/misc/profiles
allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir w_dir_perms;
allow appdomain user_profile_data_file:file create_file_perms;

# Allow writing performance tracing data into the perfetto traced daemon.
# Needed for java heap graph ART plugin (perfetto_hprof).
# The perfetto profiling daemon will check for the specific application's
# opt-in/opt-out.
perfetto_producer(appdomain)

# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only.
userdebug_or_eng(`
  allow appdomain heapdump_data_file:file append;
')

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app_all } gpu_device:chr_file rw_file_perms;
allow { appdomain -isolated_app_all } gpu_device:dir r_dir_perms;
allow { appdomain -isolated_app_all } sysfs_gpu:file r_file_perms;


# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
# Perform binder IPC to gpuservice.
binder_call({ appdomain -isolated_app_all }, gpuservice)

# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr map };
allow appdomain cache_backup_file:file { read write getattr map };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file r_file_perms;
allow appdomain system_data_file:file { getattr read map };

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;

# Allow apps to read/execute installed binaries
allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };

# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;

# logd access
read_logd(appdomain)

# Write to the zygote's datagram socket.
allow appdomain zygote:unix_dgram_socket write;

# NOTE(review): undocumented grant; a one-line justification for console_device
# read/write by every app domain would help future audits.
allow appdomain console_device:chr_file { read write };

# only allow unprivileged socket ioctl commands
# (once an allowxperm rule exists for ioctl, only the listed commands pass;
# bluetooth is left out, presumably because its ioctl set lives in its own .te file)
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

# Read-only access to ION / dma-buf heap devices.
allow { appdomain -isolated_app_all } ion_device:chr_file r_file_perms;
allow { appdomain -isolated_app_all } dmabuf_system_heap_device:chr_file r_file_perms;
allow { appdomain -isolated_app_all } dmabuf_system_secure_heap_device:chr_file r_file_perms;

# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app_all } hal_audio:fd use;

# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app_all } hal_camera:fd use;

# Allow apps to access shared memory file descriptor from the tuner HAL
allow {appdomain -isolated_app_all} hal_tv_tuner_server:fd use;

# RenderScript always-passthrough HAL
allow { appdomain -isolated_app_all } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };

# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;

# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write map };

###
### CTS-specific rules
###

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

allow appdomain cache_file:dir getattr;

# Allow apps to run with asanwrapper.
with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')

# Read access to FDs from the DropboxManagerService.
allow appdomain dropbox_data_file:file { getattr read };

# Read tmpfs types from these processes.
allow appdomain audioserver_tmpfs:file { getattr map read write };
allow appdomain system_server_tmpfs:file { getattr map read write };
allow appdomain zygote_tmpfs:file { map read };

# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
# Assertion over every data_file_type; the negated types are the only
# /data locations these domains may execute from.
neverallow {
  bluetooth
  isolated_app_all
  nfc
  radio
  shared_relro
  sdk_sandbox_all
  system_app
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;

# Don't allow apps access to any of the following character devices.
neverallow appdomain {
  audio_device
  camera_device
  dm_device
  radio_device
  rpmsg_device
}:chr_file { read write };

# Block video device access for all apps except the DeviceAsWebcam Service which
# needs access to /dev/video* for interfacing with the host
neverallow {
  appdomain
  -device_as_webcam
} video_device:chr_file { read write };

# Prevent calling inotify on APKs. This can be used as a side channel
# to observer app launches, so it must be disallowed. b/231587164
# Gate by targetSdkVersion to avoid breaking existing apps.
# The negated domains are the older-targetSdk untrusted_app variants; every
# other app domain is asserted to lack watch/watch_reads on APK paths.
neverallow {
  appdomain
  -untrusted_app_25
  -untrusted_app_27
  -untrusted_app_29
  -untrusted_app_30
  -untrusted_app_32
} apk_data_file:dir { watch watch_reads };
neverallow {
  appdomain
  -untrusted_app_25
  -untrusted_app_27
  -untrusted_app_29
  -untrusted_app_30
  -untrusted_app_32
} apk_data_file:file { watch watch_reads };