1### 2### Domain for all zygote spawned apps 3### 4### This file is the base policy for all zygote spawned apps. 5### Other policy files, such as isolated_app.te, untrusted_app.te, etc 6### extend from this policy. Only policies which should apply to ALL 7### zygote spawned apps should be added here. 8### 9 10# TODO: deal with tmpfs_domain pub/priv split properly 11# Read system properties managed by zygote. 12allow appdomain zygote_tmpfs:file read; 13 14# WebView and other application-specific JIT compilers 15allow appdomain self:process execmem; 16 17allow appdomain ashmem_device:chr_file execute; 18 19# Receive and use open file descriptors inherited from zygote. 20allow appdomain zygote:fd use; 21 22# gdbserver for ndk-gdb reads the zygote. 23# valgrind needs mmap exec for zygote 24allow appdomain zygote_exec:file rx_file_perms; 25 26# Notify zygote of death; 27allow appdomain zygote:process sigchld; 28 29# Place process into foreground / background 30allow appdomain cgroup:dir { search write }; 31allow appdomain cgroup:file rw_file_perms; 32 33# Read /data/dalvik-cache. 34allow appdomain dalvikcache_data_file:dir { search getattr }; 35allow appdomain dalvikcache_data_file:file r_file_perms; 36 37# Read the /sdcard and /mnt/sdcard symlinks 38allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms; 39allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms; 40 41# Search /storage/emulated tmpfs mount. 42allow appdomain tmpfs:dir r_dir_perms; 43 44userdebug_or_eng(` 45 # Notify zygote of the wrapped process PID when using --invoke-with. 46 allow appdomain zygote:fifo_file write; 47 48 # Allow apps to create and write method traces in /data/misc/trace. 49 allow appdomain method_trace_data_file:dir w_dir_perms; 50 allow appdomain method_trace_data_file:file { create w_file_perms }; 51') 52 53# Notify shell and adbd of death when spawned via runas for ndk-gdb. 54allow appdomain shell:process sigchld; 55allow appdomain adbd:process sigchld; 56 57# child shell or gdbserver pty access for runas. 58allow appdomain devpts:chr_file { getattr read write ioctl }; 59 60# Use pipes and sockets provided by system_server via binder or local socket. 61allow appdomain system_server:fd use; 62allow appdomain system_server:fifo_file rw_file_perms; 63allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown }; 64allow appdomain system_server:tcp_socket { read write getattr getopt shutdown }; 65 66# Communication with other apps via fifos 67allow appdomain appdomain:fifo_file rw_file_perms; 68 69# Communicate with surfaceflinger. 70allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; 71 72# Query whether a Surface supports wide color 73allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find; 74 75# App sandbox file accesses. 76allow { appdomain -isolated_app } app_data_file:dir create_dir_perms; 77allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms; 78 79# Traverse into expanded storage 80allow appdomain mnt_expand_file:dir r_dir_perms; 81 82# Keychain and user-trusted credentials 83r_dir_file(appdomain, keychain_data_file) 84allow appdomain misc_user_data_file:dir r_dir_perms; 85allow appdomain misc_user_data_file:file r_file_perms; 86 87# TextClassifier 88r_dir_file({ appdomain -isolated_app }, textclassifier_data_file) 89 90# Access to OEM provided data and apps 91allow appdomain oemfs:dir r_dir_perms; 92allow appdomain oemfs:file rx_file_perms; 93 94# Execute the shell or other system executables. 95allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms; 96allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms; 97allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms; 98not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;') 99 100# Renderscript needs the ability to read directories on /system 101allow appdomain system_file:dir r_dir_perms; 102allow appdomain system_file:lnk_file { getattr open read }; 103# Renderscript specific permissions to open /system/vendor/lib64. 104not_full_treble(` 105 allow appdomain vendor_file_type:dir r_dir_perms; 106 allow appdomain vendor_file_type:lnk_file { getattr open read }; 107') 108 109full_treble_only(` 110 # For looking up Renderscript vendor drivers 111 allow { appdomain -isolated_app } vendor_file:dir { open read }; 112') 113 114# Allow apps access to /vendor/app except for privileged 115# apps which cannot be in /vendor. 116r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file) 117allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute; 118 119# Allow apps access to /vendor/overlay 120r_dir_file(appdomain, vendor_overlay_file) 121 122# Allow apps access to /vendor/framework 123# for vendor provided libraries. 124r_dir_file(appdomain, vendor_framework_file) 125 126# Execute dex2oat when apps call dexclassloader 127allow appdomain dex2oat_exec:file rx_file_perms; 128 129# Read/write wallpaper file (opened by system). 130allow appdomain wallpaper_file:file { getattr read write }; 131 132# Read/write cached ringtones (opened by system). 133allow appdomain ringtone_file:file { getattr read write }; 134 135# Read ShortcutManager icon files (opened by system). 136allow appdomain shortcut_manager_icons:file { getattr read }; 137 138# Read icon file (opened by system). 139allow appdomain icon_file:file { getattr read }; 140 141# Write to /data/anr/traces.txt. 142allow appdomain anr_data_file:dir search; 143allow appdomain anr_data_file:file { open append }; 144 145# Allow apps to send dump information to dumpstate 146allow appdomain dumpstate:fd use; 147allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown }; 148allow appdomain dumpstate:fifo_file { write getattr }; 149allow appdomain shell_data_file:file { write getattr }; 150 151# Write profiles /data/misc/profiles 152allow appdomain user_profile_data_file:dir { search write add_name }; 153allow appdomain user_profile_data_file:file create_file_perms; 154 155# Send heap dumps to system_server via an already open file descriptor 156# % adb shell am set-watch-heap com.android.systemui 1048576 157# % adb shell dumpsys procstats --start-testing 158# debuggable builds only. 159userdebug_or_eng(` 160 allow appdomain heapdump_data_file:file append; 161') 162 163# Write to /proc/net/xt_qtaguid/ctrl file. 164allow appdomain qtaguid_proc:file rw_file_perms; 165# read /proc/net/xt_qtguid/stats 166r_dir_file({ appdomain -ephemeral_app}, proc_net) 167# Everybody can read the xt_qtaguid resource tracking misc dev. 168# So allow all apps to read from /dev/xt_qtaguid. 169allow appdomain qtaguid_device:chr_file r_file_perms; 170 171# Grant GPU access to all processes started by Zygote. 172# They need that to render the standard UI. 173allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms; 174 175# Use the Binder. 176binder_use(appdomain) 177# Perform binder IPC to binder services. 178binder_call(appdomain, binderservicedomain) 179# Perform binder IPC to other apps. 180binder_call(appdomain, appdomain) 181# Perform binder IPC to ephemeral apps. 182binder_call(appdomain, ephemeral_app) 183 184# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized 185# as OMX HAL 186hwbinder_use({ appdomain -isolated_app }) 187allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find; 188allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find; 189 190# Talk with graphics composer fences 191allow appdomain hal_graphics_composer:fd use; 192 193# Already connected, unnamed sockets being passed over some other IPC 194# hence no sock_file or connectto permission. This appears to be how 195# Chrome works, may need to be updated as more apps using isolated services 196# are examined. 197allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown }; 198 199# Backup ability for every app. BMS opens and passes the fd 200# to any app that has backup ability. Hence, no open permissions here. 201allow appdomain backup_data_file:file { read write getattr }; 202allow appdomain cache_backup_file:file { read write getattr }; 203allow appdomain cache_backup_file:dir getattr; 204# Backup ability using 'adb backup' 205allow appdomain system_data_file:lnk_file r_file_perms; 206allow appdomain system_data_file:file { getattr read }; 207 208# Allow read/stat of /data/media files passed by Binder or local socket IPC. 209allow { appdomain -isolated_app } media_rw_data_file:file { read getattr }; 210 211# Read and write /data/data/com.android.providers.telephony files passed over Binder. 212allow { appdomain -isolated_app } radio_data_file:file { read write getattr }; 213 214# Allow access to external storage; we have several visible mount points under /storage 215# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary 216allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms; 217allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms; 218allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms; 219allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms; 220 221# Read/write visible storage 222allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms; 223allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms; 224allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms; 225allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms; 226# This should be removed if sdcardfs is modified to alter the secontext for its 227# accesses to the underlying FS. 228allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms; 229allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms; 230 231# Access OBBs (vfat images) mounted by vold (b/17633509) 232# File write access allowed for FDs returned through Storage Access Framework 233allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms; 234allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms; 235 236# Allow apps to use the USB Accessory interface. 237# http://developer.android.com/guide/topics/connectivity/usb/accessory.html 238# 239# USB devices are first opened by the system server (USBDeviceManagerService) 240# and the file descriptor is passed to the right Activity via binder. 241allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl }; 242allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr }; 243 244# For art. 245allow appdomain dalvikcache_data_file:file execute; 246allow appdomain dalvikcache_data_file:lnk_file r_file_perms; 247 248# Allow any app to read shared RELRO files. 249allow appdomain shared_relro_file:dir search; 250allow appdomain shared_relro_file:file r_file_perms; 251 252# Allow apps to read/execute installed binaries 253allow appdomain apk_data_file:dir r_dir_perms; 254allow appdomain apk_data_file:file rx_file_perms; 255 256# /data/resource-cache 257allow appdomain resourcecache_data_file:file r_file_perms; 258allow appdomain resourcecache_data_file:dir r_dir_perms; 259 260# logd access 261read_logd(appdomain) 262control_logd({ appdomain -ephemeral_app untrusted_v2_app }) 263# application inherit logd write socket (urge is to deprecate this long term) 264allow appdomain zygote:unix_dgram_socket write; 265 266allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify }; 267 268use_keystore({ appdomain -isolated_app -ephemeral_app }) 269 270allow appdomain console_device:chr_file { read write }; 271 272# only allow unprivileged socket ioctl commands 273allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } 274 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 275 276allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms; 277# TODO is write really necessary ? 278auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append }; 279 280# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx) 281get_prop({ appdomain -isolated_app }, hwservicemanager_prop); 282 283# Allow app access to mediacodec (IOMX HAL) 284binder_call({ appdomain -isolated_app }, mediacodec) 285 286# Allow AAudio apps to use shared memory file descriptors from the HAL 287allow { appdomain -isolated_app } hal_audio:fd use; 288 289# Allow app to access shared memory created by camera HAL1 290allow { appdomain -isolated_app } hal_camera:fd use; 291 292# RenderScript always-passthrough HAL 293allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find; 294 295# TODO: switch to meminfo service 296allow appdomain proc_meminfo:file r_file_perms; 297 298# For app fuse. 299allow appdomain app_fuse_file:file { getattr read append write }; 300 301pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client) 302pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager) 303pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync) 304pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client) 305# Apps do not directly open the IPC socket for bufferhubd. 306pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client) 307 308### 309### CTS-specific rules 310### 311 312# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java. 313# testRunAsHasCorrectCapabilities 314allow appdomain runas_exec:file getattr; 315# Others are either allowed elsewhere or not desired. 316 317# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java 318# Check SELinux policy and contexts. 319selinux_check_access(appdomain) 320selinux_check_context(appdomain) 321 322# Apps receive an open tun fd from the framework for 323# device traffic. Do not allow untrusted app to directly open tun_device 324allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append }; 325 326# Connect to adbd and use a socket transferred from it. 327# This is used for e.g. adb backup/restore. 328allow appdomain adbd:unix_stream_socket connectto; 329allow appdomain adbd:fd use; 330allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; 331 332allow appdomain cache_file:dir getattr; 333 334### 335### Neverallow rules 336### 337### These are things that Android apps should NEVER be able to do 338### 339 340# Superuser capabilities. 341# bluetooth requires net_admin and wake_alarm. 342neverallow { appdomain -bluetooth } self:capability *; 343neverallow { appdomain -bluetooth } self:capability2 *; 344 345# Block device access. 346neverallow appdomain dev_type:blk_file { read write }; 347 348# Access to any of the following character devices. 349neverallow appdomain { 350 audio_device 351 camera_device 352 dm_device 353 radio_device 354 rpmsg_device 355 video_device 356}:chr_file { read write }; 357 358# Note: Try expanding list of app domains in the future. 359neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write }; 360 361neverallow { appdomain -nfc } nfc_device:chr_file 362 { read write }; 363neverallow { appdomain -bluetooth } hci_attach_dev:chr_file 364 { read write }; 365neverallow appdomain tee_device:chr_file { read write }; 366 367# Privileged netlink socket interfaces. 368neverallow appdomain 369 domain:{ 370 netlink_tcpdiag_socket 371 netlink_nflog_socket 372 netlink_xfrm_socket 373 netlink_audit_socket 374 netlink_dnrt_socket 375 } *; 376 377# These messages are broadcast messages from the kernel to userspace. 378# Do not allow the writing of netlink messages, which has been a source 379# of rooting vulns in the past. 380neverallow appdomain domain:netlink_kobject_uevent_socket { write append }; 381 382# Sockets under /dev/socket that are not specifically typed. 383neverallow appdomain socket_device:sock_file write; 384 385# Unix domain sockets. 386neverallow appdomain adbd_socket:sock_file write; 387neverallow { appdomain -radio } rild_socket:sock_file write; 388neverallow appdomain vold_socket:sock_file write; 389neverallow appdomain zygote_socket:sock_file write; 390 391# ptrace access to non-app domains. 392neverallow appdomain { domain -appdomain }:process ptrace; 393 394# Write access to /proc/pid entries for any non-app domain. 395neverallow appdomain { domain -appdomain }:file write; 396 397# signal access to non-app domains. 398# sigchld allowed for parent death notification. 399# signull allowed for kill(pid, 0) existence test. 400# All others prohibited. 401neverallow appdomain { domain -appdomain }:process 402 { sigkill sigstop signal }; 403 404# Transition to a non-app domain. 405# Exception for the shell and su domains, can transition to runas, etc. 406# Exception for crash_dump. 407neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process 408 { transition }; 409neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process 410 { dyntransition }; 411 412# Write to rootfs. 413neverallow appdomain rootfs:dir_file_class_set 414 { create write setattr relabelfrom relabelto append unlink link rename }; 415 416# Write to /system. 417neverallow appdomain system_file:dir_file_class_set 418 { create write setattr relabelfrom relabelto append unlink link rename }; 419 420# Write to entrypoint executables. 421neverallow appdomain exec_type:file 422 { create write setattr relabelfrom relabelto append unlink link rename }; 423 424# Write to system-owned parts of /data. 425# This is the default type for anything under /data not otherwise 426# specified in file_contexts. Define a different type for portions 427# that should be writable by apps. 428neverallow appdomain system_data_file:dir_file_class_set 429 { create write setattr relabelfrom relabelto append unlink link rename }; 430 431# Write to various other parts of /data. 432neverallow appdomain drm_data_file:dir_file_class_set 433 { create write setattr relabelfrom relabelto append unlink link rename }; 434neverallow { appdomain -platform_app } 435 apk_data_file:dir_file_class_set 436 { create write setattr relabelfrom relabelto append unlink link rename }; 437neverallow { appdomain -platform_app } 438 apk_tmp_file:dir_file_class_set 439 { create write setattr relabelfrom relabelto append unlink link rename }; 440neverallow { appdomain -platform_app } 441 apk_private_data_file:dir_file_class_set 442 { create write setattr relabelfrom relabelto append unlink link rename }; 443neverallow { appdomain -platform_app } 444 apk_private_tmp_file:dir_file_class_set 445 { create write setattr relabelfrom relabelto append unlink link rename }; 446neverallow { appdomain -shell } 447 shell_data_file:dir_file_class_set 448 { create setattr relabelfrom relabelto append unlink link rename }; 449neverallow { appdomain -bluetooth } 450 bluetooth_data_file:dir_file_class_set 451 { create write setattr relabelfrom relabelto append unlink link rename }; 452neverallow appdomain 453 keystore_data_file:dir_file_class_set 454 { create write setattr relabelfrom relabelto append unlink link rename }; 455neverallow appdomain 456 systemkeys_data_file:dir_file_class_set 457 { create write setattr relabelfrom relabelto append unlink link rename }; 458neverallow appdomain 459 wifi_data_file:dir_file_class_set 460 { create write setattr relabelfrom relabelto append unlink link rename }; 461neverallow appdomain 462 dhcp_data_file:dir_file_class_set 463 { create write setattr relabelfrom relabelto append unlink link rename }; 464 465# access tmp apk files 466neverallow { appdomain -platform_app -priv_app } 467 { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *; 468 469# Access to factory files. 470neverallow appdomain efs_file:dir_file_class_set write; 471neverallow { appdomain -shell } efs_file:dir_file_class_set read; 472 473# Write to various pseudo file systems. 474neverallow { appdomain -bluetooth -nfc } 475 sysfs:dir_file_class_set write; 476neverallow appdomain 477 proc:dir_file_class_set write; 478 479# Access to syslog(2) or /proc/kmsg. 480neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console }; 481 482# Ability to perform any filesystem operation other than statfs(2). 483# i.e. no mount(2), unmount(2), etc. 484neverallow appdomain fs_type:filesystem ~getattr; 485 486# prevent creation/manipulation of globally readable symlinks 487neverallow appdomain { 488 apk_data_file 489 cache_file 490 cache_recovery_file 491 dev_type 492 rootfs 493 system_file 494 tmpfs 495}:lnk_file no_w_file_perms; 496 497# Blacklist app domains not allowed to execute from /data 498neverallow { 499 bluetooth 500 isolated_app 501 nfc 502 radio 503 shared_relro 504 system_app 505} { 506 data_file_type 507 -dalvikcache_data_file 508 -system_data_file # shared libs in apks 509 -apk_data_file 510}:file no_x_file_perms; 511 512# Applications should use the activity model for receiving events 513neverallow { 514 appdomain 515 -shell # bugreport 516} input_device:chr_file ~getattr; 517 518# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains. 519# neverallow rules for access to Bluetooth-related data files are above. 520neverallow { 521 appdomain 522 -bluetooth 523 -system_app 524} bluetooth_prop:file create_file_perms; 525