| get_prop(coredomain, pm_prop) |
| get_prop(coredomain, exported_pm_prop) |
| |
| full_treble_only(` |
| neverallow { |
| coredomain |
| |
| # for chowning |
| -init |
| |
| # generic access to sysfs_type |
| -ueventd |
| -vold |
| } sysfs_leds:file *; |
| ') |
| |
| # On TREBLE devices, a limited set of files in /vendor are accessible to |
| # only a few whitelisted coredomains to keep system/vendor separation. |
| full_treble_only(` |
| # Limit access to /vendor/app |
| neverallow { |
| coredomain |
| -appdomain |
| -dex2oat |
| -idmap |
| -init |
| -installd |
| userdebug_or_eng(`-perfprofd') |
| userdebug_or_eng(`-heapprofd') |
| -postinstall_dexopt |
| -rs # spawned by appdomain, so carryover the exception above |
| -system_server |
| } vendor_app_file:dir { open read getattr search }; |
| ') |
| |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -appdomain |
| -dex2oat |
| -idmap |
| -init |
| -installd |
| userdebug_or_eng(`-perfprofd') |
| userdebug_or_eng(`-heapprofd') |
| -postinstall_dexopt |
| -rs # spawned by appdomain, so carryover the exception above |
| -system_server |
| -mediaserver |
| } vendor_app_file:file r_file_perms; |
| ') |
| |
| full_treble_only(` |
| # Limit access to /vendor/overlay |
| neverallow { |
| coredomain |
| -appdomain |
| -idmap |
| -init |
| -installd |
| -rs # spawned by appdomain, so carryover the exception above |
| -system_server |
| -app_zygote |
| -webview_zygote |
| -zygote |
| userdebug_or_eng(`-heapprofd') |
| } vendor_overlay_file:dir { getattr open read search }; |
| ') |
| |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -appdomain |
| -idmap |
| -init |
| -installd |
| -rs # spawned by appdomain, so carryover the exception above |
| -system_server |
| -app_zygote |
| -webview_zygote |
| -zygote |
| userdebug_or_eng(`-heapprofd') |
| } vendor_overlay_file:file r_file_perms; |
| ') |
| |
| # Core domains are not permitted to use kernel interfaces which are not |
| # explicitly labeled. |
| # TODO(b/65643247): Apply these neverallow rules to all coredomain. |
| full_treble_only(` |
| # /proc |
| neverallow { |
| coredomain |
| -vold |
| } proc:file no_rw_file_perms; |
| |
| # /sys |
| neverallow { |
| coredomain |
| -init |
| -ueventd |
| -vold |
| } sysfs:file no_rw_file_perms; |
| |
| # /dev |
| neverallow { |
| coredomain |
| -fsck |
| -init |
| -ueventd |
| } device:{ blk_file file } no_rw_file_perms; |
| |
| # debugfs |
| neverallow { |
| coredomain |
| -dumpstate |
| -init |
| -system_server |
| } debugfs:file no_rw_file_perms; |
| |
| # tracefs |
| neverallow { |
| coredomain |
| -atrace |
| -dumpstate |
| -init |
| userdebug_or_eng(`-perfprofd') |
| -traced_probes |
| -shell |
| -traceur_app |
| } debugfs_tracing:file no_rw_file_perms; |
| |
| # inotifyfs |
| neverallow { |
| coredomain |
| -init |
| } inotify:file no_rw_file_perms; |
| |
| # pstorefs |
| neverallow { |
| coredomain |
| -bootstat |
| -charger |
| -dumpstate |
| -healthd |
| userdebug_or_eng(`-incidentd') |
| -init |
| -logd |
| -logpersist |
| -recovery_persist |
| -recovery_refresh |
| -shell |
| -system_server |
| } pstorefs:file no_rw_file_perms; |
| |
| # configfs |
| neverallow { |
| coredomain |
| -init |
| -system_server |
| } configfs:file no_rw_file_perms; |
| |
| # functionfs |
| neverallow { |
| coredomain |
| -adbd |
| -init |
| -mediaprovider |
| -system_server |
| } functionfs:file no_rw_file_perms; |
| |
| # usbfs and binfmt_miscfs |
| neverallow { |
| coredomain |
| -init |
| }{ usbfs binfmt_miscfs }:file no_rw_file_perms; |
| ') |
| |
| # Following /dev nodes must not be directly accessed by coredomain, but should |
| # instead be wrapped by HALs. |
| neverallow coredomain { |
| iio_device |
| radio_device |
| }:chr_file { open read append write ioctl }; |
| |
| # TODO(b/120243891): HAL permission to tee_device is included into coredomain |
| # on non-Treble devices. |
| full_treble_only(` |
| neverallow coredomain tee_device:chr_file { open read append write ioctl }; |
| ') |