public/ephemeral_app.te - platform/system/sepolicy - Git at Google

 ###
 ### Ephemeral apps.
 ###
 ### This file defines the security policy for apps with the ephemeral
 ### feature.
 ###
 ### The ephemeral_app domain is a reduced permissions sandbox allowing
 ### ephemeral applications to be safely installed and run. Non ephemeral
 ### applications may also opt-in to ephemeral to take advantage of the
 ### additional security features.
 ###
 ### PackageManager flags an app as ephemeral at install time.
 type ephemeral_app, domain;

 # allow JITing
 allow ephemeral_app self:process execmem;
 allow ephemeral_app ashmem_device:chr_file execute;

 # Map with PROT_EXEC.
 allow ephemeral_app ephemeral_app_tmpfs:file execute;

 # Read system properties managed by zygote.
 allow ephemeral_app zygote_tmpfs:file read;

 # Send logcat messages to logd.
 write_logd(ephemeral_app)

 # Receive and use open file descriptors inherited from zygote.
 allow ephemeral_app zygote:fd use;

 # Notify zygote of death;
 allow ephemeral_app zygote:process sigchld;

 # application inherit logd write socket (urge is to deprecate this long term)
 allow ephemeral_app zygote:unix_dgram_socket write;

 # App sandbox file accesses.
 allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
 allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;

 # Allow apps to read/execute installed binaries
 allow ephemeral_app ephemeral_apk_data_file:dir search;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };

 # For art.
 allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
 allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
 allow ephemeral_app dalvikcache_data_file:dir getattr;

 # Grant GPU access. ephemeral_app needs that to render the standard UI.
 allow ephemeral_app gpu_device:chr_file rw_file_perms;

 # Use the Binder.
 binder_use(ephemeral_app)
 # Perform binder IPC to binder services.
 binder_call(ephemeral_app, surfaceflinger)
 binder_call(ephemeral_app, system_server)

 # Allow read access to ion memory allocation device
 allow ephemeral_app ion_device:chr_file { read open };

 # Use pipes and sockets provided by system_server via binder or local socket.
 allow ephemeral_app system_server:fifo_file rw_file_perms;
 allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };

 # Inherit or receive open files from system_server.
 allow ephemeral_app system_server:fd use;

 # Communicate with surfaceflinger.
 allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

 # Read files already opened under /data.
 allow ephemeral_app system_data_file:file { getattr read };
 allow ephemeral_app system_data_file:lnk_file read;

 # System file accesses. Check for libraries
 allow ephemeral_app system_file:dir getattr;

 # services
 allow ephemeral_app accessibility_service:service_manager find;
 allow ephemeral_app activity_service:service_manager find;
 allow ephemeral_app assetatlas_service:service_manager find;
 allow ephemeral_app connectivity_service:service_manager find;
 allow ephemeral_app display_service:service_manager find;
 allow ephemeral_app graphicsstats_service:service_manager find;
 allow ephemeral_app input_method_service:service_manager find;
 allow ephemeral_app input_service:service_manager find;
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app textservices_service:service_manager find;

 ###
 ### neverallow rules
 ###

 # Executable content should never be loaded from an ephemeral app home directory.
 neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };

 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;

 # Receive or send generic netlink messages
 neverallow ephemeral_app domain:netlink_socket *;

 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow ephemeral_app debugfs:file read;

 # execute gpu_device
 neverallow ephemeral_app gpu_device:chr_file execute;

 # access files in /sys with the default sysfs label
 neverallow ephemeral_app sysfs:file *;
	###
	### Ephemeral apps.
	###
	### This file defines the security policy for apps with the ephemeral
	### feature.
	###
	### The ephemeral_app domain is a reduced permissions sandbox allowing
	### ephemeral applications to be safely installed and run. Non ephemeral
	### applications may also opt-in to ephemeral to take advantage of the
	### additional security features.
	###
	### PackageManager flags an app as ephemeral at install time.
	type ephemeral_app, domain;

	# allow JITing
	allow ephemeral_app self:process execmem;
	allow ephemeral_app ashmem_device:chr_file execute;

	# Map with PROT_EXEC.
	allow ephemeral_app ephemeral_app_tmpfs:file execute;

	# Read system properties managed by zygote.
	allow ephemeral_app zygote_tmpfs:file read;

	# Send logcat messages to logd.
	write_logd(ephemeral_app)

	# Receive and use open file descriptors inherited from zygote.
	allow ephemeral_app zygote:fd use;

	# Notify zygote of death;
	allow ephemeral_app zygote:process sigchld;

	# application inherit logd write socket (urge is to deprecate this long term)
	allow ephemeral_app zygote:unix_dgram_socket write;

	# App sandbox file accesses.
	allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
	allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;

	# Allow apps to read/execute installed binaries
	allow ephemeral_app ephemeral_apk_data_file:dir search;
	allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };

	# For art.
	allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
	allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
	allow ephemeral_app dalvikcache_data_file:dir getattr;

	# Grant GPU access. ephemeral_app needs that to render the standard UI.
	allow ephemeral_app gpu_device:chr_file rw_file_perms;

	# Use the Binder.
	binder_use(ephemeral_app)
	# Perform binder IPC to binder services.
	binder_call(ephemeral_app, surfaceflinger)
	binder_call(ephemeral_app, system_server)

	# Allow read access to ion memory allocation device
	allow ephemeral_app ion_device:chr_file { read open };

	# Use pipes and sockets provided by system_server via binder or local socket.
	allow ephemeral_app system_server:fifo_file rw_file_perms;
	allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
	allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };

	# Inherit or receive open files from system_server.
	allow ephemeral_app system_server:fd use;

	# Communicate with surfaceflinger.
	allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

	# Read files already opened under /data.
	allow ephemeral_app system_data_file:file { getattr read };
	allow ephemeral_app system_data_file:lnk_file read;

	# System file accesses. Check for libraries
	allow ephemeral_app system_file:dir getattr;

	# services
	allow ephemeral_app accessibility_service:service_manager find;
	allow ephemeral_app activity_service:service_manager find;
	allow ephemeral_app assetatlas_service:service_manager find;
	allow ephemeral_app connectivity_service:service_manager find;
	allow ephemeral_app display_service:service_manager find;
	allow ephemeral_app graphicsstats_service:service_manager find;
	allow ephemeral_app input_method_service:service_manager find;
	allow ephemeral_app input_service:service_manager find;
	allow ephemeral_app surfaceflinger_service:service_manager find;
	allow ephemeral_app textservices_service:service_manager find;

	###
	### neverallow rules
	###

	# Executable content should never be loaded from an ephemeral app home directory.
	neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };

	# Receive or send uevent messages.
	neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;

	# Receive or send generic netlink messages
	neverallow ephemeral_app domain:netlink_socket *;

	# Too much leaky information in debugfs. It's a security
	# best practice to ensure these files aren't readable.
	neverallow ephemeral_app debugfs:file read;

	# execute gpu_device
	neverallow ephemeral_app gpu_device:chr_file execute;

	# access files in /sys with the default sysfs label
	neverallow ephemeral_app sysfs:file *;