#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
# Arguments:
#   olddomain - the domain of the process performing the exec
#   type      - the file type of the executable
#   newdomain - the domain the process may enter
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute map };
allow $1 $3:process transition;
# New domain is entered by executing the file.
# entrypoint ties the transition to executables of this file type.
allow $3 $2:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
# No sigchld rule is emitted by this macro when olddomain is init.
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
# dontaudit only suppresses the audit record; noatsecure stays denied,
# so the new image runs with AT_SECURE set.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
# siginh / rlimitinh let the pending signal state and resource limits of
# the caller be inherited across the transition.
allow $1 $3:process { siginh rlimitinh };
')

#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
# type_transition makes newdomain the default context on exec; the allow
# rules the kernel checks for that come from domain_trans above.
type_transition $1 $2:process $3;
')

#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
# Arguments:
#   domain    - the creating domain
#   dir_type  - the type of the parent directory
#   file_type - the type the new file or directory will carry
#
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file.
# notdevfile_class_set is a class set defined outside this file; directories
# are not part of it, hence the separate dir rule.
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
')

#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
# One rule for new subdirectories, one for the other file classes.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')

#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
define(`r_dir_file', `
# r_dir_perms and r_file_perms are permission sets defined outside this file.
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')

#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
define(`tmpfs_domain', `
# Per-domain type for tmpfs-backed files; carries the file_type attribute.
type $1_tmpfs, file_type;
# Files this domain creates on tmpfs get the per-domain type by default.
type_transition $1 tmpfs:file $1_tmpfs;
# Only read/write/getattr on its own tmpfs files; execute is not granted
# here (app_domain adds it separately).
allow $1 $1_tmpfs:file { read write getattr };
allow $1 tmpfs:dir { getattr search };
')

# pdx macros for IPC. pdx is a high-level name which contains transport-specific
# rules from underlying transport (e.g. UDS-based implementation).

#####################################
# pdx_service_attributes(service)
# Defines type attribute used to identify various service-related types.
define(`pdx_service_attributes', `
# One attribute per role, so the other pdx macros can refer to the set of
# types playing that role for this service rather than to a concrete type.
attribute pdx_$1_endpoint_dir_type;
attribute pdx_$1_endpoint_socket_type;
attribute pdx_$1_channel_socket_type;
attribute pdx_$1_server_type;
')

#####################################
# pdx_service_socket_types(service, endpoint_dir_t)
# Define types for endpoint and channel sockets.
#
# Arguments:
#   service        - the service name used in the pdx_* attribute names
#   endpoint_dir_t - an existing type of the directory holding the endpoint
define(`pdx_service_socket_types', `
typeattribute $2 pdx_$1_endpoint_dir_type;
# The endpoint socket is a file_type (a socket file on the filesystem);
# mlstrustedobject / mlstrustedsubject exempt it from MLS constraints.
type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
# On userdebug/eng builds only (userdebug_or_eng is defined elsewhere):
# keep su out of the audit log. No access is granted by these rules.
userdebug_or_eng(`
dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
')
')

#####################################
# pdx_server(server_domain, service)
# Mark server_domain as the only server of the pdx service and grant it the
# socket permissions it needs; init creates the endpoint socket itself.
define(`pdx_server', `
# Mark the server domain as a PDX server.
typeattribute $1 pdx_$2_server_type;
# Allow the init process to create the initial endpoint socket.
allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
# Allow the server domain to use the endpoint socket and accept connections on it.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don"t need "bind" or "connect").
# (Double quotes are used above because a single quote would end the m4
# quoting of this macro body.)
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
allow $1 self:process setsockcreate;
# Allow the server domain to create a client channel socket.
allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
# Prevent other processes from claiming to be a server for the same service.
# neverallow is checked at policy build time: any other domain granted
# listen/accept on the endpoint socket type fails the build.
neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
')

#####################################
# pdx_connect(client, service)
# Allow client to reach and connect to the endpoint socket of service.
define(`pdx_connect', `
# Allow client to open the service endpoint file.
allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
# Allow the client to connect to endpoint socket.
# No listen/accept here; those stay with the server (see pdx_server).
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
')

#####################################
# pdx_use(client, service)
# Allow client to talk over an established channel socket of service and
# to exchange file descriptors with the server.
define(`pdx_use', `
# Allow the client to use the PDX channel socket.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don"t need "bind" or "connect").
allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
# Client needs to use a channel event fd from the server.
allow $1 pdx_$2_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
# Note this grants every domain carrying the server attribute use of fds
# from this client.
allow pdx_$2_server_type $1:fd use;
')

#####################################
# pdx_client(client, service)
# Convenience wrapper: pdx_connect plus pdx_use for the same client and service.
define(`pdx_client', `
pdx_connect($1, $2)
pdx_use($1, $2)
')

#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
define(`init_daemon_domain', `
# The daemon binary is expected to be labeled with the _exec type derived
# from the domain name.
domain_auto_trans(init, $1_exec, $1)
# Give the daemon its own tmpfs type as well.
tmpfs_domain($1)
')

#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
# tmpfs_domain grants only read/write/getattr; execute on the per-domain
# tmpfs type is added here for app domains only.
allow $1 $1_tmpfs:file execute;
')

#####################################
# untrusted_app_domain(domain)
# Allow a base set of permissions required for all untrusted apps.
define(`untrusted_app_domain', `
# Only the attribute is attached here; its rules are defined outside this file.
typeattribute $1 untrusted_app_all;
')

#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
define(`net_domain', `
# Rules for netdomain are defined outside this file.
typeattribute $1 netdomain;
')

#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
define(`bluetooth_domain', `
# Rules for bluetoothdomain are defined outside this file.
typeattribute $1 bluetoothdomain;
')

#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
#
# For example, default implementation of Foo HAL:
# type hal_foo_default, domain;
# hal_server_domain(hal_foo_default, hal_foo)
#
define(`hal_server_domain', `
# Generic HAL-server attribute, the per-HAL server attribute, and the HAL
# attribute itself (which is expected to carry the rules for the HAL).
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')

#####################################
# hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a HAL of the specified type.
#
# For example, make some_domain a client of Foo HAL:
# hal_client_domain(some_domain, hal_foo)
#
define(`hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;

# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
# Note: inside not_full_treble the client domain is also given the hal_type
# attribute itself, so it inherits every rule written for that attribute,
# including execute/map on vendor_file below. On full-Treble builds nothing
# in this block is emitted and the client gets only the two attributes above.
not_full_treble(`
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute map };
')
')

#####################################
# passthrough_hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a passthrough HAL of the specified type.
#
# For example, make some_domain a client of passthrough Foo HAL:
# passthrough_hal_client_domain(some_domain, hal_foo)
#
define(`passthrough_hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
# Unlike hal_client_domain, the client unconditionally becomes a member of
# the HAL attribute, because the HAL code runs in-process.
typeattribute $1 $2;
# Find passthrough HAL implementations
# These rules are written against the HAL attribute, so they apply to every
# domain carrying it, not only to this client.
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute map };
')

#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# use set_prop(sourcedomain, targetproperty)
#
# Arguments:
#   clientdomain - the connecting domain
#   socket       - the socket name; the sock_file type used is <socket>_socket
#   serverdomain - the domain that owns the listening socket
#
define(`unix_socket_connect', `
# Direct use for the property socket is deprecated in favour of set_prop.
# print is defined outside this file and presumably emits a build-time
# message only; the rules are still emitted below in that case.
ifelse($2, `property', `
 ifelse($3,`init', `
 print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
 ')
')
__unix_socket_connect__($1, $2, $3)
')

# Internal helper shared by unix_socket_connect and set_prop; policy should
# use the public macros rather than calling this directly.
define(`__unix_socket_connect__', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')

#####################################
# set_prop(sourcedomain, targetproperty)
# Allows source domain to set the
# targetproperty.
#
define(`set_prop', `
# Calls the internal helper directly so the deprecation message in
# unix_socket_connect is not triggered.
__unix_socket_connect__($1, property, init)
allow $1 $2:property_service set;
# get_prop is pulled in as well, so a setter can also read the property.
get_prop($1, $2)
')

#####################################
# get_prop(sourcedomain, targetproperty)
# Allows source domain to read the
# targetproperty.
302949d7cbc29c1a658f00b966a81fd3f710c065fecTom Cherry# 303949d7cbc29c1a658f00b966a81fd3f710c065fecTom Cherrydefine(`get_prop', ` 304949d7cbc29c1a658f00b966a81fd3f710c065fecTom Cherryallow $1 $2:file r_file_perms; 305949d7cbc29c1a658f00b966a81fd3f710c065fecTom Cherry') 306949d7cbc29c1a658f00b966a81fd3f710c065fecTom Cherry 307949d7cbc29c1a658f00b966a81fd3f710c065fecTom Cherry##################################### 3082dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley# unix_socket_send(clientdomain, socket, serverdomain) 3092dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley# Allow a local socket send from clientdomain via 3102dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley# socket to serverdomain. 3112dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalleydefine(`unix_socket_send', ` 3122dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalleyallow $1 $2_socket:sock_file write; 3132dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalleyallow $1 $3:unix_dgram_socket sendto; 3142dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley') 3152dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley 3162dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley##################################### 3172dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley# binder_use(domain) 3182dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley# Allow domain to use Binder IPC. 3192dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalleydefine(`binder_use', ` 3209ce99e3908fcd81430bc9612e5d86819939b6db2Stephen Smalley# Call the servicemanager and transfer references to it. 3219ce99e3908fcd81430bc9612e5d86819939b6db2Stephen Smalleyallow $1 servicemanager:binder { call transfer }; 322b8511e0d98880a683c276589ab7d8d7666b7f8c1Riley Spahn# servicemanager performs getpidcon on clients. 
323b8511e0d98880a683c276589ab7d8d7666b7f8c1Riley Spahnallow servicemanager $1:dir search; 324b8511e0d98880a683c276589ab7d8d7666b7f8c1Riley Spahnallow servicemanager $1:file { read open }; 325b8511e0d98880a683c276589ab7d8d7666b7f8c1Riley Spahnallow servicemanager $1:process getattr; 3262dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley# rw access to /dev/binder and /dev/ashmem is presently granted to 3272dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley# all domains in domain.te. 3282dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley') 3292dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley 3302dd4e51d5c2a2dfc0bfdee9303269f5a665f6e3Stephen Smalley##################################### 33150ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenen# hwbinder_use(domain) 33250ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenen# Allow domain to use HwBinder IPC. 33350ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenendefine(`hwbinder_use', ` 33450ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenen# Call the hwservicemanager and transfer references to it. 33550ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenenallow $1 hwservicemanager:binder { call transfer }; 3369147a23835828561253e89bb32f8cdcff4d20f96Glen Kuhne# Allow hwservicemanager to send out callbacks 3379147a23835828561253e89bb32f8cdcff4d20f96Glen Kuhneallow hwservicemanager $1:binder { call transfer }; 33850ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenen# hwservicemanager performs getpidcon on clients. 
33950ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenenallow hwservicemanager $1:dir search; 34050ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenenallow hwservicemanager $1:file { read open }; 34150ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenenallow hwservicemanager $1:process getattr; 34250ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenen# rw access to /dev/hwbinder and /dev/ashmem is presently granted to 34350ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenen# all domains in domain.te. 34450ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenen') 34550ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenen 34650ab0b1acec0bbd48d1cb8e831bfbedfad456a15Martijn Coenen##################################### 347e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenen# vndbinder_use(domain) 348e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenen# Allow domain to use Binder IPC. 349e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenendefine(`vndbinder_use', ` 350e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenen# Talk to the vndbinder device node 351e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenenallow $1 vndbinder_device:chr_file rw_file_perms; 352e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenen# Call the vndservicemanager and transfer references to it. 353e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenenallow $1 vndservicemanager:binder { call transfer }; 354e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenen# vndservicemanager performs getpidcon on clients. 
allow vndservicemanager $1:dir search;
allow vndservicemanager $1:file { read open };
allow vndservicemanager $1:process getattr;
')

#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
# The grant is deliberately one-directional: serverdomain gets transfer
# back to the client (needed for replies) but not call, so a server that
# must invoke callbacks on the client needs binder_call in the reverse
# direction as well.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
# Only the client uses fds from the server; the reverse (server using
# client fds) is not granted by this macro.
allow $1 $2:fd use;
')

#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
define(`binder_service', `
# Only the attribute is attached here; the rules that key on
# binderservicedomain live elsewhere in the policy.
typeattribute $1 binderservicedomain;
')

#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
# A held wake lock keeps the device from suspending, so grant this only
# to domains that actually need it.
define(`wakelock_use', `
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:capability2 block_suspend;
')

#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
r_dir_file($1, selinuxfs)
# Write access to selinuxfs files is needed to submit queries; what the
# domain may actually do through them is scoped by the kernel:security
# permission below (only compute_av - no load_policy or setenforce).
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security compute_av;
# Presumably for receiving AVC/policy change notifications. The permission
# list is broad (bind, listen, accept, ...) compared to what a listener
# needs; left unchanged here since tightening it changes policy.
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
')

#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
# Same selinuxfs access as selinux_check_access, but with check_context
# instead of compute_av: it validates a context string and does not
# query access decisions.
define(`selinux_check_context', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security check_context;
')

#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
# Each domain gets a unique devpts type.
# Nothing else in this macro grants access to $1_devpts, so a pty created
# by $1 is not reachable from other domains unless they are given rules
# on $1_devpts explicitly.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
# Restrict ioctl to the unpriv_tty_ioctls list; once an allowxperm rule
# exists, ioctls outside the list are denied even though ioctl is allowed.
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
# TIOCSTI is only ever used for exploits. Block it.
# TIOCSTI injects input into the terminal queue, a known privilege
# escalation path between processes sharing a pty (see the linked
# advisory). The neverallowxperm is a compile-time assertion over every
# domain, including $1, so no later allowxperm can re-enable it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')

#####################################
# Non system_app application set
# Every app domain except system_app, for rules that must exclude
# system_app.
#
define(`non_system_app_set', `{ appdomain -system_app }')

#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
# The body is unquoted, so the ifelse is evaluated when the macro is
# defined: recovery_only expands to its argument when target_recovery is
# true and to nothing otherwise.
#
define(`recovery_only', ifelse(target_recovery, `true', $1, ))

#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
# Evaluated at definition time like recovery_only. When target_full_treble
# is cts, the rules are emitted between BEGIN/END marker lines that CTS
# parses; keep the marker lines exactly as they are.
#
define(`full_treble_only', ifelse(target_full_treble, `true', $1,
ifelse(target_full_treble, `cts',
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
$1
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
, )))

#####################################
# Not full TREBLE
# SELinux rules which apply only to devices which are not full TREBLE devices
# Only the true value of target_full_treble is treated as full TREBLE
# here; with the cts value both this macro and full_treble_only emit
# their rules.
#
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))

#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
# The inner ifelse has no else branch, so any other build variant
# expands to nothing; rules wrapped here are never present on user builds.
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))

#####################################
# User builds
# SELinux rules which apply only to user builds
#
define(`userbuild', ifelse(target_build_variant, `user', $1, ))

#####################################
# asan builds
# SELinux rules which apply only to asan builds
#
# Takes effect only on userdebug/eng builds even when target_with_asan is
# true, because the argument is routed through userdebug_or_eng.
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))

####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
# Grants what a crashing process needs to hand its report to tombstoned
# and dumpstate directly. Access to the crash data files is append-only;
# no write, open or create is granted on them.
#
define(`crash_dump_fallback', `
# Debug-only: the su fifo rule is wrapped in userdebug_or_eng and is
# never present on user builds.
userdebug_or_eng(`
 allow $1 su:fifo_file append;
')
allow $1 anr_data_file:file append;
allow $1 dumpstate:fd use;
# TODO: Figure out why write is needed.
allow $1 dumpstate:fifo_file { append write };
allow $1 system_server:fifo_file { append write };
# Reach tombstoned over its crash socket; the tombstone file itself is
# presumably handed back as an fd, and only append is granted on it.
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
allow $1 tombstoned_crash_socket:sock_file write;
allow $1 tombstone_data_file:file append;
')

#####################################
# WITH_DEXPREOPT builds
# SELinux rules which apply only when pre-opting.
# Note: unlike the other build flag wrappers this ifelse has no explicit
# else argument; m4 treats the missing branch as empty, so the result
# is the same.
#
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))

#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
# Write side only: this does not allow reading the log back (see
# read_logd) or controlling logd (see control_logd).
define(`write_logd', `
unix_socket_send($1, logdw, logd)
# Also allow writing the pmsg device node (write only, no read).
allow $1 pmsg_device:chr_file w_file_perms;
')

#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
# Read side only; write_logd and control_logd are separate so a domain
# can be given just the direction it needs.
define(`read_logd', `
allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')

#####################################
# read_runtime_log_tags(domain)
# ability to directly map the runtime event log tags
# Read-only access to the tags file itself; no logd socket is involved.
define(`read_runtime_log_tags', `
allow $1 runtime_event_log_tags_file:file r_file_perms;
')

#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
# The SELinux grant alone is not sufficient: as noted below, the socket
# and logd also check DAC group membership (AID_LOG).
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')

#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore requires the following permissions
# to call getpidcon, which is how it identifies the calling domain.
define(`use_keystore', `
 allow keystore $1:dir search;
 allow keystore $1:file { read open };
 allow keystore $1:process getattr;
# Let the client find and call keystore; binder_call also grants the
# reply path back to the client.
 allow $1 keystore_service:service_manager find;
 binder_call($1, keystore)
')

###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
define(`use_drmservice', `
# drmserver side only: nothing here lets the client reach drmserver.
 allow drmserver $1:dir search;
 allow drmserver $1:file { read open };
 allow drmserver $1:process getattr;
')

###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
# The neverallow is the important part: it guarantees at policy build
# time that no other domain can register (and thereby impersonate) the
# service name. Other clients still need their own find rule on it.
define(`add_service', `
 allow $1 $2:service_manager { add find };
 neverallow { domain -$1 } $2:service_manager add;
')

###########################################
# add_hwservice(domain, service)
# Ability for domain to add a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
# Same pattern as add_service. The extra add on hidl_base_hwservice is
# not covered by the neverallow and is shared by every hwservice
# provider; presumably each HIDL service is also registered under the
# base interface.
define(`add_hwservice', `
 allow $1 $2:hwservice_manager { add find };
 allow $1 hidl_base_hwservice:hwservice_manager add;
 neverallow { domain -$1 } $2:hwservice_manager add;
')

##########################################
# print a message with a trailing newline
# print(`args')
# Debug helper: writes to stderr via errprint, prefixed with the m4 file
# and line where print was expanded. Has no effect on the generated
# policy.
define(`print', `errprint(`m4: '__file__: __line__`: $*
')')