• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1###
2### Untrusted apps.
3###
4### This file defines the rules for untrusted apps running with
5### 29 < targetSdkVersion <= 31.
6###
7### See public/untrusted_app.te for more information about which apps are
8### placed in this selinux domain.
9###
10### TODO(b/192334803): Merge this policy into untrusted_app_29 when possible
11###
12
13typeattribute untrusted_app_30 coredomain;
14
15app_domain(untrusted_app_30)
16untrusted_app_domain(untrusted_app_30)
17net_domain(untrusted_app_30)
18bluetooth_domain(untrusted_app_30)
19
20# allow sending RTM_GETNEIGH{TBL} messages.
21allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
22auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
23
24# Connect to mdnsd via mdnsd socket.
25unix_socket_connect(untrusted_app_30, mdnsd, mdnsd)
26userdebug_or_eng(`
27  auditallow untrusted_app_30 mdnsd_socket:sock_file write;
28  auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
29')
30
31# Allow calling inotify on APKs for backwards compatibility. This is disallowed
32# for targetSdkVersion>=34 to remove a sidechannel.
33allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
34allow untrusted_app_30 apk_data_file:file { watch watch_reads };
35userdebug_or_eng(`
36  auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads };
37  auditallow untrusted_app_30 apk_data_file:file { watch watch_reads };
38')
39