# Rules that used to be granted to every domain through the domain attribute.
# They now apply only to domains that still carry domain_deprecated.
#
# Pattern used throughout this file: an unconditional allow keeps legacy
# callers working, and a matching auditallow logs every domain that actually
# exercises the permission so it can be given a targeted rule and dropped from
# the attribute. The auditallow rules are wrapped in userdebug_or_eng, so they
# exist only on userdebug/eng builds; user builds neither log nor deny these
# accesses. Domains listed with a leading - inside an auditallow are excluded
# from the log only (presumably already known to need the access) - they keep
# the permission, because the allow rules cover all of domain_deprecated.

# /storage/emulated tmpfs mount: directory search. installd is carved out of
# the allow rule itself, not just out of the audit.
allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
userdebug_or_eng(`
auditallow {
  domain_deprecated
  -appdomain -installd -sdcardd -surfaceflinger -system_server -vold -zygote
} tmpfs:dir r_dir_perms;
')

# Use file descriptors inherited from or handed over by system_server.
allow domain_deprecated system_server:fd use;
userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
')

# Use file descriptors handed over by adbd, e.g. the socket passed during
# adb backup/restore. Only the fd use permission is granted by this rule.
allow domain_deprecated adbd:fd use;
userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
')

# Read-only access to the root filesystem: directories, files and symlinks.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:{ file lnk_file } r_file_perms;
userdebug_or_eng(`
# dir search and lnk_file read are granted on the domain attribute itself and
# are therefore left out of the audited permission sets.
auditallow {
  domain_deprecated
  -fsck -healthd -installd -servicemanager -system_server -ueventd -uncrypt
  -vold -zygote
} rootfs:dir { open getattr read ioctl lock };
auditallow {
  domain_deprecated
  -healthd -installd -servicemanager -system_server -ueventd -uncrypt -vold
  -zygote
} rootfs:file r_file_perms;
auditallow {
  domain_deprecated
  -appdomain -healthd -installd -servicemanager -system_server -ueventd
  -uncrypt -vold -zygote
} rootfs:lnk_file { getattr open ioctl lock };
')

# /system directory listing. search and getattr are on the domain attribute,
# so only the remaining dir permissions are audited.
allow domain_deprecated system_file:dir r_dir_perms;
userdebug_or_eng(`
auditallow {
  domain_deprecated
  -appdomain -fingerprintd -installd -keystore -surfaceflinger -system_server
  -update_engine -vold -zygote
} system_file:dir { open read ioctl lock };
')

# /data files: no open on regular files, so a domain can only read
# descriptors it was already handed; symlinks, by contrast, may be read
# outright (r_file_perms).
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -sdcardd -system_server -tee } system_data_file:file { getattr read };
auditallow { domain_deprecated -appdomain -system_server -tee } system_data_file:lnk_file r_file_perms;
')

# APKs under /data/app: traverse the directory, read the files and symlinks.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:{ file lnk_file } r_file_perms;
userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:dir { getattr search };
auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:{ file lnk_file } r_file_perms;
')

# /cache: list directories, read already-open files (no open), read symlinks.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
userdebug_or_eng(`
# dir getattr is audited on its own so that appdomain can be excluded from it
# without hiding its other directory accesses from the log.
auditallow { domain_deprecated -system_server -vold } cache_file:dir { open read search ioctl lock };
auditallow { domain_deprecated -appdomain -system_server -vold } cache_file:dir getattr;
auditallow { domain_deprecated -system_server -vold } cache_file:file { getattr read };
auditallow { domain_deprecated -system_server -vold } cache_file:lnk_file r_file_perms;
')

# ion memory allocator device, read and write.
allow domain_deprecated ion_device:chr_file rw_file_perms;
userdebug_or_eng(`
# Read and write are audited separately: most domains appear to need only
# read, so writes are logged for every domain_deprecated member, with no
# exclusions at all.
auditallow {
  domain_deprecated
  -appdomain -fingerprintd -keystore -surfaceflinger -system_server -tee -vold
  -zygote
} ion_device:chr_file r_file_perms;
auditallow domain_deprecated ion_device:chr_file { write append };
')

# Pseudo filesystems: read-only dir/file/lnk_file access to proc, sysfs and
# cgroup, plus /proc/meminfo, which carries its own type.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
userdebug_or_eng(`
# proc lnk_file getattr/read, sysfs dir search and sysfs lnk_file read are
# granted on the domain attribute and are excluded from the audited sets.
auditallow {
  domain_deprecated
  -fsck -fsck_untrusted -sdcardd -system_server -update_engine -vold
} proc:file r_file_perms;
auditallow {
  domain_deprecated
  -fsck -fsck_untrusted -system_server -vold
} proc:lnk_file { open ioctl lock };
auditallow {
  domain_deprecated
  -bluetooth -fingerprintd -healthd -netd -system_app -surfaceflinger
  -system_server -tee -ueventd -vold
} sysfs:dir { open getattr read ioctl lock };
auditallow {
  domain_deprecated
  -bluetooth -fingerprintd -healthd -netd -system_app -surfaceflinger
  -system_server -tee -ueventd -vold
} sysfs:file r_file_perms;
auditallow {
  domain_deprecated
  -bluetooth -fingerprintd -healthd -netd -system_app -surfaceflinger
  -system_server -tee -ueventd -vold
} sysfs:lnk_file { getattr open ioctl lock };
auditallow {
  domain_deprecated
  -appdomain -dumpstate -fingerprintd -healthd -inputflinger -installd
  -keystore -netd -surfaceflinger -system_server -zygote
} cgroup:dir r_dir_perms;
auditallow {
  domain_deprecated
  -appdomain -dumpstate -fingerprintd -healthd -inputflinger -installd
  -keystore -netd -surfaceflinger -system_server -zygote
} cgroup:{ file lnk_file } r_file_perms;
auditallow { domain_deprecated -appdomain -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
')

# selinuxfs, e.g. to read the enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
userdebug_or_eng(`
# dir search and file getattr are granted on the domain attribute; the rest
# of the read permissions are audited.
auditallow {
  domain_deprecated
  -appdomain -installd -keystore -postinstall_dexopt -runas -servicemanager
  -system_server -ueventd -zygote
} selinuxfs:dir { open getattr read ioctl lock };
auditallow {
  domain_deprecated
  -appdomain -installd -keystore -postinstall_dexopt -runas -servicemanager
  -system_server -ueventd -zygote
} selinuxfs:file { open read ioctl lock };
')