blob: 7cd8c5a2b0ae02b8963a30451b783b8e57e20d99 [file] [log] [blame]
#
# Domains for apps that do not run with one of the predefined
# platform UIDs (system, radio, nfc, ...).
#
#
# Apps signed with the platform key.
#
type platform_app, domain;
app_domain(platform_app)
platform_app_domain(platform_app)
# Access the network.
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
# Read logs.
allow platform_app log_device:chr_file read;
# Write to /cache.
allow platform_app cache_file:dir rw_dir_perms;
allow platform_app cache_file:file create_file_perms;
# Read from /data/local.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app shell_data_file:lnk_file read;
# Populate /data/app/vmdl*.tmp file created by system server.
allow platform_app apk_tmp_file:file rw_file_perms;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms;
# Apps signed with the media key.
type media_app, domain;
app_domain(media_app)
platform_app_domain(media_app)
# Access the network.
net_domain(media_app)
# Read logs.
allow media_app log_device:chr_file read;
# Access /dev/mtp_usb.
allow media_app mtp_device:chr_file rw_file_perms;
# Write to /cache.
allow media_app cache_file:dir rw_dir_perms;
allow media_app cache_file:file create_file_perms;
# Apps signed with the shared key.
type shared_app, domain;
app_domain(shared_app)
platform_app_domain(shared_app)
# Access the network.
net_domain(shared_app)
# Access bluetooth.
bluetooth_domain(shared_app)
# Read logs.
allow shared_app log_device:chr_file read;
# ASEC
r_dir_file(shared_app, asec_apk_file);
# Apps signed with the release key (testkey in AOSP).
type release_app, domain;
app_domain(release_app)
platform_app_domain(release_app)
# Access the network.
net_domain(release_app)
# Access bluetooth.
bluetooth_domain(release_app)
# Read logs.
allow release_app log_device:chr_file read;
# Services with isolatedProcess=true in their manifest.
# In order for isolated_apps to interact with apps that have levelFromUid=true
# set it must be an mlstrustedsubject.
type isolated_app, domain, mlstrustedsubject;
app_domain(isolated_app)
#
# An example of a specific domain for a specific app
# A domain for com.android.browser.
type browser_app, domain;
app_domain(browser_app)
platform_app_domain(browser_app)
# Access the network.
net_domain(browser_app)
#
# Rules for platform app domains.
#
# App sandbox file accesses.
allow platformappdomain platform_app_data_file:dir create_dir_perms;
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
# App sdcard file accesses
allow platformappdomain sdcard:dir create_dir_perms;
allow platformappdomain sdcard:file create_file_perms;
# System data file accesses (e.g, shared objects from the lib directory)
allow platformappdomain system_data_file:file { execute open };
#
# Untrusted apps.
#
type untrusted_app, domain;
app_domain(untrusted_app)
# Boolean-controlled options for untrusted apps.
# Network access.
bool app_network true;
if (app_network) {
# Cannot use net_domain within a conditional - type attribute.
allow untrusted_app self:{ tcp_socket udp_socket } *;
allow untrusted_app port_type:tcp_socket name_connect;
allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
allow untrusted_app port_type:udp_socket name_bind;
allow untrusted_app port_type:tcp_socket name_bind;
unix_socket_connect(untrusted_app, dnsproxyd, netd)
# Get route information.
allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read };
}
# Bluetooth access.
bool app_bluetooth false;
if (app_bluetooth or android_cts) {
# No specific SELinux class for bluetooth sockets presently.
allow untrusted_app self:socket *;
}
# SDCard rw access.
bool app_sdcard_rw true;
if (app_sdcard_rw) {
allow untrusted_app sdcard:dir create_dir_perms;
allow untrusted_app sdcard:file create_file_perms;
}
# Native app support.
bool app_ndk false;
if (app_ndk or android_cts) {
allow untrusted_app system_data_file:file { execute open };
allow isolated_app system_data_file:file { open execute };
}
# Read Logs
bool app_read_logs false;
if (app_read_logs or android_cts) {
allow untrusted_app log_device:chr_file read;
}
#
# Rules for all app domains.
#
# Allow apps to connect to the keystore
unix_socket_connect(appdomain, keystore, keystore)
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;
# Notify zygote of death;
allow appdomain zygote:process sigchld;
# Communicate over a FIFO or socket created by the system_server.
allow appdomain system:fifo_file rw_file_perms;
allow appdomain system:unix_stream_socket { read write };
# Communicate over a socket created by surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;
# Read/write data files created by the platform apps.
allow appdomain platform_app_data_file:file rw_file_perms;
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };
# Write to /data/anr/traces.txt.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };
# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;
# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
binder_transfer(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
binder_transfer(appdomain, appdomain)
# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain isolated_app:unix_stream_socket { read write };
allow isolated_app appdomain:unix_stream_socket { read write };
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow { appdomain isolated_app } backup_data_file:file { read write };
allow { appdomain isolated_app } cache_backup_file:file { read write };
# Backup ability using 'adb backup'
allow { appdomain isolated_app } system_data_file:lnk_file getattr;