Skip to content
Snippets Groups Projects
Select Git revision
  • ae4b79cefd7cbb04175c9ac1ab8ed95859b08263
  • master default protected
  • android-7.1.2_r28_klist
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
41 results

servicemanager.te

Blame
    • Stephen Smalley's avatar
      45731c70
      Annotate MLS trusted subjects and objects. · 45731c70
      Stephen Smalley authored 
      
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file.  Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.

This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.

Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      45731c70
      History
      Annotate MLS trusted subjects and objects.
      Stephen Smalley authored 
      
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file.  Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.

This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.

Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    app.te 5.97 KiB 
    #
# Domains for apps that do not run with one of the predefined
# platform UIDs (system, radio, nfc, ...).
#

#
# Apps signed with the platform key.
#
type platform_app, domain;
app_domain(platform_app)
platform_app_domain(platform_app)
# Access the network.
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
# Write to /cache.
allow platform_app cache_file:dir rw_dir_perms;
allow platform_app cache_file:file create_file_perms;
# Read from /data/local.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app shell_data_file:lnk_file read;
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms;

# Apps signed with the media key.
type media_app, domain;
app_domain(media_app)
platform_app_domain(media_app)
# Access the network.
net_domain(media_app)
# Access /dev/mtp_usb.
allow media_app mtp_device:chr_file rw_file_perms;
# Write to /cache.
allow media_app cache_file:dir rw_dir_perms;
allow media_app cache_file:file create_file_perms;
# Stat /cache/lost+found
allow media_app unlabeled:file getattr;
allow media_app unlabeled:dir getattr;
# Stat /cache/backup
allow media_app cache_backup_file:file getattr;
allow media_app cache_backup_file:dir getattr;

# Apps signed with the shared key.
type shared_app, domain;
app_domain(shared_app)
platform_app_domain(shared_app)
# Access the network.
net_domain(shared_app)
# Access bluetooth.
bluetooth_domain(shared_app)
# ASEC
r_dir_file(shared_app, asec_apk_file)

# Apps signed with the release key (testkey in AOSP).
type release_app, domain;
app_domain(release_app)
platform_app_domain(release_app)
# Access the network.
net_domain(release_app)
# Access bluetooth.
bluetooth_domain(release_app)

# Services with isolatedProcess=true in their manifest.
# In order for isolated_apps to interact with apps that have levelFromUid=true
    # set it must be an mlstrustedsubject.
type isolated_app, domain, mlstrustedsubject;
app_domain(isolated_app)

#
# Rules for platform app domains.
#

# App sandbox file accesses.
allow platformappdomain platform_app_data_file:dir create_dir_perms;
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
# App sdcard file accesses
allow platformappdomain sdcard_type:dir create_dir_perms;
allow platformappdomain sdcard_type:file create_file_perms;

#
# Untrusted apps.
#
type untrusted_app, domain;
app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
allow untrusted_app tun_device:chr_file rw_file_perms;

# Internal SDCard rw access.
bool app_internal_sdcard_rw true;
if (app_internal_sdcard_rw) {
allow untrusted_app sdcard_internal:dir create_dir_perms;
allow untrusted_app sdcard_internal:file create_file_perms;
}
# External SDCard rw access.
bool app_external_sdcard_rw true;
if (app_external_sdcard_rw) {
allow untrusted_app sdcard_external:dir create_dir_perms;
allow untrusted_app sdcard_external:file create_file_perms;
}

#
# Rules for all app domains.
#

# Allow apps to connect to the keystore
unix_socket_connect(appdomain, keystore, keystore)

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death;
allow appdomain zygote:process sigchld;

# Communicate over a FIFO or socket created by the system_server.
allow appdomain system:fifo_file rw_file_perms;
allow appdomain system:unix_stream_socket { read write setopt };

# Communicate over a socket created by surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };

# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC.  Do not allow open.
allow appdomain platform_app_data_file:file { getattr read write };

# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
    allow appdomain system_data_file:file { execute open };

# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };

# Write to /data/anr/traces.txt.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)

# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain isolated_app:unix_stream_socket { read write };
allow isolated_app appdomain:unix_stream_socket { read write };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow { appdomain isolated_app } backup_data_file:file { read write };
allow { appdomain isolated_app } cache_backup_file:file { read write };
# Backup ability using 'adb backup'
allow { appdomain isolated_app } system_data_file:lnk_file getattr;