prebuilts/api/31.0/private/domain.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # Transition to crash_dump when /system/bin/crash_dump* is executed.
 # This occurs when the process crashes.
 # We do not apply this to the su domain to avoid interfering with
 # tests (b/114136122)
 domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;

 # Allow every process to check the heapprofd.enable properties to determine
 # whether to load the heap profiling library. This does not necessarily enable
 # heap profiling, as initialization will fail if it does not have the
 # necessary SELinux permissions.
 get_prop(domain, heapprofd_prop);
 # Allow heap profiling on debug builds.
 userdebug_or_eng(`can_profile_heap({
   domain
   -bpfloader
   -init
   -kernel
   -keystore
   -llkd
   -logd
   -logpersist
   -recovery
   -recovery_persist
   -recovery_refresh
   -ueventd
   -vendor_init
   -vold
 })')

 # As above, allow perf profiling most processes on debug builds.
 # zygote is excluded as system-wide profiling could end up with it
 # (unexpectedly) holding an open fd across a fork.
 userdebug_or_eng(`can_profile_perf({
   domain
   -bpfloader
   -init
   -kernel
   -keystore
   -llkd
   -logd
   -logpersist
   -recovery
   -recovery_persist
   -recovery_refresh
   -ueventd
   -vendor_init
   -vold
   -zygote
 })')

 # Everyone can access the IncFS list of features.
 r_dir_file(domain, sysfs_fs_incfs_features);

 # Path resolution access in cgroups.
 allow domain cgroup:dir search;
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;

 allow domain cgroup_v2:dir search;
 allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;

 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
 allow domain task_profiles_api_file:file r_file_perms;
 allow domain vendor_task_profiles_file:file r_file_perms;

 # Allow all domains to read sys.use_memfd to determine
 # if memfd support can be used if device supports it
 get_prop(domain, use_memfd_prop);

 # Read access to sdkextensions props
 get_prop(domain, module_sdkextensions_prop)

 # Read access to bq configuration values
 get_prop(domain, bq_config_prop);

 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
     # DO NOT ADD ANY PROPERTIES HERE
     get_prop(domain, core_property_type)
     get_prop(domain, exported3_system_prop)
     get_prop(domain, vendor_default_prop)
 ')
 compatible_property_only(`
     # DO NOT ADD ANY PROPERTIES HERE
     get_prop({coredomain appdomain shell}, core_property_type)
     get_prop({coredomain appdomain shell}, exported3_system_prop)
     get_prop({coredomain appdomain shell}, exported_camera_prop)
     get_prop({coredomain shell}, userspace_reboot_exported_prop)
     get_prop({coredomain shell}, userspace_reboot_log_prop)
     get_prop({coredomain shell}, userspace_reboot_test_prop)
     get_prop({domain -coredomain -appdomain}, vendor_default_prop)
 ')

 # Allow access to fsverity keyring.
 allow domain kernel:key search;
 # Allow access to keys in the fsverity keyring that were installed at boot.
 allow domain fsverity_init:key search;
 # For testing purposes, allow access to keys installed with su.
 userdebug_or_eng(`
   allow domain su:key search;
 ')

 # Allow access to linkerconfig file
 allow domain linkerconfig_file:dir search;
 allow domain linkerconfig_file:file r_file_perms;

 # Allow all processes to check for the existence of the boringssl_self_test_marker files.
 allow domain boringssl_self_test_marker:dir search;

 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these allowlisted domains.
 neverallow {
   domain
   -vold
   userdebug_or_eng(`-llkd')
   -dumpstate
   userdebug_or_eng(`-incidentd')
   userdebug_or_eng(`-profcollectd')
   -storaged
   -system_server
 } self:global_capability_class_set sys_ptrace;

 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
 neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
 neverallow { domain -system_server } *:keystore2_key use_dev_id;
 neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };

 neverallow {
   domain
   -init
   -vendor_init
   userdebug_or_eng(`-domain')
 } debugfs_tracing_debug:file no_rw_file_perms;

 # System_server owns dropbox data, and init creates/restorecons the directory
 # Disallow direct access by other processes.
 neverallow { domain -init -system_server } dropbox_data_file:dir *;
 neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };

 ###
 # Services should respect app sandboxes
 neverallow {
   domain
   -appdomain
   -installd # creation of sandbox
 } { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

 # Only the following processes should be directly accessing private app
 # directories.
 neverallow {
   domain
   -adbd
   -appdomain
   -app_zygote
   -dexoptanalyzer
   -installd
   -iorap_inode2filename
   -iorap_prefetcherd
   -profman
   -rs # spawned by appdomain, so carryover the exception above
   -runas
   -system_server
   -viewcompiler
   -zygote
 } { privapp_data_file app_data_file }:dir *;

 # Only apps should be modifying app data. installd is exempted for
 # restorecon and package install/uninstall.
 neverallow {
   domain
   -appdomain
   -installd
   -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:dir ~r_dir_perms;

 neverallow {
   domain
   -appdomain
   -app_zygote
   -installd
   -iorap_prefetcherd
   -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:file_class_set open;

 neverallow {
   domain
   -appdomain
   -installd # creation of sandbox
 } { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

 neverallow {
   domain
   -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

 # The staging directory contains APEX and APK files. It is important to ensure
 # that these files cannot be accessed by other domains to ensure that the files
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
 neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.
 neverallow { domain -init -system_server } staging_data_file:file
   { append create relabelfrom rename setattr write no_x_file_perms };

 neverallow {
     domain
     -appdomain # for oemfs
     -bootanim # for oemfs
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;

 #
 # Assert that, to the extent possible, we're not loading executable content from
 # outside the rootfs or /system partition except for a few allowlisted domains.
 # Executable files loaded from /data is a persistence vector
 # we want to avoid. See
 # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 #
 neverallow {
     domain
     -appdomain
     with_asan(`-asan_extract')
     -iorap_prefetcherd
     -shell
     userdebug_or_eng(`-su')
     -system_server_startup # for memfd backed executable regions
     -app_zygote
     -webview_zygote
     -zygote
     userdebug_or_eng(`-mediaextractor')
     userdebug_or_eng(`-mediaswcodec')
 } {
     file_type
     -system_file_type
     -system_lib_file
     -system_linker_exec
     -vendor_file_type
     -exec_type
     -postinstall_file
 }:file execute;

 # Only init is allowed to write cgroup.rc file
 neverallow {
   domain
   -init
   -vendor_init
 } cgroup_rc_file:file no_w_file_perms;

 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
   domain
   -init # TODO: limit init to relabelfrom for files
   -zygote
   -installd
   -postinstall_dexopt
   -cppreopts
   -dex2oat
   -otapreopt_slot
 } dalvikcache_data_file:file no_w_file_perms;

 neverallow {
   domain
   -init
   -installd
   -postinstall_dexopt
   -cppreopts
   -dex2oat
   -zygote
   -otapreopt_slot
 } dalvikcache_data_file:dir no_w_dir_perms;

 # Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
 # contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
 neverallow {
   domain
   # art processes
   -odrefresh
   -odsign
   # others
   -apexd
   -init
   -vold_prepare_subdirs
 } apex_art_data_file:file no_w_file_perms;

 neverallow {
   domain
   # art processes
   -odrefresh
   -odsign
   # others
   -apexd
   -init
   -vold_prepare_subdirs
 } apex_art_data_file:dir no_w_dir_perms;

 # Protect most domains from executing arbitrary content from /data.
 neverallow {
   domain
   -appdomain
 } {
   data_file_type
   -apex_art_data_file
   -dalvikcache_data_file
   -system_data_file # shared libs in apks
   -apk_data_file
 }:file no_x_file_perms;

 # Minimize dac_override and dac_read_search.
 # Instead of granting them it is usually better to add the domain to
 # a Unix group or change the permissions of a file.
 define(`dac_override_allowed', `{
   apexd
   dnsmasq
   dumpstate
   init
   installd
   userdebug_or_eng(`llkd')
   lmkd
   migrate_legacy_obb_data
   netd
   postinstall_dexopt
   recovery
   rss_hwm_reset
   sdcardd
   tee
   ueventd
   uncrypt
   vendor_init
   vold
   vold_prepare_subdirs
   zygote
 }')
 neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
 # Since the kernel checks dac_read_search before dac_override, domains that
 # have dac_override should also have dac_read_search to eliminate spurious
 # denials.  Some domains have dac_read_search without having dac_override, so
 # this list should be a superset of the one above.
 neverallow ~{
   dac_override_allowed
   iorap_inode2filename
   iorap_prefetcherd
   traced_perf
   traced_probes
   heapprofd
 } self:global_capability_class_set dac_read_search;

 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
 # this capability, including device-specific domains.
 neverallow {
     domain
     -apexd
     recovery_only(`-fastbootd')
     -init
     -kernel
     -otapreopt_chroot
     -recovery
     -update_engine
     -vold
     -zygote
 } { fs_type
     -sdcard_type
 }:filesystem { mount remount relabelfrom relabelto };

 enforce_debugfs_restriction(`
   neverallow {
     domain userdebug_or_eng(`-init')
   } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
 ')

 # Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
 neverallow {
   domain
   userdebug_or_eng(`-domain')
   -kernel
   -gsid
   -init
   -recovery
   -ueventd
   -healthd
   -uncrypt
   -tee
   -hal_bootctl_server
   -fastbootd
 } self:global_capability_class_set sys_rawio;

 # Limit directory operations that doesn't need to do app data isolation.
 neverallow {
   domain
   -init
   -installd
   -zygote
 } mirror_data_file:dir *;

 # This property is being removed. Remove remaining access.
 neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
 neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;

 # Only core domains are allowed to access package_manager properties
 neverallow { domain -init -system_server } pm_prop:property_service set;
 neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

 # Do not allow reading the last boot timestamp from system properties
 neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

 # Kprobes should only be used by adb root
 neverallow { domain -init -vendor_init } debugfs_kprobes:file *;

 # On TREBLE devices, most coredomains should not access vendor_files.
 # TODO(b/71553434): Remove exceptions here.
 full_treble_only(`
   neverallow {
     coredomain
     -appdomain
     -bootanim
     -crash_dump
     -heapprofd
     userdebug_or_eng(`-profcollectd')
     -init
     -iorap_inode2filename
     -iorap_prefetcherd
     -kernel
     -traced_perf
     -ueventd
   } vendor_file:file { no_w_file_perms no_x_file_perms open };
 ')

 # Vendor domains are not permitted to initiate communications to core domain sockets
 full_treble_only(`
   neverallow_establish_socket_comms({
     domain
     -coredomain
     -appdomain
     -socket_between_core_and_vendor_violators
   }, {
     coredomain
     -logd # Logging by writing to logd Unix domain socket is public API
     -netd # netdomain needs this
     -mdnsd # netdomain needs this
     userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
     -init
     -tombstoned # linker to tombstoned
     userdebug_or_eng(`-heapprofd')
     userdebug_or_eng(`-traced_perf')
   });
 ')

 full_treble_only(`
   # Do not allow system components access to /vendor files except for the
   # ones allowed here.
   neverallow {
     coredomain
     # TODO(b/37168747): clean up fwk access to /vendor
     -crash_dump
     -init # starts vendor executables
     -iorap_inode2filename
     -iorap_prefetcherd
     -kernel # loads /vendor/firmware
     -heapprofd
     userdebug_or_eng(`-profcollectd')
     -shell
     -system_executes_vendor_violators
     -traced_perf # library/binary access for symbolization
     -ueventd # reads /vendor/ueventd.rc
     -vold # loads incremental fs driver
   } {
     vendor_file_type
     -same_process_hal_file
     -vendor_app_file
     -vendor_apex_file
     -vendor_configs_file
     -vendor_service_contexts_file
     -vendor_framework_file
     -vendor_idc_file
     -vendor_keychars_file
     -vendor_keylayout_file
     -vendor_overlay_file
     -vendor_public_framework_file
     -vendor_public_lib_file
     -vendor_task_profiles_file
     -vndk_sp_file
   }:file *;
 ')

 # mlsvendorcompat is only for compatibility support for older vendor
 # images, and should not be granted to any domain in current policy.
 # (Every domain is allowed self:fork, so this will trigger if the
 # intsersection of domain & mlsvendorcompat is not empty.)
 neverallow domain mlsvendorcompat:process fork;

 # Only init and otapreopt_chroot should be mounting filesystems on locations
 # labeled system or vendor (/product and /vendor respectively).
 neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;

 # Only allow init and vendor_init to read/write mm_events properties
 # NOTE: dumpstate is allowed to read any system property
 neverallow {
   domain
   -init
   -vendor_init
   -dumpstate
 } mm_events_config_prop:file no_rw_file_perms;

 # Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
 # kernel traces. Addresses are not disclosed, they are repalced with symbol
 # names (if available). Traces don't disclose KASLR.
 neverallow {
   domain
   -init
   userdebug_or_eng(`-profcollectd')
   -vendor_init
   -traced_probes
   -traced_perf
 } proc_kallsyms:file { open read };

 # debugfs_kcov type is not included in this neverallow statement since the KCOV
 # tool uses it for kernel fuzzing.
 # vendor_modprobe is also exempted since the kernel modules it loads may create
 # debugfs files in its context.
 enforce_debugfs_restriction(`
   neverallow {
     domain
     -vendor_modprobe
     userdebug_or_eng(`
       -init
       -hal_dumpstate
     ')
   } { debugfs_type
       userdebug_or_eng(`-debugfs_kcov')
       -tracefs_type
   }:file no_rw_file_perms;
 ')
	# Transition to crash_dump when /system/bin/crash_dump* is executed.
	# This occurs when the process crashes.
	# We do not apply this to the su domain to avoid interfering with
	# tests (b/114136122)
	domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
	allow domain crash_dump:process sigchld;

	# Allow every process to check the heapprofd.enable properties to determine
	# whether to load the heap profiling library. This does not necessarily enable
	# heap profiling, as initialization will fail if it does not have the
	# necessary SELinux permissions.
	get_prop(domain, heapprofd_prop);
	# Allow heap profiling on debug builds.
	userdebug_or_eng(`can_profile_heap({
	domain
	-bpfloader
	-init
	-kernel
	-keystore
	-llkd
	-logd
	-logpersist
	-recovery
	-recovery_persist
	-recovery_refresh
	-ueventd
	-vendor_init
	-vold
	})')

	# As above, allow perf profiling most processes on debug builds.
	# zygote is excluded as system-wide profiling could end up with it
	# (unexpectedly) holding an open fd across a fork.
	userdebug_or_eng(`can_profile_perf({
	domain
	-bpfloader
	-init
	-kernel
	-keystore
	-llkd
	-logd
	-logpersist
	-recovery
	-recovery_persist
	-recovery_refresh
	-ueventd
	-vendor_init
	-vold
	-zygote
	})')

	# Everyone can access the IncFS list of features.
	r_dir_file(domain, sysfs_fs_incfs_features);

	# Path resolution access in cgroups.
	allow domain cgroup:dir search;
	allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
	allow { domain -appdomain -rs } cgroup:file w_file_perms;

	allow domain cgroup_v2:dir search;
	allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
	allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;

	allow domain cgroup_rc_file:dir search;
	allow domain cgroup_rc_file:file r_file_perms;
	allow domain task_profiles_file:file r_file_perms;
	allow domain task_profiles_api_file:file r_file_perms;
	allow domain vendor_task_profiles_file:file r_file_perms;

	# Allow all domains to read sys.use_memfd to determine
	# if memfd support can be used if device supports it
	get_prop(domain, use_memfd_prop);

	# Read access to sdkextensions props
	get_prop(domain, module_sdkextensions_prop)

	# Read access to bq configuration values
	get_prop(domain, bq_config_prop);

	# For now, everyone can access core property files
	# Device specific properties are not granted by default
	not_compatible_property(`
	# DO NOT ADD ANY PROPERTIES HERE
	get_prop(domain, core_property_type)
	get_prop(domain, exported3_system_prop)
	get_prop(domain, vendor_default_prop)
	')
	compatible_property_only(`
	# DO NOT ADD ANY PROPERTIES HERE
	get_prop({coredomain appdomain shell}, core_property_type)
	get_prop({coredomain appdomain shell}, exported3_system_prop)
	get_prop({coredomain appdomain shell}, exported_camera_prop)
	get_prop({coredomain shell}, userspace_reboot_exported_prop)
	get_prop({coredomain shell}, userspace_reboot_log_prop)
	get_prop({coredomain shell}, userspace_reboot_test_prop)
	get_prop({domain -coredomain -appdomain}, vendor_default_prop)
	')

	# Allow access to fsverity keyring.
	allow domain kernel:key search;
	# Allow access to keys in the fsverity keyring that were installed at boot.
	allow domain fsverity_init:key search;
	# For testing purposes, allow access to keys installed with su.
	userdebug_or_eng(`
	allow domain su:key search;
	')

	# Allow access to linkerconfig file
	allow domain linkerconfig_file:dir search;
	allow domain linkerconfig_file:file r_file_perms;

	# Allow all processes to check for the existence of the boringssl_self_test_marker files.
	allow domain boringssl_self_test_marker:dir search;

	# Limit ability to ptrace or read sensitive /proc/pid files of processes
	# with other UIDs to these allowlisted domains.
	neverallow {
	domain
	-vold
	userdebug_or_eng(`-llkd')
	-dumpstate
	userdebug_or_eng(`-incidentd')
	userdebug_or_eng(`-profcollectd')
	-storaged
	-system_server
	} self:global_capability_class_set sys_ptrace;

	# Limit ability to generate hardware unique device ID attestations to priv_apps
	neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
	neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
	neverallow { domain -system_server } *:keystore2_key use_dev_id;
	neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };

	neverallow {
	domain
	-init
	-vendor_init
	userdebug_or_eng(`-domain')
	} debugfs_tracing_debug:file no_rw_file_perms;

	# System_server owns dropbox data, and init creates/restorecons the directory
	# Disallow direct access by other processes.
	neverallow { domain -init -system_server } dropbox_data_file:dir *;
	neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };

	###
	# Services should respect app sandboxes
	neverallow {
	domain
	-appdomain
	-installd # creation of sandbox
	} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

	# Only the following processes should be directly accessing private app
	# directories.
	neverallow {
	domain
	-adbd
	-appdomain
	-app_zygote
	-dexoptanalyzer
	-installd
	-iorap_inode2filename
	-iorap_prefetcherd
	-profman
	-rs # spawned by appdomain, so carryover the exception above
	-runas
	-system_server
	-viewcompiler
	-zygote
	} { privapp_data_file app_data_file }:dir *;

	# Only apps should be modifying app data. installd is exempted for
	# restorecon and package install/uninstall.
	neverallow {
	domain
	-appdomain
	-installd
	-rs # spawned by appdomain, so carryover the exception above
	} { privapp_data_file app_data_file }:dir ~r_dir_perms;

	neverallow {
	domain
	-appdomain
	-app_zygote
	-installd
	-iorap_prefetcherd
	-rs # spawned by appdomain, so carryover the exception above
	} { privapp_data_file app_data_file }:file_class_set open;

	neverallow {
	domain
	-appdomain
	-installd # creation of sandbox
	} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

	neverallow {
	domain
	-installd
	} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

	# The staging directory contains APEX and APK files. It is important to ensure
	# that these files cannot be accessed by other domains to ensure that the files
	# do not change between system_server staging the files and apexd processing
	# the files.
	neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
	neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
	neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
	# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
	# except for `link` and `unlink`.
	neverallow { domain -init -system_server } staging_data_file:file
	{ append create relabelfrom rename setattr write no_x_file_perms };

	neverallow {
	domain
	-appdomain # for oemfs
	-bootanim # for oemfs
	-recovery # for /tmp/update_binary in tmpfs
	} { fs_type -rootfs }:file execute;

	#
	# Assert that, to the extent possible, we're not loading executable content from
	# outside the rootfs or /system partition except for a few allowlisted domains.
	# Executable files loaded from /data is a persistence vector
	# we want to avoid. See
	# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
	#
	neverallow {
	domain
	-appdomain
	with_asan(`-asan_extract')
	-iorap_prefetcherd
	-shell
	userdebug_or_eng(`-su')
	-system_server_startup # for memfd backed executable regions
	-app_zygote
	-webview_zygote
	-zygote
	userdebug_or_eng(`-mediaextractor')
	userdebug_or_eng(`-mediaswcodec')
	} {
	file_type
	-system_file_type
	-system_lib_file
	-system_linker_exec
	-vendor_file_type
	-exec_type
	-postinstall_file
	}:file execute;

	# Only init is allowed to write cgroup.rc file
	neverallow {
	domain
	-init
	-vendor_init
	} cgroup_rc_file:file no_w_file_perms;

	# Only authorized processes should be writing to files in /data/dalvik-cache
	neverallow {
	domain
	-init # TODO: limit init to relabelfrom for files
	-zygote
	-installd
	-postinstall_dexopt
	-cppreopts
	-dex2oat
	-otapreopt_slot
	} dalvikcache_data_file:file no_w_file_perms;

	neverallow {
	domain
	-init
	-installd
	-postinstall_dexopt
	-cppreopts
	-dex2oat
	-zygote
	-otapreopt_slot
	} dalvikcache_data_file:dir no_w_dir_perms;

	# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
	# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
	neverallow {
	domain
	# art processes
	-odrefresh
	-odsign
	# others
	-apexd
	-init
	-vold_prepare_subdirs
	} apex_art_data_file:file no_w_file_perms;

	neverallow {
	domain
	# art processes
	-odrefresh
	-odsign
	# others
	-apexd
	-init
	-vold_prepare_subdirs
	} apex_art_data_file:dir no_w_dir_perms;

	# Protect most domains from executing arbitrary content from /data.
	neverallow {
	domain
	-appdomain
	} {
	data_file_type
	-apex_art_data_file
	-dalvikcache_data_file
	-system_data_file # shared libs in apks
	-apk_data_file
	}:file no_x_file_perms;

	# Minimize dac_override and dac_read_search.
	# Instead of granting them it is usually better to add the domain to
	# a Unix group or change the permissions of a file.
	define(`dac_override_allowed', `{
	apexd
	dnsmasq
	dumpstate
	init
	installd
	userdebug_or_eng(`llkd')
	lmkd
	migrate_legacy_obb_data
	netd
	postinstall_dexopt
	recovery
	rss_hwm_reset
	sdcardd
	tee
	ueventd
	uncrypt
	vendor_init
	vold
	vold_prepare_subdirs
	zygote
	}')
	neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
	# Since the kernel checks dac_read_search before dac_override, domains that
	# have dac_override should also have dac_read_search to eliminate spurious
	# denials. Some domains have dac_read_search without having dac_override, so
	# this list should be a superset of the one above.
	neverallow ~{
	dac_override_allowed
	iorap_inode2filename
	iorap_prefetcherd
	traced_perf
	traced_probes
	heapprofd
	} self:global_capability_class_set dac_read_search;

	# Limit what domains can mount filesystems or change their mount flags.
	# sdcard_type / vfat is exempt as a larger set of domains need
	# this capability, including device-specific domains.
	neverallow {
	domain
	-apexd
	recovery_only(`-fastbootd')
	-init
	-kernel
	-otapreopt_chroot
	-recovery
	-update_engine
	-vold
	-zygote
	} { fs_type
	-sdcard_type
	}:filesystem { mount remount relabelfrom relabelto };

	enforce_debugfs_restriction(`
	neverallow {
	domain userdebug_or_eng(`-init')
	} { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
	')

	# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
	neverallow {
	domain
	userdebug_or_eng(`-domain')
	-kernel
	-gsid
	-init
	-recovery
	-ueventd
	-healthd
	-uncrypt
	-tee
	-hal_bootctl_server
	-fastbootd
	} self:global_capability_class_set sys_rawio;

	# Limit directory operations that doesn't need to do app data isolation.
	neverallow {
	domain
	-init
	-installd
	-zygote
	} mirror_data_file:dir *;

	# This property is being removed. Remove remaining access.
	neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
	neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;

	# Only core domains are allowed to access package_manager properties
	neverallow { domain -init -system_server } pm_prop:property_service set;
	neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

	# Do not allow reading the last boot timestamp from system properties
	neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

	# Kprobes should only be used by adb root
	neverallow { domain -init -vendor_init } debugfs_kprobes:file *;

	# On TREBLE devices, most coredomains should not access vendor_files.
	# TODO(b/71553434): Remove exceptions here.
	full_treble_only(`
	neverallow {
	coredomain
	-appdomain
	-bootanim
	-crash_dump
	-heapprofd
	userdebug_or_eng(`-profcollectd')
	-init
	-iorap_inode2filename
	-iorap_prefetcherd
	-kernel
	-traced_perf
	-ueventd
	} vendor_file:file { no_w_file_perms no_x_file_perms open };
	')

	# Vendor domains are not permitted to initiate communications to core domain sockets
	full_treble_only(`
	neverallow_establish_socket_comms({
	domain
	-coredomain
	-appdomain
	-socket_between_core_and_vendor_violators
	}, {
	coredomain
	-logd # Logging by writing to logd Unix domain socket is public API
	-netd # netdomain needs this
	-mdnsd # netdomain needs this
	userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
	-init
	-tombstoned # linker to tombstoned
	userdebug_or_eng(`-heapprofd')
	userdebug_or_eng(`-traced_perf')
	});
	')

	full_treble_only(`
	# Do not allow system components access to /vendor files except for the
	# ones allowed here.
	neverallow {
	coredomain
	# TODO(b/37168747): clean up fwk access to /vendor
	-crash_dump
	-init # starts vendor executables
	-iorap_inode2filename
	-iorap_prefetcherd
	-kernel # loads /vendor/firmware
	-heapprofd
	userdebug_or_eng(`-profcollectd')
	-shell
	-system_executes_vendor_violators
	-traced_perf # library/binary access for symbolization
	-ueventd # reads /vendor/ueventd.rc
	-vold # loads incremental fs driver
	} {
	vendor_file_type
	-same_process_hal_file
	-vendor_app_file
	-vendor_apex_file
	-vendor_configs_file
	-vendor_service_contexts_file
	-vendor_framework_file
	-vendor_idc_file
	-vendor_keychars_file
	-vendor_keylayout_file
	-vendor_overlay_file
	-vendor_public_framework_file
	-vendor_public_lib_file
	-vendor_task_profiles_file
	-vndk_sp_file
	}:file *;
	')

	# mlsvendorcompat is only for compatibility support for older vendor
	# images, and should not be granted to any domain in current policy.
	# (Every domain is allowed self:fork, so this will trigger if the
	# intsersection of domain & mlsvendorcompat is not empty.)
	neverallow domain mlsvendorcompat:process fork;

	# Only init and otapreopt_chroot should be mounting filesystems on locations
	# labeled system or vendor (/product and /vendor respectively).
	neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;

	# Only allow init and vendor_init to read/write mm_events properties
	# NOTE: dumpstate is allowed to read any system property
	neverallow {
	domain
	-init
	-vendor_init
	-dumpstate
	} mm_events_config_prop:file no_rw_file_perms;

	# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
	# kernel traces. Addresses are not disclosed, they are repalced with symbol
	# names (if available). Traces don't disclose KASLR.
	neverallow {
	domain
	-init
	userdebug_or_eng(`-profcollectd')
	-vendor_init
	-traced_probes
	-traced_perf
	} proc_kallsyms:file { open read };

	# debugfs_kcov type is not included in this neverallow statement since the KCOV
	# tool uses it for kernel fuzzing.
	# vendor_modprobe is also exempted since the kernel modules it loads may create
	# debugfs files in its context.
	enforce_debugfs_restriction(`
	neverallow {
	domain
	-vendor_modprobe
	userdebug_or_eng(`
	-init
	-hal_dumpstate
	')
	} { debugfs_type
	userdebug_or_eng(`-debugfs_kcov')
	-tracefs_type
	}:file no_rw_file_perms;
	')