Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 1 | # |
| 2 | # Apps that run with the system UID, e.g. com.android.system.ui, |
| 3 | # com.android.settings. These are not as privileged as the system |
| 4 | # server. |
| | # All system-UID apps share this single domain, so every rule |
| | # below is reachable from any of them, not only the app it was |
| | # added for. |
| 5 | # |
| 6 | type system_app, domain; |
| 7 | app_domain(system_app) |
| 8 | |
| 9 | # Perform binder IPC to any app domain. |
| 10 | binder_call(system_app, appdomain) |
| 11 | binder_transfer(system_app, appdomain) |
| 12 | |
| 13 | # Read and write system data files. |
| 14 | # May want to split into separate types. |
| 15 | allow system_app system_data_file:dir create_dir_perms; |
| 16 | allow system_app system_data_file:file create_file_perms; |
| 17 | |
Stephen Smalley | f6cbbe2 | 2012-03-19 10:29:36 -0400 | [diff] [blame] | 18 | # Read wallpaper file. |
| 19 | allow system_app wallpaper_file:file r_file_perms; |
| 20 | |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 21 | # Write to dalvikcache. |
| | # Only write/setattr on existing files is granted (no create, |
| | # unlink or relabel). It still lets a system_app alter cached dex |
| | # that is presumably loaded by other processes, so do not widen |
| | # this casually. |
| 22 | allow system_app dalvikcache_data_file:file { write setattr }; |
| 23 | |
| 24 | # Talk to keystore. |
| 25 | unix_socket_connect(system_app, keystore, keystore) |
| 26 | |
| 27 | # Read SELinux enforcing status. |
| 28 | selinux_getenforce(system_app) |
| 29 | |
| | # Runtime toggle for the Settings app's SELinux controls. It |
| | # defaults to true, so on an unmodified build any system-UID app |
| | # (not only Settings) can change the enforcing state and flip |
| | # policy booleans. NOTE(review): setenforce presumably permits |
| | # writing either value, so a compromised system_app could put the |
| | # system into permissive mode; consider defaulting this to false |
| | # on production builds and enabling it only where needed. |
Stephen Smalley | 4c6f1ce | 2012-02-02 13:28:44 -0500 | [diff] [blame] | 30 | bool settings_manage_selinux true; |
| 31 | if (settings_manage_selinux) { |
| 32 | # Allow settings app to set SELinux to enforcing |
| 33 | selinux_setenforce(system_app) |
| 34 | |
| 35 | # Allow settings app to set SELinux booleans (changes policy at runtime) |
| 36 | selinux_setbool(system_app) |
| 37 | } |
| 38 | |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 39 | # |
| 40 | # System Server aka system_server spawned by zygote. |
| 41 | # Most of the framework services run in this process. |
| | # mlstrustedsubject marks the domain as trusted for MLS, i.e. |
| | # exempt from the MLS constraints. |
| 42 | # |
| 43 | type system, domain, mlstrustedsubject; |
| 44 | |
| 45 | # Child of the zygote. |
| 46 | allow system zygote:fd use; |
| 47 | allow system zygote:process sigchld; |
| 48 | allow system zygote_tmpfs:file read; |
| 49 | |
| 50 | # system server gets network and bluetooth permissions. |
| 51 | net_domain(system) |
| 52 | bluetooth_domain(system) |
| 53 | |
| 54 | # These are the capabilities assigned by the zygote to the |
| 55 | # system server. |
| 56 | # XXX See if we can remove some of these. |
| | # sys_module (kernel module loading) and sys_boot in particular |
| | # make a compromised system server effectively kernel-equivalent; |
| | # net_admin and net_raw are broad as well. |
| 57 | allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config }; |
| 58 | |
| 59 | # Use netlink uevent sockets ('*' grants every permission on the class). |
| 60 | allow system self:netlink_kobject_uevent_socket *; |
| 61 | |
| 62 | # Kill apps. |
| 63 | allow system appdomain:process { sigkill signal }; |
| 64 | |
Stephen Smalley | 0d76f4e | 2012-01-10 13:21:28 -0500 | [diff] [blame] | 65 | # Set scheduling info for apps. |
| 66 | allow system appdomain:process setsched; |
| 67 | |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 68 | # Read and write /proc data for apps. |
| | # Note that rw_file_perms, not r_file_perms, is granted on app |
| | # /proc files and symlinks -- presumably for per-process tunables |
| | # the framework writes. Narrow to r_file_perms if no write turns |
| | # out to be needed; read alone is already covered by the |
| | # r_dir_file rule further down. |
| 69 | allow system appdomain:dir r_dir_perms; |
| 70 | allow system appdomain:{ file lnk_file } rw_file_perms; |
| 71 | |
| 72 | # Write to /proc/net/xt_qtaguid/ctrl. |
| 73 | # XXX Split /proc/net into its own type. |
| | # Until then this grants write on every file carrying the generic |
| | # proc type, far more than the one control file named above. |
| 74 | allow system proc:file write; |
| 75 | |
| 76 | # Notify init of death. |
| 77 | allow system init:process sigchld; |
| 78 | |
| 79 | # Talk to init and various daemons via sockets. |
| 80 | unix_socket_connect(system, property, init) |
| 81 | unix_socket_connect(system, qemud, qemud) |
| 82 | unix_socket_connect(system, installd, installd) |
| 83 | unix_socket_connect(system, netd, netd) |
| 84 | unix_socket_connect(system, vold, vold) |
| 85 | unix_socket_connect(system, zygote, zygote) |
| 86 | unix_socket_connect(system, keystore, keystore) |
| 87 | unix_socket_connect(system, dbus, dbusd) |
| 88 | unix_socket_connect(system, gps, gpsd) |
| 89 | unix_socket_connect(system, bluetooth, bluetoothd) |
| 90 | unix_socket_send(system, wpa, wpa) |
| 91 | |
| 92 | # Perform Binder IPC. |
| 93 | tmpfs_domain(system) |
| 94 | binder_use(system) |
| 95 | binder_call(system, binderservicedomain) |
| 96 | binder_call(system, appdomain) |
| 97 | binder_service(system) |
| 98 | # Transfer other Binder references. |
| 99 | binder_transfer(system, binderservicedomain) |
| 100 | binder_transfer(system, appdomain) |
| 101 | |
| 102 | # Read /proc/pid files for Binder clients. |
| 103 | r_dir_file(system, appdomain) |
| 104 | r_dir_file(system, mediaserver) |
| 105 | allow system appdomain:process getattr; |
| 106 | allow system mediaserver:process getattr; |
| 107 | |
| 108 | # Specify any arguments to zygote ('*' grants every zygote permission). |
| 109 | allow system self:zygote *; |
| 110 | |
| 111 | # Check SELinux permissions. |
| 112 | selinux_check_access(system) |
| 113 | |
| 114 | # XXX Label sysfs files with a specific type? |
| | # rw on the generic sysfs type reaches every sysfs file that has |
| | # no more specific label; sysfs_nfc_power_writable below appears |
| | # to be one such split-out type. |
| 115 | allow system sysfs:file rw_file_perms; |
Stephen Smalley | f794823 | 2012-03-19 15:56:01 -0400 | [diff] [blame^] | 116 | allow system sysfs_nfc_power_writable:file rw_file_perms; |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 117 | |
| 118 | # Access devices. |
| | # rw on the generic device type covers any device node that has |
| | # not been given a more specific label; the per-device rules |
| | # below are the ones a narrowed policy should keep. |
Stephen Smalley | c94e239 | 2012-01-06 10:25:53 -0500 | [diff] [blame] | 119 | allow system device:dir r_dir_perms; |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 120 | allow system device:chr_file rw_file_perms; |
| 121 | allow system akm_device:chr_file rw_file_perms; |
| 122 | allow system accelerometer_device:chr_file rw_file_perms; |
| 123 | allow system alarm_device:chr_file rw_file_perms; |
| 124 | allow system graphics_device:dir search; |
| 125 | allow system graphics_device:chr_file rw_file_perms; |
| 126 | allow system input_device:dir r_dir_perms; |
| 127 | allow system input_device:chr_file rw_file_perms; |
| 128 | allow system tty_device:chr_file rw_file_perms; |
| 129 | allow system urandom_device:chr_file rw_file_perms; |
| 130 | allow system video_device:chr_file rw_file_perms; |
| 131 | allow system qemu_device:chr_file rw_file_perms; |
| 132 | |
| 133 | # Manage data files. |
| | # data_file_type is an attribute, so this presumably covers every |
| | # type under /data (app-private data included), across all |
| | # non-device file classes. |
| 134 | allow system data_file_type:dir create_dir_perms; |
| 135 | allow system data_file_type:notdevfile_class_set create_file_perms; |
| 136 | |
Stephen Smalley | 59d2803 | 2012-03-19 10:24:52 -0400 | [diff] [blame] | 137 | # Read /file_contexts. |
| | # Granted on the whole rootfs type, not only /file_contexts. |
| 138 | allow system rootfs:file r_file_perms; |
| 139 | |
| 140 | # Relabel apk files. |
| 141 | allow system apk_tmp_file:file { relabelfrom relabelto }; |
| 142 | allow system apk_data_file:file { relabelfrom relabelto }; |
| 143 | |
Stephen Smalley | f6cbbe2 | 2012-03-19 10:29:36 -0400 | [diff] [blame] | 144 | # Relabel wallpaper. |
| | # relabelfrom on system_data_file combines with every relabelto |
| | # this domain holds (wallpaper_file here, the apk types above), |
| | # so a system_data_file can be relabeled to any of those. |
| 145 | allow system system_data_file:file relabelfrom; |
| 146 | allow system wallpaper_file:file relabelto; |
| 147 | allow system wallpaper_file:file r_file_perms; |
| 148 | |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 149 | # Create a socket for receiving info from wpa. |
| 150 | type_transition system wifi_data_file:sock_file system_wpa_socket; |
| 151 | allow system system_wpa_socket:sock_file create_file_perms; |
| 152 | |
| 153 | # Manage cache files. |
| 154 | allow system cache_file:dir create_dir_perms; |
| 155 | allow system cache_file:file create_file_perms; |
| 156 | |
| 157 | # Run system programs, e.g. dexopt. |
| 158 | allow system system_file:file x_file_perms; |
| 159 | |
Stephen Smalley | c83d008 | 2012-03-07 14:59:01 -0500 | [diff] [blame] | 160 | # Allow reading of /proc/pid data for other domains. |
| | # 'domain' is the attribute of every process domain, so this is |
| | # read access to /proc/pid of every process on the system. |
| 161 | # XXX dontaudit candidate |
| 162 | allow system domain:dir r_dir_perms; |
| 163 | allow system domain:file r_file_perms; |