1### 2### Ephemeral apps. 3### 4### This file defines the security policy for apps with the ephemeral 5### feature. 6### 7### The ephemeral_app domain is a reduced permissions sandbox allowing 8### ephemeral applications to be safely installed and run. Non ephemeral 9### applications may also opt-in to ephemeral to take advantage of the 10### additional security features. 11### 12### PackageManager flags an app as ephemeral at install time. 13 14typeattribute ephemeral_app coredomain; 15 16net_domain(ephemeral_app) 17app_domain(ephemeral_app) 18 19# Allow ephemeral apps to read/write files in visible storage if provided fds 20allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append}; 21 22# Some apps ship with shared libraries and binaries that they write out 23# to their sandbox directory and then execute. 24allow ephemeral_app privapp_data_file:file { r_file_perms execute }; 25allow ephemeral_app app_data_file:file { r_file_perms execute }; 26 27# Follow priv-app symlinks. This is used for dynamite functionality. 28allow ephemeral_app privapp_data_file:lnk_file r_file_perms; 29 30# Allow the renderscript compiler to be run. 31domain_auto_trans(ephemeral_app, rs_exec, rs) 32 33# Allow loading and deleting shared libraries created by trusted system 34# components within an application home directory. 35allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink }; 36 37# services 38allow ephemeral_app audioserver_service:service_manager find; 39allow ephemeral_app cameraserver_service:service_manager find; 40allow ephemeral_app mediaserver_service:service_manager find; 41allow ephemeral_app mediaextractor_service:service_manager find; 42allow ephemeral_app mediametrics_service:service_manager find; 43allow ephemeral_app mediadrmserver_service:service_manager find; 44allow ephemeral_app drmserver_service:service_manager find; 45allow ephemeral_app radio_service:service_manager find; 46allow ephemeral_app ephemeral_app_api_service:service_manager find; 47allow ephemeral_app gpu_service:service_manager find; 48 49# Allow ephemeral apps to interact with gpuservice 50binder_call(ephemeral_app, gpuservice) 51 52# Write app-specific trace data to the Perfetto traced damon. This requires 53# connecting to its producer socket and obtaining a (per-process) tmpfs fd. 54perfetto_producer(ephemeral_app) 55 56# Allow profiling if the app opts in by being marked profileable/debuggable. 57can_profile_heap(ephemeral_app) 58can_profile_perf(ephemeral_app) 59 60# allow ephemeral apps to use UDP sockets provided by the system server but not 61# modify them other than to connect 62allow ephemeral_app system_server:udp_socket { 63 connect getattr read recvfrom sendto write getopt setopt }; 64 65allow ephemeral_app ashmem_device:chr_file rw_file_perms; 66 67### 68### neverallow rules 69### 70 71neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans; 72 73# Receive or send uevent messages. 74neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; 75 76# Receive or send generic netlink messages 77neverallow ephemeral_app domain:netlink_socket *; 78 79# Too much leaky information in debugfs. It's a security 80# best practice to ensure these files aren't readable. 81neverallow ephemeral_app debugfs:file read; 82 83# execute gpu_device 84neverallow ephemeral_app gpu_device:chr_file execute; 85 86# access files in /sys with the default sysfs label 87neverallow ephemeral_app sysfs:file *; 88 89# Avoid reads from generically labeled /proc files 90# Create a more specific label if needed 91neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms }; 92 93# Directly access external storage 94neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create}; 95neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search; 96 97# Avoid reads to proc_net, it contains too much device wide information about 98# ongoing connections. 99neverallow ephemeral_app proc_net:file no_rw_file_perms; 100