| get_prop(coredomain, apex_ready_prop) |
| get_prop(coredomain, boot_status_prop) |
| get_prop(coredomain, camera_config_prop) |
| get_prop(coredomain, dalvik_config_prop_type) |
| get_prop(coredomain, dalvik_runtime_prop) |
| get_prop(coredomain, exported_pm_prop) |
| get_prop(coredomain, ffs_config_prop) |
| get_prop(coredomain, graphics_config_prop) |
| get_prop(coredomain, graphics_config_writable_prop) |
| get_prop(coredomain, hdmi_config_prop) |
| get_prop(coredomain, init_service_status_private_prop) |
| get_prop(coredomain, lmkd_config_prop) |
| get_prop(coredomain, localization_prop) |
| get_prop(coredomain, pm_prop) |
| get_prop(coredomain, radio_control_prop) |
| get_prop(coredomain, rollback_test_prop) |
| get_prop(coredomain, setupwizard_prop) |
| get_prop(coredomain, sqlite_log_prop) |
| get_prop(coredomain, storagemanager_config_prop) |
| get_prop(coredomain, surfaceflinger_color_prop) |
| get_prop(coredomain, systemsound_config_prop) |
| get_prop(coredomain, telephony_config_prop) |
| get_prop(coredomain, usb_config_prop) |
| get_prop(coredomain, usb_control_prop) |
| get_prop(coredomain, userspace_reboot_config_prop) |
| get_prop(coredomain, vold_config_prop) |
| get_prop(coredomain, vts_status_prop) |
| get_prop(coredomain, zygote_config_prop) |
| get_prop(coredomain, zygote_wrap_prop) |
| |
| # TODO(b/170590987): remove this after cleaning up default_prop |
| get_prop(coredomain, default_prop) |
| |
| full_treble_only(` |
| neverallow { |
| coredomain |
| |
| # for chowning |
| -init |
| |
| # generic access to sysfs_type |
| -apexd |
| -ueventd |
| -vold |
| } sysfs_leds:file *; |
| ') |
| |
| # On TREBLE devices, a limited set of files in /vendor are accessible to |
| # only a few allowlisted coredomains to keep system/vendor separation. |
| full_treble_only(` |
| # Limit access to /vendor/app |
| neverallow { |
| coredomain |
| -appdomain |
| -artd |
| -dex2oat |
| -dexoptanalyzer |
| -idmap |
| -init |
| -installd |
| -heapprofd |
| -postinstall_dexopt |
| -rs # spawned by appdomain, so carryover the exception above |
| -system_server |
| -traced_perf |
| } vendor_app_file:dir { open read getattr search }; |
| ') |
| |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -appdomain |
| -artd |
| -dex2oat |
| -dexoptanalyzer |
| -idmap |
| -init |
| -installd |
| -heapprofd |
| userdebug_or_eng(`-profcollectd') |
| -postinstall_dexopt |
| -profman |
| -rs # spawned by appdomain, so carryover the exception above |
| userdebug_or_eng(`-simpleperf_boot') |
| -system_server |
| -traced_perf |
| -mediaserver |
| } vendor_app_file:file r_file_perms; |
| ') |
| |
| full_treble_only(` |
| # Limit access to /vendor/overlay |
| neverallow { |
| coredomain |
| -appdomain |
| -artd |
| -dex2oat |
| -dexoptanalyzer |
| -idmap |
| -init |
| -installd |
| -postinstall_dexopt |
| -rs # spawned by appdomain, so carryover the exception above |
| -system_server |
| -traced_perf |
| -app_zygote |
| -webview_zygote |
| -zygote |
| -heapprofd |
| } vendor_overlay_file:dir { getattr open read search }; |
| ') |
| |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -appdomain |
| -artd |
| -dex2oat |
| -dexoptanalyzer |
| -idmap |
| -init |
| -installd |
| -postinstall_dexopt |
| -rs # spawned by appdomain, so carryover the exception above |
| -system_server |
| -traced_perf |
| -app_zygote |
| -webview_zygote |
| -zygote |
| -heapprofd |
| userdebug_or_eng(`-profcollectd') |
| userdebug_or_eng(`-simpleperf_boot') |
| } vendor_overlay_file:file open; |
| ') |
| |
| # Core domains are not permitted to use kernel interfaces which are not |
| # explicitly labeled. |
| # TODO(b/65643247): Apply these neverallow rules to all coredomain. |
| full_treble_only(` |
| # /proc |
| neverallow { |
| coredomain |
| -init |
| -vold |
| } proc:file no_rw_file_perms; |
| |
| # /sys |
| neverallow { |
| coredomain |
| -apexd |
| -init |
| -ueventd |
| -vfio_handler |
| -vold |
| } sysfs:file no_rw_file_perms; |
| |
| # /dev |
| neverallow { |
| coredomain |
| -apexd |
| -fsck |
| -init |
| -ueventd |
| } device:{ blk_file file } no_rw_file_perms; |
| |
| # debugfs |
| neverallow { |
| coredomain |
| no_debugfs_restriction(` |
| -dumpstate |
| -init |
| -system_server |
| ') |
| } debugfs:file no_rw_file_perms; |
| |
| # tracefs |
| neverallow { |
| coredomain |
| -atrace |
| -dumpstate |
| -gpuservice |
| -init |
| -traced_perf |
| -traced_probes |
| -shell |
| -system_server |
| -traceur_app |
| userdebug_or_eng(`-profcollectd') |
| userdebug_or_eng(`-simpleperf_boot') |
| } debugfs_tracing:file no_rw_file_perms; |
| |
| # inotifyfs |
| neverallow { |
| coredomain |
| -init |
| } inotify:file no_rw_file_perms; |
| |
| # pstorefs |
| neverallow { |
| coredomain |
| -bootstat |
| -charger |
| -dumpstate |
| userdebug_or_eng(`-incidentd') |
| -init |
| -logd |
| -logpersist |
| -recovery_persist |
| -recovery_refresh |
| -shell |
| -system_server |
| } pstorefs:file no_rw_file_perms; |
| |
| # configfs |
| neverallow { |
| coredomain |
| -init |
| -system_server |
| } configfs:file no_rw_file_perms; |
| |
| # functionfs |
| neverallow { |
| coredomain |
| -adbd |
| -init |
| -mediaprovider |
| -system_server |
| } functionfs:file no_rw_file_perms; |
| |
| # usbfs and binfmt_miscfs |
| neverallow { |
| coredomain |
| -init |
| }{ usbfs binfmt_miscfs }:file no_rw_file_perms; |
| |
| # dmabuf heaps |
| neverallow { |
| coredomain |
| -init |
| -ueventd |
| }{ |
| dmabuf_heap_device_type |
| -dmabuf_system_heap_device |
| -dmabuf_system_secure_heap_device |
| }:chr_file no_rw_file_perms; |
| ') |
| |
| # Following /dev nodes must not be directly accessed by coredomain, but should |
| # instead be wrapped by HALs. |
| neverallow coredomain { |
| iio_device |
| radio_device |
| }:chr_file { open read append write ioctl }; |
| |
| # TODO(b/120243891): HAL permission to tee_device is included into coredomain |
| # on non-Treble devices. |
| full_treble_only(` |
| neverallow coredomain tee_device:chr_file { open read append write ioctl }; |
| ') |