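# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
domain_auto_trans(domain, crash_dump_exec, crash_dump);
# Alongside the transition, permit the sigchld process permission between the
# crashing domain and crash_dump so the crash-handling child can be reaped.
allow domain crash_dump:process sigchld;

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
# The exemptions below are an allowlist: CAP_SYS_PTRACE lets a process inspect
# the memory and /proc/pid state of processes running as other UIDs, so a new
# entry here widens the cross-UID attack surface and needs review.
neverallow {
  domain
  -vold
  -dumpstate
  userdebug_or_eng(`-incidentd')
  -storaged
  -system_server
  userdebug_or_eng(`-perfprofd')
} self:global_capability_class_set sys_ptrace;

# Limit ability to generate hardware unique device ID attestations to priv_apps
# (priv_app is the only exempt domain; everything else under domain is denied).
neverallow { domain -priv_app } *:keystore_key gen_unique_id;

# NOTE(review): this rule carries no comment. It confines read/write access to
# debugfs_tracing_debug files to init and vendor_init on user builds, and is
# relaxed for every domain on userdebug/eng builds; confirm that is the intent
# and document it here.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;

# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
# NOTE(review): each exemption list below is an allowlist of coredomain members
# that may touch the generic (unlabeled) filesystem label; prefer giving the
# specific node its own label over adding a domain here.
full_treble_only(`
  # /proc
  neverallow {
    coredomain
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  neverallow {
    coredomain
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  neverallow {
    coredomain
    -dumpstate
    -init
    -system_server
  } debugfs:file no_rw_file_perms;

  # tracefs
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -init
    userdebug_or_eng(`-perfprofd')
    -traced_probes
    -shell
    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    -healthd
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  } { usbfs binfmt_miscfs }:file no_rw_file_perms;
')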