###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Reading this file: `allow` rules grant access to every domain in the
### `appdomain` attribute; the `neverallow` rules near the end of the file
### are build-time assertions that fail the policy compile if any other
### policy file grants the listed access. Permission-set names such as
### r_file_perms, rx_file_perms, create_dir_perms and the
### userdebug_or_eng() / binder_*() / r_dir_file() macros are defined
### outside this file. A `{ appdomain -foo }` set means "all app domains
### except foo".
###

# WebView and other application-specific JIT compilers
# execmem lets the process map anonymous memory executable (or make a
# writable mapping executable). This is what JITs need, and it is also why
# W^X cannot be enforced for app processes at the SELinux level.
allow appdomain self:process execmem;

# Execute code out of ashmem regions (same JIT use case as above).
allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death.
allow appdomain zygote:process sigchld;

# Place process into foreground / background
# Only search/write on the cgroup directory and read/write on its files are
# granted, i.e. enough for a process to re-parent itself between groups.
allow appdomain cgroup:dir { search write };
allow appdomain cgroup:file rw_file_perms;

# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;

# Read the /sdcard and /mnt/sdcard symlinks
allow appdomain rootfs:lnk_file r_file_perms;
allow appdomain tmpfs:lnk_file r_file_perms;

# Search /storage/emulated tmpfs mount.
allow appdomain tmpfs:dir r_dir_perms;

# Everything inside the m4 quotes below is compiled only into userdebug/eng
# (debuggable) builds and is absent from user builds.
userdebug_or_eng(`
  # Notify zygote of the wrapped process PID when using --invoke-with.
  allow appdomain zygote:fifo_file write;

  # Allow apps to create and write method traces in /data/misc/trace.
  allow appdomain method_trace_data_file:dir w_dir_perms;
  allow appdomain method_trace_data_file:file { create w_file_perms };
')

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
# getattr/read/write/ioctl only -- no open, so the pty descriptor is expected
# to be inherited from the parent (runas) rather than opened by the app.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
# None of these rules include create or connectto: they cover descriptors
# system_server hands to the app, not sockets the app opens itself.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;

# Communicate with surfaceflinger.
# Again read/write on an already-connected socket; no connectto.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
# isolated_app is excluded: isolated processes get no access to the
# per-app data directory from this file.
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;

# lib subdirectory of /data/data dir is system-owned.
# Read-only directory access plus execute/execmod on files (execmod permits
# text relocations in mapped native libraries). No write is granted here,
# and the neverallow on system_data_file later in this file forbids it.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };

# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;

# Keychain and user-trusted credentials
# Read-only for both the keychain store and the per-user misc data.
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;

# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;

# Execute the shell or other system executables.
# rx_file_perms only: no domain transition is granted by these rules, so the
# executed binary keeps running in the app's own domain.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
allow appdomain toolbox_exec:file rx_file_perms;

# Renderscript needs the ability to read directories on /system
r_dir_file(appdomain, system_file)

# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;

# Read/write wallpaper file (opened by system).
# getattr/read/write on a descriptor the system opened; no open permission.
allow appdomain wallpaper_file:file { getattr read write };

# Read/write cached ringtones (opened by system).
allow appdomain ringtone_file:file { getattr read write };

# Read ShortcutManager icon files (opened by system).
allow appdomain shortcut_manager_icons:file { getattr read };

# Read icon file (opened by system).
allow appdomain icon_file:file { getattr read };

# Write to /data/anr/traces.txt.
# open + append only: an app can add its own trace but cannot read,
# truncate or overwrite what other processes wrote.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
# Descriptors (fd use) and sockets/fifos passed in by dumpstate; no connectto.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain dumpstate:fifo_file { write getattr };
# write/getattr only, no open or create: this covers shell-owned output files
# handed over as descriptors. Consistent with the shell_data_file neverallow
# near the end of this file, whose permission list leaves `write` out.
allow appdomain shell_data_file:file { write getattr };

# Write profiles /data/misc/profiles
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
# Profiles for foreign dex files are just markers and only need create permissions.
allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
allow appdomain user_profile_foreign_dex_data_file:file create;
# There is no way to create user_profile_foreign_dex_data_file without
# generating open/read denials. These permissions should not be granted and the
# denial is harmless. dontaudit to suppress the denial.
# (dontaudit only silences the log entry; the access is still denied.)
dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };

# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only.
userdebug_or_eng(`
  allow appdomain heapdump_data_file:file append;
')

# Write to /proc/net/xt_qtaguid/ctrl file.
# Read/write on the qtaguid control file (socket tagging for traffic stats).
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
# isolated_app is excluded: isolated processes do not get the GPU device.
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
# read/getattr only, no open: the descriptor must come from the other side.
allow appdomain media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
# read/write/getattr on descriptors passed by the telephony provider; no open.
allow appdomain radio_data_file:file { read write getattr };

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow appdomain storage_file:dir r_dir_perms;
allow appdomain storage_file:lnk_file r_file_perms;
allow appdomain mnt_user_file:dir r_dir_perms;
allow appdomain mnt_user_file:lnk_file r_file_perms;

# Read/write visible storage
# Full create/write access on the fuse and sdcardfs filesystems; per-app
# separation on external storage therefore comes from the filesystem
# (uid/gid handling), not from SELinux.
allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms;
allow appdomain sdcardfs:dir create_dir_perms;
allow appdomain sdcardfs:file create_file_perms;

# Access OBBs (vfat images) mounted by vold (b/17633509)
# File write access allowed for FDs returned through Storage Access Framework
# Directories stay read-only (r_dir_perms), so apps cannot create or remove
# entries on these mounts; only existing files are read/writable.
allow appdomain vfat:dir r_dir_perms;
allow appdomain vfat:file rw_file_perms;

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# Note the asymmetry: ioctl is granted on usb_device but not on
# usbaccessory_device; neither rule grants open.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
# Execute compiled code out of /data/dalvik-cache and follow its symlinks.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;

# Allow apps to read/execute installed binaries
# execmod (text relocations) is granted on APK contents in addition to
# rx_file_perms.
allow appdomain apk_data_file:dir r_dir_perms;
allow appdomain apk_data_file:file { rx_file_perms execmod };

# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;

# logd access
read_logd(appdomain)
control_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

# Keystore operations for all non-isolated apps.
allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };

use_keystore({ appdomain -isolated_app })

# NOTE(review): no justification is recorded for console_device access;
# confirm this rule is still required before keeping it in the base policy.
allow appdomain console_device:chr_file { read write };

# only allow unprivileged socket ioctl commands
# Extended-permission rule: restricts the ioctl command numbers apps may
# issue on their own raw/tcp/udp sockets to the whitelists named here
# (defined outside this file). bluetooth is excluded, presumably because it
# carries its own ioctl rules -- confirm in bluetooth.te.
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

# ION memory allocator; isolated processes are excluded.
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;

# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write };

###
### CTS-specific rules
###

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
# getattr only (stat the binary); no execute.
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)

# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
# (no open permission in the list below; ioctl/append are on the inherited fd).
allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
# Unlike the other socket rules in this file, this one includes connectto,
# so the app may actively initiate the connection to adbd's socket.
allow appdomain adbd:unix_stream_socket connectto;
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

allow appdomain cache_file:dir getattr;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### A neverallow is checked when the policy is compiled: if any rule in any
### policy file (including device-specific policy) grants the listed access
### to a matching domain, the build fails. They grant nothing themselves.
###

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
# `*` = every permission in the class.
neverallow { appdomain -bluetooth } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;

# Block device access.
# dev_type is the attribute covering all device-node types.
neverallow appdomain dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow appdomain {
  audio_device
  camera_device
  dm_device
  gps_device
  radio_device
  rpmsg_device
  video_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Only these three domains are covered, not the full appdomain attribute.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };

neverallow { appdomain -nfc } nfc_device:chr_file
  { read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
  { read write };
neverallow appdomain tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
# Any permission (`*`) on these socket classes owned by any domain.
neverallow appdomain
  domain:{
    netlink_firewall_socket
    netlink_tcpdiag_socket
    netlink_nflog_socket
    netlink_xfrm_socket
    netlink_audit_socket
    netlink_ip6fw_socket
    netlink_dnrt_socket
  } *;

# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
# Reading uevent sockets is not covered by this rule; only write/append.
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };

# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;

# Unix domain sockets.
# Apps may not connect to these daemon sockets (write on the sock_file is
# what a connect(2) needs). radio is exempt for rild.
neverallow appdomain adbd_socket:sock_file write;
neverallow appdomain installd_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
neverallow appdomain vold_socket:sock_file write;
neverallow appdomain zygote_socket:sock_file write;

# ptrace access to non-app domains.
# { domain -appdomain } = every process domain that is not an app domain.
neverallow appdomain { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
# (/proc/<pid> files carry the label of the owning process's domain,
# hence the `domain` target with the `file` class.)
neverallow appdomain { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow appdomain { domain -appdomain }:process
  { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain and the su domain, can transition to runas,
# etc.
# The su exemption exists only on userdebug/eng builds (it is inside the
# userdebug_or_eng macro), so on user builds only shell is exempt.
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
  { transition dyntransition };

# Write to rootfs.
# dir_file_class_set covers directories and every file class; the permission
# list is every modifying operation, leaving read-type access unaffected.
neverallow appdomain rootfs:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow appdomain system_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
# exec_type is the attribute for all domain entrypoint executable types.
neverallow appdomain exec_type:file
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
neverallow appdomain system_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
# Same modifying-permission list as the /system rules above, per data type,
# with the one domain that legitimately owns each type exempted.
neverallow appdomain drm_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -system_app }
  gps_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_tmp_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_private_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
  apk_private_tmp_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
# shell_data_file: `write` is intentionally absent from this list (compare the
# other rules in this group) because the allow rule earlier in this file grants
# `write` on shell_data_file descriptors passed in by dumpstate.
neverallow { appdomain -shell }
  shell_data_file:dir_file_class_set
  { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
  bluetooth_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
# No app domain at all may modify keystore, systemkeys, wifi or dhcp data.
neverallow appdomain
  keystore_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  systemkeys_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  wifi_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
  dhcp_data_file:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# access tmp apk files
# `*`: any access at all (including read) to APK staging files is forbidden
# for every app domain other than platform_app and priv_app.
neverallow { appdomain -platform_app -priv_app }
  { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;

# Access to factory files.
# No app may write factory data; only shell may read it.
neverallow appdomain efs_file:dir_file_class_set write;
neverallow { appdomain -shell } efs_file:dir_file_class_set read;

# Write to various pseudo file systems.
# bluetooth and nfc are exempt from the sysfs rule; nothing is exempt
# from the proc rule.
neverallow { appdomain -bluetooth -nfc }
  sysfs:dir_file_class_set write;
neverallow appdomain
  proc:dir_file_class_set write;

# Access to syslog(2) or /proc/kmsg.
# system_app may modify/redirect the kernel log; system_app and shell may
# read it; every other app domain gets neither.
neverallow { appdomain -system_app }
  kernel:system { syslog_mod syslog_console };
neverallow { appdomain -system_app -shell }
  kernel:system syslog_read;

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
# `~getattr` = every permission in the filesystem class except getattr.
neverallow appdomain fs_type:filesystem ~getattr;

# prevent creation/manipulation of globally readable symlinks
# no_w_file_perms (defined outside this file) is the set of modifying
# permissions; apps may still follow these links (r_file_perms is granted on
# rootfs/tmpfs symlinks earlier in this file).
neverallow appdomain {
  apk_data_file
  cache_file
  cache_recovery_file
  dev_type
  rootfs
  system_file
  security_file
  tmpfs
}:lnk_file no_w_file_perms;

# Blacklist app domains not allowed to execute from /data
# Applies to the listed domains only (not the whole appdomain attribute) and
# to every data_file_type except the three carved out below.
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  system_app
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;

# Foreign dex profiles are just markers. Prevent apps from doing anything but touching them.
# Pairs with the create-only allow rule and the open/read dontaudit earlier
# in this file.
neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };