autoplay_app.te - platform/system/sepolicy - Git at Google

 ###
 ### AutoPlay apps.
 ###
 ### This file defines the security policy for apps with the autoplay
 ### feature.
 ###
 ### The autoplay_app domain is a reduced permissions sandbox allowing
 ### ephemeral applications to be safely installed and run. Non ephemeral
 ### applications may also opt-in to autoplay to take advantage of the
 ### additional security features.
 ###
 ### PackageManager flags an app as autoplay at install time.
 type autoplay_app, domain;

 # allow JITing
 allow autoplay_app self:process execmem;
 allow autoplay_app ashmem_device:chr_file execute;

 # Define and allow access to our own type for ashmem regions.
 # Label ashmem objects with our own unique type.
 tmpfs_domain(autoplay_app)
 # Map with PROT_EXEC.
 allow autoplay_app autoplay_app_tmpfs:file execute;

 # Read system properties managed by zygote.
 allow autoplay_app zygote_tmpfs:file read;

 # Send logcat messages to logd.
 write_logd(autoplay_app)

 # Receive and use open file descriptors inherited from zygote.
 allow autoplay_app zygote:fd use;

 # Notify zygote of death;
 allow autoplay_app zygote:process sigchld;

 # application inherit logd write socket (urge is to deprecate this long term)
 allow autoplay_app zygote:unix_dgram_socket write;

 # App sandbox file accesses.
 allow autoplay_app autoplay_data_file:dir create_dir_perms;
 allow autoplay_app autoplay_data_file:{ file sock_file fifo_file } create_file_perms;

 # For art.
 allow autoplay_app dalvikcache_data_file:file { execute r_file_perms };
 allow autoplay_app dalvikcache_data_file:lnk_file r_file_perms;
 allow autoplay_app dalvikcache_data_file:dir getattr;

 # Grant GPU access. autoplay_app needs that to render the standard UI.
 allow autoplay_app gpu_device:chr_file rw_file_perms;

 # Use the Binder.
 binder_use(autoplay_app)
 # Perform binder IPC to binder services.
 binder_call(autoplay_app, surfaceflinger)
 binder_call(autoplay_app, system_server)

 # Allow read access to ion memory allocation device
 allow autoplay_app ion_device:chr_file { read open };

 # Use pipes and sockets provided by system_server via binder or local socket.
 allow autoplay_app system_server:fifo_file rw_file_perms;
 allow autoplay_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow autoplay_app system_server:tcp_socket { read write getattr getopt shutdown };

 # Inherit or receive open files from system_server.
 allow autoplay_app system_server:fd use;

 # Communicate with surfaceflinger.
 allow autoplay_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

 # Read files already opened under /data.
 allow autoplay_app system_data_file:file { getattr read };
 allow autoplay_app system_data_file:lnk_file read;

 # System file accesses. Check for libraries
 allow autoplay_app system_file:dir getattr;

 # services
 allow autoplay_app accessibility_service:service_manager find;
 allow autoplay_app activity_service:service_manager find;
 allow autoplay_app assetatlas_service:service_manager find;
 allow autoplay_app connectivity_service:service_manager find;
 allow autoplay_app display_service:service_manager find;
 allow autoplay_app graphicsstats_service:service_manager find;
 allow autoplay_app input_method_service:service_manager find;
 allow autoplay_app input_service:service_manager find;
 allow autoplay_app surfaceflinger_service:service_manager find;
 allow autoplay_app textservices_service:service_manager find;

 ###
 ### neverallow rules
 ###

 # Receive or send uevent messages.
 neverallow autoplay_app domain:netlink_kobject_uevent_socket *;

 # Receive or send generic netlink messages
 neverallow autoplay_app domain:netlink_socket *;

 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow autoplay_app debugfs:file read;

 # execute gpu_device
 neverallow autoplay_app gpu_device:chr_file execute;

 # access files in /sys with the default sysfs label
 neverallow autoplay_app sysfs:file *;
	###
	### AutoPlay apps.
	###
	### This file defines the security policy for apps with the autoplay
	### feature.
	###
	### The autoplay_app domain is a reduced permissions sandbox allowing
	### ephemeral applications to be safely installed and run. Non ephemeral
	### applications may also opt-in to autoplay to take advantage of the
	### additional security features.
	###
	### PackageManager flags an app as autoplay at install time.
	type autoplay_app, domain;

	# allow JITing
	allow autoplay_app self:process execmem;
	allow autoplay_app ashmem_device:chr_file execute;

	# Define and allow access to our own type for ashmem regions.
	# Label ashmem objects with our own unique type.
	tmpfs_domain(autoplay_app)
	# Map with PROT_EXEC.
	allow autoplay_app autoplay_app_tmpfs:file execute;

	# Read system properties managed by zygote.
	allow autoplay_app zygote_tmpfs:file read;

	# Send logcat messages to logd.
	write_logd(autoplay_app)

	# Receive and use open file descriptors inherited from zygote.
	allow autoplay_app zygote:fd use;

	# Notify zygote of death;
	allow autoplay_app zygote:process sigchld;

	# application inherit logd write socket (urge is to deprecate this long term)
	allow autoplay_app zygote:unix_dgram_socket write;

	# App sandbox file accesses.
	allow autoplay_app autoplay_data_file:dir create_dir_perms;
	allow autoplay_app autoplay_data_file:{ file sock_file fifo_file } create_file_perms;

	# For art.
	allow autoplay_app dalvikcache_data_file:file { execute r_file_perms };
	allow autoplay_app dalvikcache_data_file:lnk_file r_file_perms;
	allow autoplay_app dalvikcache_data_file:dir getattr;

	# Grant GPU access. autoplay_app needs that to render the standard UI.
	allow autoplay_app gpu_device:chr_file rw_file_perms;

	# Use the Binder.
	binder_use(autoplay_app)
	# Perform binder IPC to binder services.
	binder_call(autoplay_app, surfaceflinger)
	binder_call(autoplay_app, system_server)

	# Allow read access to ion memory allocation device
	allow autoplay_app ion_device:chr_file { read open };

	# Use pipes and sockets provided by system_server via binder or local socket.
	allow autoplay_app system_server:fifo_file rw_file_perms;
	allow autoplay_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
	allow autoplay_app system_server:tcp_socket { read write getattr getopt shutdown };

	# Inherit or receive open files from system_server.
	allow autoplay_app system_server:fd use;

	# Communicate with surfaceflinger.
	allow autoplay_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

	# Read files already opened under /data.
	allow autoplay_app system_data_file:file { getattr read };
	allow autoplay_app system_data_file:lnk_file read;

	# System file accesses. Check for libraries
	allow autoplay_app system_file:dir getattr;

	# services
	allow autoplay_app accessibility_service:service_manager find;
	allow autoplay_app activity_service:service_manager find;
	allow autoplay_app assetatlas_service:service_manager find;
	allow autoplay_app connectivity_service:service_manager find;
	allow autoplay_app display_service:service_manager find;
	allow autoplay_app graphicsstats_service:service_manager find;
	allow autoplay_app input_method_service:service_manager find;
	allow autoplay_app input_service:service_manager find;
	allow autoplay_app surfaceflinger_service:service_manager find;
	allow autoplay_app textservices_service:service_manager find;

	###
	### neverallow rules
	###

	# Receive or send uevent messages.
	neverallow autoplay_app domain:netlink_kobject_uevent_socket *;

	# Receive or send generic netlink messages
	neverallow autoplay_app domain:netlink_socket *;

	# Too much leaky information in debugfs. It's a security
	# best practice to ensure these files aren't readable.
	neverallow autoplay_app debugfs:file read;

	# execute gpu_device
	neverallow autoplay_app gpu_device:chr_file execute;

	# access files in /sys with the default sysfs label
	neverallow autoplay_app sysfs:file *;