#
# Type enforcement rules for two domains: system_app (apps that run
# with the system UID) and system (the system server process).
#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
type system_app, domain;
# app_domain() is a macro defined outside this file; presumably it adds
# the rules shared by all app domains (the appdomain attribute used below).
app_domain(system_app)

# Perform binder IPC to any app domain.
# Both are macros defined outside this file.
binder_call(system_app, appdomain)
binder_transfer(system_app, appdomain)

# Read and write system data files.
# May want to split into separate types.
# NOTE(review): create_dir_perms/create_file_perms cover all of
# system_data_file; splitting the type would narrow what a compromised
# system-UID app can create, modify or remove.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;

# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;

# Write to dalvikcache.
# Only write and setattr are granted; the rule does not include create
# or unlink.
allow system_app dalvikcache_data_file:file { write setattr };

# Talk to keystore.
unix_socket_connect(system_app, keystore, keystore)

# Read SELinux enforcing status.
selinux_getenforce(system_app)

# Tunable: when manage_selinux is true, system-UID apps may change the
# enforcing mode, set SELinux booleans and read the kernel syslog.
# NOTE(review): the boolean defaults to true. selinux_setenforce lets a
# system-UID app switch the kernel to permissive mode, which turns off
# every rule in this policy; confirm the default for production builds.
bool manage_selinux true;
if (manage_selinux) {
# Set SELinux enforcing status.
selinux_setenforce(system_app)

# Set SELinux booleans.
selinux_setbool(system_app)

# Read syslog to display AVC messages.
allow system_app kernel:system syslog_read;
}

# Tunable: when manage_mac is true, system-UID apps may set system
# properties, execute files labeled system_file and read the log device.
bool manage_mac true;
if (manage_mac) {
# Set properties via the init property service.
unix_socket_connect(system_app, property, init)

# Set the persist.mac_enforcing_mode property.
# Note: the grant is on the whole system_prop type, so every property
# labeled system_prop can be set, not just this one.
allow system_app system_prop:property_service set;

# Run logcat and read the logs for MAC denials.
# x_file_perms on system_file allows executing any file labeled
# system_file, not only logcat.
allow system_app system_file:file x_file_perms;
allow system_app log_device:chr_file read;
}

#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# mlstrustedsubject presumably exempts this domain from the MLS
# constraints defined elsewhere in the policy.
type system, domain, mlstrustedsubject;

# Child of the zygote.
allow system zygote:fd use;
allow system zygote:process sigchld;
allow system zygote_tmpfs:file read;

# system server gets network and bluetooth permissions.
# net_domain() and bluetooth_domain() are macros defined outside this file.
net_domain(system)
bluetooth_domain(system)

# These are the capabilities assigned by the zygote to the
# system server.
# XXX See if we can remove some of these.
# NOTE(review): sys_module (kernel module loading) and sys_boot are the
# most powerful entries here and the first candidates for the removal
# the XXX note asks for.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };

# Trigger module auto-load.
allow system kernel:system module_request;

# Use netlink uevent sockets.
# '*' grants every permission of the netlink_kobject_uevent_socket
# class; enumerating the permissions actually used would tighten this.
allow system self:netlink_kobject_uevent_socket *;

# Kill apps.
allow system appdomain:process { sigkill signal };

# Set scheduling info for apps.
allow system appdomain:process setsched;

# Read /proc data for apps.
# NOTE(review): the comment says read, but the second rule grants
# rw_file_perms on app /proc files and symlinks; confirm write is
# needed and, if so, which /proc entries require it.
allow system appdomain:dir r_dir_perms;
allow system appdomain:{ file lnk_file } rw_file_perms;

# Write to /proc/net/xt_qtaguid/ctrl.
allow system qtaguid_proc:file rw_file_perms;
allow system qtaguid_device:chr_file rw_file_perms;

# Notify init of death.
allow system init:process sigchld;

# Talk to init and various daemons via sockets.
# unix_socket_connect() and unix_socket_send() are macros defined outside
# this file; from their use here the arguments appear to be
# (client domain, socket type, server domain).
unix_socket_connect(system, property, init)
unix_socket_connect(system, qemud, qemud)
unix_socket_connect(system, installd, installd)
unix_socket_connect(system, netd, netd)
unix_socket_connect(system, vold, vold)
unix_socket_connect(system, zygote, zygote)
unix_socket_connect(system, keystore, keystore)
unix_socket_connect(system, dbus, dbusd)
unix_socket_connect(system, gps, gpsd)
unix_socket_connect(system, bluetooth, bluetoothd)
unix_socket_send(system, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
# All of these are macros defined outside this file.
tmpfs_domain(system)
binder_use(system)
binder_call(system, binderservicedomain)
binder_call(system, appdomain)
binder_service(system)
# Transfer other Binder references.
binder_transfer(system, binderservicedomain)
binder_transfer(system, appdomain)

# Read /proc/pid files for Binder clients.
r_dir_file(system, appdomain)
r_dir_file(system, mediaserver)
allow system appdomain:process getattr;
allow system mediaserver:process getattr;

# Specify any arguments to zygote.
# '*' grants every permission of the zygote class.
allow system self:zygote *;

# Check SELinux permissions.
selinux_check_access(system)

# XXX Label sysfs files with a specific type?
# Until then this is read/write on every file carrying the generic sysfs
# label; sysfs_nfc_power_writable is the per-file labeling pattern.
allow system sysfs:file rw_file_perms;
allow system sysfs_nfc_power_writable:file rw_file_perms;

# Access devices.
# NOTE(review): the first three rules are on the generic device type, so
# they cover every device node that has no more specific label; the
# per-device types that follow are the narrower pattern.
allow system device:dir r_dir_perms;
allow system device:chr_file rw_file_perms;
allow system device:sock_file rw_file_perms;
allow system akm_device:chr_file rw_file_perms;
allow system accelerometer_device:chr_file rw_file_perms;
allow system alarm_device:chr_file rw_file_perms;
allow system graphics_device:dir search;
allow system graphics_device:chr_file rw_file_perms;
allow system input_device:dir r_dir_perms;
allow system input_device:chr_file rw_file_perms;
allow system tty_device:chr_file rw_file_perms;
allow system urandom_device:chr_file rw_file_perms;
allow system video_device:chr_file rw_file_perms;
allow system qemu_device:chr_file rw_file_perms;

# Manage data files.
# data_file_type is an attribute, so this grants full create/delete
# rights over every data file type that carries it.
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;

# Read /file_contexts.
allow system rootfs:file r_file_perms;

# Relabel apk files.
allow system apk_tmp_file:file { relabelfrom relabelto };
allow system apk_data_file:file { relabelfrom relabelto };

# Relabel wallpaper.
# relabelfrom on system_data_file plus relabelto on wallpaper_file is the
# pair needed to move a file from the former label to the latter.
allow system system_data_file:file relabelfrom;
allow system wallpaper_file:file relabelto;
allow system wallpaper_file:file rw_file_perms;

# Property Service write
allow system system_prop:property_service set;
allow system radio_prop:property_service set;

# ctl interface
# Presumably the ctl.* properties that init acts on; verify against the
# property contexts.
allow system ctl_default_prop:property_service set;

# Create a socket for receiving info from wpa.
# Sockets that system creates inside a wifi_data_file directory are
# labeled system_wpa_socket by this type_transition.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system system_wpa_socket:sock_file create_file_perms;

# Manage cache files.
allow system cache_file:dir create_dir_perms;
allow system cache_file:file create_file_perms;

# Run system programs, e.g. dexopt.
allow system system_file:file x_file_perms;

# Allow reading of /proc/pid data for other domains.
# XXX dontaudit candidate
# domain is the attribute the process types in this file carry
# (type ..., domain), so this reaches the /proc entries of every type
# with that attribute.
allow system domain:dir r_dir_perms;
allow system domain:file r_file_perms;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system gps_device:chr_file rw_file_perms;
allow system gps_control:file rw_file_perms;

# system Read/Write udp_socket of untrusted_app
# NOTE(review): the rule is on the appdomain attribute, so it applies to
# every app domain, not only untrusted_app; narrow the target or fix
# the comment.
allow system appdomain:udp_socket { read write };