1#####################################
2# domain_trans(olddomain, type, newdomain)
3# Allow a transition from olddomain to newdomain
4# upon executing a file labeled with type.
5# This only allows the transition; it does not
6# cause it to occur automatically - use domain_auto_trans
7# if that is what you want.
8#
9define(`domain_trans', `
10# Old domain may exec the file and transition to the new domain.
11allow $1 $2:file { getattr open read execute map };
12allow $1 $3:process transition;
13# New domain is entered by executing the file.
14allow $3 $2:file { entrypoint open read execute getattr map };
15# New domain can send SIGCHLD to its caller.
16ifelse($1, `init', `', `allow $3 $1:process sigchld;')
17# Enable AT_SECURE, i.e. libc secure mode.
18dontaudit $1 $3:process noatsecure;
19# XXX dontaudit candidate but requires further study.
20allow $1 $3:process { siginh rlimitinh };
21')
22
23#####################################
24# domain_auto_trans(olddomain, type, newdomain)
25# Automatically transition from olddomain to newdomain
26# upon executing a file labeled with type.
27#
28define(`domain_auto_trans', `
29# Allow the necessary permissions.
30domain_trans($1,$2,$3)
31# Make the transition occur by default.
32type_transition $1 $2:process $3;
33')
34
35#####################################
36# file_type_trans(domain, dir_type, file_type)
37# Allow domain to create a file labeled file_type in a
38# directory labeled dir_type.
39# This only allows the transition; it does not
40# cause it to occur automatically - use file_type_auto_trans
41# if that is what you want.
42#
43define(`file_type_trans', `
44# Allow the domain to add entries to the directory.
45allow $1 $2:dir ra_dir_perms;
46# Allow the domain to create the file.
47allow $1 $3:notdevfile_class_set create_file_perms;
48allow $1 $3:dir create_dir_perms;
49')
50
51#####################################
52# file_type_auto_trans(domain, dir_type, file_type)
53# Automatically label new files with file_type when
54# they are created by domain in directories labeled dir_type.
55#
56define(`file_type_auto_trans', `
57# Allow the necessary permissions.
58file_type_trans($1, $2, $3)
59# Make the transition occur by default.
60type_transition $1 $2:dir $3;
61type_transition $1 $2:notdevfile_class_set $3;
62')
63
64#####################################
65# r_dir_file(domain, type)
66# Allow the specified domain to read directories, files
67# and symbolic links of the specified type.
68define(`r_dir_file', `
69allow $1 $2:dir r_dir_perms;
70allow $1 $2:{ file lnk_file } r_file_perms;
71')
72
73#####################################
74# tmpfs_domain(domain)
75# Define and allow access to a unique type for
76# this domain when creating tmpfs / shmem / ashmem files.
77define(`tmpfs_domain', `
78type $1_tmpfs, file_type;
79type_transition $1 tmpfs:file $1_tmpfs;
80allow $1 $1_tmpfs:file { read write getattr map };
81allow $1 tmpfs:dir { getattr search };
82')
83
# pdx macros for IPC. pdx is a high-level name; the macros below carry the
# transport-specific rules for the underlying transport (e.g. the UDS-based
# implementation).
86
87#####################################
88# pdx_service_attributes(service)
89# Defines type attribute used to identify various service-related types.
90define(`pdx_service_attributes', `
91attribute pdx_$1_endpoint_dir_type;
92attribute pdx_$1_endpoint_socket_type;
93attribute pdx_$1_channel_socket_type;
94attribute pdx_$1_server_type;
95')
96
97#####################################
98# pdx_service_socket_types(service, endpoint_dir_t)
99# Define types for endpoint and channel sockets.
100define(`pdx_service_socket_types', `
101typeattribute $2 pdx_$1_endpoint_dir_type;
102type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
103type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
104userdebug_or_eng(`
105dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
106dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
107')
108')
109
110#####################################
111# pdx_server(server_domain, service)
112define(`pdx_server', `
113# Mark the server domain as a PDX server.
114typeattribute $1 pdx_$2_server_type;
115# Allow the init process to create the initial endpoint socket.
116allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
117# Allow the server domain to use the endpoint socket and accept connections on it.
118# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
119# than we need (e.g. we don"t need "bind" or "connect").
120allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
121# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
122allow $1 self:process setsockcreate;
123# Allow the server domain to create a client channel socket.
124allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
125# Prevent other processes from claiming to be a server for the same service.
126neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
127')
128
129#####################################
130# pdx_connect(client, service)
131define(`pdx_connect', `
132# Allow client to open the service endpoint file.
133allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
134allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
135# Allow the client to connect to endpoint socket.
136allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
137')
138
139#####################################
140# pdx_use(client, service)
141define(`pdx_use', `
142# Allow the client to use the PDX channel socket.
143# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
144# than we need (e.g. we don"t need "bind" or "connect").
145allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
146# Client needs to use an channel event fd from the server.
147allow $1 pdx_$2_server_type:fd use;
148# Servers may receive sync fences, gralloc buffers, etc, from clients.
149# This could be tightened on a per-server basis, but keeping track of service
150# clients is error prone.
151allow pdx_$2_server_type $1:fd use;
152')
153
154#####################################
155# pdx_client(client, service)
156define(`pdx_client', `
157pdx_connect($1, $2)
158pdx_use($1, $2)
159')
160
161#####################################
162# init_daemon_domain(domain)
163# Set up a transition from init to the daemon domain
164# upon executing its binary.
165define(`init_daemon_domain', `
166domain_auto_trans(init, $1_exec, $1)
167tmpfs_domain($1)
168')
169
170#####################################
171# app_domain(domain)
172# Allow a base set of permissions required for all apps.
173define(`app_domain', `
174typeattribute $1 appdomain;
175# Label ashmem objects with our own unique type.
176tmpfs_domain($1)
177# Map with PROT_EXEC.
178allow $1 $1_tmpfs:file execute;
179neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
180neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
181')
182
183#####################################
184# untrusted_app_domain(domain)
185# Allow a base set of permissions required for all untrusted apps.
186define(`untrusted_app_domain', `
187typeattribute $1 untrusted_app_all;
188')
189
190#####################################
191# net_domain(domain)
192# Allow a base set of permissions required for network access.
193define(`net_domain', `
194typeattribute $1 netdomain;
195')
196
197#####################################
198# bluetooth_domain(domain)
199# Allow a base set of permissions required for bluetooth access.
200define(`bluetooth_domain', `
201typeattribute $1 bluetoothdomain;
202')
203
204#####################################
205# hal_attribute(hal_name)
206# Add an attribute for hal implementations along with necessary
207# restrictions.
208define(`hal_attribute', `
209attribute hal_$1;
210expandattribute hal_$1 true;
211attribute hal_$1_client;
212expandattribute hal_$1_client true;
213attribute hal_$1_server;
214expandattribute hal_$1_server false;
215
216neverallow { hal_$1_server -halserverdomain } domain:process fork;
217')
218
219#####################################
220# hal_server_domain(domain, hal_type)
221# Allow a base set of permissions required for a domain to offer a
222# HAL implementation of the specified type over HwBinder.
223#
224# For example, default implementation of Foo HAL:
225#   type hal_foo_default, domain;
226#   hal_server_domain(hal_foo_default, hal_foo)
227#
228define(`hal_server_domain', `
229typeattribute $1 halserverdomain;
230typeattribute $1 $2_server;
231typeattribute $1 $2;
232')
233
234#####################################
235# hal_client_domain(domain, hal_type)
236# Allow a base set of permissions required for a domain to be a
237# client of a HAL of the specified type.
238#
239# For example, make some_domain a client of Foo HAL:
240#   hal_client_domain(some_domain, hal_foo)
241#
242define(`hal_client_domain', `
243typeattribute $1 halclientdomain;
244typeattribute $1 $2_client;
245
246# TODO(b/34170079): Make the inclusion of the rules below conditional also on
247# non-Treble devices. For now, on non-Treble device, always grant clients of a
248# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
249not_full_treble(`
250typeattribute $1 $2;
251# Find passthrough HAL implementations
252allow $2 system_file:dir r_dir_perms;
253allow $2 vendor_file:dir r_dir_perms;
254allow $2 vendor_file:file { read open getattr execute map };
255')
256')
257
258#####################################
259# passthrough_hal_client_domain(domain, hal_type)
260# Allow a base set of permissions required for a domain to be a
261# client of a passthrough HAL of the specified type.
262#
263# For example, make some_domain a client of passthrough Foo HAL:
264#   passthrough_hal_client_domain(some_domain, hal_foo)
265#
266define(`passthrough_hal_client_domain', `
267typeattribute $1 halclientdomain;
268typeattribute $1 $2_client;
269typeattribute $1 $2;
270# Find passthrough HAL implementations
271allow $2 system_file:dir r_dir_perms;
272allow $2 vendor_file:dir r_dir_perms;
273allow $2 vendor_file:file { read open getattr execute map };
274')
275
276#####################################
277# unix_socket_connect(clientdomain, socket, serverdomain)
278# Allow a local socket connection from clientdomain via
279# socket to serverdomain.
280#
281# Note: If you see denial records that distill to the
282# following allow rules:
283# allow clientdomain property_socket:sock_file write;
284# allow clientdomain init:unix_stream_socket connectto;
285# allow clientdomain something_prop:property_service set;
286#
287# This sequence is indicative of attempting to set a property.
288# use set_prop(sourcedomain, targetproperty)
289#
290define(`unix_socket_connect', `
291allow $1 $2_socket:sock_file write;
292allow $1 $3:unix_stream_socket connectto;
293')
294
295#####################################
296# set_prop(sourcedomain, targetproperty)
297# Allows source domain to set the
298# targetproperty.
299#
300define(`set_prop', `
301unix_socket_connect($1, property, init)
302allow $1 $2:property_service set;
303get_prop($1, $2)
304')
305
306#####################################
307# get_prop(sourcedomain, targetproperty)
308# Allows source domain to read the
309# targetproperty.
310#
311define(`get_prop', `
312allow $1 $2:file r_file_perms;
313')
314
315#####################################
316# unix_socket_send(clientdomain, socket, serverdomain)
317# Allow a local socket send from clientdomain via
318# socket to serverdomain.
319define(`unix_socket_send', `
320allow $1 $2_socket:sock_file write;
321allow $1 $3:unix_dgram_socket sendto;
322')
323
324#####################################
325# binder_use(domain)
326# Allow domain to use Binder IPC.
327define(`binder_use', `
328# Call the servicemanager and transfer references to it.
329allow $1 servicemanager:binder { call transfer };
330# servicemanager performs getpidcon on clients.
331allow servicemanager $1:dir search;
332allow servicemanager $1:file { read open };
333allow servicemanager $1:process getattr;
334# rw access to /dev/binder and /dev/ashmem is presently granted to
335# all domains in domain.te.
336')
337
338#####################################
339# hwbinder_use(domain)
340# Allow domain to use HwBinder IPC.
341define(`hwbinder_use', `
342# Call the hwservicemanager and transfer references to it.
343allow $1 hwservicemanager:binder { call transfer };
344# Allow hwservicemanager to send out callbacks
345allow hwservicemanager $1:binder { call transfer };
346# hwservicemanager performs getpidcon on clients.
347allow hwservicemanager $1:dir search;
348allow hwservicemanager $1:file { read open };
349allow hwservicemanager $1:process getattr;
350# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
351# all domains in domain.te.
352')
353
354#####################################
355# vndbinder_use(domain)
356# Allow domain to use Binder IPC.
357define(`vndbinder_use', `
358# Talk to the vndbinder device node
359allow $1 vndbinder_device:chr_file rw_file_perms;
360# Call the vndservicemanager and transfer references to it.
361allow $1 vndservicemanager:binder { call transfer };
362# vndservicemanager performs getpidcon on clients.
363allow vndservicemanager $1:dir search;
364allow vndservicemanager $1:file { read open };
365allow vndservicemanager $1:process getattr;
366')
367
368#####################################
369# binder_call(clientdomain, serverdomain)
370# Allow clientdomain to perform binder IPC to serverdomain.
371define(`binder_call', `
372# Call the server domain and optionally transfer references to it.
373allow $1 $2:binder { call transfer };
374# Allow the serverdomain to transfer references to the client on the reply.
375allow $2 $1:binder transfer;
376# Receive and use open files from the server.
377allow $1 $2:fd use;
378')
379
380#####################################
381# binder_service(domain)
382# Mark a domain as being a Binder service domain.
383# Used to allow binder IPC to the various system services.
384define(`binder_service', `
385typeattribute $1 binderservicedomain;
386')
387
388#####################################
389# wakelock_use(domain)
390# Allow domain to manage wake locks
391define(`wakelock_use', `
392# Access /sys/power/wake_lock and /sys/power/wake_unlock
393allow $1 sysfs_wake_lock:file rw_file_perms;
394# Accessing these files requires CAP_BLOCK_SUSPEND
395allow $1 self:global_capability2_class_set block_suspend;
396')
397
398#####################################
399# selinux_check_access(domain)
400# Allow domain to check SELinux permissions via selinuxfs.
401define(`selinux_check_access', `
402r_dir_file($1, selinuxfs)
403allow $1 selinuxfs:file w_file_perms;
404allow $1 kernel:security compute_av;
405allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
406')
407
408#####################################
409# selinux_check_context(domain)
410# Allow domain to check SELinux contexts via selinuxfs.
411define(`selinux_check_context', `
412r_dir_file($1, selinuxfs)
413allow $1 selinuxfs:file w_file_perms;
414allow $1 kernel:security check_context;
415')
416
417#####################################
418# create_pty(domain)
419# Allow domain to create and use a pty, isolated from any other domain ptys.
420define(`create_pty', `
421# Each domain gets a unique devpts type.
422type $1_devpts, fs_type;
423# Label the pty with the unique type when created.
424type_transition $1 devpts:chr_file $1_devpts;
425# Allow use of the pty after creation.
426allow $1 $1_devpts:chr_file { open getattr read write ioctl };
427allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
428# TIOCSTI is only ever used for exploits. Block it.
429# b/33073072, b/7530569
430# http://www.openwall.com/lists/oss-security/2016/09/26/14
431neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
432# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
433# allowed to everyone via domain.te.
434')
435
436#####################################
437# Non system_app application set
438#
439define(`non_system_app_set', `{ appdomain -system_app }')
440
441#####################################
442# Recovery only
443# SELinux rules which apply only to recovery mode
444#
445define(`recovery_only', ifelse(target_recovery, `true', $1, ))
446
447#####################################
448# Full TREBLE only
449# SELinux rules which apply only to full TREBLE devices
450#
451define(`full_treble_only', ifelse(target_full_treble, `true', $1,
452ifelse(target_full_treble, `cts',
453# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
454$1
455# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
456, )))
457
458#####################################
459# Not full TREBLE
460# SELinux rules which apply only to devices which are not full TREBLE devices
461#
462define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
463
464#####################################
465# Compatible property only
466# SELinux rules which apply only to devices with compatible property
467#
468define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
469ifelse(target_compatible_property, `cts',
470# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
471$1
472# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
473, )))
474
475#####################################
476# Not compatible property
477# SELinux rules which apply only to devices without compatible property
478#
479define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
480
481#####################################
482# Userdebug or eng builds
483# SELinux rules which apply only to userdebug or eng builds
484#
485define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
486
487#####################################
488# asan builds
489# SELinux rules which apply only to asan builds
490#
491define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
492
493####################################
494# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
495#
496define(`crash_dump_fallback', `
497userdebug_or_eng(`
498  allow $1 su:fifo_file append;
499')
500allow $1 anr_data_file:file append;
501allow $1 dumpstate:fd use;
502allow $1 incidentd:fd use;
503# TODO: Figure out why write is needed.
504allow $1 dumpstate:fifo_file { append write };
505allow $1 incidentd:fifo_file { append write };
506allow $1 system_server:fifo_file { append write };
507allow $1 tombstoned:unix_stream_socket connectto;
508allow $1 tombstoned:fd use;
509allow $1 tombstoned_crash_socket:sock_file write;
510allow $1 tombstone_data_file:file append;
511')
512
513#####################################
514# WITH_DEXPREOPT builds
515# SELinux rules which apply only when pre-opting.
516#
517define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
518
519#####################################
520# write_logd(domain)
521# Ability to write to android log
522# daemon via sockets
523define(`write_logd', `
524unix_socket_send($1, logdw, logd)
525allow $1 pmsg_device:chr_file w_file_perms;
526')
527
528#####################################
529# read_logd(domain)
530# Ability to run logcat and read from android
531# log daemon via sockets
532define(`read_logd', `
533allow $1 logcat_exec:file rx_file_perms;
534unix_socket_connect($1, logdr, logd)
535')
536
537#####################################
538# read_runtime_log_tags(domain)
539# ability to directly map the runtime event log tags
540define(`read_runtime_log_tags', `
541allow $1 runtime_event_log_tags_file:file r_file_perms;
542')
543
544#####################################
545# control_logd(domain)
546# Ability to control
547# android log daemon via sockets
548define(`control_logd', `
549# Group AID_LOG checked by filesystem & logd
550# to permit control commands
551unix_socket_connect($1, logd, logd)
552')
553
554#####################################
555# use_keystore(domain)
556# Ability to use keystore.
557# Keystore is requires the following permissions
558# to call getpidcon.
559define(`use_keystore', `
560  allow keystore $1:dir search;
561  allow keystore $1:file { read open };
562  allow keystore $1:process getattr;
563  allow $1 keystore_service:service_manager find;
564  binder_call($1, keystore)
565  binder_call(keystore, $1)
566')
567
568###########################################
569# use_drmservice(domain)
570# Ability to use DrmService which requires
571# DrmService to call getpidcon.
572define(`use_drmservice', `
573  allow drmserver $1:dir search;
574  allow drmserver $1:file { read open };
575  allow drmserver $1:process getattr;
576')
577
578###########################################
579# add_service(domain, service)
580# Ability for domain to add a service to service_manager
581# and find it. It also creates a neverallow preventing
582# others from adding it.
583define(`add_service', `
584  allow $1 $2:service_manager { add find };
585  neverallow { domain -$1 } $2:service_manager add;
586')
587
588###########################################
589# add_hwservice(domain, service)
590# Ability for domain to add a service to hwservice_manager
591# and find it. It also creates a neverallow preventing
592# others from adding it.
593define(`add_hwservice', `
594  allow $1 $2:hwservice_manager { add find };
595  allow $1 hidl_base_hwservice:hwservice_manager add;
596  neverallow { domain -$1 } $2:hwservice_manager add;
597')
598