| # |
| # Domains for apps that do not run with one of the predefined |
| # platform UIDs (system, radio, nfc, ...). |
| # |
| |
| # |
| # Apps signed with the platform key. |
| # |
| type platform_app, domain; |
| app_domain(platform_app) |
| platform_app_domain(platform_app) |
| # Access the network. |
| net_domain(platform_app) |
| # Access bluetooth. |
| bluetooth_domain(platform_app) |
| # Read logs. |
| allow platform_app log_device:chr_file read; |
| # Write to /cache. |
| allow platform_app cache_file:dir rw_dir_perms; |
| allow platform_app cache_file:file create_file_perms; |
| # Read from /data/local. |
| allow platform_app shell_data_file:dir search; |
| allow platform_app shell_data_file:file { open getattr read }; |
| allow platform_app shell_data_file:lnk_file read; |
| # Populate /data/app/vmdl*.tmp file created by system server. |
| allow platform_app apk_tmp_file:file rw_file_perms; |
| # ASEC |
| allow platform_app asec_apk_file:dir create_dir_perms; |
| allow platform_app asec_apk_file:file create_file_perms; |
| |
| # Apps signed with the media key. |
| type media_app, domain; |
| app_domain(media_app) |
| platform_app_domain(media_app) |
| # Access the network. |
| net_domain(media_app) |
| # Read logs. |
| allow media_app log_device:chr_file read; |
| # Access /dev/mtp_usb. |
| allow media_app mtp_device:chr_file rw_file_perms; |
| # Write to /cache. |
| allow media_app cache_file:dir rw_dir_perms; |
| allow media_app cache_file:file create_file_perms; |
| |
| # Apps signed with the shared key. |
| type shared_app, domain; |
| app_domain(shared_app) |
| platform_app_domain(shared_app) |
| # Access the network. |
| net_domain(shared_app) |
| # Access bluetooth. |
| bluetooth_domain(shared_app) |
| # Read logs. |
| allow shared_app log_device:chr_file read; |
| # ASEC |
| r_dir_file(shared_app, asec_apk_file); |
| |
| # Apps signed with the release key (testkey in AOSP). |
| type release_app, domain; |
| app_domain(release_app) |
| platform_app_domain(release_app) |
| # Access the network. |
| net_domain(release_app) |
| # Access bluetooth. |
| bluetooth_domain(release_app) |
| # Read logs. |
| allow release_app log_device:chr_file read; |
| |
| # Services with isolatedProcess=true in their manifest. |
| # In order for isolated_apps to interact with apps that have levelFromUid=true |
| # set it must be an mlstrustedsubject. |
| type isolated_app, domain, mlstrustedsubject; |
| app_domain(isolated_app) |
| |
| # |
| # An example of a specific domain for a specific app |
| # A domain for com.android.browser. |
| type browser_app, domain; |
| app_domain(browser_app) |
| platform_app_domain(browser_app) |
| # Access the network. |
| net_domain(browser_app) |
| |
| # |
| # Rules for platform app domains. |
| # |
| |
| # App sandbox file accesses. |
| allow platformappdomain platform_app_data_file:dir create_dir_perms; |
| allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms; |
| # App sdcard file accesses |
| allow platformappdomain sdcard_type:dir create_dir_perms; |
| allow platformappdomain sdcard_type:file create_file_perms; |
| # System data file accesses (e.g, shared objects from the lib directory) |
| allow platformappdomain system_data_file:file { execute open }; |
| |
| # |
| # Untrusted apps. |
| # |
| type untrusted_app, domain; |
| app_domain(untrusted_app) |
| # Boolean-controlled options for untrusted apps. |
| # Network access. |
| bool app_network true; |
| if (app_network) { |
| # Cannot use net_domain within a conditional - type attribute. |
| allow untrusted_app self:{ tcp_socket udp_socket } *; |
| allow untrusted_app port_type:tcp_socket name_connect; |
| allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind; |
| allow untrusted_app port_type:udp_socket name_bind; |
| allow untrusted_app port_type:tcp_socket name_bind; |
| unix_socket_connect(untrusted_app, dnsproxyd, netd) |
| # Get route information. |
| allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read }; |
| } |
| # Bluetooth access. |
| bool app_bluetooth false; |
| if (app_bluetooth or android_cts) { |
| # No specific SELinux class for bluetooth sockets presently. |
| allow untrusted_app self:socket *; |
| allow untrusted_app bluetooth:unix_stream_socket { read write shutdown }; |
| } |
| # Internal SDCard rw access. |
| bool app_internal_sdcard_rw true; |
| if (app_internal_sdcard_rw) { |
| allow untrusted_app sdcard_internal:dir create_dir_perms; |
| allow untrusted_app sdcard_internal:file create_file_perms; |
| } |
| # External SDCard rw access. |
| bool app_external_sdcard_rw true; |
| if (app_external_sdcard_rw) { |
| allow untrusted_app sdcard_external:dir create_dir_perms; |
| allow untrusted_app sdcard_external:file create_file_perms; |
| } |
| # Native app support. |
| bool app_ndk false; |
| if (app_ndk or android_cts) { |
| allow untrusted_app system_data_file:file { execute open }; |
| allow isolated_app system_data_file:file { open execute }; |
| } |
| # Read Logs |
| bool app_read_logs false; |
| if (app_read_logs or android_cts) { |
| allow untrusted_app log_device:chr_file read; |
| } |
| |
| # |
| # Rules for all app domains. |
| # |
| |
| # Allow apps to connect to the keystore |
| unix_socket_connect(appdomain, keystore, keystore) |
| |
| # Receive and use open file descriptors inherited from zygote. |
| allow appdomain zygote:fd use; |
| |
| # Read system properties managed by zygote. |
| allow appdomain zygote_tmpfs:file read; |
| |
| # Notify zygote of death; |
| allow appdomain zygote:process sigchld; |
| |
| # Communicate over a FIFO or socket created by the system_server. |
| allow appdomain system:fifo_file rw_file_perms; |
| allow appdomain system:unix_stream_socket { read write setopt }; |
| |
| # Communicate over a socket created by surfaceflinger. |
| allow appdomain surfaceflinger:unix_stream_socket { read write setopt }; |
| |
| # App sandbox file accesses. |
| allow appdomain app_data_file:dir create_dir_perms; |
| allow appdomain app_data_file:notdevfile_class_set create_file_perms; |
| |
| # Read/write data files created by the platform apps if they |
| # were passed to the app via binder or local IPC. Do not allow open. |
| allow appdomain platform_app_data_file:file { read write }; |
| |
| # lib subdirectory of /data/data dir is system-owned. |
| allow appdomain system_data_file:dir r_dir_perms; |
| |
| # Read/write wallpaper file (opened by system). |
| allow appdomain wallpaper_file:file { read write }; |
| |
| # Write to /data/anr/traces.txt. |
| allow appdomain anr_data_file:dir search; |
| allow appdomain anr_data_file:file { open append }; |
| |
| # Write to /proc/net/xt_qtaguid/ctrl file. |
| allow appdomain qtaguid_proc:file rw_file_perms; |
| # Everybody can read the xt_qtaguid resource tracking misc dev. |
| # So allow all apps to read from /dev/xt_qtaguid. |
| allow appdomain qtaguid_device:chr_file r_file_perms; |
| |
| # Use the Binder. |
| binder_use(appdomain) |
| # Perform binder IPC to binder services. |
| binder_call(appdomain, binderservicedomain) |
| # Perform binder IPC to other apps. |
| binder_call(appdomain, appdomain) |
| |
| # Appdomain interaction with isolated apps |
| r_dir_file(appdomain, isolated_app) |
| |
| # Already connected, unnamed sockets being passed over some other IPC |
| # hence no sock_file or connectto permission. This appears to be how |
| # Chrome works, may need to be updated as more apps using isolated services |
| # are examined. |
| allow appdomain isolated_app:unix_stream_socket { read write }; |
| allow isolated_app appdomain:unix_stream_socket { read write }; |
| |
| # Backup ability for every app. BMS opens and passes the fd |
| # to any app that has backup ability. Hence, no open permissions here. |
| allow { appdomain isolated_app } backup_data_file:file { read write }; |
| allow { appdomain isolated_app } cache_backup_file:file { read write }; |
| # Backup ability using 'adb backup' |
| allow { appdomain isolated_app } system_data_file:lnk_file getattr; |