1### 2### A domain for further sandboxing privileged apps. 3### 4 5typeattribute priv_app coredomain; 6app_domain(priv_app) 7 8# Access the network. 9net_domain(priv_app) 10# Access bluetooth. 11bluetooth_domain(priv_app) 12 13# Allow the allocation and use of ptys 14# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm 15create_pty(priv_app) 16 17# Allow loading executable code from writable priv-app home 18# directories. This is a W^X violation, however, it needs 19# to be supported for now for the following reasons. 20# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367) 21# 1) com.android.opengl.shaders_cache 22# 2) com.android.skia.shaders_cache 23# 3) com.android.renderscript.cache 24# * /data/user_de/0/com.google.android.gms/app_chimera 25# TODO: Tighten (b/112357170) 26allow priv_app privapp_data_file:file execute; 27 28allow priv_app privapp_data_file:lnk_file create_file_perms; 29 30# Priv apps can find services that expose both @SystemAPI and normal APIs. 31allow priv_app app_api_service:service_manager find; 32allow priv_app system_api_service:service_manager find; 33 34allow priv_app audioserver_service:service_manager find; 35allow priv_app cameraserver_service:service_manager find; 36allow priv_app drmserver_service:service_manager find; 37allow priv_app mediadrmserver_service:service_manager find; 38allow priv_app mediaextractor_service:service_manager find; 39allow priv_app mediametrics_service:service_manager find; 40allow priv_app mediaserver_service:service_manager find; 41allow priv_app network_watchlist_service:service_manager find; 42allow priv_app nfc_service:service_manager find; 43allow priv_app oem_lock_service:service_manager find; 44allow priv_app persistent_data_block_service:service_manager find; 45allow priv_app radio_service:service_manager find; 46allow priv_app recovery_service:service_manager find; 47allow priv_app stats_service:service_manager find; 48 49# Write to /cache. 50allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms; 51allow priv_app { cache_file cache_recovery_file }:file create_file_perms; 52# /cache is a symlink to /data/cache on some devices. Allow reading the link. 53allow priv_app cache_file:lnk_file r_file_perms; 54 55# Access to /data/media. 56allow priv_app media_rw_data_file:dir create_dir_perms; 57allow priv_app media_rw_data_file:file create_file_perms; 58 59# Used by Finsky / Android "Verify Apps" functionality when 60# running "adb install foo.apk". 61allow priv_app shell_data_file:file r_file_perms; 62allow priv_app shell_data_file:dir r_dir_perms; 63 64# Allow traceur to pass file descriptors through a content provider to betterbug 65allow priv_app trace_data_file:file { getattr read }; 66 67# Allow verifier to access staged apks. 68allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; 69allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; 70 71# For AppFuse. 72allow priv_app vold:fd use; 73allow priv_app fuse_device:chr_file { read write }; 74 75# /proc access 76allow priv_app { 77 proc_vmstat 78}:file r_file_perms; 79 80allow priv_app sysfs_type:dir search; 81# Read access to /sys/class/net/wlan*/address 82r_dir_file(priv_app, sysfs_net) 83# Read access to /sys/block/zram*/mm_stat 84r_dir_file(priv_app, sysfs_zram) 85 86r_dir_file(priv_app, rootfs) 87 88# access the mac address 89allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR; 90 91# Allow com.android.vending to communicate with statsd. 92binder_call(priv_app, statsd) 93 94# Allow Phone to read/write cached ringtones (opened by system). 95allow priv_app ringtone_file:file { getattr read write }; 96 97# Access to /data/preloads 98allow priv_app preloads_data_file:file r_file_perms; 99allow priv_app preloads_data_file:dir r_dir_perms; 100allow priv_app preloads_media_file:file r_file_perms; 101allow priv_app preloads_media_file:dir r_dir_perms; 102 103read_runtime_log_tags(priv_app) 104 105# Write app-specific trace data to the Perfetto traced damon. This requires 106# connecting to its producer socket and obtaining a (per-process) tmpfs fd. 107perfetto_producer(priv_app) 108 109# Allow priv_apps to request and collect incident reports. 110# (Also requires DUMP and PACKAGE_USAGE_STATS permissions) 111allow priv_app incident_service:service_manager find; 112binder_call(priv_app, incidentd) 113allow priv_app incidentd:fifo_file { read write }; 114 115# Allow profiling if the app opts in by being marked profileable/debuggable. 116can_profile_heap(priv_app) 117can_profile_perf(priv_app) 118 119# Allow priv_apps to check whether Dynamic System Update is enabled 120get_prop(priv_app, dynamic_system_prop) 121 122# suppress denials for non-API accesses. 123dontaudit priv_app exec_type:file getattr; 124dontaudit priv_app device:dir read; 125dontaudit priv_app fs_bpf:dir search; 126dontaudit priv_app net_dns_prop:file read; 127dontaudit priv_app proc:file read; 128dontaudit priv_app proc_interrupts:file read; 129dontaudit priv_app proc_modules:file read; 130dontaudit priv_app proc_net:file read; 131dontaudit priv_app proc_stat:file read; 132dontaudit priv_app proc_version:file read; 133dontaudit priv_app sysfs:dir read; 134dontaudit priv_app sysfs:file read; 135dontaudit priv_app sysfs_android_usb:file read; 136dontaudit priv_app sysfs_dm:file r_file_perms; 137dontaudit priv_app { wifi_prop wifi_hal_prop }:file read; 138 139# allow privileged apps to use UDP sockets provided by the system server but not 140# modify them other than to connect 141allow priv_app system_server:udp_socket { 142 connect getattr read recvfrom sendto write getopt setopt }; 143 144# allow apps like Phonesky to check the file signature of an apk installed on 145# the Incremental File System, and fill missing blocks in the apk 146allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS }; 147 148# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System 149allow priv_app incremental_control_file:file { read getattr ioctl }; 150 151# allow apps like Phonesky to request permission to fill blocks of an apk file 152# on the Incremental File System. 153allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL; 154 155# Required for Phonesky to be able to read APEX files under /data/apex/active/. 156allow priv_app apex_data_file:dir search; 157allow priv_app staging_data_file:file r_file_perms; 158 159# allow priv app to access the system app data files for ContentProvider case. 160allow priv_app system_app_data_file:file { read getattr }; 161 162### 163### neverallow rules 164### 165 166# Receive or send uevent messages. 167neverallow priv_app domain:netlink_kobject_uevent_socket *; 168 169# Receive or send generic netlink messages 170neverallow priv_app domain:netlink_socket *; 171 172# Too much leaky information in debugfs. It's a security 173# best practice to ensure these files aren't readable. 174neverallow priv_app debugfs:file read; 175 176# Do not allow privileged apps to register services. 177# Only trusted components of Android should be registering 178# services. 179neverallow priv_app service_manager_type:service_manager add; 180 181# Do not allow privileged apps to connect to the property service 182# or set properties. b/10243159 183neverallow priv_app property_socket:sock_file write; 184neverallow priv_app init:unix_stream_socket connectto; 185neverallow priv_app property_type:property_service set; 186 187# Do not allow priv_app to be assigned mlstrustedsubject. 188# This would undermine the per-user isolation model being 189# enforced via levelFrom=user in seapp_contexts and the mls 190# constraints. As there is no direct way to specify a neverallow 191# on attribute assignment, this relies on the fact that fork 192# permission only makes sense within a domain (hence should 193# never be granted to any other domain within mlstrustedsubject) 194# and priv_app is allowed fork permission to itself. 195neverallow priv_app mlstrustedsubject:process fork; 196 197# Do not allow priv_app to hard link to any files. 198# In particular, if priv_app links to other app data 199# files, installd will not be able to guarantee the deletion 200# of the linked to file. Hard links also contribute to security 201# bugs, so we want to ensure priv_app never has this 202# capability. 203neverallow priv_app file_type:file link; 204 205# priv apps should not be able to open trace data files, they should depend 206# upon traceur to pass a file descriptor which they can then read 207neverallow priv_app trace_data_file:dir *; 208neverallow priv_app trace_data_file:file { no_w_file_perms open }; 209 210# Do not allow priv_app access to cgroups. 211neverallow priv_app cgroup:file *; 212 213# Do not allow loading executable code from non-privileged 214# application home directories. Code loading across a security boundary 215# is dangerous and allows a full compromise of a privileged process 216# by an unprivileged process. b/112357170 217neverallow priv_app app_data_file:file no_x_file_perms; 218 219# Do not follow untrusted app provided symlinks 220neverallow priv_app app_data_file:lnk_file { open read getattr }; 221