1### 2### Untrusted apps. 3### 4### This file defines the rules for untrusted apps. An "untrusted 5### app" is an APP with UID between APP_AID (10000) 6### and AID_ISOLATED_START (99000). 7### 8### untrusted_app includes all the appdomain rules, plus the 9### additional following rules: 10### 11 12type untrusted_app, domain; 13permissive untrusted_app; 14app_domain(untrusted_app) 15net_domain(untrusted_app) 16bluetooth_domain(untrusted_app) 17 18allow untrusted_app tun_device:chr_file rw_file_perms; 19 20# Internal SDCard rw access. 21allow untrusted_app sdcard_internal:dir create_dir_perms; 22allow untrusted_app sdcard_internal:file create_file_perms; 23 24# External SDCard rw access. 25allow untrusted_app sdcard_external:dir create_dir_perms; 26allow untrusted_app sdcard_external:file create_file_perms; 27 28# ASEC 29allow untrusted_app asec_apk_file:dir { getattr }; 30allow untrusted_app asec_apk_file:file r_file_perms; 31 32# Create tcp/udp sockets 33allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind; 34allow untrusted_app self:{ tcp_socket udp_socket } { create_socket_perms accept listen }; 35# Bind to a particular hostname/address/interface (e.g., localhost) instead of 36# ANY. Normally, apps should not be listening on all interfaces. 37allow untrusted_app port:{ tcp_socket udp_socket } name_bind; 38 39# Allow the allocation and use of ptys 40# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm 41allow untrusted_app devpts:chr_file rw_file_perms; 42 43# Used by Finsky / Android "Verify Apps" functionality when 44# running "adb install foo.apk". 45# TODO: Long term, we don't want apps probing into shell data files. 46# Figure out a way to remove these rules. 47# XXX Adding writing to shell_data_file to fix 10290009; this needs a real fix, 48# as allowing apps to write shell data files is a significant possible security 49# vuln 50allow untrusted_app shell_data_file:file rw_file_perms; 51allow untrusted_app shell_data_file:dir r_dir_perms; 52