diff options
Diffstat (limited to 'priv_app.te')
-rw-r--r-- | priv_app.te | 123 |
1 files changed, 0 insertions, 123 deletions
diff --git a/priv_app.te b/priv_app.te deleted file mode 100644 index 9146263..0000000 --- a/priv_app.te +++ /dev/null @@ -1,123 +0,0 @@ -### -### A domain for further sandboxing privileged apps. -### -type priv_app, domain, domain_deprecated; -app_domain(priv_app) -# Access the network. -net_domain(priv_app) -# Access bluetooth. -bluetooth_domain(priv_app) - -# Some apps ship with shared libraries and binaries that they write out -# to their sandbox directory and then execute. -allow priv_app app_data_file:file rx_file_perms; - -# android.process.media uses /dev/mtp_usb -allow priv_app mtp_device:chr_file rw_file_perms; - -# Allow the allocation and use of ptys -# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm -create_pty(priv_app) - -allow priv_app drmserver_service:service_manager find; -allow priv_app mediaserver_service:service_manager find; -allow priv_app nfc_service:service_manager find; -allow priv_app radio_service:service_manager find; -allow priv_app surfaceflinger_service:service_manager find; -allow priv_app app_api_service:service_manager find; -allow priv_app system_api_service:service_manager find; -allow priv_app persistent_data_block_service:service_manager find; -allow priv_app recovery_service:service_manager find; - -# Traverse into /mnt/media_rw for bypassing FUSE daemon -# TODO: narrow this to just MediaProvider -allow priv_app mnt_media_rw_file:dir search; - -# Write to /cache. -allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms; -allow priv_app { cache_file cache_recovery_file }:file create_file_perms; - -# Access to /data/media. -allow priv_app media_rw_data_file:dir create_dir_perms; -allow priv_app media_rw_data_file:file create_file_perms; - -# Used by Finsky / Android "Verify Apps" functionality when -# running "adb install foo.apk". -allow priv_app shell_data_file:file r_file_perms; -allow priv_app shell_data_file:dir r_dir_perms; - -# Allow verifier to access staged apks. -allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; -allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; - -# b/18504118: Allow reads from /data/anr/traces.txt -allow priv_app anr_data_file:file r_file_perms; - -# Allow GMS core to access perfprofd output, which is stored -# in /data/misc/perfprofd/. GMS core will need to list all -# data stored in that directory to process them one by one. -userdebug_or_eng(` - allow priv_app perfprofd_data_file:file r_file_perms; - allow priv_app perfprofd_data_file:dir r_dir_perms; -') - -# Allow GMS core to stat files and executables on -# the system partition -allow priv_app exec_type:file getattr; - -# For AppFuse. -allow priv_app vold:fd use; -allow priv_app fuse_device:chr_file { read write }; -allow priv_app app_fuse_file:dir rw_dir_perms; -allow priv_app app_fuse_file:file rw_file_perms; - -# /sys access -allow priv_app sysfs_zram:dir search; -allow priv_app sysfs_zram:file r_file_perms; - -# Allow GMS core to communicate with update_engine for A/B update. -binder_call(priv_app, update_engine) -allow priv_app update_engine_service:service_manager find; - -### -### neverallow rules -### - -# Receive or send uevent messages. -neverallow priv_app domain:netlink_kobject_uevent_socket *; - -# Receive or send generic netlink messages -neverallow priv_app domain:netlink_socket *; - -# Too much leaky information in debugfs. It's a security -# best practice to ensure these files aren't readable. -neverallow priv_app debugfs:file read; - -# Do not allow privileged apps to register services. -# Only trusted components of Android should be registering -# services. -neverallow priv_app service_manager_type:service_manager add; - -# Do not allow privileged apps to connect to the property service -# or set properties. b/10243159 -neverallow priv_app property_socket:sock_file write; -neverallow priv_app init:unix_stream_socket connectto; -neverallow priv_app property_type:property_service set; - -# Do not allow priv_app to be assigned mlstrustedsubject. -# This would undermine the per-user isolation model being -# enforced via levelFrom=user in seapp_contexts and the mls -# constraints. As there is no direct way to specify a neverallow -# on attribute assignment, this relies on the fact that fork -# permission only makes sense within a domain (hence should -# never be granted to any other domain within mlstrustedsubject) -# and priv_app is allowed fork permission to itself. -neverallow priv_app mlstrustedsubject:process fork; - -# Do not allow priv_app to hard link to any files. -# In particular, if priv_app links to other app data -# files, installd will not be able to guarantee the deletion -# of the linked to file. Hard links also contribute to security -# bugs, so we want to ensure priv_app never has this -# capability. -neverallow priv_app file_type:file link; |