| ### |
| ### Untrusted apps. |
| ### |
| ### This file defines the rules for untrusted apps. |
| ### Apps are labeled based on mac_permissions.xml (maps signer and |
| ### optionally package name to seinfo value) and seapp_contexts (maps UID |
| ### and optionally seinfo value to domain for process and type for data |
| ### directory). The untrusted_app domain is the default assignment in |
| ### seapp_contexts for any app with UID between APP_AID (10000) |
| ### and AID_ISOLATED_START (99000) if the app has no specific seinfo |
| ### value as determined from mac_permissions.xml. In current AOSP, this |
| ### domain is assigned to all non-system apps as well as to any system apps |
| ### that are not signed by the platform key. To move |
| ### a system app into a specific domain, add a signer entry for it to |
| ### mac_permissions.xml and assign it one of the pre-existing seinfo values |
| ### or define and use a new seinfo value in both mac_permissions.xml and |
| ### seapp_contexts. |
| ### |
| ### untrusted_app includes all the appdomain rules, plus the |
| ### additional following rules: |
| ### |
| |
| type untrusted_app, domain; |
| app_domain(untrusted_app) |
| net_domain(untrusted_app) |
| bluetooth_domain(untrusted_app) |
| |
| # Some apps ship with shared libraries and binaries that they write out |
| # to their sandbox directory and then execute. |
| allow untrusted_app app_data_file:file { rx_file_perms execmod }; |
| |
| allow untrusted_app tun_device:chr_file rw_file_perms; |
| |
| # ASEC |
| allow untrusted_app asec_apk_file:file r_file_perms; |
| # Execute libs in asec containers. |
| allow untrusted_app asec_public_file:file { execute execmod }; |
| |
| # Allow the allocation and use of ptys |
| # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm |
| create_pty(untrusted_app) |
| |
| # Used by Finsky / Android "Verify Apps" functionality when |
| # running "adb install foo.apk". |
| # TODO: Long term, we don't want apps probing into shell data files. |
| # Figure out a way to remove these rules. |
| allow untrusted_app shell_data_file:file r_file_perms; |
| allow untrusted_app shell_data_file:dir r_dir_perms; |
| |
| # b/18504118: Allow reads from /data/anr/traces.txt |
| # TODO: We shouldn't be allowing all untrusted_apps to read |
| # this file. This is only needed for the GMS feedback agent. |
| # See also b/18340553. GMS runs as untrusted_app, and |
| # it's too late to change the domain it runs in. |
| # This line needs to be deleted. |
| allow untrusted_app anr_data_file:file r_file_perms; |
| |
| # Read and write system app data files passed over Binder. |
| # Motivating case was /data/data/com.android.settings/cache/*.jpg for |
| # cropping or taking user photos. |
| allow untrusted_app system_app_data_file:file { read write getattr }; |
| |
| # |
| # Rules migrated from old app domains coalesced into untrusted_app. |
| # This includes what used to be media_app, shared_app, and release_app. |
| # |
| |
| # Access /dev/mtp_usb. |
| allow untrusted_app mtp_device:chr_file rw_file_perms; |
| |
| # Access to /data/media. |
| allow untrusted_app media_rw_data_file:dir create_dir_perms; |
| allow untrusted_app media_rw_data_file:file create_file_perms; |
| |
| # Write to /cache. |
| allow untrusted_app cache_file:dir create_dir_perms; |
| allow untrusted_app cache_file:file create_file_perms; |
| |
| allow untrusted_app drmserver_service:service_manager find; |
| allow untrusted_app mediaserver_service:service_manager find; |
| allow untrusted_app nfc_service:service_manager find; |
| allow untrusted_app radio_service:service_manager find; |
| allow untrusted_app surfaceflinger_service:service_manager find; |
| allow untrusted_app tmp_system_server_service:service_manager find; |
| allow untrusted_app app_api_service:service_manager find; |
| |
| # TODO: remove this once priv-apps are no longer running in untrusted_app |
| allow untrusted_app system_api_service:service_manager find; |
| |
| service_manager_local_audit_domain(untrusted_app) |
| auditallow untrusted_app { |
| tmp_system_server_service |
| -accessibility_service |
| -account_service |
| -activity_service |
| -appops_service |
| -appwidget_service |
| -assetatlas_service |
| -audio_service |
| -backup_service |
| -battery_service |
| -batterystats_service |
| -bluetooth_manager_service |
| -clipboard_service |
| -connectivity_service |
| -content_service |
| -country_detector_service |
| -default_android_service |
| -device_policy_service |
| -diskstats_service |
| -display_service |
| -dropbox_service |
| -graphicsstats_service |
| -healthd_service |
| -imms_service |
| -input_method_service |
| -input_service |
| -jobscheduler_service |
| -launcherapps_service |
| -location_service |
| -lock_settings_service |
| -media_router_service |
| -media_session_service |
| -meminfo_service |
| -mount_service |
| -netpolicy_service |
| -netstats_service |
| -network_management_service |
| -network_score_service |
| -notification_service |
| -persistent_data_block_service |
| -power_service |
| -procstats_service |
| -registry_service |
| -rttmanager_service |
| -search_service |
| -sensorservice_service |
| -statusbar_service |
| -textservices_service |
| -trust_service |
| -uimode_service |
| -usagestats_service |
| -user_service |
| -vibrator_service |
| -voiceinteraction_service |
| -wallpaper_service |
| -webviewupdate_service |
| -wifi_service |
| -wifip2p_service |
| }:service_manager find; |
| |
| # Allow verifier to access staged apks. |
| allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; |
| allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # Receive or send uevent messages. |
| neverallow untrusted_app domain:netlink_kobject_uevent_socket *; |
| |
| # Receive or send generic netlink messages |
| neverallow untrusted_app domain:netlink_socket *; |
| |
| # Too much leaky information in debugfs. It's a security |
| # best practice to ensure these files aren't readable. |
| neverallow untrusted_app debugfs:file read; |
| |
| # Do not allow untrusted apps to register services. |
| # Only trusted components of Android should be registering |
| # services. |
| neverallow untrusted_app service_manager_type:service_manager add; |
| |
| # Do not allow untrusted_apps to connect to the property service |
| # or set properties. b/10243159 |
| neverallow untrusted_app property_socket:sock_file write; |
| neverallow untrusted_app init:unix_stream_socket connectto; |
| neverallow untrusted_app property_type:property_service set; |
| |
| # Do not allow untrusted_app to be assigned mlstrustedsubject. |
| # This would undermine the per-user isolation model being |
| # enforced via levelFrom=user in seapp_contexts and the mls |
| # constraints. As there is no direct way to specify a neverallow |
| # on attribute assignment, this relies on the fact that fork |
| # permission only makes sense within a domain (hence should |
| # never be granted to any other domain within mlstrustedsubject) |
| # and untrusted_app is allowed fork permission to itself. |
| neverallow untrusted_app mlstrustedsubject:process fork; |
| |
| # Do not allow untrusted_app to hard link to any files. |
| # In particular, if untrusted_app links to other app data |
| # files, installd will not be able to guarantee the deletion |
| # of the linked to file. Hard links also contribute to security |
| # bugs, so we want to ensure untrusted_app never has this |
| # capability. |
| neverallow untrusted_app file_type:file link; |