    #
    # Domains for apps that do not run with one of the predefined
    # platform UIDs (system, radio, nfc, ...). Each domain below is keyed to
    # the signing key of the app (platform, media, shared, release), plus one
    # per-app example (browser_app) and the untrusted_app domain.
    #

    #
    # Apps signed with the platform key.
    #
    # NOTE(review): this domain's network and bluetooth grants are introduced
    # by the "Access the network" / "Access bluetooth" comments below, but the
    # rule lines themselves are not present in this copy of the file --
    # confirm against the source before relying on this section.

    type platform_app, domain;
    # app_domain() is defined in the shared policy macros, not in this file;
    # it presumably attaches the appdomain attribute, so the "Rules for all
    # app domains" section at the bottom of the file applies here as well.
    app_domain(platform_app)

    # Access the network.
    # NOTE(review): no rule follows this comment in this copy of the file; the
    # other signing-key domains use net_domain(<domain>) here -- confirm that
    # the original grants the same to platform_app before relying on this.
    # Access bluetooth.
    # NOTE(review): no rule follows this comment in this copy of the file; the
    # other signing-key domains use bluetooth_domain(<domain>) here -- confirm
    # the original before relying on this section.
    # Read logs.
    # NOTE(review): read on the log device exposes whatever other processes
    # write to the shared log, which can include sensitive data; there is no
    # finer-grained restriction at this level, so this grant rests entirely
    # on the app being platform-signed.

    allow platform_app log_device:chr_file read;

    # Write to /cache.
    # rw_dir_perms on the directory and create_file_perms on files: the app
    # can list, add and modify entries. create_dir_perms is not granted, so
    # (assuming the *_dir_perms macros have their usual meaning -- see
    # global_macros) it cannot create subdirectories under /cache.

    allow platform_app cache_file:dir rw_dir_perms;
    allow platform_app cache_file:file create_file_perms;

    # Read from /data/local.
    # Read-only: search on the directory, open/getattr/read on regular files,
    # read on symlinks. No write, create or unlink is granted, so a platform
    # app cannot plant content here.
    # NOTE(review): shell_data_file is, going by the type name, the shell
    # user's data (presumably writable from adb shell); anything read from
    # here should be treated as untrusted input, not as platform-owned
    # configuration.

    allow platform_app shell_data_file:dir search;
    allow platform_app shell_data_file:file { open getattr read };
    allow platform_app shell_data_file:lnk_file read;

    # Access the sdcard.
    # Full create/read/write on directories and files. The sdcard is shared
    # storage: anything written here is reachable by every other domain with
    # the same grant, including untrusted_app when app_sdcard_rw is on (see
    # below), so nothing confidential belongs here.

    allow platform_app sdcard:dir create_dir_perms;
    allow platform_app sdcard:file create_file_perms;

    # Populate /data/app/vmdl*.tmp file created by system server.
    # rw_file_perms only: the temp file is created by system server and the
    # platform app (presumably the package installer) fills it in. Nothing
    # here lets the app create or remove apk_tmp_file objects itself,
    # assuming rw_file_perms carries no create/unlink (check global_macros).
    # NOTE(review): apk_tmp_file is one type shared by every platform_app
    # process, so SELinux alone does not keep one platform app away from
    # another's vmdl*.tmp; that separation has to come from DAC or the
    # framework.

    allow platform_app apk_tmp_file:file rw_file_perms;

    # Apps signed with the media key.
    # Network, log read, the MTP device, /cache and sdcard; no bluetooth and
    # no /data/local (contrast platform_app above).
    type media_app, domain;
    app_domain(media_app)
    # Access the network.
    net_domain(media_app)
    # Read logs.
    # NOTE(review): same caveat as platform_app -- read on the log device
    # exposes whatever other processes log.
    allow media_app log_device:chr_file read;
    # Access /dev/mtp_usb.
    # Read/write on the MTP character device; this is the only domain in this
    # file given access to mtp_device.
    allow media_app mtp_device:chr_file rw_file_perms;
    # Write to /cache.
    # Same /cache grant as platform_app: files may be created, subdirectories
    # may not (no create_dir_perms).
    allow media_app cache_file:dir rw_dir_perms;
    allow media_app cache_file:file create_file_perms;
    # Access sdcard.
    # NOTE(review): rw_* here rather than the create_* perms given to
    # platform_app and untrusted_app. Presumably deliberate, but worth
    # confirming, since the media app is the one most likely to need to
    # create and remove entries on external storage.

    allow media_app sdcard:dir rw_dir_perms;
    allow media_app sdcard:file rw_file_perms;


    # Apps signed with the shared key.
    # Network, bluetooth and log read only; no /cache, sdcard or /data/local
    # access (contrast platform_app above). Same rule set as release_app.
    type shared_app, domain;
    app_domain(shared_app)
    # Access the network.
    net_domain(shared_app)
    # Access bluetooth.
    bluetooth_domain(shared_app)
    # Read logs.
    # NOTE(review): same caveat as platform_app -- read on the log device
    # exposes whatever other processes log.
    allow shared_app log_device:chr_file read;

    # Apps signed with the release key (testkey in AOSP).
    # Same rule set as shared_app: network, bluetooth and log read.
    # NOTE(review): on a build that ships with the AOSP testkey as its
    # release key, that key is publicly available, so anything signed with it
    # lands in this domain. The grants below must then be read as reachable
    # by arbitrary third-party apps; production builds need their own key.
    type release_app, domain;
    app_domain(release_app)
    # Access the network.
    net_domain(release_app)
    # Access bluetooth.
    bluetooth_domain(release_app)
    # Read logs.
    # NOTE(review): same caveat as platform_app -- read on the log device
    # exposes whatever other processes log.
    allow release_app log_device:chr_file read;

    
    #
    # An example of a specific domain for a specific app
    # A domain for com.android.browser.
    # The browser gets only the common app rules (via app_domain) plus
    # network access: no log read, /cache, sdcard or bluetooth, unlike the
    # signing-key domains above. Per-app domains like this let a single
    # high-exposure app be confined more tightly than its signing key alone
    # would allow.
    type browser_app, domain;
    app_domain(browser_app)
    # Access the network.
    net_domain(browser_app)
    
    #
    # Untrusted apps.
    #
    # Apps that do not fall into one of the signing-key domains above
    # (presumably everything third-party). Each optional capability is
    # gated by a policy boolean so it can be toggled without rebuilding the
    # policy; the default is the value on each 'bool' line.
    #
    type untrusted_app, domain;
    app_domain(untrusted_app)
    # Boolean-controlled options for untrusted apps.
    # Network access.
    # On by default.
    bool app_network true;
    if (app_network) {
    # Cannot use net_domain within a conditional - type attribute.
    # The rules below therefore spell out by hand what net_domain() grants
    # to the other domains in this file; keep them in sync with that macro.
    # NOTE(review): '*' is every permission on the app's own tcp/udp sockets,
    # and name_connect / name_bind / node_bind are granted against the whole
    # port_type / node_type attribute, i.e. any labelled port or node rather
    # than a curated subset -- confirm this matches what net_domain() gives.
    allow untrusted_app self:{ tcp_socket udp_socket } *;
    allow untrusted_app port_type:tcp_socket name_connect;
    allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
    allow untrusted_app port_type:udp_socket name_bind;
    allow untrusted_app port_type:tcp_socket name_bind;
    # Presumably DNS resolution, which goes through netd's dnsproxyd socket.
    unix_socket_connect(untrusted_app, dnsproxyd, netd)
    }
    # Bluetooth access.
    # Off by default.
    bool app_bluetooth false;
    if (app_bluetooth) {
    # No specific SELinux class for bluetooth sockets presently.
    # NOTE(review): because there is no bluetooth-specific class this is '*'
    # on the generic socket class -- every permission, not just
    # create/connect. Revisit if a dedicated class becomes available.
    allow untrusted_app self:socket *;
    }
    # SDCard rw access.
    # On by default; same create/read/write grant that platform_app has on
    # sdcard, so sdcard contents are shared with untrusted apps.
    bool app_sdcard_rw true;
    if (app_sdcard_rw) {
    allow untrusted_app sdcard:dir create_dir_perms;
    allow untrusted_app sdcard:file create_file_perms;
    }
    # Native app support.
    # Off by default.
    bool app_ndk false;
    if (app_ndk) {

    # Execute native libraries out of the system-owned lib directory
    # (system_data_file; see the "lib subdirectory" note in the common rules
    # below). NOTE(review): this is the only execute grant for untrusted_app
    # in this file, and it is on a type this file never lets an app write to
    # (appdomain gets r_dir_perms on system_data_file only), so enabling it
    # does not by itself let an app execute code it wrote -- assuming
    # create_file_perms on app_data_file does not include execute (check
    # global_macros).
    allow untrusted_app system_data_file:file { execute open };

    }
    
    #
    # Rules for all app domains.
    #
    # Keyed on the appdomain attribute, so every app domain above
    # (platform_app, media_app, shared_app, release_app, browser_app,
    # untrusted_app -- presumably attached by app_domain()) receives these.
    #

    # Receive and use open file descriptors inherited from zygote.
    # 'use' on the fd class is what lets the app keep operating on
    # descriptors zygote opened before the domain transition.
    allow appdomain zygote:fd use;

    # Read system properties managed by zygote.
    # Read-only; no write is granted.
    allow appdomain zygote_tmpfs:file read;

    # Notify zygote of death;
    allow appdomain zygote:process sigchld;

    # Communicate over a FIFO to system processes.
    allow appdomain system:fifo_file rw_file_perms;

    # App sandbox file accesses.
    # Full control over the app's own data directory: create_dir_perms on
    # directories and create_file_perms on every non-device file class.
    # Note there is no explicit execute grant here, so unless
    # create_file_perms itself includes execute (check global_macros) an app
    # cannot run code it has written into its own sandbox.
    allow appdomain app_data_file:dir create_dir_perms;
    allow appdomain app_data_file:notdevfile_class_set create_file_perms;

    # lib subdirectory of /data/data dir is system-owned.
    # Read/search only: apps cannot modify their native lib directory.
    # (Execute on files of this type is granted only to untrusted_app, under
    # the app_ndk boolean above.)
    allow appdomain system_data_file:dir r_dir_perms;


    # Read/write wallpaper file (opened by system).
    # Deliberately no 'open': the app can only read/write a descriptor the
    # system has already opened and handed over, not open wallpaper_file by
    # path on its own.
    allow appdomain wallpaper_file:file { read write };


    # Write to /data/anr/traces.txt.
    # Append-only: search to reach the file, open + append to add a trace.
    # No read (the app cannot read the traces file back) and no write, so
    # the file cannot be truncated or rewritten, only appended to.
    allow appdomain anr_data_file:dir search;
    allow appdomain anr_data_file:file { open append };


    # Write to /proc/net/xt_qtaguid/ctrl file.
    # Write only (presumably for socket tagging); no read of the ctrl file.
    allow appdomain qtaguid:file write;


    # Use the Binder.
    binder_use(appdomain)
    # Perform binder IPC to binder services.
    # binder_call covers the IPC itself and binder_transfer presumably the
    # passing of binder references across it; the exact permissions live in
    # the macro definitions, not in this file.
    binder_call(appdomain, binderservicedomain)
    binder_transfer(appdomain, binderservicedomain)

    # Perform binder IPC to other apps.
    # NOTE(review): this is app-to-app binder between every pair of app
    # domains, untrusted_app included, with no distinction made at the
    # SELinux level; any finer-grained restriction on which apps may talk to
    # which is left to the framework's own permission checks.
    binder_call(appdomain, appdomain)
    binder_transfer(appdomain, appdomain)