domain.te revision 61362840813c3a396339a7f7b5d73ca825a83748
# Rules for all domains.
# Every rule in this file has `domain` as its source, so each grant below
# becomes part of the baseline of every type that carries `domain`.
# NOTE(review): `domain` is presumably the attribute attached to all process
# types; it is declared outside this file -- confirm.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
# The tmpfs file set contains only read and getattr.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };

# binder adjusts the nice value during IPC.
# NOTE(review): sys_nice is granted to every domain here, not only to
# domains that use binder.
allow domain self:capability sys_nice;

# Intra-domain accesses.
# `~{ execstack execheap }` is a complement set: every process permission on
# self except those two. NOTE(review): execmem is a process permission that
# is not in the excluded set, so it is allowed for all domains -- confirm
# that is intended.
allow domain self:process ~{ execstack execheap };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
# `*` grants all permissions of both socket classes, but only on sockets
# labeled with the domain's own type.
allow domain self:{ unix_dgram_socket unix_stream_socket } *;

# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system:fd use;

# Connect to adbd and use a socket transferred from it.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr read write shutdown };

# Talk to debuggerd.
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
# Directories are readable; symlinks get read and getattr only.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
# Directory rules grant search only. Device nodes use the r_/w_/rw_file_perms
# macros, which are defined outside this file.
# NOTE(review): powervr_device and nv_device look like vendor GPU nodes that
# every domain may open read-write -- confirm they need to be global.
allow domain device:dir search;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file r_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain powervr_device:chr_file rw_file_perms;
allow domain log_device:dir search;
# Log devices are write-only (w_file_perms); no read macro is applied.
allow domain log_device:chr_file w_file_perms;
allow domain nv_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file r_file_perms;
allow domain random_device:chr_file r_file_perms;

# Filesystem accesses.
# getattr only, on every filesystem and directory whose type is in fs_type.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
# NOTE(review): execute on system_file is granted to every domain; the
# contents of r_file_perms are defined outside this file.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file read;

# Read files already opened under /data.
# The file set is { getattr read } with no open, which matches the
# "already opened" wording: the descriptor has to come from elsewhere.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file read;

# Read apk files under /data/app.
allow domain apk_data_file:dir search;
allow domain apk_data_file:file r_file_perms;

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
# As with /data above, the file set is { getattr read } with no open.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file read;

# For /acct/uid/*/tasks.
# NOTE(review): this gives every domain write on cgroup directories and
# files -- confirm the scope is limited by the labeling of the cgroup tree.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

# Allow access to the ion memory allocation device.
allow domain ion_device:chr_file rw_file_perms;

# For /sys/qemu_trace files in the emulator.
# in_qemu defaults to false, so the sysfs read-write rule inside the
# conditional is off unless the boolean is enabled.
bool in_qemu false;
if (in_qemu) {
    allow domain sysfs:file rw_file_perms;
}
# This rule sits outside the conditional and applies whether or not in_qemu
# is set: every domain may read and write files labeled sysfs_writable.
allow domain sysfs_writable:file rw_file_perms;

# Read access to pseudo filesystems.
# r_dir_file is a macro defined outside this file.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)

# debugfs access
# debugfs defaults to false. In that state the else branch applies: the
# accesses are not allowed and the dontaudit rules keep the resulting
# denials out of the audit log, so debugfs probing by any domain leaves no
# AVC record. Enabling the boolean grants directory read and file
# read-write to every domain.
bool debugfs false;
if (debugfs) {
    allow domain debugfs:dir r_dir_perms;
    allow domain debugfs:file rw_file_perms;
} else {
    dontaudit domain debugfs:dir r_dir_perms;
    dontaudit domain debugfs:file rw_file_perms;
}