| ### |
| ### Ephemeral apps. |
| ### |
| ### This file defines the security policy for apps with the ephemeral |
| ### feature. |
| ### |
| ### The ephemeral_app domain is a reduced permissions sandbox allowing |
| ### ephemeral applications to be safely installed and run. Non ephemeral |
| ### applications may also opt-in to ephemeral to take advantage of the |
| ### additional security features. |
| ### |
| ### PackageManager flags an app as ephemeral at install time. |
| |
| typeattribute ephemeral_app coredomain; |
| |
| net_domain(ephemeral_app) |
| app_domain(ephemeral_app) |
| |
| # Allow ephemeral apps to read/write files in visible storage if provided fds |
| allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append}; |
| |
| # Some apps ship with shared libraries and binaries that they write out |
| # to their sandbox directory and then execute. |
| allow ephemeral_app app_data_file:file {r_file_perms execute}; |
| |
| # services |
| allow ephemeral_app audioserver_service:service_manager find; |
| allow ephemeral_app cameraserver_service:service_manager find; |
| allow ephemeral_app mediaserver_service:service_manager find; |
| allow ephemeral_app mediaextractor_service:service_manager find; |
| allow ephemeral_app mediacodec_service:service_manager find; |
| allow ephemeral_app mediametrics_service:service_manager find; |
| allow ephemeral_app mediadrmserver_service:service_manager find; |
| allow ephemeral_app drmserver_service:service_manager find; |
| allow ephemeral_app radio_service:service_manager find; |
| allow ephemeral_app ephemeral_app_api_service:service_manager find; |
| |
| # Write app-specific trace data to the Perfetto traced damon. This requires |
| # connecting to its producer socket and obtaining a (per-process) tmpfs fd. |
| allow ephemeral_app traced:fd use; |
| allow ephemeral_app traced_tmpfs:file { read write getattr map }; |
| unix_socket_connect(ephemeral_app, traced_producer, traced) |
| |
| # allow ephemeral apps to use UDP sockets provided by the system server but not |
| # modify them other than to connect |
| allow ephemeral_app system_server:udp_socket { |
| connect getattr read recvfrom sendto write getopt setopt }; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| neverallow ephemeral_app app_data_file:file execute_no_trans; |
| |
| # Receive or send uevent messages. |
| neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; |
| |
| # Receive or send generic netlink messages |
| neverallow ephemeral_app domain:netlink_socket *; |
| |
| # Too much leaky information in debugfs. It's a security |
| # best practice to ensure these files aren't readable. |
| neverallow ephemeral_app debugfs:file read; |
| |
| # execute gpu_device |
| neverallow ephemeral_app gpu_device:chr_file execute; |
| |
| # access files in /sys with the default sysfs label |
| neverallow ephemeral_app sysfs:file *; |
| |
| # Avoid reads from generically labeled /proc files |
| # Create a more specific label if needed |
| neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms }; |
| |
| # Directly access external storage |
| neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create}; |
| neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search; |
| |
| # Avoid reads to proc_net, it contains too much device wide information about |
| # ongoing connections. |
| neverallow ephemeral_app proc_net:file no_rw_file_perms; |
