private/ephemeral_app.te - platform/system/sepolicy - Git at Google

 ###
 ### Ephemeral apps.
 ###
 ### This file defines the security policy for apps with the ephemeral
 ### feature.
 ###
 ### The ephemeral_app domain is a reduced permissions sandbox allowing
 ### ephemeral applications to be safely installed and run. Non ephemeral
 ### applications may also opt-in to ephemeral to take advantage of the
 ### additional security features.
 ###
 ### PackageManager flags an app as ephemeral at install time.

 typeattribute ephemeral_app coredomain;

 net_domain(ephemeral_app)
 app_domain(ephemeral_app)

 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};

 # services
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;

 ###
 ### neverallow rules
 ###

 # Executable content should never be loaded from an ephemeral app home directory.
 neverallow ephemeral_app app_data_file:file { execute execute_no_trans };

 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;

 # Receive or send generic netlink messages
 neverallow ephemeral_app domain:netlink_socket *;

 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow ephemeral_app debugfs:file read;

 # execute gpu_device
 neverallow ephemeral_app gpu_device:chr_file execute;

 # access files in /sys with the default sysfs label
 neverallow ephemeral_app sysfs:file *;

 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };

 # Directly access external storage
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;

 # Avoid reads to proc_net, it contains too much device wide information about
 # ongoing connections.
 neverallow ephemeral_app proc_net:file no_rw_file_perms;
	###
	### Ephemeral apps.
	###
	### This file defines the security policy for apps with the ephemeral
	### feature.
	###
	### The ephemeral_app domain is a reduced permissions sandbox allowing
	### ephemeral applications to be safely installed and run. Non ephemeral
	### applications may also opt-in to ephemeral to take advantage of the
	### additional security features.
	###
	### PackageManager flags an app as ephemeral at install time.

	typeattribute ephemeral_app coredomain;

	net_domain(ephemeral_app)
	app_domain(ephemeral_app)

	# Allow ephemeral apps to read/write files in visible storage if provided fds
	allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};

	# services
	allow ephemeral_app surfaceflinger_service:service_manager find;
	allow ephemeral_app radio_service:service_manager find;
	allow ephemeral_app ephemeral_app_api_service:service_manager find;

	###
	### neverallow rules
	###

	# Executable content should never be loaded from an ephemeral app home directory.
	neverallow ephemeral_app app_data_file:file { execute execute_no_trans };

	# Receive or send uevent messages.
	neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;

	# Receive or send generic netlink messages
	neverallow ephemeral_app domain:netlink_socket *;

	# Too much leaky information in debugfs. It's a security
	# best practice to ensure these files aren't readable.
	neverallow ephemeral_app debugfs:file read;

	# execute gpu_device
	neverallow ephemeral_app gpu_device:chr_file execute;

	# access files in /sys with the default sysfs label
	neverallow ephemeral_app sysfs:file *;

	# Avoid reads from generically labeled /proc files
	# Create a more specific label if needed
	neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };

	# Directly access external storage
	neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
	neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;

	# Avoid reads to proc_net, it contains too much device wide information about
	# ongoing connections.
	neverallow ephemeral_app proc_net:file no_rw_file_perms;