| ##################################### |
| # domain_trans(olddomain, type, newdomain) |
| # Allow a transition from olddomain to newdomain |
| # upon executing a file labeled with type. |
| # This only allows the transition; it does not |
| # cause it to occur automatically - use domain_auto_trans |
| # if that is what you want. |
| # |
| define(`domain_trans', ` |
| # Old domain may exec the file and transition to the new domain. |
| allow $1 $2:file { getattr open read execute map }; |
| allow $1 $3:process transition; |
| # New domain is entered by executing the file. |
| allow $3 $2:file { entrypoint open read execute getattr map }; |
| # New domain can send SIGCHLD to its caller. |
| ifelse($1, `init', `', `allow $3 $1:process sigchld;') |
| # Enable AT_SECURE, i.e. libc secure mode. |
| dontaudit $1 $3:process noatsecure; |
| # XXX dontaudit candidate but requires further study. |
| allow $1 $3:process { siginh rlimitinh }; |
| ') |
| |
| ##################################### |
| # domain_auto_trans(olddomain, type, newdomain) |
| # Automatically transition from olddomain to newdomain |
| # upon executing a file labeled with type. |
| # |
| define(`domain_auto_trans', ` |
| # Allow the necessary permissions. |
| domain_trans($1,$2,$3) |
| # Make the transition occur by default. |
| type_transition $1 $2:process $3; |
| ') |
| |
| ##################################### |
| # file_type_trans(domain, dir_type, file_type) |
| # Allow domain to create a file labeled file_type in a |
| # directory labeled dir_type. |
| # This only allows the transition; it does not |
| # cause it to occur automatically - use file_type_auto_trans |
| # if that is what you want. |
| # |
| define(`file_type_trans', ` |
| # Allow the domain to add entries to the directory. |
| allow $1 $2:dir ra_dir_perms; |
| # Allow the domain to create the file. |
| allow $1 $3:notdevfile_class_set create_file_perms; |
| allow $1 $3:dir create_dir_perms; |
| ') |
| |
| ##################################### |
| # file_type_auto_trans(domain, dir_type, file_type) |
| # Automatically label new files with file_type when |
| # they are created by domain in directories labeled dir_type. |
| # |
| define(`file_type_auto_trans', ` |
| # Allow the necessary permissions. |
| file_type_trans($1, $2, $3) |
| # Make the transition occur by default. |
| type_transition $1 $2:dir $3; |
| type_transition $1 $2:notdevfile_class_set $3; |
| ') |
| |
| ##################################### |
| # r_dir_file(domain, type) |
| # Allow the specified domain to read directories, files |
| # and symbolic links of the specified type. |
| define(`r_dir_file', ` |
| allow $1 $2:dir r_dir_perms; |
| allow $1 $2:{ file lnk_file } r_file_perms; |
| ') |
| |
| ##################################### |
| # tmpfs_domain(domain) |
| # Allow access to a unique type for this domain when creating tmpfs / ashmem files. |
| define(`tmpfs_domain', ` |
| type_transition $1 tmpfs:file $1_tmpfs; |
| allow $1 $1_tmpfs:file { read write getattr map }; |
| ') |
| |
| # pdx macros for IPC. pdx is a high-level name which contains transport-specific |
| # rules from underlying transport (e.g. UDS-based implementation). |
| |
| ##################################### |
| # pdx_service_attributes(service) |
| # Defines type attribute used to identify various service-related types. |
| define(`pdx_service_attributes', ` |
| attribute pdx_$1_endpoint_dir_type; |
| attribute pdx_$1_endpoint_socket_type; |
| attribute pdx_$1_channel_socket_type; |
| attribute pdx_$1_server_type; |
| ') |
| |
| ##################################### |
| # pdx_service_socket_types(service, endpoint_dir_t) |
| # Define types for endpoint and channel sockets. |
| define(`pdx_service_socket_types', ` |
| typeattribute $2 pdx_$1_endpoint_dir_type; |
| type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; |
| type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket; |
| userdebug_or_eng(` |
| dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *; |
| dontaudit su pdx_$1_channel_socket:unix_stream_socket *; |
| ') |
| ') |
| |
| ##################################### |
| # pdx_server(server_domain, service) |
| define(`pdx_server', ` |
| # Mark the server domain as a PDX server. |
| typeattribute $1 pdx_$2_server_type; |
| # Allow the init process to create the initial endpoint socket. |
| allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind }; |
| # Allow the server domain to use the endpoint socket and accept connections on it. |
| # Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights |
| # than we need (e.g. we don"t need "bind" or "connect"). |
| allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept }; |
| # Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()). |
| allow $1 self:process setsockcreate; |
| # Allow the server domain to create a client channel socket. |
| allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms; |
| # Prevent other processes from claiming to be a server for the same service. |
| neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept }; |
| ') |
| |
| ##################################### |
| # pdx_connect(client, service) |
| define(`pdx_connect', ` |
| # Allow client to open the service endpoint file. |
| allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms; |
| allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms; |
| # Allow the client to connect to endpoint socket. |
| allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown }; |
| ') |
| |
| ##################################### |
| # pdx_use(client, service) |
| define(`pdx_use', ` |
| # Allow the client to use the PDX channel socket. |
| # Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights |
| # than we need (e.g. we don"t need "bind" or "connect"). |
| allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown }; |
| # Client needs to use an channel event fd from the server. |
| allow $1 pdx_$2_server_type:fd use; |
| # Servers may receive sync fences, gralloc buffers, etc, from clients. |
| # This could be tightened on a per-server basis, but keeping track of service |
| # clients is error prone. |
| allow pdx_$2_server_type $1:fd use; |
| ') |
| |
| ##################################### |
| # pdx_client(client, service) |
| define(`pdx_client', ` |
| pdx_connect($1, $2) |
| pdx_use($1, $2) |
| ') |
| |
| ##################################### |
| # init_daemon_domain(domain) |
| # Set up a transition from init to the daemon domain |
| # upon executing its binary. |
| define(`init_daemon_domain', ` |
| domain_auto_trans(init, $1_exec, $1) |
| ') |
| |
| #################################### |
| # userfaultfd_use(domain) |
| # Allow domain to create/use userfaultfd. |
| define(`userfaultfd_use', ` |
| # Set up a type_transition to "userfaultfd" named anonymous inode object. |
| type $1_userfaultfd; |
| type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]"; |
| # Allow domain to create/use userfaultfd anon_inode. |
| allow $1 $1_userfaultfd:anon_inode { create ioctl read }; |
| # Suppress errors generate during bugreport |
| dontaudit su $1_userfaultfd:anon_inode *; |
| # Other domains may not use userfaultfd anon_inodes created by this domain. |
| neverallow { domain -$1 } $1_userfaultfd:anon_inode *; |
| ') |
| |
| #################################### |
| # virtualizationservice_use(domain) |
| # Allow domain to create and communicate with a virtual machine using |
| # virtualizationservice and virtualizationmanager. |
| define(`virtualizationservice_use', ` |
| # Transition to virtualizationmanager when the client executes it. |
| domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager) |
| # Allow virtualizationmanager to communicate over UDS with the client. |
| allow { virtualizationmanager crosvm } $1:unix_stream_socket { ioctl getattr read write }; |
| # Let the client pass file descriptors to virtualizationmanager and on to crosvm. |
| allow { virtualizationmanager crosvm } $1:fd use; |
| # Let the client use file descriptors created by virtualizationmanager. |
| allow $1 virtualizationmanager:fd use; |
| # Allow piping console log to the client |
| allow { virtualizationmanager crosvm } $1:fifo_file { ioctl getattr read write }; |
| # Allow client to read/write vsock created by virtualizationmanager to communicate with the VM |
| # that it created. Notice that we do not grant permission to create a vsock; |
| # the client can only connect to VMs that it owns. |
| allow $1 virtualizationmanager:vsock_socket { getattr getopt read write }; |
| # Allow client to inspect hypervisor capabilities |
| get_prop($1, hypervisor_prop) |
| # Allow client to read (but not open) the crashdump provided by virtualizationmanager |
| allow $1 virtualizationservice_data_file:file { getattr read }; |
| ') |
| |
| ##################################### |
| # app_domain(domain) |
| # Allow a base set of permissions required for all apps. |
| define(`app_domain', ` |
| typeattribute $1 appdomain; |
| # Label tmpfs objects for all apps. |
| type_transition $1 tmpfs:file appdomain_tmpfs; |
| userfaultfd_use($1) |
| allow $1 appdomain_tmpfs:file { execute getattr map read write }; |
| neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms; |
| neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms; |
| # The Android security model guarantees the confidentiality and integrity |
| # of application data and execution state. Ptrace bypasses those |
| # confidentiality guarantees. Disallow ptrace access from system components to |
| # apps. crash_dump is excluded, as it needs ptrace access to produce stack |
| # traces. runas_app is excluded, as it operates only on debuggable apps. |
| # simpleperf is excluded, as it operates only on debuggable or profileable |
| # apps. llkd is excluded, as it needs ptrace access to inspect stack traces for |
| # live lock conditions. |
| neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace; |
| ') |
| |
| ##################################### |
| # untrusted_app_domain(domain) |
| # Allow a base set of permissions required for all untrusted apps. |
| define(`untrusted_app_domain', ` |
| typeattribute $1 untrusted_app_all; |
| ') |
| |
| ##################################### |
| # isolated_app_domain(domain) |
| # Allow a base set of permissions required for all isolated apps. |
| define(`isolated_app_domain', ` |
| typeattribute $1 isolated_app_all; |
| ') |
| |
| ##################################### |
| # net_domain(domain) |
| # Allow a base set of permissions required for network access. |
| define(`net_domain', ` |
| typeattribute $1 netdomain; |
| ') |
| |
| ##################################### |
| # bluetooth_domain(domain) |
| # Allow a base set of permissions required for bluetooth access. |
| define(`bluetooth_domain', ` |
| typeattribute $1 bluetoothdomain; |
| ') |
| |
| ##################################### |
| # hal_attribute(hal_name) |
| # Add an attribute for hal implementations along with necessary |
| # restrictions. |
| define(`hal_attribute', ` |
| attribute hal_$1; |
| expandattribute hal_$1 true; |
| attribute hal_$1_client; |
| expandattribute hal_$1_client true; |
| attribute hal_$1_server; |
| expandattribute hal_$1_server false; |
| |
| neverallow { hal_$1_server -halserverdomain } domain:process fork; |
| # hal_*_client and halclientdomain attributes are always expanded for |
| # performance reasons. Neverallow rules targeting expanded attributes can not be |
| # verified by CTS since these attributes are already expanded by that time. |
| build_test_only(` |
| neverallow { hal_$1_server -hal_$1 } domain:process fork; |
| neverallow { hal_$1_client -halclientdomain } domain:process fork; |
| ') |
| ') |
| |
| ##################################### |
| # hal_server_domain(domain, hal_type) |
| # Allow a base set of permissions required for a domain to offer a |
| # HAL implementation of the specified type over HwBinder. |
| # |
| # For example, default implementation of Foo HAL: |
| # type hal_foo_default, domain; |
| # hal_server_domain(hal_foo_default, hal_foo) |
| # |
| define(`hal_server_domain', ` |
| typeattribute $1 halserverdomain; |
| typeattribute $1 $2_server; |
| typeattribute $1 $2; |
| ') |
| |
| ##################################### |
| # hal_client_domain(domain, hal_type) |
| # Allow a base set of permissions required for a domain to be a |
| # client of a HAL of the specified type. |
| # |
| # For example, make some_domain a client of Foo HAL: |
| # hal_client_domain(some_domain, hal_foo) |
| # |
| define(`hal_client_domain', ` |
| typeattribute $1 halclientdomain; |
| typeattribute $1 $2_client; |
| |
| # TODO(b/34170079): Make the inclusion of the rules below conditional also on |
| # non-Treble devices. For now, on non-Treble device, always grant clients of a |
| # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). |
| not_full_treble(` |
| typeattribute $1 $2; |
| # Find passthrough HAL implementations |
| allow $2 system_file:dir r_dir_perms; |
| allow $2 vendor_file:dir r_dir_perms; |
| allow $2 vendor_file:file { read open getattr execute map }; |
| ') |
| ') |
| |
| ##################################### |
| # passthrough_hal_client_domain(domain, hal_type) |
| # Allow a base set of permissions required for a domain to be a |
| # client of a passthrough HAL of the specified type. |
| # |
| # For example, make some_domain a client of passthrough Foo HAL: |
| # passthrough_hal_client_domain(some_domain, hal_foo) |
| # |
| define(`passthrough_hal_client_domain', ` |
| typeattribute $1 halclientdomain; |
| typeattribute $1 $2_client; |
| typeattribute $1 $2; |
| # Find passthrough HAL implementations |
| allow $2 system_file:dir r_dir_perms; |
| allow $2 vendor_file:dir r_dir_perms; |
| allow $2 vendor_file:file { read open getattr execute map }; |
| ') |
| |
| ##################################### |
| # unix_socket_connect(clientdomain, socket, serverdomain) |
| # Allow a local socket connection from clientdomain via |
| # socket to serverdomain. |
| # |
| # Note: If you see denial records that distill to the |
| # following allow rules: |
| # allow clientdomain property_socket:sock_file write; |
| # allow clientdomain init:unix_stream_socket connectto; |
| # allow clientdomain something_prop:property_service set; |
| # |
| # This sequence is indicative of attempting to set a property. |
| # use set_prop(sourcedomain, targetproperty) |
| # |
| define(`unix_socket_connect', ` |
| allow $1 $2_socket:sock_file write; |
| allow $1 $3:unix_stream_socket connectto; |
| ') |
| |
| ##################################### |
| # set_prop(sourcedomain, targetproperty) |
| # Allows source domain to set the |
| # targetproperty. |
| # |
| define(`set_prop', ` |
| unix_socket_connect($1, property, init) |
| allow $1 $2:property_service set; |
| get_prop($1, $2) |
| ') |
| |
| ##################################### |
| # get_prop(sourcedomain, targetproperty) |
| # Allows source domain to read the |
| # targetproperty. |
| # |
| define(`get_prop', ` |
| allow $1 $2:file { getattr open read map }; |
| ') |
| |
| ##################################### |
| # unix_socket_send(clientdomain, socket, serverdomain) |
| # Allow a local socket send from clientdomain via |
| # socket to serverdomain. |
| define(`unix_socket_send', ` |
| allow $1 $2_socket:sock_file write; |
| allow $1 $3:unix_dgram_socket sendto; |
| ') |
| |
| ##################################### |
| # binder_use(domain) |
| # Allow domain to use Binder IPC. |
| define(`binder_use', ` |
| # Call the servicemanager and transfer references to it. |
| allow $1 servicemanager:binder { call transfer }; |
| # Allow servicemanager to send out callbacks |
| allow servicemanager $1:binder { call transfer }; |
| # servicemanager performs getpidcon on clients. |
| allow servicemanager $1:dir search; |
| allow servicemanager $1:file { read open }; |
| allow servicemanager $1:process getattr; |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| # all domains in domain.te. |
| ') |
| |
| ##################################### |
| # hwbinder_use(domain) |
| # Allow domain to use HwBinder IPC. |
| define(`hwbinder_use', ` |
| # Call the hwservicemanager and transfer references to it. |
| allow $1 hwservicemanager:binder { call transfer }; |
| # Allow hwservicemanager to send out callbacks |
| allow hwservicemanager $1:binder { call transfer }; |
| # hwservicemanager performs getpidcon on clients. |
| allow hwservicemanager $1:dir search; |
| allow hwservicemanager $1:file { read open map }; |
| allow hwservicemanager $1:process getattr; |
| # rw access to /dev/hwbinder and /dev/ashmem is presently granted to |
| # all domains in domain.te. |
| ') |
| |
| ##################################### |
| # vndbinder_use(domain) |
| # Allow domain to use Binder IPC. |
| define(`vndbinder_use', ` |
| # Talk to the vndbinder device node |
| allow $1 vndbinder_device:chr_file rw_file_perms; |
| # Call the vndservicemanager and transfer references to it. |
| allow $1 vndservicemanager:binder { call transfer }; |
| # vndservicemanager performs getpidcon on clients. |
| allow vndservicemanager $1:dir search; |
| allow vndservicemanager $1:file { read open map }; |
| allow vndservicemanager $1:process getattr; |
| ') |
| |
| ##################################### |
| # binder_call(clientdomain, serverdomain) |
| # Allow clientdomain to perform binder IPC to serverdomain. |
| define(`binder_call', ` |
| # Call the server domain and optionally transfer references to it. |
| allow $1 $2:binder { call transfer }; |
| # Allow the serverdomain to transfer references to the client on the reply. |
| allow $2 $1:binder transfer; |
| # Receive and use open files from the server. |
| allow $1 $2:fd use; |
| ') |
| |
| ##################################### |
| # binder_service(domain) |
| # Deprecated. Consider granting the exact permissions required by your service. |
| define(`binder_service', ` |
| typeattribute $1 binderservicedomain; |
| ') |
| |
| ##################################### |
| # wakelock_use(domain) |
| # Allow domain to manage wake locks |
| define(`wakelock_use', ` |
| # TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is |
| # deprecated. |
| # Access /sys/power/wake_lock and /sys/power/wake_unlock |
| allow $1 sysfs_wake_lock:file rw_file_perms; |
| # Accessing these files requires CAP_BLOCK_SUSPEND |
| allow $1 self:global_capability2_class_set block_suspend; |
| # system_suspend permissions |
| binder_call($1, system_suspend_server) |
| allow $1 system_suspend_hwservice:hwservice_manager find; |
| # halclientdomain permissions |
| hwbinder_use($1) |
| get_prop($1, hwservicemanager_prop) |
| allow $1 hidl_manager_hwservice:hwservice_manager find; |
| # AIDL suspend hal permissions |
| allow $1 hal_system_suspend_service:service_manager find; |
| binder_use($1) |
| ') |
| |
| ##################################### |
| # selinux_check_access(domain) |
| # Allow domain to check SELinux permissions via selinuxfs. |
| define(`selinux_check_access', ` |
| r_dir_file($1, selinuxfs) |
| allow $1 selinuxfs:file w_file_perms; |
| allow $1 kernel:security compute_av; |
| allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; |
| ') |
| |
| ##################################### |
| # selinux_check_context(domain) |
| # Allow domain to check SELinux contexts via selinuxfs. |
| define(`selinux_check_context', ` |
| r_dir_file($1, selinuxfs) |
| allow $1 selinuxfs:file w_file_perms; |
| allow $1 kernel:security check_context; |
| ') |
| |
| ##################################### |
| # create_pty(domain) |
| # Allow domain to create and use a pty, isolated from any other domain ptys. |
| define(`create_pty', ` |
| # Each domain gets a unique devpts type. |
| type $1_devpts, fs_type; |
| # Label the pty with the unique type when created. |
| type_transition $1 devpts:chr_file $1_devpts; |
| # Allow use of the pty after creation. |
| allow $1 $1_devpts:chr_file { open getattr read write ioctl }; |
| allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls; |
| # TIOCSTI is only ever used for exploits. Block it. |
| # b/33073072, b/7530569 |
| # http://www.openwall.com/lists/oss-security/2016/09/26/14 |
| neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI; |
| # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms |
| # allowed to everyone via domain.te. |
| ') |
| |
| ##################################### |
| # Non system_app application set |
| # |
| define(`non_system_app_set', `{ appdomain -system_app }') |
| |
| ##################################### |
| # Recovery only |
| # SELinux rules which apply only to recovery mode |
| # |
| define(`recovery_only', ifelse(target_recovery, `true', $1, )) |
| |
| ##################################### |
| # Not recovery |
| # SELinux rules which apply only to non-recovery (normal) mode |
| # |
| define(`not_recovery', ifelse(target_recovery, `true', , $1)) |
| |
| ##################################### |
| # Full TREBLE only |
| # SELinux rules which apply only to full TREBLE devices |
| # |
| define(`full_treble_only', ifelse(target_full_treble, `true', $1, |
| ifelse(target_full_treble, `cts', |
| # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify |
| $1 |
| # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify |
| , ))) |
| |
| ##################################### |
| # Not full TREBLE |
| # SELinux rules which apply only to devices which are not full TREBLE devices |
| # |
| define(`not_full_treble', ifelse(target_full_treble, `true', , $1)) |
| |
| ##################################### |
| # enforce_debugfs_restriction |
| # SELinux rules which apply to devices that enable debugfs restrictions. |
| # The keyword "cts" is used to insert markers to only CTS test the neverallows |
| # added by the macro for S-launch devices and newer. |
| define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1, |
| ifelse(target_enforce_debugfs_restriction, `cts', |
| # BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify |
| $1 |
| # END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify |
| , ))) |
| |
| ##################################### |
| # no_debugfs_restriction |
| # SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds. |
| define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1)) |
| |
| ##################################### |
| # Compatible property only |
| # SELinux rules which apply only to devices with compatible property |
| # |
| define(`compatible_property_only', ifelse(target_compatible_property, `true', $1, |
| ifelse(target_compatible_property, `cts', |
| # BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify |
| $1 |
| # END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify |
| , ))) |
| |
| ##################################### |
| # Not compatible property |
| # SELinux rules which apply only to devices without compatible property |
| # |
| define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1)) |
| |
| ##################################### |
| # Userdebug or eng builds |
| # SELinux rules which apply only to userdebug or eng builds |
| # |
| define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) |
| |
| ##################################### |
| # asan builds |
| # SELinux rules which apply only to asan builds |
| # |
| define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), )) |
| |
| ##################################### |
| # native coverage builds |
| # SELinux rules which apply only to builds with native coverage |
| # |
| define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), )) |
| |
| ##################################### |
| # Build-time-only test |
| # SELinux rules which are verified during build, but not as part of *TS testing. |
| # |
| define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1)) |
| |
| #################################### |
| # Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp). |
| # |
| define(`crash_dump_fallback', ` |
| userdebug_or_eng(` |
| allow $1 su:fifo_file append; |
| ') |
| allow $1 anr_data_file:file append; |
| allow $1 dumpstate:fd use; |
| allow $1 incidentd:fd use; |
| # TODO: Figure out why write is needed. |
| allow $1 dumpstate:fifo_file { append write }; |
| allow $1 incidentd:fifo_file { append write }; |
| allow $1 system_server:fifo_file { append write }; |
| allow $1 tombstoned:unix_stream_socket connectto; |
| allow $1 tombstoned:fd use; |
| allow $1 tombstoned_crash_socket:sock_file write; |
| allow $1 tombstone_data_file:file append; |
| ') |
| |
| ##################################### |
| # WITH_DEXPREOPT builds |
| # SELinux rules which apply only when pre-opting. |
| # |
| define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1)) |
| |
| ##################################### |
| # write_logd(domain) |
| # Ability to write to android log |
| # daemon via sockets |
| define(`write_logd', ` |
| unix_socket_send($1, logdw, logd) |
| allow $1 pmsg_device:chr_file w_file_perms; |
| ') |
| |
| ##################################### |
| # read_logd(domain) |
| # Ability to run logcat and read from android |
| # log daemon via sockets |
| define(`read_logd', ` |
| allow $1 logcat_exec:file rx_file_perms; |
| unix_socket_connect($1, logdr, logd) |
| ') |
| |
| ##################################### |
| # read_runtime_log_tags(domain) |
| # ability to directly map the runtime event log tags |
| define(`read_runtime_log_tags', ` |
| allow $1 runtime_event_log_tags_file:file r_file_perms; |
| ') |
| |
| ##################################### |
| # control_logd(domain) |
| # Ability to control |
| # android log daemon via sockets |
| define(`control_logd', ` |
| # Group AID_LOG checked by filesystem & logd |
| # to permit control commands |
| unix_socket_connect($1, logd, logd) |
| ') |
| |
| ##################################### |
| # use_keystore(domain) |
| # Ability to use keystore. |
| # Keystore is requires the following permissions |
| # to call getpidcon. |
| define(`use_keystore', ` |
| allow keystore $1:dir search; |
| allow keystore $1:file { read open }; |
| allow keystore $1:process getattr; |
| allow $1 apc_service:service_manager find; |
| allow $1 keystore_service:service_manager find; |
| allow $1 legacykeystore_service:service_manager find; |
| binder_call($1, keystore) |
| binder_call(keystore, $1) |
| ') |
| |
| ##################################### |
| # use_credstore(domain) |
| # Ability to use credstore. |
| define(`use_credstore', ` |
| allow credstore $1:dir search; |
| allow credstore $1:file { read open }; |
| allow credstore $1:process getattr; |
| allow $1 credstore_service:service_manager find; |
| binder_call($1, credstore) |
| binder_call(credstore, $1) |
| ') |
| |
| ########################################### |
| # use_drmservice(domain) |
| # Ability to use DrmService which requires |
| # DrmService to call getpidcon. |
| define(`use_drmservice', ` |
| allow drmserver $1:dir search; |
| allow drmserver $1:file { read open }; |
| allow drmserver $1:process getattr; |
| ') |
| |
| ########################################### |
| # add_service(domain, service) |
| # Ability for domain to add a service to service_manager |
| # and find it. It also creates a neverallow preventing |
| # others from adding it. |
| define(`add_service', ` |
| allow $1 $2:service_manager { add find }; |
| neverallow { domain -$1 } $2:service_manager add; |
| |
| # On debug builds with root, allow binder services to use binder over TCP. |
| # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. |
| userdebug_or_eng(` |
| allow $1 su:tcp_socket { accept getopt read write }; |
| ') |
| ') |
| |
| ########################################### |
| # add_hwservice(domain, service) |
| # Ability for domain to add a service to hwservice_manager |
| # and find it. It also creates a neverallow preventing |
| # others from adding it. |
| define(`add_hwservice', ` |
| allow $1 $2:hwservice_manager { add find }; |
| allow $1 hidl_base_hwservice:hwservice_manager add; |
| neverallow { domain -$1 } $2:hwservice_manager add; |
| ') |
| |
| ########################################### |
| # hal_attribute_hwservice(attribute, service) |
| # Ability for domain to get a service to hwservice_manager |
| # and find it. It also creates a neverallow preventing |
| # others from adding it. |
| # |
| # Used to pair hal_foo_client with hal_foo_hwservice |
| define(`hal_attribute_hwservice', ` |
| allow $1_client $2:hwservice_manager find; |
| add_hwservice($1_server, $2) |
| |
| build_test_only(` |
| # if you are hitting this neverallow, try using: |
| # hal_client_domain(<your domain>, hal_<foo>) |
| # instead |
| neverallow { domain -$1_client -$1_server } $2:hwservice_manager find; |
| ') |
| ') |
| |
| ########################################### |
| # hal_attribute_service(attribute, service) |
| # Ability for domain to get a service to service_manager |
| # and find it. It also creates a neverallow preventing |
| # others from adding it. |
| # |
| # Used to pair hal_foo_client with hal_foo_service |
| define(`hal_attribute_service', ` |
| allow $1_client $2:service_manager find; |
| add_service($1_server, $2) |
| |
| build_test_only(` |
| # if you are hitting this neverallow, try using: |
| # hal_client_domain(<your domain>, hal_<foo>) |
| # instead |
| neverallow { |
| domain |
| -$1_client |
| -$1_server |
| # some services are allowed to find all services |
| -atrace |
| -shell |
| -system_app |
| -traceur_app |
| } $2:service_manager find; |
| ') |
| ') |
| |
| ################################### |
| # can_profile_heap(domain) |
| # Allow processes within the domain to have their heap profiled by central |
| # heapprofd. |
| define(`can_profile_heap', ` |
| # Allow central daemon to send signal for client initialization. |
| allow heapprofd $1:process signal; |
| # Allow connecting to the daemon. |
| unix_socket_connect($1, heapprofd, heapprofd) |
| # Allow daemon to use the passed fds. |
| allow heapprofd $1:fd use; |
| # Allow to read and write to heapprofd shmem. |
| # The client needs to read the read and write pointers in order to write. |
| allow $1 heapprofd_tmpfs:file { read write getattr map }; |
| # Use shared memory received over the unix socket. |
| allow $1 heapprofd:fd use; |
| |
| # To read and write from the received file descriptors. |
| # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the |
| # process they relate to. |
| # We need to write to /proc/$PID/page_idle to find idle allocations. |
| # The client only opens /proc/self/page_idle with RDWR, everything else |
| # with RDONLY. |
| # heapprofd cannot open /proc/$PID/mem itself, as it does not have |
| # sys_ptrace. |
| allow heapprofd $1:file rw_file_perms; |
| # Allow searching the /proc/[pid] directory for cmdline. |
| allow heapprofd $1:dir r_dir_perms; |
| ') |
| |
| ################################### |
| # never_profile_heap(domain) |
| # Opt out of heap profiling by heapprofd. |
| define(`never_profile_heap', ` |
| neverallow heapprofd $1:file read; |
| neverallow heapprofd $1:process signal; |
| ') |
| |
| ################################### |
| # can_profile_perf(domain) |
| # Allow processes within the domain to be profiled, and have their stacks |
| # sampled, by traced_perf. |
| define(`can_profile_perf', ` |
| # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and |
| # reads /proc/[pid]/cmdline. |
| allow traced_perf $1:file r_file_perms; |
| allow traced_perf $1:dir r_dir_perms; |
| |
| # Allow central daemon to send signal to request /proc/[pid]/maps and |
| # /proc/[pid]/mem fds from this process. |
| allow traced_perf $1:process signal; |
| |
| # Allow connecting to the daemon. |
| unix_socket_connect($1, traced_perf, traced_perf) |
| # Allow daemon to use the passed fds. |
| allow traced_perf $1:fd use; |
| ') |
| |
| ################################### |
| # never_profile_perf(domain) |
| # Opt out of profiling by traced_perf. |
| define(`never_profile_perf', ` |
| neverallow traced_perf $1:file read; |
| neverallow traced_perf $1:process signal; |
| ') |
| |
| ################################### |
| # perfetto_producer(domain) |
| # Allow processes within the domain to write data to Perfetto. |
| # When applying this macro, you might need to also allow traced to use the |
| # producer tmpfs domain, if the producer will be the one creating the shared |
| # memory. |
| define(`perfetto_producer', ` |
| allow $1 traced:fd use; |
| allow $1 traced_tmpfs:file { read write getattr map }; |
| unix_socket_connect($1, traced_producer, traced) |
| |
| # Also allow the service to use the producer file descriptors. This is |
| # necessary when the producer is creating the shared memory, as it will be |
| # passed to the service as a file descriptor (obtained from memfd_create). |
| allow traced $1:fd use; |
| ') |
| |
| ########################################### |
| # dump_hal(hal_type) |
| # Ability to dump the hal debug info |
| # |
| define(`dump_hal', ` |
| hal_client_domain(dumpstate, $1); |
| allow $1_server dumpstate:fifo_file write; |
| allow $1_server dumpstate:fd use; |
| ') |
| |
| ##################################### |
| # treble_sysprop_neverallow(rules) |
| # SELinux neverallow rules which enforces the accessibility of each property |
| # outside the owner. |
| # |
| # For devices launching with R or later, exported properties must be explicitly marked as |
| # "restricted" or "public", depending on the accessibility outside the owner. |
| # For devices launching with Q or eariler, this neverallow rules can be relaxed with defining |
| # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk. |
| # See {partition}_{accessibility}_prop macros below. |
| # |
| # CTS uses these rules only for devices launching with R or later. |
| # |
| # TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW |
| # |
| define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1, |
| ifelse(target_treble_sysprop_neverallow, `cts', |
| # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify |
| $1 |
| # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify |
| , ))) |
| |
| ##################################### |
| # enforce_sysprop_owner(rules) |
| # SELinux neverallow rules which enforces the owner of each property. |
| # |
| # For devices launching with S or later, all properties must be explicitly marked as one of: |
| # system_property_type, vendor_property_type, or product_property_type. |
| # For devices launching with R or eariler, this neverallow rules can be relaxed with defining |
| # BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk. |
| # See {partition}_{accessibility}_prop macros below. |
| # |
| # CTS uses these ules only for devices launching with S or later. |
| # |
| define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1, |
| ifelse(target_enforce_sysprop_owner, `cts', |
| # BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify |
| $1 |
| # END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify |
| , ))) |
| |
| ########################################### |
| # define_prop(name, owner, scope) |
| # Define a property with given owner and scope |
| # |
| define(`define_prop', ` |
| type $1, property_type, $2_property_type, $2_$3_property_type; |
| ') |
| |
| ########################################### |
| # system_internal_prop(name) |
| # Define a /system-owned property used only in /system |
| # For devices launching with Q or eariler, this restriction can be relaxed with |
| # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true |
| # |
| define(`system_internal_prop', ` |
| define_prop($1, system, internal) |
| treble_sysprop_neverallow(` |
| neverallow { domain -coredomain } $1:file no_rw_file_perms; |
| ') |
| ') |
| |
| ########################################### |
| # system_restricted_prop(name) |
| # Define a /system-owned property which can't be written outside /system |
| # For devices launching with Q or eariler, this restriction can be relaxed with |
| # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true |
| # |
| define(`system_restricted_prop', ` |
| define_prop($1, system, restricted) |
| treble_sysprop_neverallow(` |
| neverallow { domain -coredomain } $1:property_service set; |
| ') |
| ') |
| |
| ########################################### |
| # system_public_prop(name) |
| # Define a /system-owned property with no restrictions |
| # |
| define(`system_public_prop', `define_prop($1, system, public)') |
| |
| ########################################### |
| # system_vendor_config_prop(name) |
| # Define a /system-owned property which can only be written by vendor_init |
| # This is a macro for vendor-specific configuration properties which is meant |
| # to be set once from vendor_init. |
| # |
| define(`system_vendor_config_prop', ` |
| system_public_prop($1) |
| set_prop(vendor_init, $1) |
| neverallow { domain -init -vendor_init } $1:property_service set; |
| ') |
| |
| ########################################### |
| # product_internal_prop(name) |
| # Define a /product-owned property used only in /product |
| # For devices launching with Q or eariler, this restriction can be relaxed with |
| # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true |
| # |
| define(`product_internal_prop', ` |
| define_prop($1, product, internal) |
| treble_sysprop_neverallow(` |
| neverallow { domain -coredomain } $1:file no_rw_file_perms; |
| ') |
| ') |
| |
| ########################################### |
| # product_restricted_prop(name) |
| # Define a /product-owned property which can't be written outside /product |
| # For devices launching with Q or eariler, this restriction can be relaxed with |
| # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true |
| # |
| define(`product_restricted_prop', ` |
| define_prop($1, product, restricted) |
| treble_sysprop_neverallow(` |
| neverallow { domain -coredomain } $1:property_service set; |
| ') |
| ') |
| |
| ########################################### |
| # product_public_prop(name) |
| # Define a /product-owned property with no restrictions |
| # |
| define(`product_public_prop', `define_prop($1, product, public)') |
| |
| ########################################### |
| # vendor_internal_prop(name) |
| # Define a /vendor-owned property used only in /vendor |
| # For devices launching with Q or eariler, this restriction can be relaxed with |
| # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true |
| # |
| define(`vendor_internal_prop', ` |
| define_prop($1, vendor, internal) |
| treble_sysprop_neverallow(` |
| # init and dumpstate are in coredomain, but should be able to read all props. |
| neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms; |
| ') |
| ') |
| |
| ########################################### |
| # vendor_restricted_prop(name) |
| # Define a /vendor-owned property which can't be written outside /vendor |
| # For devices launching with Q or eariler, this restriction can be relaxed with |
| # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true |
| # |
| define(`vendor_restricted_prop', ` |
| define_prop($1, vendor, restricted) |
| treble_sysprop_neverallow(` |
| # init is in coredomain, but should be able to write all props. |
| neverallow { coredomain -init } $1:property_service set; |
| ') |
| ') |
| |
| ########################################### |
| # vendor_public_prop(name) |
| # Define a /vendor-owned property with no restrictions |
| # |
| define(`vendor_public_prop', `define_prop($1, vendor, public)') |
| |
| ##################################### |
| # read_fstab(domain) |
| # Ability to call ReadDefaultFstab() and ReadFstabFromFile(). |
| # |
| define(`read_fstab', ` |
| allow $1 { metadata_file gsi_metadata_file_type }:dir search; |
| allow $1 gsi_public_metadata_file:file r_file_perms; |
| allow $1 { proc_bootconfig proc_cmdline }:file r_file_perms; |
| ') |
| |
| ###################################### |
| # use_bootstrap_libs(domain) |
| # Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap |
| define(`use_bootstrap_libs', ` |
| allow $1 system_bootstrap_lib_file:dir r_dir_perms; |
| allow $1 system_bootstrap_lib_file:file { execute read open getattr map }; |
| ') |
| |
| ###################################### |
| # use_apex_info(domain) |
| # Allow access to apex information |
| define(`use_apex_info', ` |
| allow $1 apex_mnt_dir:dir r_dir_perms; |
| allow $1 apex_info_file:file r_file_perms; |
| r_dir_file($1, vendor_apex_metadata_file) |
| ') |
| |
| #################################### |
| # io_uring_use(domain) |
| # Allow domain to create/use io_uring. |
| define(`io_uring_use', ` |
| # Set up a type_transition to "io_uring" named anonymous inode object. |
| type $1_iouring; |
| type_transition $1 $1:anon_inode $1_iouring "[io_uring]"; |
| # Allow domain to create/use io_uring anon_inode. |
| allow $1 $1_iouring:anon_inode { create map read write }; |
| allow $1 self:io_uring sqpoll; |
| # Other domains may not use iouring anon_inodes created by this domain. |
| neverallow { domain -$1 } $1_iouring:anon_inode *; |
| # io_uring checks for CAP_IPC_LOCK to determine whether or not to track |
| # memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to |
| # grant CAP_IPC_LOCK to silence avc denials, which is undesireable. |
| dontaudit $1 self:global_capability_class_set ipc_lock; |
| ') |