| # Rules for all domains. |
| |
| # Allow reaping by init. |
| allow domain init:process sigchld; |
| |
| # Intra-domain accesses. |
| allow domain self:process { |
| fork |
| sigchld |
| sigkill |
| sigstop |
| signull |
| signal |
| getsched |
| setsched |
| getsession |
| getpgid |
| setpgid |
| getcap |
| setcap |
| getattr |
| setrlimit |
| }; |
| allow domain self:fd use; |
| allow domain proc:dir r_dir_perms; |
| allow domain proc_net_type:dir search; |
| r_dir_file(domain, self) |
| allow domain self:{ fifo_file file } rw_file_perms; |
| allow domain self:unix_dgram_socket { create_socket_perms sendto }; |
| allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; |
| |
| # Inherit or receive open files from others. |
| allow domain init:fd use; |
| |
| userdebug_or_eng(` |
| allow domain su:fd use; |
| allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown }; |
| allow domain su:unix_dgram_socket sendto; |
| |
| allow { domain -init } su:binder { call transfer }; |
| |
| # Running something like "pm dump com.android.bluetooth" requires |
| # fifo writes |
| allow domain su:fifo_file { write getattr }; |
| |
| # allow "gdbserver --attach" to work for su. |
| allow domain su:process sigchld; |
| |
| # Allow writing coredumps to /cores/* |
| allow domain coredump_file:file create_file_perms; |
| allow domain coredump_file:dir ra_dir_perms; |
| ') |
| |
| with_native_coverage(` |
| # Allow writing coverage information to /data/misc/trace |
| allow domain method_trace_data_file:dir create_dir_perms; |
| allow domain method_trace_data_file:file create_file_perms; |
| ') |
| |
| # Root fs. |
| allow domain tmpfs:dir { getattr search }; |
| allow domain rootfs:dir search; |
| allow domain rootfs:lnk_file { read getattr }; |
| |
| # Device accesses. |
| allow domain device:dir search; |
| allow domain dev_type:lnk_file r_file_perms; |
| allow domain devpts:dir search; |
| allow domain dmabuf_heap_device:dir r_dir_perms; |
| allow domain socket_device:dir r_dir_perms; |
| allow domain owntty_device:chr_file rw_file_perms; |
| allow domain null_device:chr_file rw_file_perms; |
| allow domain zero_device:chr_file rw_file_perms; |
| |
| # /dev/ashmem is being deprecated by means of constraining and eventually |
| # removing all "open" permissions. We preserve the other permissions. |
| allow domain ashmem_device:chr_file { getattr read ioctl lock map append write }; |
| # This device is used by libcutils, which is accessible to everyone. |
| allow domain ashmem_libcutils_device:chr_file rw_file_perms; |
| |
| # /dev/binder can be accessed by ... everyone! :) |
| allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms; |
| |
| # Restrict binder ioctls to an allowlist. Additional ioctl commands may be |
| # added to individual domains, but this sets safe defaults for all processes. |
| allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls }; |
| |
| # /dev/binderfs needs to be accessed by everyone too! |
| allow domain binderfs:dir { getattr search }; |
| allow domain binderfs_logs_proc:dir search; |
| |
| allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; |
| allow domain ptmx_device:chr_file rw_file_perms; |
| allow domain random_device:chr_file rw_file_perms; |
| allow domain proc_random:dir r_dir_perms; |
| allow domain proc_random:file r_file_perms; |
| allow domain properties_device:dir { search getattr }; |
| allow domain properties_serial:file r_file_perms; |
| allow domain property_info:file r_file_perms; |
| |
| # Public readable properties |
| get_prop(domain, aaudio_config_prop) |
| get_prop(domain, arm64_memtag_prop) |
| get_prop(domain, bootloader_prop) |
| get_prop(domain, build_odm_prop) |
| get_prop(domain, build_prop) |
| get_prop(domain, build_vendor_prop) |
| get_prop(domain, debug_prop) |
| get_prop(domain, exported_config_prop) |
| get_prop(domain, exported_default_prop) |
| get_prop(domain, exported_dumpstate_prop) |
| get_prop(domain, exported_secure_prop) |
| get_prop(domain, exported_system_prop) |
| get_prop(domain, fingerprint_prop) |
| get_prop(domain, hal_instrumentation_prop) |
| get_prop(domain, hw_timeout_multiplier_prop) |
| get_prop(domain, init_service_status_prop) |
| get_prop(domain, libc_debug_prop) |
| get_prop(domain, logd_prop) |
| get_prop(domain, mediadrm_config_prop) |
| get_prop(domain, property_service_version_prop) |
| get_prop(domain, soc_prop) |
| get_prop(domain, socket_hook_prop) |
| get_prop(domain, surfaceflinger_prop) |
| get_prop(domain, telephony_status_prop) |
| get_prop(domain, vendor_socket_hook_prop) |
| get_prop(domain, vndk_prop) |
| get_prop(domain, vold_status_prop) |
| get_prop(domain, vts_config_prop) |
| |
| # Binder cache properties are world-readable |
| get_prop(domain, binder_cache_bluetooth_server_prop) |
| get_prop(domain, binder_cache_system_server_prop) |
| get_prop(domain, binder_cache_telephony_server_prop) |
| |
| # Let everyone read log properties, so that liblog can avoid sending unloggable |
| # messages to logd. |
| get_prop(domain, log_property_type) |
| dontaudit domain property_type:file audit_access; |
| allow domain property_contexts_file:file r_file_perms; |
| |
| allow domain init:key search; |
| allow domain vold:key search; |
| |
| # logd access |
| write_logd(domain) |
| |
| # Directory/link file access for path resolution. |
| allow domain { |
| system_file |
| system_lib_file |
| system_seccomp_policy_file |
| system_security_cacerts_file |
| }:dir r_dir_perms; |
| allow domain system_file:lnk_file { getattr read }; |
| |
| # Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*, |
| # /(system|product|system_ext)/etc/(group|passwd), linker and its config. |
| allow domain system_seccomp_policy_file:file r_file_perms; |
| # cacerts are accessible from public Java API. |
| allow domain system_security_cacerts_file:file r_file_perms; |
| allow domain system_group_file:file r_file_perms; |
| allow domain system_passwd_file:file r_file_perms; |
| allow domain system_linker_exec:file { execute read open getattr map }; |
| allow domain system_linker_config_file:file r_file_perms; |
| allow domain system_lib_file:file { execute read open getattr map }; |
| # To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc. |
| allow domain system_linker_exec:lnk_file { read open getattr }; |
| allow domain system_lib_file:lnk_file { read open getattr }; |
| |
| allow domain system_event_log_tags_file:file r_file_perms; |
| |
| allow { appdomain coredomain } system_file:file { execute read open getattr map }; |
| |
| # Make sure system/vendor split doesn not affect non-treble |
| # devices |
| not_full_treble(` |
| allow domain system_file:file { execute read open getattr map }; |
| allow domain vendor_file_type:dir { search getattr }; |
| allow domain vendor_file_type:file { execute read open getattr map }; |
| allow domain vendor_file_type:lnk_file { getattr read }; |
| ') |
| |
| # All domains are allowed to open and read directories |
| # that contain HAL implementations (e.g. passthrough |
| # HALs require clients to have these permissions) |
| allow domain vendor_hal_file:dir r_dir_perms; |
| |
| # Everyone can read and execute all same process HALs |
| allow domain same_process_hal_file:dir r_dir_perms; |
| allow { |
| domain |
| -coredomain # access is explicitly granted to individual coredomains |
| } same_process_hal_file:file { execute read open getattr map }; |
| |
| # Any process can load vndk-sp libraries, which are system libraries |
| # used by same process HALs |
| allow domain vndk_sp_file:dir r_dir_perms; |
| allow domain vndk_sp_file:file { execute read open getattr map }; |
| |
| # All domains get access to /vendor/etc |
| allow domain vendor_configs_file:dir r_dir_perms; |
| allow domain vendor_configs_file:file { read open getattr map }; |
| |
| full_treble_only(` |
| # Allow all domains to be able to follow /system/vendor and/or |
| # /vendor/odm symlinks. |
| allow domain vendor_file_type:lnk_file { getattr open read }; |
| |
| # This is required to be able to search & read /vendor/lib64 |
| # in order to lookup vendor libraries. The execute permission |
| # for coredomains is granted *only* for same process HALs |
| allow domain vendor_file:dir { getattr search }; |
| |
| # Allow reading and executing out of /vendor to all vendor domains |
| allow { domain -coredomain } vendor_file_type:dir r_dir_perms; |
| allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; |
| allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; |
| ') |
| |
| # read and stat any sysfs symlinks |
| allow domain sysfs:lnk_file { getattr read }; |
| |
| # libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for |
| # timezone related information. |
| # This directory is considered to be a VNDK-stable |
| allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms; |
| allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms; |
| |
| # Lots of processes access current CPU information |
| r_dir_file(domain, sysfs_devices_system_cpu) |
| |
| r_dir_file(domain, sysfs_usb); |
| |
| # If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically |
| # included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled. |
| allow domain sysfs_transparent_hugepage:dir search; |
| allow domain sysfs_transparent_hugepage:file r_file_perms; |
| |
| # files under /data. |
| not_full_treble(` |
| allow domain system_data_file:dir getattr; |
| ') |
| allow { coredomain appdomain } system_data_file:dir getattr; |
| # /data has the label system_data_root_file. Vendor components need the search |
| # permission on system_data_root_file for path traversal to /data/vendor. |
| allow domain system_data_root_file:dir { search getattr } ; |
| allow domain system_data_file:dir search; |
| # TODO restrict this to non-coredomain |
| allow domain vendor_data_file:dir { getattr search }; |
| |
| # required by the dynamic linker |
| allow domain proc:lnk_file { getattr read }; |
| |
| # /proc/cpuinfo |
| allow domain proc_cpuinfo:file r_file_perms; |
| |
| # /dev/cpu_variant:.* |
| allow domain dev_cpu_variant:file r_file_perms; |
| |
| # profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate |
| allow domain proc_perf:file r_file_perms; |
| |
| # toybox loads libselinux which stats /sys/fs/selinux/ |
| allow domain selinuxfs:dir search; |
| allow domain selinuxfs:file getattr; |
| allow domain sysfs:dir search; |
| allow domain selinuxfs:filesystem getattr; |
| |
| # Almost all processes log tracing information to |
| # /sys/kernel/debug/tracing/trace_marker |
| # The reason behind this is documented in b/6513400 |
| allow domain debugfs:dir search; |
| allow domain debugfs_tracing:dir search; |
| allow domain debugfs_tracing_debug:dir search; |
| allow domain debugfs_trace_marker:file w_file_perms; |
| |
| # Linux lockdown mode offers coarse-grained definitions for access controls. |
| # The "confidentiality" level detects access to tracefs or the perf subsystem. |
| # This overlaps with more precise declarations in Android's policy. The |
| # debugfs_trace_marker above is an example in which all processes should have |
| # some access to tracefs. Therefore, allow all domains to access this level. |
| # The "integrity" level is however enforced. |
| allow domain self:lockdown confidentiality; |
| |
| # Filesystem access. |
| allow domain fs_type:filesystem getattr; |
| allow domain fs_type:dir getattr; |
| |
| # Restrict all domains to an allowlist for common socket types. Additional |
| # ioctl commands may be added to individual domains, but this sets safe |
| # defaults for all processes. Note that granting this allowlist to domain does |
| # not grant the ioctl permission on these socket types. That must be granted |
| # separately. |
| allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } |
| ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; |
| # default allowlist for unix sockets. |
| allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket } |
| ioctl unpriv_unix_sock_ioctls; |
| |
| # Restrict PTYs to only allowed ioctls. |
| # Note that granting this allowlist to domain does |
| # not grant the wider ioctl permission. That must be granted |
| # separately. |
| allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; |
| |
| # All domains must clearly enumerate what ioctls they use |
| # on filesystem objects (plain files, directories, symbolic links, |
| # named pipes, and named sockets). We start off with a safe set. |
| allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX }; |
| |
| # If a domain has ioctl access to tun_device, it must clearly enumerate the |
| # ioctls used. Safe defaults are listed below. |
| allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX }; |
| |
| # Allow a process to make a determination whether a file descriptor |
| # for a plain file or pipe (fifo_file) is a tty. Note that granting |
| # this allowlist to domain does not grant the ioctl permission to |
| # these files. That must be granted separately. |
| allowxperm domain { file_type fs_type }:file ioctl { TCGETS }; |
| allowxperm domain domain:fifo_file ioctl { TCGETS }; |
| |
| # If a domain has access to perform an ioctl on a block device, allow these |
| # very common, benign ioctls |
| allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET }; |
| |
| # Support sqlite F2FS specific optimizations |
| # ioctl permission on the specific file type is still required |
| # TODO: consider only compiling these rules if we know the |
| # /data partition is F2FS |
| allowxperm domain { file_type sdcard_type }:file ioctl { |
| F2FS_IOC_ABORT_VOLATILE_WRITE |
| F2FS_IOC_COMMIT_ATOMIC_WRITE |
| F2FS_IOC_GET_FEATURES |
| F2FS_IOC_GET_PIN_FILE |
| F2FS_IOC_SET_PIN_FILE |
| F2FS_IOC_START_ATOMIC_WRITE |
| }; |
| |
| # Workaround for policy compiler being too aggressive and removing hwservice_manager_type |
| # when it's not explicitly used in allow rules |
| allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; |
| # Workaround for policy compiler being too aggressive and removing vndservice_manager_type |
| # when it's not explicitly used in allow rules |
| allow { domain -domain } vndservice_manager_type:service_manager { add find }; |
| |
| # Under ASAN, processes will try to read /data, as the sanitized libraries are there. |
| with_asan(`allow domain system_data_file:dir getattr;') |
| # Under ASAN, /system/asan.options needs to be globally accessible. |
| with_asan(`allow domain system_asan_options_file:file r_file_perms;') |
| |
| # read APEX dir and stat any symlink pointing to APEXs. |
| allow domain apex_mnt_dir:dir { getattr search }; |
| allow domain apex_mnt_dir:lnk_file r_file_perms; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # All ioctls on file-like objects (except chr_file and blk_file) and |
| # sockets must be restricted to an allowlist. |
| neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; |
| |
| # b/68014825 and https://android-review.googlesource.com/516535 |
| # rfc6093 says that processes should not use the TCP urgent mechanism |
| neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; |
| |
| # TIOCSTI is only ever used for exploits. Block it. |
| # b/33073072, b/7530569 |
| # http://www.openwall.com/lists/oss-security/2016/09/26/14 |
| neverallowxperm * devpts:chr_file ioctl TIOCSTI; |
| |
| # Do not allow any domain other than init to create unlabeled files. |
| neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; |
| |
| # Limit device node creation to these allowed domains. |
| neverallow { |
| domain |
| -kernel |
| -init |
| -ueventd |
| -vold |
| } self:global_capability_class_set mknod; |
| |
| # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). |
| neverallow * self:memprotect mmap_zero; |
| |
| # No domain needs mac_override as it is unused by SELinux. |
| neverallow * self:global_capability2_class_set mac_override; |
| |
| # Disallow attempts to set contexts not defined in current policy |
| # This helps guarantee that unknown or dangerous contents will not ever |
| # be set. |
| neverallow * self:global_capability2_class_set mac_admin; |
| |
| # Once the policy has been loaded there shall be none to modify the policy. |
| # It is sealed. |
| neverallow * kernel:security load_policy; |
| |
| # Only init prior to switching context should be able to set enforcing mode. |
| # init starts in kernel domain and switches to init domain via setcon in |
| # the init.rc, so the setenforce occurs while still in kernel. After |
| # switching domains, there is never any need to setenforce again by init. |
| neverallow * kernel:security setenforce; |
| neverallow { domain -kernel } kernel:security setcheckreqprot; |
| |
| # No booleans in AOSP policy, so no need to ever set them. |
| neverallow * kernel:security setbool; |
| |
| # Adjusting the AVC cache threshold. |
| # Not presently allowed to anything in policy, but possibly something |
| # that could be set from init.rc. |
| neverallow { domain -init } kernel:security setsecparam; |
| |
| # Only the kernel hwrng thread should be able to read from the HW RNG. |
| neverallow { |
| domain |
| -shell # For CTS, restricted to just getattr in shell.te |
| -ueventd # To create the /dev/hw_random file |
| } hw_random_device:chr_file *; |
| # b/78174219 b/64114943 |
| neverallow { |
| domain |
| -shell # stat of /dev, getattr only |
| -ueventd |
| } keychord_device:chr_file *; |
| |
| # Ensure that all entrypoint executables are in exec_type or postinstall_file. |
| neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; |
| |
| # The dynamic linker always calls access(2) on the path. Don't generate SElinux |
| # denials since the linker does not actually access the path in case the path |
| # does not exist or isn't accessible for the process. |
| dontaudit domain postinstall_mnt_dir:dir audit_access; |
| |
| #Ensure that nothing in userspace can access /dev/port |
| neverallow { |
| domain |
| -shell # Shell user should not have any abilities outside of getattr |
| -ueventd |
| } port_device:chr_file *; |
| neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; |
| # Only init should be able to configure kernel usermodehelpers or |
| # security-sensitive proc settings. |
| neverallow { domain -init } usermodehelper:file { append write }; |
| neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; |
| neverallow { domain -init -vendor_init } proc_security:file { append open read write }; |
| |
| # Init can't do anything with binder calls. If this neverallow rule is being |
| # triggered, it's probably due to a service with no SELinux domain. |
| neverallow * init:binder *; |
| neverallow * vendor_init:binder *; |
| |
| # Don't allow raw read/write/open access to block_device |
| # Rather force a relabel to a more specific type |
| neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; |
| |
| # Do not allow renaming of block files or character files |
| # Ability to do so can lead to possible use in an exploit chain |
| # e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html |
| neverallow * *:{ blk_file chr_file } rename; |
| |
| # Don't allow raw read/write/open access to generic devices. |
| # Rather force a relabel to a more specific type. |
| neverallow domain device:chr_file { open read write }; |
| |
| # Files from cache should never be executed |
| neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; |
| |
| # The test files and executables MUST not be accessible to any domain |
| neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms; |
| neverallow domain nativetest_data_file:dir no_w_dir_perms; |
| neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; |
| |
| neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms; |
| neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms; |
| neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *; |
| neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms }; |
| neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *; |
| |
| # Only the init property service should write to /data/property and /dev/__properties__ |
| neverallow { domain -init } property_data_file:dir no_w_dir_perms; |
| neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; |
| neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; |
| neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; |
| neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; |
| |
| # Nobody should be doing writes to /system & /vendor |
| # These partitions are intended to be read-only and must never be |
| # modified. Doing so would violate important Android security guarantees |
| # and invalidate dm-verity signatures. |
| neverallow { |
| domain |
| with_asan(`-asan_extract') |
| recovery_only(`userdebug_or_eng(`-fastbootd')') |
| } { |
| system_file_type |
| vendor_file_type |
| exec_type |
| }:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; |
| |
| neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto; |
| |
| # Don't allow mounting on top of /system files or directories |
| neverallow * exec_type:dir_file_class_set mounton; |
| |
| # Nothing should be writing to files in the rootfs. |
| neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; |
| |
| # Restrict context mounts to specific types marked with |
| # the contextmount_type attribute. |
| neverallow * {fs_type -contextmount_type}:filesystem relabelto; |
| |
| # Ensure that context mount types are not writable, to ensure that |
| # the write to /system restriction above is not bypassed via context= |
| # mount to another type. |
| neverallow * contextmount_type:dir_file_class_set |
| { create setattr relabelfrom relabelto append link rename }; |
| neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink }; |
| |
| # Do not allow service_manager add for default service labels. |
| # Instead domains should use a more specific type such as |
| # system_app_service rather than the generic type. |
| # New service_types are defined in {,hw,vnd}service.te and new mappings |
| # from service name to service_type are defined in {,hw,vnd}service_contexts. |
| neverallow * default_android_service:service_manager *; |
| neverallow * default_android_vndservice:service_manager *; |
| neverallow * default_android_hwservice:hwservice_manager *; |
| |
| # Looking up the base class/interface of all HwBinder services is a bad idea. |
| # hwservicemanager currently offer such lookups only to make it so that security |
| # decisions are expressed in SELinux policy. However, it's unclear whether this |
| # lookup has security implications. If it doesn't, hwservicemanager should be |
| # modified to not offer this lookup. |
| # This rule can be removed if hwservicemanager is modified to not permit these |
| # lookups. |
| neverallow * hidl_base_hwservice:hwservice_manager find; |
| |
| # Require that domains explicitly label unknown properties, and do not allow |
| # anyone but init to modify unknown properties. |
| neverallow { domain -init -vendor_init } mmc_prop:property_service set; |
| neverallow { domain -init -vendor_init } vndk_prop:property_service set; |
| |
| compatible_property_only(` |
| neverallow { domain -init } mmc_prop:property_service set; |
| neverallow { domain -init -vendor_init } exported_default_prop:property_service set; |
| neverallow { domain -init } exported_secure_prop:property_service set; |
| neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; |
| neverallow { domain -init -vendor_init } storage_config_prop:property_service set; |
| neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set; |
| ') |
| |
| compatible_property_only(` |
| neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; |
| neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; |
| ') |
| |
| neverallow { domain -init } aac_drc_prop:property_service set; |
| neverallow { domain -init } build_prop:property_service set; |
| |
| # Do not allow reading device's serial number from system properties except form |
| # a few allowed domains. |
| neverallow { |
| domain |
| -adbd |
| -dumpstate |
| -fastbootd |
| -hal_camera_server |
| -hal_cas_server |
| -hal_drm_server |
| userdebug_or_eng(`-incidentd') |
| -init |
| -mediadrmserver |
| -mediaserver |
| -recovery |
| -shell |
| -system_server |
| -vendor_init |
| } serialno_prop:file r_file_perms; |
| |
| neverallow { |
| domain |
| -init |
| -recovery |
| -system_server |
| -shell # Shell is further restricted in shell.te |
| -ueventd # Further restricted in ueventd.te |
| } frp_block_device:blk_file no_rw_file_perms; |
| |
| # The metadata block device is set aside for device encryption and |
| # verified boot metadata. It may be reset at will and should not |
| # be used by other domains. |
| neverallow { |
| domain |
| -init |
| -recovery |
| -vold |
| -e2fs |
| -fsck |
| -fastbootd |
| } metadata_block_device:blk_file { append link rename write open read ioctl lock }; |
| |
| # No domain other than recovery, update_engine and fastbootd can write to system partition(s). |
| neverallow { |
| domain |
| -fastbootd |
| userdebug_or_eng(`-fsck') |
| userdebug_or_eng(`-init') |
| -recovery |
| -update_engine |
| } system_block_device:blk_file { write append }; |
| |
| # No domains other than a select few can access the misc_block_device. This |
| # block device is reserved for OTA use. |
| # Do not assert this rule on userdebug/eng builds, due to some devices using |
| # this partition for testing purposes. |
| neverallow { |
| domain |
| userdebug_or_eng(`-domain') # exclude debuggable builds |
| -fastbootd |
| -hal_bootctl_server |
| -init |
| -uncrypt |
| -update_engine |
| -vendor_init |
| -vendor_misc_writer |
| -vold |
| -recovery |
| -ueventd |
| } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; |
| |
| # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager |
| neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; |
| # The service managers are only allowed to access their own device node |
| neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; |
| neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; |
| neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; |
| neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; |
| neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; |
| neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; |
| |
| # system services cant add vendor services |
| neverallow { |
| coredomain |
| } vendor_service:service_manager add; |
| |
| full_treble_only(` |
| # vendor services cant add system services |
| neverallow { |
| domain |
| -coredomain |
| } { |
| service_manager_type |
| -vendor_service |
| }:service_manager add; |
| ') |
| |
| full_treble_only(` |
| # Vendor apps are permited to use only stable public services. If they were to use arbitrary |
| # services which can change any time framework/core is updated, breakage is likely. |
| # |
| # Note, this same logic applies to untrusted apps, but neverallows for these are separate. |
| neverallow { |
| appdomain |
| -coredomain |
| } { |
| service_manager_type |
| |
| -app_api_service |
| -vendor_service # must be @VintfStability to be used by an app |
| -ephemeral_app_api_service |
| |
| -apc_service |
| -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed |
| -cameraserver_service |
| -drmserver_service |
| -credstore_service |
| -keystore_maintenance_service |
| -keystore_service |
| -legacykeystore_service |
| -mediadrmserver_service |
| -mediaextractor_service |
| -mediametrics_service |
| -mediaserver_service |
| -nfc_service |
| -radio_service |
| -virtual_touchpad_service |
| -vr_hwc_service |
| -vr_manager_service |
| userdebug_or_eng(`-hal_face_service') |
| }:service_manager find; |
| ') |
| |
| # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -shell |
| userdebug_or_eng(`-su') |
| -ueventd # uevent is granted create for this device, but we still neverallow I/O below |
| } vndbinder_device:chr_file rw_file_perms; |
| ') |
| full_treble_only(` |
| neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; |
| ') |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -shell |
| userdebug_or_eng(`-su') |
| } vndservice_manager_type:service_manager *; |
| ') |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -shell |
| userdebug_or_eng(`-su') |
| } vndservicemanager:binder *; |
| ') |
| |
| # On full TREBLE devices, socket communications between core components and vendor components are |
| # not permitted. |
| # Most general rules first, more specific rules below. |
| |
| # Core domains are not permitted to initiate communications to vendor domain sockets. |
| # We are not restricting the use of already established sockets because it is fine for a process |
| # to obtain an already established socket via some public/official/stable API and then exchange |
| # data with its peer over that socket. The wire format in this scenario is dicatated by the API |
| # and thus does not break the core-vendor separation. |
| full_treble_only(` |
| neverallow_establish_socket_comms({ |
| coredomain |
| -init |
| -adbd |
| }, { |
| domain |
| -coredomain |
| -socket_between_core_and_vendor_violators |
| }); |
| ') |
| |
| # Vendor domains are not permitted to initiate create/open sockets owned by core domains |
| full_treble_only(` |
| neverallow { |
| domain |
| -coredomain |
| -appdomain # appdomain restrictions below |
| -data_between_core_and_vendor_violators # b/70393317 |
| -socket_between_core_and_vendor_violators |
| -vendor_init |
| } { |
| coredomain_socket |
| core_data_file_type |
| unlabeled # used only by core domains |
| }:sock_file ~{ append getattr ioctl read write }; |
| ') |
| full_treble_only(` |
| neverallow { |
| appdomain |
| -coredomain |
| } { |
| coredomain_socket |
| unlabeled # used only by core domains |
| core_data_file_type |
| -app_data_file |
| -privapp_data_file |
| -pdx_endpoint_socket_type # used by VR layer |
| -pdx_channel_socket_type # used by VR layer |
| }:sock_file ~{ append getattr ioctl read write }; |
| ') |
| |
| # Core domains are not permitted to create/open sockets owned by vendor domains |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -init |
| -ueventd |
| -socket_between_core_and_vendor_violators |
| } { |
| file_type |
| dev_type |
| -coredomain_socket |
| -core_data_file_type |
| -app_data_file_type |
| -unlabeled |
| }:sock_file ~{ append getattr ioctl read write }; |
| ') |
| |
| # On TREBLE devices, vendor and system components are only allowed to share |
| # files by passing open FDs over hwbinder. Ban all directory access and all file |
| # accesses other than what can be applied to an open FD such as |
| # ioctl/stat/read/write/append. This is enforced by segregating /data. |
| # Vendor domains may directly access file in /data/vendor by path, but may only |
| # access files outside of /data/vendor via an open FD passed over hwbinder. |
| # Likewise, core domains may only directly access files outside /data/vendor by |
| # path and files in /data/vendor by open FD. |
| full_treble_only(` |
| # only coredomains may only access core_data_file_type, particularly not |
| # /data/vendor |
| neverallow { |
| coredomain |
| -appdomain # TODO(b/34980020) remove exemption for appdomain |
| -data_between_core_and_vendor_violators |
| -init |
| -vold_prepare_subdirs |
| } { |
| data_file_type |
| -core_data_file_type |
| -app_data_file_type |
| }:file_class_set ~{ append getattr ioctl read write map }; |
| ') |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -appdomain # TODO(b/34980020) remove exemption for appdomain |
| -data_between_core_and_vendor_violators |
| -init |
| -vold_prepare_subdirs |
| } { |
| data_file_type |
| -core_data_file_type |
| -app_data_file_type |
| # TODO(b/72998741) Remove exemption. Further restricted in a subsequent |
| # neverallow. Currently only getattr and search are allowed. |
| -vendor_data_file |
| }:dir *; |
| |
| ') |
| full_treble_only(` |
| # vendor domains may only access files in /data/vendor, never core_data_file_types |
| neverallow { |
| domain |
| -appdomain # TODO(b/34980020) remove exemption for appdomain |
| -coredomain |
| -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up |
| -vendor_init |
| } { |
| core_data_file_type |
| # libc includes functions like mktime and localtime which attempt to access |
| # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata. |
| # These functions are considered vndk-stable and thus must be allowed for |
| # all processes. |
| -zoneinfo_data_file |
| with_native_coverage(`-method_trace_data_file') |
| }:file_class_set ~{ append getattr ioctl read write map }; |
| neverallow { |
| vendor_init |
| -data_between_core_and_vendor_violators |
| } { |
| core_data_file_type |
| -unencrypted_data_file |
| -zoneinfo_data_file |
| with_native_coverage(`-method_trace_data_file') |
| }:file_class_set ~{ append getattr ioctl read write map }; |
| # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. |
| # The vendor init binary lives on the system partition so there is not a concern with stability. |
| neverallow vendor_init unencrypted_data_file:file ~r_file_perms; |
| ') |
| full_treble_only(` |
| # vendor domains may only access dirs in /data/vendor, never core_data_file_types |
| neverallow { |
| domain |
| -appdomain # TODO(b/34980020) remove exemption for appdomain |
| -coredomain |
| -data_between_core_and_vendor_violators |
| -vendor_init |
| } { |
| core_data_file_type |
| -system_data_file # default label for files on /data. Covered below... |
| -system_data_root_file |
| -vendor_data_file |
| -zoneinfo_data_file |
| with_native_coverage(`-method_trace_data_file') |
| }:dir *; |
| neverallow { |
| vendor_init |
| -data_between_core_and_vendor_violators |
| } { |
| core_data_file_type |
| -unencrypted_data_file |
| -system_data_file |
| -system_data_root_file |
| -vendor_data_file |
| -zoneinfo_data_file |
| with_native_coverage(`-method_trace_data_file') |
| }:dir *; |
| # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. |
| # The vendor init binary lives on the system partition so there is not a concern with stability. |
| neverallow vendor_init unencrypted_data_file:dir ~search; |
| ') |
| full_treble_only(` |
| # vendor domains may only access dirs in /data/vendor, never core_data_file_types |
| neverallow { |
| domain |
| -appdomain # TODO(b/34980020) remove exemption for appdomain |
| -coredomain |
| -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up |
| } { |
| system_data_file # default label for files on /data. Covered below |
| }:dir ~{ getattr search }; |
| ') |
| |
| full_treble_only(` |
| # coredomains may not access dirs in /data/vendor. |
| neverallow { |
| coredomain |
| -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up |
| -init |
| -vold # vold creates per-user storage for both system and vendor |
| -vold_prepare_subdirs |
| } { |
| vendor_data_file # default label for files on /data. Covered below |
| }:dir ~{ getattr search }; |
| ') |
| |
| full_treble_only(` |
| # coredomains may not access dirs in /data/vendor. |
| neverallow { |
| coredomain |
| -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up |
| -init |
| } { |
| vendor_data_file # default label for files on /data/vendor{,_ce,_de}. |
| }:file_class_set ~{ append getattr ioctl read write map }; |
| ') |
| |
| full_treble_only(` |
| # Non-vendor domains are not allowed to file execute shell |
| # from vendor |
| neverallow { |
| coredomain |
| -init |
| -shell |
| -ueventd |
| } vendor_shell_exec:file { execute execute_no_trans }; |
| ') |
| |
| full_treble_only(` |
| # Do not allow vendor components to execute files from system |
| # except for the ones allowed here. |
| neverallow { |
| domain |
| -coredomain |
| -appdomain |
| -vendor_executes_system_violators |
| -vendor_init |
| } { |
| system_file_type |
| -system_lib_file |
| -system_linker_exec |
| -crash_dump_exec |
| -iorap_prefetcherd_exec |
| -iorap_inode2filename_exec |
| -netutils_wrapper_exec |
| userdebug_or_eng(`-tcpdump_exec') |
| }:file { entrypoint execute execute_no_trans }; |
| ') |
| |
| full_treble_only(` |
| # Do not allow coredomain to access entrypoint for files other |
| # than system_file_type and postinstall_file |
| neverallow coredomain { |
| file_type |
| -system_file_type |
| -postinstall_file |
| }:file entrypoint; |
| # Do not allow domains other than coredomain to access entrypoint |
| # for anything but vendor_file_type and init_exec for vendor_init. |
| neverallow { domain -coredomain } { |
| file_type |
| -vendor_file_type |
| -init_exec |
| }:file entrypoint; |
| ') |
| |
| full_treble_only(` |
| # Do not allow system components to execute files from vendor |
| # except for the ones allowed here. |
| neverallow { |
| coredomain |
| -init |
| -shell |
| -system_executes_vendor_violators |
| -ueventd |
| } { |
| vendor_file_type |
| -same_process_hal_file |
| -vndk_sp_file |
| -vendor_app_file |
| -vendor_public_framework_file |
| -vendor_public_lib_file |
| }:file execute; |
| ') |
| |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -shell |
| -system_executes_vendor_violators |
| } { |
| vendor_file_type |
| -same_process_hal_file |
| }:file execute_no_trans; |
| ') |
| |
| full_treble_only(` |
| # Do not allow vendor components access to /system files except for the |
| # ones allowed here. |
| neverallow { |
| domain |
| -appdomain |
| -coredomain |
| -vendor_executes_system_violators |
| # vendor_init needs access to init_exec for domain transition. vendor_init |
| # neverallows are covered in public/vendor_init.te |
| -vendor_init |
| } { |
| system_file_type |
| -crash_dump_exec |
| -file_contexts_file |
| -iorap_inode2filename_exec |
| -netutils_wrapper_exec |
| -property_contexts_file |
| -system_event_log_tags_file |
| -system_group_file |
| -system_lib_file |
| with_asan(`-system_asan_options_file') |
| -system_linker_exec |
| -system_linker_config_file |
| -system_passwd_file |
| -system_seccomp_policy_file |
| -system_security_cacerts_file |
| -system_zoneinfo_file |
| -task_profiles_api_file |
| -task_profiles_file |
| userdebug_or_eng(`-tcpdump_exec') |
| }:file *; |
| ') |
| |
| # Only system_server should be able to send commands via the zygote socket |
| neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; |
| neverallow { domain -system_server } zygote_socket:sock_file write; |
| |
| neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto; |
| neverallow { domain -system_server } webview_zygote:sock_file write; |
| neverallow { domain -system_server } app_zygote:sock_file write; |
| |
| neverallow { |
| domain |
| -tombstoned |
| -crash_dump |
| -dumpstate |
| -incidentd |
| -system_server |
| |
| # Processes that can't exec crash_dump |
| -hal_codec2_server |
| -hal_omx_server |
| -mediaextractor |
| } tombstoned_crash_socket:unix_stream_socket connectto; |
| |
| # Never allow anyone except dumpstate, incidentd, or the system server to connect or write to |
| # the tombstoned intercept socket. |
| neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; |
| neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; |
| |
| # Never allow anyone but system_server to read heapdumps in /data/system/heapdump. |
| neverallow { domain -init -system_server } heapdump_data_file:file read; |
| |
| # Android does not support System V IPCs. |
| # |
| # The reason for this is due to the fact that, by design, they lead to global |
| # kernel resource leakage. |
| # |
| # For example, there is no way to automatically release a SysV semaphore |
| # allocated in the kernel when: |
| # |
| # - a buggy or malicious process exits |
| # - a non-buggy and non-malicious process crashes or is explicitly killed. |
| # |
| # Killing processes automatically to make room for new ones is an |
| # important part of Android's application lifecycle implementation. This means |
| # that, even assuming only non-buggy and non-malicious code, it is very likely |
| # that over time, the kernel global tables used to implement SysV IPCs will fill |
| # up. |
| neverallow * *:{ shm sem msg msgq } *; |
| |
| # Do not mount on top of symlinks, fifos, or sockets. |
| # Feature parity with Chromium LSM. |
| neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; |
| |
| # Nobody should be able to execute su on user builds. |
| # On userdebug/eng builds, only dumpstate, shell, and |
| # su itself execute su. |
| neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; |
| |
| # Do not allow the introduction of new execmod rules. Text relocations |
| # and modification of executable pages are unsafe. |
| # The only exceptions are for NDK text relocations associated with |
| # https://code.google.com/p/android/issues/detail?id=23203 |
| # which, long term, need to go away. |
| neverallow * { |
| file_type |
| -apk_data_file |
| -app_data_file |
| -asec_public_file |
| }:file execmod; |
| |
| # Do not allow making the stack or heap executable. |
| # We would also like to minimize execmem but it seems to be |
| # required by some device-specific service domains. |
| neverallow * self:process { execstack execheap }; |
| |
| # Do not allow the introduction of new execmod rules. Text relocations |
| # and modification of executable pages are unsafe. |
| neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod; |
| |
| neverallow { domain -init } proc:{ file dir } mounton; |
| |
| # Ensure that all types assigned to processes are included |
| # in the domain attribute, so that all allow and neverallow rules |
| # written on domain are applied to all processes. |
| # This is achieved by ensuring that it is impossible to transition |
| # from a domain to a non-domain type and vice versa. |
| # TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; |
| neverallow ~domain domain:process { transition dyntransition }; |
| |
| # |
| # Only system_app and system_server should be creating or writing |
| # their files. The proper way to share files is to setup |
| # type transitions to a more specific type or assigning a type |
| # to its parent directory via a file_contexts entry. |
| # Example type transition: |
| # mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) |
| # |
| neverallow { |
| domain |
| -system_server |
| -system_app |
| -init |
| -toolbox # TODO(b/141108496) We want to remove toolbox |
| -installd # for relabelfrom and unlink, check for this in explicit neverallow |
| -vold_prepare_subdirs # For unlink |
| with_asan(`-asan_extract') |
| } system_data_file:file no_w_file_perms; |
| # do not grant anything greater than r_file_perms and relabelfrom unlink |
| # to installd |
| neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; |
| |
| # respect system_app sandboxes |
| neverallow { |
| domain |
| -appdomain # finer-grained rules for appdomain are listed below |
| -system_server #populate com.android.providers.settings/databases/settings.db. |
| -installd # creation of app sandbox |
| -iorap_inode2filename |
| -traced_probes # resolve inodes for i/o tracing. |
| # only needs open and read, the rest is neverallow in |
| # traced_probes.te. |
| } system_app_data_file:dir_file_class_set { create unlink open }; |
| neverallow { |
| isolated_app |
| untrusted_app_all # finer-grained rules for appdomain are listed below |
| ephemeral_app |
| priv_app |
| } system_app_data_file:dir_file_class_set { create unlink open }; |
| |
| # |
| # Only these domains should transition to shell domain. This domain is |
| # permissible for the "shell user". If you need a process to exec a shell |
| # script with differing privilege, define a domain and set up a transition. |
| # |
| neverallow { |
| domain |
| -adbd |
| -init |
| -runas |
| -zygote |
| } shell:process { transition dyntransition }; |
| |
| # Only domains spawned from zygote, runas and simpleperf_app_runner may have |
| # the appdomain attribute. simpleperf is excluded as a domain transitioned to |
| # when running an app-scoped profiling session. |
| neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } { |
| appdomain -shell -simpleperf userdebug_or_eng(`-su') |
| }:process { transition dyntransition }; |
| |
| # Minimize read access to shell- or app-writable symlinks. |
| # This is to prevent malicious symlink attacks. |
| neverallow { |
| domain |
| -appdomain |
| -installd |
| } { app_data_file privapp_data_file }:lnk_file read; |
| |
| neverallow { |
| domain |
| -shell |
| userdebug_or_eng(`-uncrypt') |
| -installd |
| } shell_data_file:lnk_file read; |
| |
| # In addition to the symlink reading restrictions above, restrict |
| # write access to shell owned directories. The /data/local/tmp |
| # directory is untrustworthy, and non-allowed domains should |
| # not be trusting any content in those directories. |
| neverallow { |
| domain |
| -adbd |
| -dumpstate |
| -installd |
| -init |
| -shell |
| -vold |
| } shell_data_file:dir no_w_dir_perms; |
| |
| neverallow { |
| domain |
| -adbd |
| -appdomain |
| -dumpstate |
| -init |
| -installd |
| -iorap_inode2filename |
| -simpleperf_app_runner |
| -system_server # why? |
| userdebug_or_eng(`-uncrypt') |
| } shell_data_file:dir { open search }; |
| |
| # Same as above for /data/local/tmp files. We allow shell files |
| # to be passed around by file descriptor, but not directly opened. |
| neverallow { |
| domain |
| -adbd |
| -appdomain |
| -dumpstate |
| -installd |
| userdebug_or_eng(`-uncrypt') |
| } shell_data_file:file open; |
| |
| # servicemanager and vndservicemanager are the only processes which handle the |
| # service_manager list request |
| neverallow * ~{ |
| servicemanager |
| vndservicemanager |
| }:service_manager list; |
| |
| # hwservicemanager is the only process which handles hw list requests |
| neverallow * ~{ |
| hwservicemanager |
| }:hwservice_manager list; |
| |
| # only service_manager_types can be added to service_manager |
| # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; |
| |
| # Prevent assigning non property types to properties |
| # TODO - rework this: neverallow * ~property_type:property_service set; |
| |
| # Domain types should never be assigned to any files other |
| # than the /proc/pid files associated with a process. The |
| # executable file used to enter a domain should be labeled |
| # with its own _exec type, not with the domain type. |
| # Conventionally, this looks something like: |
| # $ cat mydaemon.te |
| # type mydaemon, domain; |
| # type mydaemon_exec, exec_type, file_type; |
| # init_daemon_domain(mydaemon) |
| # $ grep mydaemon file_contexts |
| # /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 |
| neverallow * domain:file { execute execute_no_trans entrypoint }; |
| |
| # Do not allow access to the generic debugfs label. This is too broad. |
| # Instead, if access to part of debugfs is desired, it should have a |
| # more specific label. |
| # TODO: fix dumpstate |
| neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms; |
| |
| # Do not allow executable files in debugfs. |
| neverallow domain debugfs_type:file { execute execute_no_trans }; |
| |
| # Don't allow access to the FUSE control filesystem, except to vold and init's |
| neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms; |
| |
| # Profiles contain untrusted data and profman parses that. We should only run |
| # in from installd forked processes. |
| neverallow { |
| domain |
| -installd |
| -profman |
| } profman_exec:file no_x_file_perms; |
| |
| # Enforce restrictions on kernel module origin. |
| # Do not allow kernel module loading except from system, |
| # vendor, and boot partitions. |
| neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load; |
| |
| # Only allow filesystem caps to be set at build time. Runtime changes |
| # to filesystem capabilities are not permitted. |
| neverallow * self:global_capability_class_set setfcap; |
| |
| # Enforce AT_SECURE for executing crash_dump. |
| neverallow domain crash_dump:process noatsecure; |
| |
| # Do not permit non-core domains to register HwBinder services which are |
| # guaranteed to be provided by core domains only. |
| neverallow ~coredomain coredomain_hwservice:hwservice_manager add; |
| |
| # Do not permit the registeration of HwBinder services which are guaranteed to |
| # be passthrough only (i.e., run in the process of their clients instead of a |
| # separate server process). |
| neverallow * same_process_hwservice:hwservice_manager add; |
| |
| # If an already existing file is opened with O_CREAT, the kernel might generate |
| # a false report of a create denial. Silence these denials and make sure that |
| # inappropriate permissions are not granted. |
| |
| # These filesystems don't allow files or directories to be created, so the permission |
| # to do so should never be granted. |
| neverallow domain { |
| proc_type |
| sysfs_type |
| }:dir { add_name create link remove_name rename reparent rmdir write }; |
| |
| # cgroupfs directories can be created, but not files within them. |
| neverallow domain cgroup:file create; |
| neverallow domain cgroup_v2:file create; |
| |
| dontaudit domain proc_type:dir write; |
| dontaudit domain sysfs_type:dir write; |
| dontaudit domain cgroup:file create; |
| dontaudit domain cgroup_v2:file create; |
| |
| # These are only needed in permissive mode - in enforcing mode the |
| # directory write check fails and so these are never attempted. |
| userdebug_or_eng(` |
| dontaudit domain proc_type:dir add_name; |
| dontaudit domain sysfs_type:dir add_name; |
| dontaudit domain proc_type:file create; |
| dontaudit domain sysfs_type:file create; |
| ') |
| |
| # Platform must not have access to /mnt/vendor. |
| neverallow { |
| coredomain |
| -init |
| -ueventd |
| -vold |
| -system_writes_mnt_vendor_violators |
| } mnt_vendor_file:dir *; |
| |
| # Only apps are allowed access to vendor public libraries. |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -appdomain |
| } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans }; |
| ') |
| |
| # Vendor domian must not have access to /mnt/product. |
| neverallow { |
| domain |
| -coredomain |
| } mnt_product_file:dir *; |
| |
| # Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd |
| full_treble_only(` |
| neverallow { |
| coredomain |
| -healthd |
| -shell |
| # Generate uevents for health info |
| -ueventd |
| # Recovery uses health HAL passthrough implementation. |
| -recovery |
| # Charger uses health HAL passthrough implementation. |
| -charger |
| # TODO(b/110891300): remove this exception |
| -incidentd |
| } sysfs_batteryinfo:file { open read }; |
| ') |
| |
| neverallow { |
| domain |
| -hal_codec2_server |
| -hal_omx_server |
| } hal_codec2_hwservice:hwservice_manager add; |
| |
| # Only apps targetting < Q are allowed to open /dev/ashmem directly. |
| # Apps must use ASharedMemory NDK API. Native code must use libcutils API. |
| neverallow { |
| domain |
| -ephemeral_app # We don't distinguish ephemeral apps based on target API. |
| -untrusted_app_25 |
| -untrusted_app_27 |
| } ashmem_device:chr_file open; |
| |
| neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *; |
| |
| # Linux lockdown "integrity" level is enforced for user builds. |
| neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity; |