app.te - platform/external/sepolicy - Git at Google

 #
 # Domains for apps that do not run with one of the predefined
 # platform UIDs (system, radio, nfc, ...).
 #

 #
 # Apps signed with the platform key.
 #
 type platform_app, domain;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
 # Write to /cache.
 allow platform_app cache_file:dir rw_dir_perms;
 allow platform_app cache_file:file create_file_perms;
 # Read from /data/local.
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
 # Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
 # created by system server.
 allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
 allow platform_app apk_private_data_file:dir search;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
 allow platform_app download_file:file rw_file_perms;

 # Apps signed with the media key.
 type media_app, domain;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
 # Access /dev/mtp_usb.
 allow media_app mtp_device:chr_file rw_file_perms;
 # Write to /cache.
 allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
 # Stat /cache/lost+found
 allow media_app unlabeled:file getattr;
 allow media_app unlabeled:dir getattr;
 # Stat /cache/backup
 allow media_app cache_backup_file:file getattr;
 allow media_app cache_backup_file:dir getattr;
 # Read files in the rootdir
 allow media_app rootfs:file r_file_perms;
 # Allow platform apps to mark platform app data files as download files
 allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;

 # Apps signed with the shared key.
 type shared_app, domain;
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
 # ASEC
 r_dir_file(shared_app, asec_apk_file)

 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)

 # Services with isolatedProcess=true in their manifest.
 # In order for isolated_apps to interact with apps that have levelFromUid=true
 # set it must be an mlstrustedsubject.
 type isolated_app, domain, mlstrustedsubject;
 app_domain(isolated_app)

 #
 # Rules for platform app domains.
 #

 # App sandbox file accesses.
 allow platformappdomain platform_app_data_file:dir create_dir_perms;
 allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
 # App sdcard file accesses
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;


 #
 # Untrusted apps.
 #
 type untrusted_app, domain;
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 allow untrusted_app tun_device:chr_file rw_file_perms;

 # Internal SDCard rw access.
 bool app_internal_sdcard_rw true;
 if (app_internal_sdcard_rw) {
 allow untrusted_app sdcard_internal:dir create_dir_perms;
 allow untrusted_app sdcard_internal:file create_file_perms;
 }
 # External SDCard rw access.
 bool app_external_sdcard_rw true;
 if (app_external_sdcard_rw) {
 allow untrusted_app sdcard_external:dir create_dir_perms;
 allow untrusted_app sdcard_external:file create_file_perms;
 }

 #
 # Rules for all app domains.
 #

 # Allow apps to connect to the keystore
 unix_socket_connect(appdomain, keystore, keystore)

 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;

 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;

 # Notify zygote of death;
 allow appdomain zygote:process sigchld;

 # Communicate over a FIFO or socket created by the system_server.
 allow appdomain system:fifo_file rw_file_perms;
 allow appdomain system:unix_stream_socket { read write setopt };

 # Communicate over a socket created by surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt };

 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain app_data_file:notdevfile_class_set create_file_perms;

 # Read/write data files created by the platform apps if they
 # were passed to the app via binder or local IPC.  Do not allow open.
 allow appdomain platform_app_data_file:file { getattr read write };

 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute open };

 # Execute the shell or other system executables.
 allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;

 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { read write };

 # Write to /data/anr/traces.txt.
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };

 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;

 # Use the Binder.
 binder_use(appdomain)
 # Perform binder IPC to binder services.
 binder_call(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)

 # Appdomain interaction with isolated apps
 r_dir_file(appdomain, isolated_app)

 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
 # are examined.
 allow appdomain isolated_app:unix_stream_socket { read write };
 allow isolated_app appdomain:unix_stream_socket { read write };

 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
 allow { appdomain isolated_app } backup_data_file:file { read write };
 allow { appdomain isolated_app } cache_backup_file:file { read write };
 # Backup ability using 'adb backup'
 allow { appdomain isolated_app } system_data_file:lnk_file getattr;

 # Allow all applications to read downloaded files
 allow appdomain download_file:file r_file_perms;
 file_type_auto_trans(appdomain, download_file, download_file)

 # ASEC
 allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;
	#
	# Domains for apps that do not run with one of the predefined
	# platform UIDs (system, radio, nfc, ...).
	#

	#
	# Apps signed with the platform key.
	#
	type platform_app, domain;
	app_domain(platform_app)
	platform_app_domain(platform_app)
	# Access the network.
	net_domain(platform_app)
	# Access bluetooth.
	bluetooth_domain(platform_app)
	# Write to /cache.
	allow platform_app cache_file:dir rw_dir_perms;
	allow platform_app cache_file:file create_file_perms;
	# Read from /data/local.
	allow platform_app shell_data_file:dir search;
	allow platform_app shell_data_file:file { open getattr read };
	allow platform_app shell_data_file:lnk_file read;
	# Populate /data/app/vmdl.tmp, /data/app-private/vmdl.tmp files
	# created by system server.
	allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
	allow platform_app apk_private_data_file:dir search;
	# ASEC
	allow platform_app asec_apk_file:dir create_dir_perms;
	allow platform_app asec_apk_file:file create_file_perms;
	allow platform_app download_file:file rw_file_perms;

	# Apps signed with the media key.
	type media_app, domain;
	app_domain(media_app)
	platform_app_domain(media_app)
	# Access the network.
	net_domain(media_app)
	# Access /dev/mtp_usb.
	allow media_app mtp_device:chr_file rw_file_perms;
	# Write to /cache.
	allow media_app cache_file:dir rw_dir_perms;
	allow media_app cache_file:file create_file_perms;
	# Stat /cache/lost+found
	allow media_app unlabeled:file getattr;
	allow media_app unlabeled:dir getattr;
	# Stat /cache/backup
	allow media_app cache_backup_file:file getattr;
	allow media_app cache_backup_file:dir getattr;
	# Read files in the rootdir
	allow media_app rootfs:file r_file_perms;
	# Allow platform apps to mark platform app data files as download files
	allow media_app platform_app_data_file:dir relabelfrom;
	allow media_app download_file:dir relabelto;

	# Apps signed with the shared key.
	type shared_app, domain;
	app_domain(shared_app)
	platform_app_domain(shared_app)
	# Access the network.
	net_domain(shared_app)
	# Access bluetooth.
	bluetooth_domain(shared_app)
	# ASEC
	r_dir_file(shared_app, asec_apk_file)

	# Apps signed with the release key (testkey in AOSP).
	type release_app, domain;
	app_domain(release_app)
	platform_app_domain(release_app)
	# Access the network.
	net_domain(release_app)
	# Access bluetooth.
	bluetooth_domain(release_app)

	# Services with isolatedProcess=true in their manifest.
	# In order for isolated_apps to interact with apps that have levelFromUid=true
	# set it must be an mlstrustedsubject.
	type isolated_app, domain, mlstrustedsubject;
	app_domain(isolated_app)

	#
	# Rules for platform app domains.
	#

	# App sandbox file accesses.
	allow platformappdomain platform_app_data_file:dir create_dir_perms;
	allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
	# App sdcard file accesses
	allow platformappdomain sdcard_type:dir create_dir_perms;
	allow platformappdomain sdcard_type:file create_file_perms;


	#
	# Untrusted apps.
	#
	type untrusted_app, domain;
	app_domain(untrusted_app)
	net_domain(untrusted_app)
	bluetooth_domain(untrusted_app)
	allow untrusted_app tun_device:chr_file rw_file_perms;

	# Internal SDCard rw access.
	bool app_internal_sdcard_rw true;
	if (app_internal_sdcard_rw) {
	allow untrusted_app sdcard_internal:dir create_dir_perms;
	allow untrusted_app sdcard_internal:file create_file_perms;
	}
	# External SDCard rw access.
	bool app_external_sdcard_rw true;
	if (app_external_sdcard_rw) {
	allow untrusted_app sdcard_external:dir create_dir_perms;
	allow untrusted_app sdcard_external:file create_file_perms;
	}

	#
	# Rules for all app domains.
	#

	# Allow apps to connect to the keystore
	unix_socket_connect(appdomain, keystore, keystore)

	# Receive and use open file descriptors inherited from zygote.
	allow appdomain zygote:fd use;

	# Read system properties managed by zygote.
	allow appdomain zygote_tmpfs:file read;

	# Notify zygote of death;
	allow appdomain zygote:process sigchld;

	# Communicate over a FIFO or socket created by the system_server.
	allow appdomain system:fifo_file rw_file_perms;
	allow appdomain system:unix_stream_socket { read write setopt };

	# Communicate over a socket created by surfaceflinger.
	allow appdomain surfaceflinger:unix_stream_socket { read write setopt };

	# App sandbox file accesses.
	allow appdomain app_data_file:dir create_dir_perms;
	allow appdomain app_data_file:notdevfile_class_set create_file_perms;

	# Read/write data files created by the platform apps if they
	# were passed to the app via binder or local IPC. Do not allow open.
	allow appdomain platform_app_data_file:file { getattr read write };

	# lib subdirectory of /data/data dir is system-owned.
	allow appdomain system_data_file:dir r_dir_perms;
	allow appdomain system_data_file:file { execute open };

	# Execute the shell or other system executables.
	allow appdomain shell_exec:file rx_file_perms;
	allow appdomain system_file:file rx_file_perms;

	# Read/write wallpaper file (opened by system).
	allow appdomain wallpaper_file:file { read write };

	# Write to /data/anr/traces.txt.
	allow appdomain anr_data_file:dir search;
	allow appdomain anr_data_file:file { open append };

	# Write to /proc/net/xt_qtaguid/ctrl file.
	allow appdomain qtaguid_proc:file rw_file_perms;
	# Everybody can read the xt_qtaguid resource tracking misc dev.
	# So allow all apps to read from /dev/xt_qtaguid.
	allow appdomain qtaguid_device:chr_file r_file_perms;

	# Use the Binder.
	binder_use(appdomain)
	# Perform binder IPC to binder services.
	binder_call(appdomain, binderservicedomain)
	# Perform binder IPC to other apps.
	binder_call(appdomain, appdomain)

	# Appdomain interaction with isolated apps
	r_dir_file(appdomain, isolated_app)

	# Already connected, unnamed sockets being passed over some other IPC
	# hence no sock_file or connectto permission. This appears to be how
	# Chrome works, may need to be updated as more apps using isolated services
	# are examined.
	allow appdomain isolated_app:unix_stream_socket { read write };
	allow isolated_app appdomain:unix_stream_socket { read write };

	# Backup ability for every app. BMS opens and passes the fd
	# to any app that has backup ability. Hence, no open permissions here.
	allow { appdomain isolated_app } backup_data_file:file { read write };
	allow { appdomain isolated_app } cache_backup_file:file { read write };
	# Backup ability using 'adb backup'
	allow { appdomain isolated_app } system_data_file:lnk_file getattr;

	# Allow all applications to read downloaded files
	allow appdomain download_file:file r_file_perms;
	file_type_auto_trans(appdomain, download_file, download_file)

	# ASEC
	allow untrusted_app asec_apk_file:dir { getattr };
	allow untrusted_app asec_apk_file:file r_file_perms;