| ##################################### |
| # domain_trans(olddomain, type, newdomain) |
| # Allow a transition from olddomain to newdomain |
| # upon executing a file labeled with type. |
| # This only allows the transition; it does not |
| # cause it to occur automatically - use domain_auto_trans |
| # if that is what you want. |
| # |
| define(`domain_trans', ` |
| # Old domain may exec the file and transition to the new domain. |
| allow $1 $2:file { getattr open read execute }; |
| allow $1 $3:process transition; |
| # New domain is entered by executing the file. |
| allow $3 $2:file { entrypoint read execute }; |
| # New domain can send SIGCHLD to its caller. |
| allow $3 $1:process sigchld; |
| # Enable AT_SECURE, i.e. libc secure mode. |
| dontaudit $1 $3:process noatsecure; |
| # XXX dontaudit candidate but requires further study. |
| allow $1 $3:process { siginh rlimitinh }; |
| ') |
| |
| ##################################### |
| # domain_auto_trans(olddomain, type, newdomain) |
| # Automatically transition from olddomain to newdomain |
| # upon executing a file labeled with type. |
| # |
| define(`domain_auto_trans', ` |
| # Allow the necessary permissions. |
| domain_trans($1,$2,$3) |
| # Make the transition occur by default. |
| type_transition $1 $2:process $3; |
| ') |
| |
| ##################################### |
| # file_type_trans(domain, dir_type, file_type) |
| # Allow domain to create a file labeled file_type in a |
| # directory labeled dir_type. |
| # This only allows the transition; it does not |
| # cause it to occur automatically - use file_type_auto_trans |
| # if that is what you want. |
| # |
| define(`file_type_trans', ` |
| # Allow the domain to add entries to the directory. |
| allow $1 $2:dir ra_dir_perms; |
| # Allow the domain to create the file. |
| allow $1 $3:notdevfile_class_set create_file_perms; |
| allow $1 $3:dir create_dir_perms; |
| ') |
| |
| ##################################### |
| # file_type_auto_trans(domain, dir_type, file_type) |
| # Automatically label new files with file_type when |
| # they are created by domain in directories labeled dir_type. |
| # |
| define(`file_type_auto_trans', ` |
| # Allow the necessary permissions. |
| file_type_trans($1, $2, $3) |
| # Make the transition occur by default. |
| type_transition $1 $2:dir $3; |
| type_transition $1 $2:notdevfile_class_set $3; |
| ') |
| |
| ##################################### |
| # r_dir_file(domain, type) |
| # Allow the specified domain to read directories, files |
| # and symbolic links of the specified type. |
| define(`r_dir_file', ` |
| allow $1 $2:dir r_dir_perms; |
| allow $1 $2:{ file lnk_file } r_file_perms; |
| ') |
| |
| ##################################### |
| # unconfined_domain(domain) |
| # Allow the specified domain to perform more privileged operations |
| # than would be typically allowed. Please see the comments at the |
| # top of unconfined.te. |
| # |
| define(`unconfined_domain', ` |
| typeattribute $1 mlstrustedsubject; |
| typeattribute $1 unconfineddomain; |
| ') |
| |
| ##################################### |
| # tmpfs_domain(domain) |
| # Define and allow access to a unique type for |
| # this domain when creating tmpfs / shmem / ashmem files. |
| define(`tmpfs_domain', ` |
| type $1_tmpfs, file_type; |
| type_transition $1 tmpfs:file $1_tmpfs; |
| allow $1 $1_tmpfs:file { read write }; |
| ') |
| |
| ##################################### |
| # init_daemon_domain(domain) |
| # Set up a transition from init to the daemon domain |
| # upon executing its binary. |
| define(`init_daemon_domain', ` |
| domain_auto_trans(init, $1_exec, $1) |
| tmpfs_domain($1) |
| ') |
| |
| ##################################### |
| # app_domain(domain) |
| # Allow a base set of permissions required for all apps. |
| define(`app_domain', ` |
| typeattribute $1 appdomain; |
| # Label ashmem objects with our own unique type. |
| tmpfs_domain($1) |
| # Map with PROT_EXEC. |
| allow $1 $1_tmpfs:file execute; |
| ') |
| |
| ##################################### |
| # relabelto_domain(domain) |
| # Allows this domain to use the relabelto permission |
| define(`relabelto_domain', ` |
| typeattribute $1 relabeltodomain; |
| ') |
| |
| ##################################### |
| # platform_app_domain(domain) |
| # Allow permissions specific to platform apps. |
| define(`platform_app_domain', ` |
| typeattribute $1 platformappdomain; |
| typeattribute $1 mlstrustedsubject; |
| ') |
| |
| ##################################### |
| # net_domain(domain) |
| # Allow a base set of permissions required for network access. |
| define(`net_domain', ` |
| typeattribute $1 netdomain; |
| ') |
| |
| ##################################### |
| # bluetooth_domain(domain) |
| # Allow a base set of permissions required for bluetooth access. |
| define(`bluetooth_domain', ` |
| typeattribute $1 bluetoothdomain; |
| ') |
| |
| ##################################### |
| # unix_socket_connect(clientdomain, socket, serverdomain) |
| # Allow a local socket connection from clientdomain via |
| # socket to serverdomain. |
| define(`unix_socket_connect', ` |
| allow $1 $2_socket:sock_file write; |
| allow $1 $3:unix_stream_socket connectto; |
| ') |
| |
| ##################################### |
| # unix_socket_send(clientdomain, socket, serverdomain) |
| # Allow a local socket send from clientdomain via |
| # socket to serverdomain. |
| define(`unix_socket_send', ` |
| allow $1 $2_socket:sock_file write; |
| allow $1 $3:unix_dgram_socket sendto; |
| ') |
| |
| ##################################### |
| # binder_use(domain) |
| # Allow domain to use Binder IPC. |
| define(`binder_use', ` |
| # Call the servicemanager and transfer references to it. |
| allow $1 servicemanager:binder { call transfer }; |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| # all domains in domain.te. |
| ') |
| |
| ##################################### |
| # binder_call(clientdomain, serverdomain) |
| # Allow clientdomain to perform binder IPC to serverdomain. |
| define(`binder_call', ` |
| # Call the server domain and optionally transfer references to it. |
| allow $1 $2:binder { call transfer }; |
| # Allow the serverdomain to transfer references to the client on the reply. |
| allow $2 $1:binder transfer; |
| # Receive and use open files from the server. |
| allow $1 $2:fd use; |
| ') |
| |
| ##################################### |
| # binder_service(domain) |
| # Mark a domain as being a Binder service domain. |
| # Used to allow binder IPC to the various system services. |
| define(`binder_service', ` |
| typeattribute $1 binderservicedomain; |
| ') |
| |
| ##################################### |
| # selinux_check_access(domain) |
| # Allow domain to check SELinux permissions via selinuxfs. |
| define(`selinux_check_access', ` |
| allow $1 selinuxfs:dir r_dir_perms; |
| allow $1 selinuxfs:file rw_file_perms; |
| allow $1 kernel:security compute_av; |
| allow $1 self:netlink_selinux_socket *; |
| ') |
| |
| ##################################### |
| # selinux_check_context(domain) |
| # Allow domain to check SELinux contexts via selinuxfs. |
| define(`selinux_check_context', ` |
| allow $1 selinuxfs:dir r_dir_perms; |
| allow $1 selinuxfs:file rw_file_perms; |
| allow $1 kernel:security check_context; |
| ') |
| |
| ##################################### |
| # selinux_getenforce(domain) |
| # Allow domain to check whether SELinux is enforcing. |
| define(`selinux_getenforce', ` |
| allow $1 selinuxfs:dir r_dir_perms; |
| allow $1 selinuxfs:file r_file_perms; |
| ') |
| |
| ##################################### |
| # selinux_setenforce(domain) |
| # Allow domain to set SELinux to enforcing. |
| define(`selinux_setenforce', ` |
| allow $1 selinuxfs:dir r_dir_perms; |
| allow $1 selinuxfs:file rw_file_perms; |
| allow $1 kernel:security setenforce; |
| ') |
| |
| ##################################### |
| # selinux_setbool(domain) |
| # Allow domain to set SELinux booleans. |
| define(`selinux_setbool', ` |
| allow $1 selinuxfs:dir r_dir_perms; |
| allow $1 selinuxfs:file rw_file_perms; |
| allow $1 kernel:security setbool; |
| ') |
| |
| ##################################### |
| # security_access_policy(domain) |
| # Read only access to all policy files and |
| # selinuxfs |
| define(`security_access_policy', ` |
| allow $1 security_file:dir r_dir_perms; |
| allow $1 security_file:file r_file_perms; |
| allow $1 security_file:lnk_file r_file_perms; |
| allow $1 selinuxfs:dir r_dir_perms; |
| allow $1 selinuxfs:file r_file_perms; |
| allow $1 rootfs:dir r_dir_perms; |
| allow $1 rootfs:file r_file_perms; |
| ') |
| |
| ##################################### |
| # selinux_manage_policy(domain) |
| # Ability to manage policy files and |
| # trigger runtime reload. |
| define(`selinux_manage_policy', ` |
| security_access_policy($1) |
| unix_socket_connect($1, property, init) |
| allow $1 security_file:dir create_dir_perms; |
| allow $1 security_file:file create_file_perms; |
| allow $1 security_file:lnk_file { create rename unlink }; |
| allow $1 security_prop:property_service set; |
| ') |
| |
| ##################################### |
| # mmac_manage_policy(domain) |
| # Ability to manage mmac policy files, |
| # trigger runtime reload, change |
| # mmac enforcing mode and access logcat. |
| define(`mmac_manage_policy', ` |
| unix_socket_connect($1, property, init) |
| allow $1 security_file:dir create_dir_perms; |
| allow $1 security_file:file create_file_perms; |
| allow $1 security_file:lnk_file { create rename unlink }; |
| allow $1 security_prop:property_service set; |
| ') |
| |
| ##################################### |
| # access_logcat(domain) |
| # Ability to read from logcat logs |
| # and execute the logcat command |
| define(`access_logcat', ` |
| allow $1 log_device:chr_file read; |
| allow $1 system_file:file x_file_perms; |
| ') |
| |
| ##################################### |
| # access_kmsg(domain) |
| # Ability to read from kernel logs |
| # and execute the klogctl syscall |
| # in a non destructive manner. See |
| # man 2 klogctl |
| define(`access_kmsg', ` |
| allow $1 kernel:system syslog_read; |
| ') |
| |
| ##################################### |
| # write_klog(domain) |
| # Ability to write to kernel log via |
| # klog_write() |
| # See system/core/libcutil/klog.c |
| define(`write_klog', ` |
| type_transition $1 device:chr_file klog_device "__kmsg__"; |
| allow $1 klog_device:chr_file { create open write unlink }; |
| allow $1 device:dir { write add_name remove_name }; |
| ') |
| |
| ##################################### |
| # create_pty(domain) |
| # Allow domain to create and use a pty, isolated from any other domain ptys. |
| define(`create_pty', ` |
| # Each domain gets a unique devpts type. |
| type $1_devpts, fs_type; |
| # Label the pty with the unique type when created. |
| type_transition $1 devpts:chr_file $1_devpts; |
| # Allow use of the pty after creation. |
| allow $1 $1_devpts:chr_file { open getattr read write ioctl }; |
| # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms |
| # allowed to everyone via domain.te. |
| ') |
| |
| ##################################### |
| # Non system_app application set |
| # |
| define(`non_system_app_set', `{ appdomain -system_app }') |
| |
| ##################################### |
| # Userdebug or eng builds |
| # SELinux rules which apply only to userdebug or eng builds |
| # |
| define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) |
| |
| ##################################### |
| # permissive_or_unconfined |
| # Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false, |
| # and "unconfined($1)" otherwise. |
| # |
| # This is used for experimental domains, where we want to ensure |
| # the domain is unconfined+enforcing once new SELinux policy development |
| # has ceased. |
| # |
| define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1))) |