### ### Domain for all zygote spawned apps ### ### This file is the base policy for all zygote spawned apps. ### Other policy files, such as isolated_app.te, untrusted_app.te, etc ### extend from this policy. Only policies which should apply to ALL ### zygote spawned apps should be added here. ### # WebView and other application-specific JIT compilers allow appdomain self:process execmem; allow appdomain ashmem_device:chr_file execute; # Receive and use open file descriptors inherited from zygote. allow appdomain zygote:fd use; # gdbserver for ndk-gdb reads the zygote. # valgrind needs mmap exec for zygote allow appdomain zygote_exec:file rx_file_perms; # Read system properties managed by zygote. allow appdomain zygote_tmpfs:file read; # Notify zygote of death; allow appdomain zygote:process sigchld; # Place process into foreground / background allow appdomain cgroup:dir { search write }; allow appdomain cgroup:file w_file_perms; # Read /data/dalvik-cache. allow appdomain dalvikcache_data_file:dir { search getattr }; allow appdomain dalvikcache_data_file:file r_file_perms; # Read the /sdcard symlink allow appdomain rootfs:lnk_file r_file_perms; # Search /storage/emulated tmpfs mount. allow appdomain tmpfs:dir r_dir_perms; userdebug_or_eng(` # Notify zygote of the wrapped process PID when using --invoke-with. allow appdomain zygote:fifo_file write; # Allow apps to create and write method traces in /data/misc/trace. allow appdomain method_trace_data_file:dir w_dir_perms; allow appdomain method_trace_data_file:file { create w_file_perms }; ') # Notify shell and adbd of death when spawned via runas for ndk-gdb. allow appdomain shell:process sigchld; allow appdomain adbd:process sigchld; # child shell or gdbserver pty access for runas. allow appdomain devpts:chr_file { getattr read write ioctl }; # Use pipes and sockets provided by system_server via binder or local socket. allow appdomain system_server:fifo_file rw_file_perms; allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown }; allow appdomain system_server:tcp_socket { read write getattr getopt shutdown }; # Communication with other apps via fifos allow appdomain appdomain:fifo_file rw_file_perms; # Communicate with surfaceflinger. allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; # App sandbox file accesses. allow { appdomain -isolated_app } app_data_file:dir create_dir_perms; allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms; # lib subdirectory of /data/data dir is system-owned. allow appdomain system_data_file:dir r_dir_perms; allow appdomain system_data_file:file { execute execute_no_trans open execmod }; # Traverse into expanded storage allow appdomain mnt_expand_file:dir r_dir_perms; # Keychain and user-trusted credentials allow appdomain keychain_data_file:dir r_dir_perms; allow appdomain keychain_data_file:file r_file_perms; allow appdomain misc_user_data_file:dir r_dir_perms; allow appdomain misc_user_data_file:file r_file_perms; # Access to OEM provided data and apps allow appdomain oemfs:dir r_dir_perms; allow appdomain oemfs:file rx_file_perms; # Execute the shell or other system executables. allow appdomain shell_exec:file rx_file_perms; allow appdomain system_file:file rx_file_perms; allow appdomain toolbox_exec:file rx_file_perms; # Renderscript needs the ability to read directories on /system r_dir_file(appdomain, system_file) # Execute dex2oat when apps call dexclassloader allow appdomain dex2oat_exec:file rx_file_perms; # Read/write wallpaper file (opened by system). allow appdomain wallpaper_file:file { getattr read write }; # Write to /data/anr/traces.txt. allow appdomain anr_data_file:dir search; allow appdomain anr_data_file:file { open append }; # Allow apps to send dump information to dumpstate allow appdomain dumpstate:fd use; allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown }; allow appdomain shell_data_file:file { write getattr }; # Send heap dumps to system_server via an already open file descriptor # % adb shell am set-watch-heap com.android.systemui 1048576 # % adb shell dumpsys procstats --start-testing # debuggable builds only. userdebug_or_eng(` allow appdomain heapdump_data_file:file append; ') # Write to /proc/net/xt_qtaguid/ctrl file. allow appdomain qtaguid_proc:file rw_file_perms; # Everybody can read the xt_qtaguid resource tracking misc dev. # So allow all apps to read from /dev/xt_qtaguid. allow appdomain qtaguid_device:chr_file r_file_perms; # Grant GPU access to all processes started by Zygote. # They need that to render the standard UI. allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms; # Use the Binder. binder_use(appdomain) # Perform binder IPC to binder services. binder_call(appdomain, binderservicedomain) # Perform binder IPC to other apps. binder_call(appdomain, appdomain) # Already connected, unnamed sockets being passed over some other IPC # hence no sock_file or connectto permission. This appears to be how # Chrome works, may need to be updated as more apps using isolated services # are examined. allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown }; # Backup ability for every app. BMS opens and passes the fd # to any app that has backup ability. Hence, no open permissions here. allow appdomain backup_data_file:file { read write getattr }; allow appdomain cache_backup_file:file { read write getattr }; allow appdomain cache_backup_file:dir getattr; # Backup ability using 'adb backup' allow appdomain system_data_file:lnk_file getattr; # Allow read/stat of /data/media files passed by Binder or local socket IPC. allow appdomain media_rw_data_file:file { read getattr }; # Read and write /data/data/com.android.providers.telephony files passed over Binder. allow appdomain radio_data_file:file { read write getattr }; # Allow access to external storage; we have several visible mount points under /storage # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary allow appdomain storage_file:dir r_dir_perms; allow appdomain storage_file:lnk_file r_file_perms; allow appdomain mnt_user_file:dir r_dir_perms; allow appdomain mnt_user_file:lnk_file r_file_perms; # Read/write visible storage allow appdomain fuse:dir create_dir_perms; allow appdomain fuse:file create_file_perms; # Access OBBs (vfat images) mounted by vold (b/17633509) # File write access allowed for FDs returned through Storage Access Framework allow appdomain vfat:dir r_dir_perms; allow appdomain vfat:file rw_file_perms; # Allow apps to use the USB Accessory interface. # http://developer.android.com/guide/topics/connectivity/usb/accessory.html # # USB devices are first opened by the system server (USBDeviceManagerService) # and the file descriptor is passed to the right Activity via binder. allow appdomain usb_device:chr_file { read write getattr ioctl }; allow appdomain usbaccessory_device:chr_file { read write getattr }; # For art. allow appdomain dalvikcache_data_file:file execute; allow appdomain dalvikcache_data_file:lnk_file r_file_perms; # Allow any app to read shared RELRO files. allow appdomain shared_relro_file:dir search; allow appdomain shared_relro_file:file r_file_perms; # Allow apps to read/execute installed binaries allow appdomain apk_data_file:dir r_dir_perms; allow appdomain apk_data_file:file { rx_file_perms execmod }; # /data/resource-cache allow appdomain resourcecache_data_file:file r_file_perms; allow appdomain resourcecache_data_file:dir r_dir_perms; # logd access read_logd(appdomain) control_logd(appdomain) # application inherit logd write socket (urge is to deprecate this long term) allow appdomain zygote:unix_dgram_socket write; allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify }; use_keystore({ appdomain -isolated_app }) allow appdomain console_device:chr_file { read write }; allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms; # For app fuse. allow appdomain app_fuse_file:file { getattr read append write }; ### ### CTS-specific rules ### # For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java. # testRunAsHasCorrectCapabilities allow appdomain runas_exec:file getattr; # Others are either allowed elsewhere or not desired. # For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java # Check SELinux policy and contexts. selinux_check_access(appdomain) selinux_check_context(appdomain) # Apps receive an open tun fd from the framework for # device traffic. Do not allow untrusted app to directly open tun_device allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append }; # Connect to adbd and use a socket transferred from it. # This is used for e.g. adb backup/restore. allow appdomain adbd:unix_stream_socket connectto; allow appdomain adbd:fd use; allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; allow appdomain cache_file:dir getattr; ### ### Neverallow rules ### ### These are things that Android apps should NEVER be able to do ### # Superuser capabilities. # bluetooth requires net_admin and wake_alarm. neverallow { appdomain -bluetooth } self:capability *; neverallow { appdomain -bluetooth } self:capability2 *; # Block device access. neverallow appdomain dev_type:blk_file { read write }; # Access to any of the following character devices. neverallow appdomain { audio_device video_device dm_device radio_device gps_device rpmsg_device }:chr_file { read write }; # Note: Try expanding list of app domains in the future. neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write }; neverallow { appdomain -nfc } nfc_device:chr_file { read write }; neverallow { appdomain -bluetooth } hci_attach_dev:chr_file { read write }; neverallow appdomain tee_device:chr_file { read write }; # Privileged netlink socket interfaces. neverallow appdomain domain:{ netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } *; # These messages are broadcast messages from the kernel to userspace. # Do not allow the writing of netlink messages, which has been a source # of rooting vulns in the past. neverallow appdomain domain:netlink_kobject_uevent_socket { write append }; # Sockets under /dev/socket that are not specifically typed. neverallow appdomain socket_device:sock_file write; # Unix domain sockets. neverallow appdomain adbd_socket:sock_file write; neverallow appdomain installd_socket:sock_file write; neverallow { appdomain -radio } rild_socket:sock_file write; neverallow appdomain vold_socket:sock_file write; neverallow appdomain zygote_socket:sock_file write; # ptrace access to non-app domains. neverallow appdomain { domain -appdomain }:process ptrace; # Write access to /proc/pid entries for any non-app domain. neverallow appdomain { domain -appdomain }:file write; # signal access to non-app domains. # sigchld allowed for parent death notification. # signull allowed for kill(pid, 0) existence test. # All others prohibited. neverallow appdomain { domain -appdomain }:process { sigkill sigstop signal }; # Transition to a non-app domain. # Exception for the shell domain and the su domain, can transition to runas, # etc. neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process { transition dyntransition }; # Write to rootfs. neverallow appdomain rootfs:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Write to /system. neverallow appdomain system_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Write to entrypoint executables. neverallow appdomain exec_type:file { create write setattr relabelfrom relabelto append unlink link rename }; # Write to system-owned parts of /data. # This is the default type for anything under /data not otherwise # specified in file_contexts. Define a different type for portions # that should be writable by apps. neverallow appdomain system_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Write to various other parts of /data. neverallow appdomain drm_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -system_app } gps_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -platform_app } apk_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -platform_app } apk_tmp_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -platform_app } apk_private_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -platform_app } apk_private_tmp_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -shell } shell_data_file:dir_file_class_set { create setattr relabelfrom relabelto append unlink link rename }; neverallow { appdomain -bluetooth } bluetooth_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow appdomain keystore_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow appdomain systemkeys_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow appdomain wifi_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; neverallow appdomain dhcp_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # access tmp apk files neverallow { appdomain -platform_app -priv_app } { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *; # Access to factory files. neverallow appdomain efs_file:dir_file_class_set write; neverallow { appdomain -shell } efs_file:dir_file_class_set read; # Write to various pseudo file systems. neverallow { appdomain -bluetooth -nfc } sysfs:dir_file_class_set write; neverallow appdomain proc:dir_file_class_set write; # Access to syslog(2) or /proc/kmsg. neverallow { appdomain -system_app } kernel:system { syslog_mod syslog_console }; neverallow { appdomain -system_app -shell } kernel:system syslog_read; # Ability to perform any filesystem operation other than statfs(2). # i.e. no mount(2), unmount(2), etc. neverallow appdomain fs_type:filesystem ~getattr; # prevent creation/manipulation of globally readable symlinks neverallow appdomain { apk_data_file cache_file cache_recovery_file dev_type rootfs system_file tmpfs }:lnk_file no_w_file_perms;