| # Transition to crash_dump when /system/bin/crash_dump* is executed. |
| # This occurs when the process crashes. |
| # We do not apply this to the su domain to avoid interfering with |
| # tests (b/114136122) |
| domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump); |
| allow domain crash_dump:process sigchld; |
| |
| # Allow every process to check the heapprofd.enable properties to determine |
| # whether to load the heap profiling library. This does not necessarily enable |
| # heap profiling, as initialization will fail if it does not have the |
| # necessary SELinux permissions. |
| get_prop(domain, heapprofd_prop); |
| # Allow heap profiling on debug builds. |
| userdebug_or_eng(`can_profile_heap_central({ |
| domain |
| -bpfloader |
| -init |
| -kernel |
| -keystore |
| -llkd |
| -logd |
| -logpersist |
| -recovery |
| -recovery_persist |
| -recovery_refresh |
| -ueventd |
| -vendor_init |
| -vold |
| })') |
| |
| # As above, allow perf profiling most processes on debug builds. |
| # zygote is excluded as system-wide profiling could end up with it |
| # (unexpectedly) holding an open fd across a fork. |
| userdebug_or_eng(`can_profile_perf({ |
| domain |
| -bpfloader |
| -init |
| -kernel |
| -keystore |
| -llkd |
| -logd |
| -logpersist |
| -recovery |
| -recovery_persist |
| -recovery_refresh |
| -ueventd |
| -vendor_init |
| -vold |
| -zygote |
| })') |
| |
| # Path resolution access in cgroups. |
| allow domain cgroup:dir search; |
| allow { domain -appdomain -rs } cgroup:dir w_dir_perms; |
| allow { domain -appdomain -rs } cgroup:file w_file_perms; |
| |
| allow domain cgroup_rc_file:dir search; |
| allow domain cgroup_rc_file:file r_file_perms; |
| allow domain task_profiles_file:file r_file_perms; |
| allow domain vendor_task_profiles_file:file r_file_perms; |
| |
| # Allow all domains to read sys.use_memfd to determine |
| # if memfd support can be used if device supports it |
| get_prop(domain, use_memfd_prop); |
| |
| # Read access to sdkextensions props |
| get_prop(domain, module_sdkextensions_prop) |
| |
| # Read access to bq configuration values |
| get_prop(domain, bq_config_prop); |
| |
| # For now, everyone can access core property files |
| # Device specific properties are not granted by default |
| not_compatible_property(` |
| # DO NOT ADD ANY PROPERTIES HERE |
| get_prop(domain, core_property_type) |
| get_prop(domain, exported2_system_prop) |
| get_prop(domain, exported3_default_prop) |
| get_prop(domain, exported3_radio_prop) |
| get_prop(domain, exported3_system_prop) |
| get_prop(domain, vendor_default_prop) |
| ') |
| compatible_property_only(` |
| # DO NOT ADD ANY PROPERTIES HERE |
| get_prop({coredomain appdomain shell}, core_property_type) |
| get_prop({coredomain appdomain shell}, exported2_system_prop) |
| get_prop({coredomain appdomain shell}, exported3_default_prop) |
| get_prop({coredomain appdomain shell}, exported3_radio_prop) |
| get_prop({coredomain appdomain shell}, exported3_system_prop) |
| get_prop({coredomain appdomain shell}, exported_camera_prop) |
| get_prop({coredomain shell}, userspace_reboot_exported_prop) |
| get_prop({coredomain shell}, userspace_reboot_log_prop) |
| get_prop({coredomain shell}, userspace_reboot_test_prop) |
| get_prop({domain -coredomain -appdomain}, vendor_default_prop) |
| ') |
| |
| # Allow access to fsverity keyring. |
| allow domain kernel:key search; |
| # Allow access to keys in the fsverity keyring that were installed at boot. |
| allow domain fsverity_init:key search; |
| # For testing purposes, allow access to keys installed with su. |
| userdebug_or_eng(` |
| allow domain su:key search; |
| ') |
| |
| # Allow access to linkerconfig file |
| allow domain linkerconfig_file:dir search; |
| allow domain linkerconfig_file:file r_file_perms; |
| |
| # Allow all processes to check for the existence of the boringssl_self_test_marker files. |
| allow domain boringssl_self_test_marker:dir search; |
| |
| # Limit ability to ptrace or read sensitive /proc/pid files of processes |
| # with other UIDs to these whitelisted domains. |
| neverallow { |
| domain |
| -vold |
| userdebug_or_eng(`-llkd') |
| -dumpstate |
| userdebug_or_eng(`-incidentd') |
| -storaged |
| -system_server |
| } self:global_capability_class_set sys_ptrace; |
| |
| # Limit ability to generate hardware unique device ID attestations to priv_apps |
| neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id; |
| |
| neverallow { |
| domain |
| -init |
| -vendor_init |
| userdebug_or_eng(`-domain') |
| } debugfs_tracing_debug:file no_rw_file_perms; |
| |
| # System_server owns dropbox data, and init creates/restorecons the directory |
| # Disallow direct access by other processes. |
| neverallow { domain -init -system_server } dropbox_data_file:dir *; |
| neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read }; |
| |
| ### |
| # Services should respect app sandboxes |
| neverallow { |
| domain |
| -appdomain |
| -installd # creation of sandbox |
| } { privapp_data_file app_data_file }:dir_file_class_set { create unlink }; |
| |
| # Only the following processes should be directly accessing private app |
| # directories. |
| neverallow { |
| domain |
| -adbd |
| -appdomain |
| -app_zygote |
| -dexoptanalyzer |
| -installd |
| -iorap_inode2filename |
| -iorap_prefetcherd |
| -profman |
| -rs # spawned by appdomain, so carryover the exception above |
| -runas |
| -system_server |
| -viewcompiler |
| -zygote |
| } { privapp_data_file app_data_file }:dir *; |
| |
| # Only apps should be modifying app data. installd is exempted for |
| # restorecon and package install/uninstall. |
| neverallow { |
| domain |
| -appdomain |
| -installd |
| -rs # spawned by appdomain, so carryover the exception above |
| } { privapp_data_file app_data_file }:dir ~r_dir_perms; |
| |
| neverallow { |
| domain |
| -appdomain |
| -app_zygote |
| -installd |
| -iorap_prefetcherd |
| -rs # spawned by appdomain, so carryover the exception above |
| } { privapp_data_file app_data_file }:file_class_set open; |
| |
| neverallow { |
| domain |
| -appdomain |
| -installd # creation of sandbox |
| } { privapp_data_file app_data_file }:dir_file_class_set { create unlink }; |
| |
| neverallow { |
| domain |
| -installd |
| } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto }; |
| |
| # The staging directory contains APEX and APK files. It is important to ensure |
| # that these files cannot be accessed by other domains to ensure that the files |
| # do not change between system_server staging the files and apexd processing |
| # the files. |
| neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *; |
| neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *; |
| neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms; |
| # apexd needs the link and unlink permissions, so list every `no_w_file_perms` |
| # except for `link` and `unlink`. |
| neverallow { domain -init -system_server } staging_data_file:file |
| { append create relabelfrom rename setattr write no_x_file_perms }; |
| |
| neverallow { |
| domain |
| -appdomain # for oemfs |
| -bootanim # for oemfs |
| -recovery # for /tmp/update_binary in tmpfs |
| } { fs_type -rootfs }:file execute; |
| |
| # |
| # Assert that, to the extent possible, we're not loading executable content from |
| # outside the rootfs or /system partition except for a few whitelisted domains. |
| # Executable files loaded from /data is a persistence vector |
| # we want to avoid. See |
| # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. |
| # |
| neverallow { |
| domain |
| -appdomain |
| with_asan(`-asan_extract') |
| -iorap_prefetcherd |
| -shell |
| userdebug_or_eng(`-su') |
| -system_server_startup # for memfd backed executable regions |
| -app_zygote |
| -webview_zygote |
| -zygote |
| userdebug_or_eng(`-mediaextractor') |
| userdebug_or_eng(`-mediaswcodec') |
| } { |
| file_type |
| -system_file_type |
| -system_lib_file |
| -system_linker_exec |
| -vendor_file_type |
| -exec_type |
| -postinstall_file |
| }:file execute; |
| |
| # Only init is allowed to write cgroup.rc file |
| neverallow { |
| domain |
| -init |
| -vendor_init |
| } cgroup_rc_file:file no_w_file_perms; |
| |
| # Only authorized processes should be writing to files in /data/dalvik-cache |
| neverallow { |
| domain |
| -init # TODO: limit init to relabelfrom for files |
| -zygote |
| -installd |
| -postinstall_dexopt |
| -cppreopts |
| -dex2oat |
| -otapreopt_slot |
| -art_apex_postinstall |
| -art_apex_boot_integrity |
| } dalvikcache_data_file:file no_w_file_perms; |
| |
| neverallow { |
| domain |
| -init |
| -installd |
| -postinstall_dexopt |
| -cppreopts |
| -dex2oat |
| -zygote |
| -otapreopt_slot |
| -art_apex_boot_integrity |
| -art_apex_postinstall |
| } dalvikcache_data_file:dir no_w_dir_perms; |
| |
| # Minimize dac_override and dac_read_search. |
| # Instead of granting them it is usually better to add the domain to |
| # a Unix group or change the permissions of a file. |
| define(`dac_override_allowed', `{ |
| apexd |
| dnsmasq |
| dumpstate |
| init |
| installd |
| userdebug_or_eng(`llkd') |
| lmkd |
| migrate_legacy_obb_data |
| netd |
| postinstall_dexopt |
| recovery |
| rss_hwm_reset |
| sdcardd |
| tee |
| ueventd |
| uncrypt |
| vendor_init |
| vold |
| vold_prepare_subdirs |
| zygote |
| }') |
| neverallow ~dac_override_allowed self:global_capability_class_set dac_override; |
| # Since the kernel checks dac_read_search before dac_override, domains that |
| # have dac_override should also have dac_read_search to eliminate spurious |
| # denials. Some domains have dac_read_search without having dac_override, so |
| # this list should be a superset of the one above. |
| neverallow ~{ |
| dac_override_allowed |
| iorap_inode2filename |
| iorap_prefetcherd |
| traced_perf |
| traced_probes |
| userdebug_or_eng(`heapprofd') |
| } self:global_capability_class_set dac_read_search; |
| |
| # Limit what domains can mount filesystems or change their mount flags. |
| # sdcard_type / vfat is exempt as a larger set of domains need |
| # this capability, including device-specific domains. |
| neverallow { |
| domain |
| -apexd |
| recovery_only(`userdebug_or_eng(`-fastbootd')') |
| -init |
| -kernel |
| -otapreopt_chroot |
| -recovery |
| -update_engine |
| -vold |
| -zygote |
| } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; |
| |
| # Limit raw I/O to these whitelisted domains. Do not apply to debug builds. |
| neverallow { |
| domain |
| userdebug_or_eng(`-domain') |
| -kernel |
| -gsid |
| -init |
| -recovery |
| -ueventd |
| -healthd |
| -uncrypt |
| -tee |
| -hal_bootctl_server |
| -fastbootd |
| } self:global_capability_class_set sys_rawio; |
| |
| # Limit directory operations that doesn't need to do app data isolation. |
| neverallow { |
| domain |
| -init |
| -installd |
| -zygote |
| } mirror_data_file:dir *; |
| |
| # This property is being removed. Remove remaining access. |
| neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set; |
| neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read; |
| |
| # Only core domains are allowed to access package_manager properties |
| neverallow { domain -init -system_server } pm_prop:property_service set; |
| neverallow { domain -coredomain } pm_prop:file no_rw_file_perms; |
| |
| # Do not allow reading the last boot timestamp from system properties |
| neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms; |
| |
| # Kprobes should only be used by adb root |
| neverallow { domain -init -vendor_init } debugfs_kprobes:file *; |