1# Rules for all domains.
2
3# Allow reaping by init.
4allow domain init:process sigchld;
5
6# Intra-domain accesses.
7allow domain self:process {
8    fork
9    sigchld
10    sigkill
11    sigstop
12    signull
13    signal
14    getsched
15    setsched
16    getsession
17    getpgid
18    setpgid
19    getcap
20    setcap
21    getattr
22    setrlimit
23};
24allow domain self:fd use;
25allow domain proc:dir r_dir_perms;
26allow domain proc_net:dir search;
27r_dir_file(domain, self)
28allow domain self:{ fifo_file file } rw_file_perms;
29allow domain self:unix_dgram_socket { create_socket_perms sendto };
30allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
31allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
32
33# Inherit or receive open files from others.
34allow domain init:fd use;
35
36userdebug_or_eng(`
37  # Same as adbd rules above, except allow su to do the same thing
38  allow domain su:unix_stream_socket connectto;
39  allow domain su:fd use;
40  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
41
42  allow { domain -init } su:binder { call transfer };
43  allow { domain -init } su:fd use;
44
45  # Running something like "pm dump com.android.bluetooth" requires
46  # fifo writes
47  allow domain su:fifo_file { write getattr };
48
49  # allow "gdbserver --attach" to work for su.
50  allow domain su:process sigchld;
51
52  # Allow writing coredumps to /cores/*
53  allow domain coredump_file:file create_file_perms;
54  allow domain coredump_file:dir ra_dir_perms;
55')
56
57###
58### Talk to debuggerd.
59###
60allow domain debuggerd:process sigchld;
61allow domain debuggerd:unix_stream_socket connectto;
62
63# Root fs.
64allow domain rootfs:dir search;
65allow domain rootfs:lnk_file read;
66
67# Device accesses.
68allow domain device:dir search;
69allow domain dev_type:lnk_file r_file_perms;
70allow domain devpts:dir search;
71allow domain socket_device:dir r_dir_perms;
72allow domain owntty_device:chr_file rw_file_perms;
73allow domain null_device:chr_file rw_file_perms;
74allow domain zero_device:chr_file rw_file_perms;
75allow domain ashmem_device:chr_file rw_file_perms;
76allow domain binder_device:chr_file rw_file_perms;
77allow domain ptmx_device:chr_file rw_file_perms;
78allow domain alarm_device:chr_file r_file_perms;
79allow domain urandom_device:chr_file rw_file_perms;
80allow domain random_device:chr_file rw_file_perms;
81allow domain properties_device:dir r_dir_perms;
82allow domain properties_serial:file r_file_perms;
83
84# For now, everyone can access core property files
85# Device specific properties are not granted by default
86get_prop(domain, core_property_type)
87# Let everyone read log properties, so that liblog can avoid sending unloggable
88# messages to logd.
89get_prop(domain, log_property_type)
90dontaudit domain property_type:file audit_access;
91allow domain property_contexts:file r_file_perms;
92
93allow domain init:key search;
94allow domain vold:key search;
95
96# logd access
97write_logd(domain)
98
99# System file accesses.
100allow domain system_file:dir { search getattr };
101allow domain system_file:file { execute read open getattr };
102allow domain system_file:lnk_file read;
103
104# read any sysfs symlinks
105allow domain sysfs:lnk_file read;
106
107# libc references /data/misc/zoneinfo for timezone related information
108r_dir_file(domain, zoneinfo_data_file)
109
110# Lots of processes access current CPU information
111r_dir_file(domain, sysfs_devices_system_cpu)
112
113r_dir_file(domain, sysfs_usb);
114
115# files under /data.
116allow domain system_data_file:dir { search getattr };
117allow domain system_data_file:lnk_file read;
118
119# required by the dynamic linker
120allow domain proc:lnk_file { getattr read };
121
122# /proc/cpuinfo
123allow domain proc_cpuinfo:file r_file_perms;
124
125# toybox loads libselinux which stats /sys/fs/selinux/
126allow domain selinuxfs:dir search;
127allow domain selinuxfs:file getattr;
128allow domain sysfs:dir search;
129allow domain selinuxfs:filesystem getattr;
130
131# For /acct/uid/*/tasks.
132allow domain cgroup:dir { search write };
133allow domain cgroup:file w_file_perms;
134
135# Almost all processes log tracing information to
136# /sys/kernel/debug/tracing/trace_marker
137# The reason behind this is documented in b/6513400
138allow domain debugfs:dir search;
139allow domain debugfs_tracing:dir search;
140allow domain debugfs_trace_marker:file w_file_perms;
141
142# Filesystem access.
143allow domain fs_type:filesystem getattr;
144allow domain fs_type:dir getattr;
145
146###
147### neverallow rules
148###
149
150# Do not allow any domain other than init or recovery to create unlabeled files.
151neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
152
153# Limit ability to ptrace or read sensitive /proc/pid files of processes
154# with other UIDs to these whitelisted domains.
155neverallow {
156  domain
157  -debuggerd
158  -vold
159  -dumpstate
160  -system_server
161  userdebug_or_eng(`-perfprofd')
162} self:capability sys_ptrace;
163
164# Limit device node creation to these whitelisted domains.
165neverallow {
166  domain
167  -kernel
168  -init
169  -ueventd
170  -vold
171} self:capability mknod;
172
173# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
174neverallow {
175  domain
176  userdebug_or_eng(`-domain')
177  -kernel
178  -init
179  -recovery
180  -ueventd
181  -healthd
182  -uncrypt
183  -tee
184} self:capability sys_rawio;
185
186# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
187neverallow * self:memprotect mmap_zero;
188
189# No domain needs mac_override as it is unused by SELinux.
190neverallow * self:capability2 mac_override;
191
192# Only recovery needs mac_admin to set contexts not defined in current policy.
193neverallow { domain -recovery } self:capability2 mac_admin;
194
195# Only init should be able to load SELinux policies.
196# The first load technically occurs while still in the kernel domain,
197# but this does not trigger a denial since there is no policy yet.
198# Policy reload requires allowing this to the init domain.
199neverallow { domain -init } kernel:security load_policy;
200
201# Only init and the system_server can set selinux.reload_policy 1
202# to trigger a policy reload.
203neverallow { domain -init -system_server } security_prop:property_service set;
204
205# Only init and system_server can write to /data/security, where runtime
206# policy updates live.
207# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
208neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
209# Only init and system_server can create/setattr directories with this type.
210# init is for init.rc mkdir /data/security.
211# system_server is for creating subdirectories under /data/security.
212neverallow { domain -init -system_server } security_file:dir { create setattr };
213# Only system_server can create subdirectories and files under /data/security.
214neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
215neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
216neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
217
218# Only init prior to switching context should be able to set enforcing mode.
219# init starts in kernel domain and switches to init domain via setcon in
220# the init.rc, so the setenforce occurs while still in kernel. After
221# switching domains, there is never any need to setenforce again by init.
222neverallow * kernel:security setenforce;
223neverallow { domain -kernel } kernel:security setcheckreqprot;
224
225# No booleans in AOSP policy, so no need to ever set them.
226neverallow * kernel:security setbool;
227
228# Adjusting the AVC cache threshold.
229# Not presently allowed to anything in policy, but possibly something
230# that could be set from init.rc.
231neverallow { domain -init } kernel:security setsecparam;
232
233# Only init, ueventd and system_server should be able to access HW RNG
234neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
235
236# Ensure that all entrypoint executables are in exec_type or postinstall_file.
237neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
238
239# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
240neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
241neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
242
243# Only init should be able to configure kernel usermodehelpers or
244# security-sensitive proc settings.
245neverallow { domain -init } usermodehelper:file { append write };
246neverallow { domain -init } proc_security:file { append write };
247
248# No domain should be allowed to ptrace init.
249neverallow * init:process ptrace;
250
251# Init can't do anything with binder calls. If this neverallow rule is being
252# triggered, it's probably due to a service with no SELinux domain.
253neverallow * init:binder *;
254
255# Don't allow raw read/write/open access to block_device
256# Rather force a relabel to a more specific type
257neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
258
259# Don't allow raw read/write/open access to generic devices.
260# Rather force a relabel to a more specific type.
261# init is exempt from this as there are character devices that only it uses.
262# ueventd is exempt from this, as it is managing these devices.
263neverallow { domain -init -ueventd } device:chr_file { open read write };
264
265# Limit what domains can mount filesystems or change their mount flags.
266# sdcard_type / vfat is exempt as a larger set of domains need
267# this capability, including device-specific domains.
268neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
269
270#
271# Assert that, to the extent possible, we're not loading executable content from
272# outside the rootfs or /system partition except for a few whitelisted domains.
273#
274neverallow {
275    domain
276    -appdomain
277    -autoplay_app
278    -dumpstate
279    -shell
280    userdebug_or_eng(`-su')
281    -system_server
282    -zygote
283} { file_type -system_file -exec_type -postinstall_file }:file execute;
284neverallow {
285    domain
286    -appdomain # for oemfs
287    -recovery # for /tmp/update_binary in tmpfs
288} { fs_type -rootfs }:file execute;
289# Files from cache should never be executed
290neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
291
292# Protect most domains from executing arbitrary content from /data.
293neverallow {
294  domain
295  -appdomain
296} {
297  data_file_type
298  -dalvikcache_data_file
299  -system_data_file # shared libs in apks
300  -apk_data_file
301}:file no_x_file_perms;
302
303neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
304
305# Only the init property service should write to /data/property and /dev/__properties__
306neverallow { domain -init } property_data_file:dir no_w_dir_perms;
307neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
308neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
309neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
310neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
311
312# Only recovery should be doing writes to /system
313neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
314    { create write setattr relabelfrom append unlink link rename };
315neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
316
317# Don't allow mounting on top of /system files or directories
318neverallow * exec_type:dir_file_class_set mounton;
319neverallow { domain -init } system_file:dir_file_class_set mounton;
320
321# Nothing should be writing to files in the rootfs.
322neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
323
324# Restrict context mounts to specific types marked with
325# the contextmount_type attribute.
326neverallow * {fs_type -contextmount_type}:filesystem relabelto;
327
328# Ensure that context mount types are not writable, to ensure that
329# the write to /system restriction above is not bypassed via context=
330# mount to another type.
331neverallow { domain -recovery } contextmount_type:dir_file_class_set
332    { create write setattr relabelfrom relabelto append unlink link rename };
333
334# Do not allow service_manager add for default_android_service.
335# Instead domains should use a more specific type such as
336# system_app_service rather than the generic type.
337# New service_types are defined in service.te and new mappings
338# from service name to service_type are defined in service_contexts.
339neverallow * default_android_service:service_manager add;
340
341# Require that domains explicitly label unknown properties, and do not allow
342# anyone but init to modify unknown properties.
343neverallow { domain -init } default_prop:property_service set;
344neverallow { domain -init } mmc_prop:property_service set;
345
346neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
347
348# No domain other than recovery and update_engine can write to system partition(s).
349neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
350
351# No domains other than install_recovery or recovery can write to recovery.
352neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
353
354# No domains other than a select few can access the misc_block_device. This
355# block device is reserved for OTA use.
356# Do not assert this rule on userdebug/eng builds, due to some devices using
357# this partition for testing purposes.
358neverallow {
359  domain
360  userdebug_or_eng(`-domain') # exclude debuggable builds
361  -init
362  -uncrypt
363  -update_engine
364  -vold
365  -recovery
366  -ueventd
367} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
368
369# Only servicemanager should be able to register with binder as the context manager
370neverallow { domain -servicemanager } *:binder set_context_mgr;
371
372# Only authorized processes should be writing to files in /data/dalvik-cache
373neverallow {
374  domain
375  -init # TODO: limit init to relabelfrom for files
376  -zygote
377  -installd
378  -postinstall_dexopt
379  -cppreopts
380  -dex2oat
381  -otapreopt_slot
382} dalvikcache_data_file:file no_w_file_perms;
383
384neverallow {
385  domain
386  -init
387  -installd
388  -postinstall_dexopt
389  -cppreopts
390  -dex2oat
391  -zygote
392  -otapreopt_slot
393} dalvikcache_data_file:dir no_w_dir_perms;
394
395# Only system_server should be able to send commands via the zygote socket
396neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
397neverallow { domain -system_server } zygote_socket:sock_file write;
398
399# Android does not support System V IPCs.
400#
401# The reason for this is due to the fact that, by design, they lead to global
402# kernel resource leakage.
403#
404# For example, there is no way to automatically release a SysV semaphore
405# allocated in the kernel when:
406#
407# - a buggy or malicious process exits
408# - a non-buggy and non-malicious process crashes or is explicitly killed.
409#
410# Killing processes automatically to make room for new ones is an
411# important part of Android's application lifecycle implementation. This means
412# that, even assuming only non-buggy and non-malicious code, it is very likely
413# that over time, the kernel global tables used to implement SysV IPCs will fill
414# up.
415neverallow * *:{ shm sem msg msgq } *;
416
417# Do not mount on top of symlinks, fifos, or sockets.
418# Feature parity with Chromium LSM.
419neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
420
421# Nobody should be able to execute su on user builds.
422# On userdebug/eng builds, only dumpstate, shell, and
423# su itself execute su.
424neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
425
426# Do not allow the introduction of new execmod rules. Text relocations
427# and modification of executable pages are unsafe.
428# The only exceptions are for NDK text relocations associated with
429# https://code.google.com/p/android/issues/detail?id=23203
430# which, long term, need to go away.
431neverallow * {
432  file_type
433  -system_data_file
434  -apk_data_file
435  -app_data_file
436  -asec_public_file
437}:file execmod;
438
439# Do not allow making the stack or heap executable.
440# We would also like to minimize execmem but it seems to be
441# required by some device-specific service domains.
442neverallow * self:process { execstack execheap };
443
444# prohibit non-zygote spawned processes from using shared libraries
445# with text relocations. b/20013628 .
446neverallow { domain -appdomain } file_type:file execmod;
447
448neverallow { domain -init } proc:{ file dir } mounton;
449
450# Ensure that all types assigned to processes are included
451# in the domain attribute, so that all allow and neverallow rules
452# written on domain are applied to all processes.
453# This is achieved by ensuring that it is impossible to transition
454# from a domain to a non-domain type and vice versa.
455neverallow domain ~domain:process { transition dyntransition };
456neverallow ~domain domain:process { transition dyntransition };
457
458#
459# Only system_app and system_server should be creating or writing
460# their files. The proper way to share files is to setup
461# type transitions to a more specific type or assigning a type
462# to its parent directory via a file_contexts entry.
463# Example type transition:
464#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
465#
466neverallow {
467  domain
468  -system_server
469  -system_app
470  -init
471  -installd # for relabelfrom and unlink, check for this in explicit neverallow
472} system_data_file:file no_w_file_perms;
473# do not grant anything greater than r_file_perms and relabelfrom unlink
474# to installd
475neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
476
477#
478# Only these domains should transition to shell domain. This domain is
479# permissible for the "shell user". If you need a process to exec a shell
480# script with differing privilege, define a domain and set up a transition.
481#
482neverallow {
483  domain
484  -adbd
485  -init
486  -runas
487  -zygote
488} shell:process { transition dyntransition };
489
490# Only domains spawned from zygote and runas may have the appdomain attribute.
491neverallow { domain -runas -zygote } {
492  appdomain -shell userdebug_or_eng(`-su') -bluetooth
493}:process { transition dyntransition };
494
495# Minimize read access to shell- or app-writable symlinks.
496# This is to prevent malicious symlink attacks.
497neverallow {
498  domain
499  -appdomain
500  -installd
501  -uncrypt  # TODO: see if we can remove
502} app_data_file:lnk_file read;
503
504neverallow {
505  domain
506  -shell
507  userdebug_or_eng(`-uncrypt')
508  -installd
509} shell_data_file:lnk_file read;
510
511# In addition to the symlink reading restrictions above, restrict
512# write access to shell owned directories. The /data/local/tmp
513# directory is untrustworthy, and non-whitelisted domains should
514# not be trusting any content in those directories.
515neverallow {
516  domain
517  -adbd
518  -dumpstate
519  -installd
520  -init
521  -shell
522  -vold
523} shell_data_file:dir no_w_dir_perms;
524
525neverallow {
526  domain
527  -adbd
528  -appdomain
529  -dumpstate
530  -init
531  -installd
532  -system_server # why?
533  userdebug_or_eng(`-uncrypt')
534} shell_data_file:dir { open search };
535
536# Same as above for /data/local/tmp files. We allow shell files
537# to be passed around by file descriptor, but not directly opened.
538neverallow {
539  domain
540  -adbd
541  -appdomain
542  -dumpstate
543  -installd
544  userdebug_or_eng(`-uncrypt')
545} shell_data_file:file open;
546
547# servicemanager is the only process which handles list request
548neverallow * ~servicemanager:service_manager list;
549
550# only service_manager_types can be added to service_manager
551neverallow * ~service_manager_type:service_manager { add find };
552
553# Prevent assigning non property types to properties
554neverallow * ~property_type:property_service set;
555
556# Domain types should never be assigned to any files other
557# than the /proc/pid files associated with a process. The
558# executable file used to enter a domain should be labeled
559# with its own _exec type, not with the domain type.
560# Conventionally, this looks something like:
561# $ cat mydaemon.te
562# type mydaemon, domain;
563# type mydaemon_exec, exec_type, file_type;
564# init_daemon_domain(mydaemon)
565# $ grep mydaemon file_contexts
566# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
567neverallow * domain:file { execute execute_no_trans entrypoint };
568
569# Do not allow access to the generic debugfs label. This is too broad.
570# Instead, if access to part of debugfs is desired, it should have a
571# more specific label.
572# TODO: fix system_server and dumpstate
573neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
574
575neverallow {
576  domain
577  -init
578  -recovery
579  -sdcardd
580  -vold
581} fuse_device:chr_file open;
582neverallow {
583  domain
584  -dumpstate
585  -init
586  -priv_app
587  -recovery
588  -sdcardd
589  -system_server
590  -ueventd
591  -vold
592} fuse_device:chr_file *;
593
594# Profiles contain untrusted data and profman parses that. We should only run
595# in from installd forked processes.
596neverallow {
597  domain
598  -installd
599  -profman
600} profman_exec:file no_x_file_perms;
601
602# Enforce restrictions on kernel module origin.
603# Do not allow kernel module loading except from system,
604# vendor, and boot partitions.
605neverallow * ~{ system_file rootfs }:system module_load;
606