policy/modules/contrib/android.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

policy_module(android, 1.0.0)

############################
#
# Declarations
#

# adb needs to be labelled with android_tools_exec_t
type android_tools_t;
type android_tools_exec_t; # customizable
userdom_user_application_domain(android_tools_t, android_tools_exec_t)

type android_tmp_t;
userdom_user_tmp_file(android_tmp_t)

# for X server SHM
type android_tmpfs_t;
userdom_user_tmpfs_file(android_tmpfs_t)

type android_java_t;
type android_java_exec_t;
userdom_user_application_domain(android_java_t, android_java_exec_t)
java_domain_type(android_java_t)

# the android dir ~/.android/, ~/.AndroidStudio/
# this is customizable since the sdk needs to be labelled
type android_home_t; # customizable
userdom_user_home_content(android_home_t)
userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })

type android_sdk_t;
files_type(android_sdk_t)

############################
#
# Android Tools Policy Rules
#

# this domain has access to usb and is intended for adb and fastboot
# the java domain can run these tools

allow android_tools_t self:process { execmem signal_perms };

allow android_tools_t self:fifo_file rw_fifo_file_perms;
allow android_tools_t self:tcp_socket create_stream_socket_perms;

can_exec(android_tools_t, android_tools_exec_t)

manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
manage_files_pattern(android_tools_t, android_home_t, android_home_t)

list_dirs_pattern(android_tools_t, android_sdk_t, android_sdk_t)
read_files_pattern(android_tools_t, android_sdk_t, android_sdk_t)

files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)

corecmd_list_bin(android_tools_t)

corenet_tcp_bind_adb_port(android_tools_t)
corenet_tcp_bind_generic_node(android_tools_t)
corenet_tcp_connect_adb_port(android_tools_t)

dev_read_sysfs(android_tools_t)
dev_rw_generic_usb_dev(android_tools_t)

files_read_etc_files(android_tools_t)

userdom_manage_user_home_content_dirs(android_tools_t)
userdom_manage_user_home_content_files(android_tools_t)
userdom_search_user_home_content(android_tools_t)
userdom_use_user_terminals(android_tools_t)

sysnet_dns_name_resolve(android_tools_t)


############################
#
# Android Java Policy Rules
#

# this domain is for java and android studio and
# all the (java-based) build tools

allow android_java_t self:tcp_socket { accept listen };

can_exec(android_java_t, android_home_t)
can_exec(android_java_t, android_java_exec_t)
can_exec(android_java_t, android_sdk_t)

manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
manage_files_pattern(android_java_t, android_home_t, android_home_t)

manage_dirs_pattern(android_java_t, android_sdk_t, android_sdk_t)
manage_files_pattern(android_java_t, android_sdk_t, android_sdk_t)

manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)

corecmd_exec_bin(android_java_t)
corecmd_exec_shell(android_java_t)

corenet_tcp_bind_all_unreserved_ports(android_java_t)
corenet_tcp_bind_generic_node(android_java_t)
corenet_tcp_connect_adb_port(android_java_t)
corenet_tcp_connect_http_port(android_java_t)
corenet_udp_bind_generic_node(android_java_t)

dev_rw_kvm(android_java_t)
dev_rw_dri(android_java_t)
dev_read_sysfs(android_java_t)

domain_dontaudit_getattr_all_domains(android_java_t)
domain_dontaudit_search_all_domains_state(android_java_t)

miscfiles_read_fonts(android_java_t)
miscfiles_read_localization(android_java_t)

userdom_use_user_terminals(android_java_t)
userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio")

android_tools_domtrans(android_java_t)

dbus_all_session_bus_client(android_java_t)

xdg_read_config_home_files(android_java_t)

xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)