#
# Domain for apps running under the system UID (e.g. com.android.system.ui,
# com.android.settings). Distinct from, and less privileged than, the
# system_server domain ("system") declared later in this file.
#
type system_app, domain;
app_domain(system_app)

# Binder: may call, and hand references to, every app domain.
binder_call(system_app, appdomain)
binder_transfer(system_app, appdomain)

# Create/read/write on everything labeled system_data_file. One shared
# type covers all system-UID app data; splitting it per app would let
# this be narrowed.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;

# Wallpaper is read-only from here; relabel and write stay with system_server.
allow system_app wallpaper_file:file r_file_perms;

# dalvik-cache: write and setattr only -- no create, no unlink.
allow system_app dalvikcache_data_file:file { write setattr };

# Client of the keystore daemon socket.
unix_socket_connect(system_app, keystore, keystore)

# Query (not change) the enforcing state.
selinux_getenforce(system_app)

# Tunable: SELinux administration from a system-UID app.
# NOTE(review): ships enabled. While true, any system_app process can
# switch the kernel to permissive and flip policy booleans; a build that
# does not carry the admin UI should default this to false.
bool manage_selinux true;
if (manage_selinux) {
    # Change the enforcing state.
    selinux_setenforce(system_app)

    # Change policy booleans at runtime.
    selinux_setbool(system_app)

    # Read the kernel log (used to display AVC denials).
    allow system_app kernel:system syslog_read;
}

# Tunable: MAC administration from a system-UID app.
# NOTE(review): also ships enabled, and is broader than its stated use:
# 'set' on system_prop reaches every property labeled system_prop, not
# only persist.mac_enforcing_mode, and x_file_perms on system_file is any
# system binary, not only logcat.
bool manage_mac true;
if (manage_mac) {
    # Reach init's property service ...
    unix_socket_connect(system_app, property, init)
    # ... and set properties labeled system_prop (persist.mac_enforcing_mode).
    allow system_app system_prop:property_service set;

    # Execute system binaries (logcat) and read the log device.
    allow system_app system_file:file x_file_perms;
    allow system_app log_device:chr_file read;
}
#
# Domain for system_server: spawned by zygote, hosts most of the
# framework services.
#
type system, domain, mlstrustedsubject;

# Spawned by zygote: inherit its fds, report exit to it, read its tmpfs.
allow system zygote:fd use;
allow system zygote:process sigchld;
allow system zygote_tmpfs:file read;

# Its own death is also reported to init.
allow system init:process sigchld;

# Networking and bluetooth.
net_domain(system)
bluetooth_domain(system)

# Capabilities the zygote hands to system_server, granted verbatim.
# NOTE(review): sys_module (module loading) and sys_boot (reboot) are the
# ones most worth trying to drop; the original "XXX see if we can remove
# some of these" still stands.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };

# Kernel uevent netlink sockets -- every permission on the class.
allow system self:netlink_kobject_uevent_socket *;

# Every permission on the zygote class, i.e. any argument to zygote.
allow system self:zygote *;

# Process control over app domains: signal/kill, reschedule, getattr;
# getattr only on mediaserver.
allow system appdomain:process { sigkill signal setsched getattr };
allow system mediaserver:process getattr;

# /proc/<pid> of app domains. Note this is read *and write* on the file
# and lnk_file classes, not read-only as a /proc rule might suggest.
allow system appdomain:dir r_dir_perms;
allow system appdomain:{ file lnk_file } rw_file_perms;
# Read-only /proc/<pid> for binder clients (apps and mediaserver).
r_dir_file(system, appdomain)
r_dir_file(system, mediaserver)
# Read-only /proc/<pid> for every other domain.
# NOTE(review): if this exists only to quiet denials rather than because
# system_server needs the data, a dontaudit rule grants nothing and is the
# safer form (the original flagged it as a "dontaudit candidate").
allow system domain:dir r_dir_perms;
allow system domain:file r_file_perms;

# Binder: full client and service participant; calls and reference
# transfers with both service domains and app domains.
tmpfs_domain(system)
binder_use(system)
binder_service(system)
binder_call(system, binderservicedomain)
binder_transfer(system, binderservicedomain)
binder_call(system, appdomain)
binder_transfer(system, appdomain)

# Unix-socket clients: init's property service and the native daemons.
unix_socket_connect(system, property, init)
unix_socket_connect(system, installd, installd)
unix_socket_connect(system, netd, netd)
unix_socket_connect(system, vold, vold)
unix_socket_connect(system, zygote, zygote)
unix_socket_connect(system, keystore, keystore)
unix_socket_connect(system, dbus, dbusd)
unix_socket_connect(system, gps, gpsd)
unix_socket_connect(system, bluetooth, bluetoothd)
unix_socket_connect(system, qemud, qemud)
unix_socket_send(system, wpa, wpa)

# Socket created under wifi_data_file for wpa to talk back on; new
# sock_files there get the system_wpa_socket type automatically.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system system_wpa_socket:sock_file create_file_perms;

# Property service: system and radio properties, plus the ctl interface
# (ctl_default_prop, presumably init service control -- confirm).
allow system { system_prop radio_prop ctl_default_prop }:property_service set;

# Read/write on the xt_qtaguid control file (/proc/net/xt_qtaguid/ctrl).
allow system qtaguid:file rw_file_perms;

# Device nodes. 'device' itself is rw on chr_file, so anything under /dev
# still carrying that label is reachable in addition to the specific
# types listed. NOTE(review): presumably 'device' is the default label
# for nodes without a more specific type; worth confirming nothing
# sensitive is left with it.
allow system device:dir r_dir_perms;
allow system { device akm_device accelerometer_device alarm_device graphics_device input_device tty_device urandom_device video_device qemu_device }:chr_file rw_file_perms;
allow system graphics_device:dir search;
allow system input_device:dir r_dir_perms;

# sysfs: read/write on every file. The original XXX still applies --
# labeling the needed sysfs entries (as done for the NFC power node
# below) would let this be narrowed.
allow system sysfs:file rw_file_perms;
allow system sysfs_nfc_power_writable:file rw_file_perms;

# /data: create plus full read/write on every type carrying
# data_file_type, over dirs and all non-device file classes.
# NOTE(review): data_file_type is presumably an attribute spanning every
# /data type, app-private data included; if system_server needs only a
# subset, enumerating it here is a real privilege reduction.
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;

# Cache files.
allow system cache_file:dir create_dir_perms;
allow system cache_file:file create_file_perms;

# Read files on the root fs (e.g. /file_contexts).
allow system rootfs:file r_file_perms;

# Relabel apks between their temporary and installed types.
allow system { apk_tmp_file apk_data_file }:file { relabelfrom relabelto };

# Wallpaper: relabel from system_data_file to wallpaper_file, then rw.
allow system system_data_file:file relabelfrom;
allow system wallpaper_file:file relabelto;
allow system wallpaper_file:file rw_file_perms;

# Execute system binaries (e.g. dexopt).
allow system system_file:file x_file_perms;

# Ask the kernel for SELinux access decisions.
selinux_check_access(system)