| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 1 | # |
| 2 | # Apps that run with the system UID, e.g. com.android.system.ui, |
| 3 | # com.android.settings. These are not as privileged as the system |
| 4 | # server. |
| 5 | # |
| 6 | type system_app, domain; |
| 7 | app_domain(system_app) |
| 8 | |
| 9 | # Perform binder IPC to any app domain. |
| 10 | binder_call(system_app, appdomain) |
| 11 | binder_transfer(system_app, appdomain) |
| 12 | |
| 13 | # Read and write system data files. |
| 14 | # May want to split into separate types. |
| 15 | allow system_app system_data_file:dir create_dir_perms; |
| 16 | allow system_app system_data_file:file create_file_perms; |
| 17 | |
| 18 | # Write to dalvikcache. |
| 19 | allow system_app dalvikcache_data_file:file { write setattr }; |
| 20 | |
| 21 | # Talk to keystore. |
| 22 | unix_socket_connect(system_app, keystore, keystore) |
| 23 | |
| 24 | # Read SELinux enforcing status. |
| 25 | selinux_getenforce(system_app) |
| 26 | |
| Stephen Smalley | 4c6f1ce | 2012-02-02 13:28:44 -0500 | [diff] [blame^] | 27 | bool settings_manage_selinux true; |
| 28 | if (settings_manage_selinux) { |
| 29 | # Allow settings app to set SELinux to enforcing |
| 30 | selinux_setenforce(system_app) |
| 31 | |
| 32 | # Allow settings app to set SELinux booleans |
| 33 | selinux_setbool(system_app) |
| 34 | } |
| 35 | |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 36 | # |
| 37 | # System Server aka system_server spawned by zygote. |
| 38 | # Most of the framework services run in this process. |
| 39 | # |
| 40 | type system, domain, mlstrustedsubject; |
| 41 | |
| 42 | # Child of the zygote. |
| 43 | allow system zygote:fd use; |
| 44 | allow system zygote:process sigchld; |
| 45 | allow system zygote_tmpfs:file read; |
| 46 | |
| 47 | # system server gets network and bluetooth permissions. |
| 48 | net_domain(system) |
| 49 | bluetooth_domain(system) |
| 50 | |
| 51 | # These are the capabilities assigned by the zygote to the |
| 52 | # system server. |
| 53 | # XXX See if we can remove some of these. |
| 54 | allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config }; |
| 55 | |
| 56 | # Use netlink uevent sockets. |
| 57 | allow system self:netlink_kobject_uevent_socket *; |
| 58 | |
| 59 | # Kill apps. |
| 60 | allow system appdomain:process { sigkill signal }; |
| 61 | |
| Stephen Smalley | 0d76f4e | 2012-01-10 13:21:28 -0500 | [diff] [blame] | 62 | # Set scheduling info for apps. |
| 63 | allow system appdomain:process setsched; |
| 64 | |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 65 | # Read /proc data for apps. |
| 66 | allow system appdomain:dir r_dir_perms; |
| 67 | allow system appdomain:{ file lnk_file } rw_file_perms; |
| 68 | |
| 69 | # Write to /proc/net/xt_qtaguid/ctrl. |
| 70 | # XXX Split /proc/net into its own type. |
| 71 | allow system proc:file write; |
| 72 | |
| 73 | # Notify init of death. |
| 74 | allow system init:process sigchld; |
| 75 | |
| 76 | # Talk to init and various daemons via sockets. |
| 77 | unix_socket_connect(system, property, init) |
| 78 | unix_socket_connect(system, qemud, qemud) |
| 79 | unix_socket_connect(system, installd, installd) |
| 80 | unix_socket_connect(system, netd, netd) |
| 81 | unix_socket_connect(system, vold, vold) |
| 82 | unix_socket_connect(system, zygote, zygote) |
| 83 | unix_socket_connect(system, keystore, keystore) |
| 84 | unix_socket_connect(system, dbus, dbusd) |
| 85 | unix_socket_connect(system, gps, gpsd) |
| 86 | unix_socket_connect(system, bluetooth, bluetoothd) |
| 87 | unix_socket_send(system, wpa, wpa) |
| 88 | |
| 89 | # Perform Binder IPC. |
| 90 | tmpfs_domain(system) |
| 91 | binder_use(system) |
| 92 | binder_call(system, binderservicedomain) |
| 93 | binder_call(system, appdomain) |
| 94 | binder_service(system) |
| 95 | # Transfer other Binder references. |
| 96 | binder_transfer(system, binderservicedomain) |
| 97 | binder_transfer(system, appdomain) |
| 98 | |
| 99 | # Read /proc/pid files for Binder clients. |
| 100 | r_dir_file(system, appdomain) |
| 101 | r_dir_file(system, mediaserver) |
| 102 | allow system appdomain:process getattr; |
| 103 | allow system mediaserver:process getattr; |
| 104 | |
| 105 | # Specify any arguments to zygote. |
| 106 | allow system self:zygote *; |
| 107 | |
| 108 | # Check SELinux permissions. |
| 109 | selinux_check_access(system) |
| 110 | |
| 111 | # XXX Label sysfs files with a specific type? |
| 112 | allow system sysfs:file rw_file_perms; |
| 113 | |
| 114 | # Access devices. |
| Stephen Smalley | c94e239 | 2012-01-06 10:25:53 -0500 | [diff] [blame] | 115 | allow system device:dir r_dir_perms; |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 116 | allow system device:chr_file rw_file_perms; |
| 117 | allow system akm_device:chr_file rw_file_perms; |
| 118 | allow system accelerometer_device:chr_file rw_file_perms; |
| 119 | allow system alarm_device:chr_file rw_file_perms; |
| 120 | allow system graphics_device:dir search; |
| 121 | allow system graphics_device:chr_file rw_file_perms; |
| 122 | allow system input_device:dir r_dir_perms; |
| 123 | allow system input_device:chr_file rw_file_perms; |
| 124 | allow system tty_device:chr_file rw_file_perms; |
| 125 | allow system urandom_device:chr_file rw_file_perms; |
| 126 | allow system video_device:chr_file rw_file_perms; |
| 127 | allow system qemu_device:chr_file rw_file_perms; |
| 128 | |
| 129 | # Manage data files. |
| 130 | allow system data_file_type:dir create_dir_perms; |
| 131 | allow system data_file_type:notdevfile_class_set create_file_perms; |
| 132 | |
| 133 | # Create a socket for receiving info from wpa. |
| 134 | type_transition system wifi_data_file:sock_file system_wpa_socket; |
| 135 | allow system system_wpa_socket:sock_file create_file_perms; |
| 136 | |
| 137 | # Manage cache files. |
| 138 | allow system cache_file:dir create_dir_perms; |
| 139 | allow system cache_file:file create_file_perms; |
| 140 | |
| 141 | # Run system programs, e.g. dexopt. |
| 142 | allow system system_file:file x_file_perms; |
| 143 | |
| 144 | # Silently deny any /proc accesses that are not allowed. |
| 145 | # This suppresses noise from walking the process list. |
| 146 | dontaudit system domain:dir r_dir_perms; |
| 147 | dontaudit system domain:file r_file_perms; |