1dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich# Rules for all domains. 2dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich 3dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich# Allow reaping by init. 4dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain init:process sigchld; 5dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich 6dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich# Intra-domain accesses. 7bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalleyallow domain self:process { 8bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley fork 9bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley sigchld 10bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley sigkill 11bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley sigstop 12bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley signull 13bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley signal 14bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley getsched 15bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley setsched 16bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley getsession 17bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley getpgid 18bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley setpgid 19bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley getcap 20bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley setcap 21bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley getattr 22bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley setrlimit 23bac4ccce8f1b06ec9c25b98e6690714ba8ad7bafStephen Smalley}; 24dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain self:fd use; 25abf31acb01f85ade4b97b05f9893d270b915b7b6dcashmanallow domain proc:dir r_dir_perms; 268666bf25cf5de7c0bddfe858342dabfeea5ff823dcashmanallow domain proc_net:dir search; 27093ea6fb9a284acbce10641f8743de24abd70734SimHyunYongr_dir_file(domain, self) 28dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain self:{ fifo_file file } 
rw_file_perms; 291601132086b054adc70e7f8f38ed24574c90bc37Stephen Smalleyallow domain self:unix_dgram_socket { create_socket_perms sendto }; 301601132086b054adc70e7f8f38ed24574c90bc37Stephen Smalleyallow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich 32dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich# Inherit or receive open files from others. 33dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain init:fd use; 34dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich 357d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevichuserdebug_or_eng(` 367d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevich allow domain su:fd use; 37f63759714c4145f96a8e3dee191163b39b6f8897Jeff Vander Stoep allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown }; 38f63759714c4145f96a8e3dee191163b39b6f8897Jeff Vander Stoep allow domain su:unix_dgram_socket sendto; 397d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevich 409119f12ee3a5ae56c61caef55fb3028128bd2df2Lorenzo Colitti allow { domain -init } su:binder { call transfer }; 413dad7b611a448fa43a678ff760c23a00f387947eStephen Smalley 427d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevich # Running something like "pm dump com.android.bluetooth" requires 437d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevich # fifo writes 447d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevich allow domain su:fifo_file { write getattr }; 457d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevich 467d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevich # allow "gdbserver --attach" to work for su. 
477d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevich allow domain su:process sigchld; 48ca62a8b72be35de3781c1f8f16600cfeca874ef5Nick Kralevich 49ca62a8b72be35de3781c1f8f16600cfeca874ef5Nick Kralevich # Allow writing coredumps to /cores/* 50ca62a8b72be35de3781c1f8f16600cfeca874ef5Nick Kralevich allow domain coredump_file:file create_file_perms; 51ca62a8b72be35de3781c1f8f16600cfeca874ef5Nick Kralevich allow domain coredump_file:dir ra_dir_perms; 527d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevich') 537d0f955ef09be5b2558da432a1f8cd525c5ccfe4Nick Kralevich 54dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich# Root fs. 556e3506e1ba83fb47297c8908016397c8f17840c4Jeff Vander Stoepallow domain rootfs:dir search; 56c7125fa23072e2ff31e10b3327da81ee1ab3e447Dimitry Ivanovallow domain rootfs:lnk_file { read getattr }; 57dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich 58dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich# Device accesses. 59dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain device:dir search; 60712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2Stephen Smalleyallow domain dev_type:lnk_file r_file_perms; 61dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain devpts:dir search; 6220feb75b572a21a7a376d6780cc5c1d636cda610Robert Craigallow domain socket_device:dir r_dir_perms; 63dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain owntty_device:chr_file rw_file_perms; 64dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain null_device:chr_file rw_file_perms; 65f007d03628f98a40c01c12ad105ca6be14fd3c78Nick Kralevichallow domain zero_device:chr_file rw_file_perms; 66dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain ashmem_device:chr_file rw_file_perms; 67f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin# /dev/binder can be accessed by non-vendor domains and by apps 682ab99a1389c92a4d8023d6ad2e2f4530f6429cf9Alex Klyubinallow { 692ab99a1389c92a4d8023d6ad2e2f4530f6429cf9Alex Klyubin 
coredomain 702ab99a1389c92a4d8023d6ad2e2f4530f6429cf9Alex Klyubin appdomain 712ab99a1389c92a4d8023d6ad2e2f4530f6429cf9Alex Klyubin binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 722ab99a1389c92a4d8023d6ad2e2f4530f6429cf9Alex Klyubin -hwservicemanager 732ab99a1389c92a4d8023d6ad2e2f4530f6429cf9Alex Klyubin} binder_device:chr_file rw_file_perms; 74f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder 75f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubinnot_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;') 7691d398d802b4fbd33c2b88da9f56ecee8bdc363cDan Cashmanallow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; 77dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain ptmx_device:chr_file rw_file_perms; 78dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevichallow domain alarm_device:chr_file r_file_perms; 79a2477056ae6a702e7e71b671cd0c47afc1c7da8aAlex Klyubinallow domain random_device:chr_file rw_file_perms; 809d9c370f31556c33f62e7889f64ad3a2728f1863Nick Kralevichallow domain proc_random:dir r_dir_perms; 819d9c370f31556c33f62e7889f64ad3a2728f1863Nick Kralevichallow domain proc_random:file r_file_perms; 8232c4a27cf5d7f83b035a66f7da49867bba5efa81Nick Kralevichallow domain properties_device:dir { search getattr }; 83949d7cbc29c1a658f00b966a81fd3f710c065fecTom Cherryallow domain properties_serial:file r_file_perms; 848b5433a9cc52f0c9707f9c75a027027b12ef24dcTom Cherryallow domain property_info:file r_file_perms; 85949d7cbc29c1a658f00b966a81fd3f710c065fecTom Cherry 865a570a4b6b89a2226970de93887f25a10a2e4548Nick Kralevich# For now, everyone can access core property files 875a570a4b6b89a2226970de93887f25a10a2e4548Nick Kralevich# Device specific properties are not granted by default 88e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun 
Seoknot_compatible_property(` 89e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, core_property_type) 90e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, exported_dalvik_prop) 91e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, exported_ffs_prop) 92e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, exported_system_radio_prop) 93e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, exported2_config_prop) 94e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, exported2_radio_prop) 95e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, exported2_system_prop) 96e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, exported2_vold_prop) 97e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, exported3_default_prop) 987d3bd8dbc3eb2ec6cd2247fe441395a6d11d0e76Jaekyun Seok get_prop(domain, exported3_radio_prop) 99e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, exported3_system_prop) 100e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(domain, vendor_default_prop) 101e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok') 102e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seokcompatible_property_only(` 103e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({coredomain appdomain shell}, core_property_type) 104e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({coredomain appdomain shell}, exported_dalvik_prop) 105e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({coredomain appdomain shell}, exported_ffs_prop) 106e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({coredomain appdomain shell}, exported_system_radio_prop) 107e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({coredomain appdomain shell}, exported2_config_prop) 108e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({coredomain appdomain shell}, 
exported2_radio_prop) 109e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({coredomain appdomain shell}, exported2_system_prop) 110e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({coredomain appdomain shell}, exported2_vold_prop) 111e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({coredomain appdomain shell}, exported3_default_prop) 1127d3bd8dbc3eb2ec6cd2247fe441395a6d11d0e76Jaekyun Seok get_prop({coredomain appdomain shell}, exported3_radio_prop) 113e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({coredomain appdomain shell}, exported3_system_prop) 114e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok userdebug_or_eng(` 115e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(su, core_property_type) 116e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(su, exported_dalvik_prop) 117e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(su, exported_ffs_prop) 118e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(su, exported_system_radio_prop) 119e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(su, exported2_config_prop) 120e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(su, exported2_radio_prop) 121e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(su, exported2_system_prop) 122e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(su, exported2_vold_prop) 123e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(su, exported3_default_prop) 1247d3bd8dbc3eb2ec6cd2247fe441395a6d11d0e76Jaekyun Seok get_prop(su, exported3_radio_prop) 125e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop(su, exported3_system_prop) 126e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok ') 127e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok get_prop({domain -coredomain -appdomain}, vendor_default_prop) 128e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok') 129e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok 
130e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok# Public readable properties 131e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seokget_prop(domain, debug_prop) 132e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seokget_prop(domain, exported_config_prop) 133e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seokget_prop(domain, exported_default_prop) 134e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seokget_prop(domain, exported_dumpstate_prop) 135f9d27887eb50aa97b1c356aa63ae90a54daf4639Jaekyun Seokget_prop(domain, exported_fingerprint_prop) 136e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seokget_prop(domain, exported_radio_prop) 1376f3e73db0599f09ae5abaebc25bb9f2335482f88Jaekyun Seokget_prop(domain, exported_secure_prop) 138e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seokget_prop(domain, exported_system_prop) 139e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seokget_prop(domain, exported_vold_prop) 140e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seokget_prop(domain, exported2_default_prop) 141e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seokget_prop(domain, logd_prop) 142e49714542ee846a7b14c8edb78303ec94cb4836eJaekyun Seok 14384cfde229ce05f44944df1237c4e9465c04c67d3mukesh agrawal# Let everyone read log properties, so that liblog can avoid sending unloggable 14484cfde229ce05f44944df1237c4e9465c04c67d3mukesh agrawal# messages to logd. 
14584cfde229ce05f44944df1237c4e9465c04c67d3mukesh agrawalget_prop(domain, log_property_type) 146949d7cbc29c1a658f00b966a81fd3f710c065fecTom Cherrydontaudit domain property_type:file audit_access; 14754a420013492504ee277d4ebf850724923a031b3Sandeep Patilallow domain property_contexts_file:file r_file_perms; 148949d7cbc29c1a658f00b966a81fd3f710c065fecTom Cherry 1498138401d57520711bbf801e3f5f6dc029851fe46Paul Lawrenceallow domain init:key search; 15013dec5fa5b860871afea47f85842706095e40527Paul Lawrenceallow domain vold:key search; 151dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich 1528ed750e9731e6e3a21785e91e9b1cf7390c16738Mark Salyzyn# logd access 1538ed750e9731e6e3a21785e91e9b1cf7390c16738Mark Salyzynwrite_logd(domain) 1548ed750e9731e6e3a21785e91e9b1cf7390c16738Mark Salyzyn 155dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich# System file accesses. 1569a3d1c6bbe73d3e5cfeb582564f971bc1cbe155aJeff Vander Stoepallow domain system_file:dir { search getattr }; 1574397f08288890ef397697b4d6dbff596bdca14c8Stephen Smalleyallow domain system_file:file { execute read open getattr map }; 15805d83dd407f0dbad6e6ce39cf88b03ea75f0f9b3Jeff Vander Stoepallow domain system_file:lnk_file { getattr read }; 159dbd28d91d3c6d970f1704df8350b0333b51758b1Nick Kralevich 160277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil# Make sure system/vendor split doesn not affect non-treble 161277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil# devices 162277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patilnot_full_treble(` 163277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil allow domain vendor_file_type:dir { search getattr }; 16424537b2e9607dbc7aaf3687a9d6031cc811c06f0John Stultz allow domain vendor_file_type:file { execute read open getattr map }; 165277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil allow domain vendor_file_type:lnk_file { getattr read }; 166277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil') 167277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil 
168277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil# All domains are allowed to open and read directories 169277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil# that contain HAL implementations (e.g. passthrough 170277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil# HALs require clients to have these permissions) 171277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patilallow domain vendor_hal_file:dir r_dir_perms; 172277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil 173277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil# Everyone can read and execute all same process HALs 174277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patilallow domain same_process_hal_file:dir r_dir_perms; 17524537b2e9607dbc7aaf3687a9d6031cc811c06f0John Stultzallow domain same_process_hal_file:file { execute read open getattr map }; 176277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil 177ba23c8fa968a05a44d894b3b4fb3fe6f96fb7e5dJiyong Park# Any process can load vndk-sp libraries, which are system libraries 178a4768fa8b5f995414eb7e24ea2dac5507a93f537Jiyong Park# used by same process HALs 179ba23c8fa968a05a44d894b3b4fb3fe6f96fb7e5dJiyong Parkallow domain vndk_sp_file:dir r_dir_perms; 18024537b2e9607dbc7aaf3687a9d6031cc811c06f0John Stultzallow domain vndk_sp_file:file { execute read open getattr map }; 181a4768fa8b5f995414eb7e24ea2dac5507a93f537Jiyong Park 182277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil# All domains get access to /vendor/etc 183277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patilallow domain vendor_configs_file:dir r_dir_perms; 184277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patilallow domain vendor_configs_file:file { read open getattr }; 185277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil 186277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patilfull_treble_only(` 18707ddddafd250a4fde0e05d4aa5aac71926f46a10Bowgo Tsai # Allow all domains to be able to follow /system/vendor and/or 18807ddddafd250a4fde0e05d4aa5aac71926f46a10Bowgo Tsai # 
/vendor/odm symlinks. 18907ddddafd250a4fde0e05d4aa5aac71926f46a10Bowgo Tsai allow domain vendor_file_type:lnk_file { getattr open read }; 1903af3a13b3181f9dbeac563e0b35fb838d6c523dbSandeep Patil 1913af3a13b3181f9dbeac563e0b35fb838d6c523dbSandeep Patil # This is required to be able to search & read /vendor/lib64 192d84f20b2009cd42e36471ac71b2bcbfec7190152Alex Klyubin # in order to lookup vendor libraries. The execute permission 1933af3a13b3181f9dbeac563e0b35fb838d6c523dbSandeep Patil # for coredomains is granted *only* for same process HALs 194277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil allow domain vendor_file:dir { getattr search }; 195277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil 196277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil # Allow reading and executing out of /vendor to all vendor domains 197277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil allow { domain -coredomain } vendor_file_type:dir r_dir_perms; 19824537b2e9607dbc7aaf3687a9d6031cc811c06f0John Stultz allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; 199277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; 200277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil') 201277a20ebecda8f9d12a10c4f8eb52dbf04c30e43Sandeep Patil 2028d021a9496aebfadb0113f3d4f45e3331fbde7faJeff Vander Stoep# read and stat any sysfs symlinks 2038d021a9496aebfadb0113f3d4f45e3331fbde7faJeff Vander Stoepallow domain sysfs:lnk_file { getattr read }; 204cee729240e8c6a8aec63d10b4dae5d0e619229d8dcashman 2058ca19368dae676ba8769c15ead2469a9f44e562eNick Kralevich# libc references /data/misc/zoneinfo for timezone related information 2065aebe5123c6e78a36fecfb8873aacd53e0989eaaJeff Vander Stoep# This directory is considered to be a VNDK-stable 207c80f9e037bedb09d08a261f255f87ea105fa371bPrimiano Tucciallow domain zoneinfo_data_file:file r_file_perms; 208c80f9e037bedb09d08a261f255f87ea105fa371bPrimiano 
Tucciallow domain zoneinfo_data_file:dir r_dir_perms; 2098ca19368dae676ba8769c15ead2469a9f44e562eNick Kralevich 2104e2d22451f9645f7ab39b94b1ec0f0f5a5c5b2e9Nick Kralevich# Lots of processes access current CPU information 2114e2d22451f9645f7ab39b94b1ec0f0f5a5c5b2e9Nick Kralevichr_dir_file(domain, sysfs_devices_system_cpu) 2124e2d22451f9645f7ab39b94b1ec0f0f5a5c5b2e9Nick Kralevich 213b144ebab482891cef32ee84c06dbb0f943823573dcashmanr_dir_file(domain, sysfs_usb); 214b144ebab482891cef32ee84c06dbb0f943823573dcashman 2156e3506e1ba83fb47297c8908016397c8f17840c4Jeff Vander Stoep# files under /data. 216d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoepnot_full_treble(` 217d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep allow domain system_data_file:dir getattr; 218d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep') 2194a478c47f464f0f49f8802b3f49d03744450ac15Jeff Vander Stoepallow { coredomain appdomain } system_data_file:dir getattr; 2204a478c47f464f0f49f8802b3f49d03744450ac15Jeff Vander Stoep# /data has the label system_data_file. Vendor components need the search 2214a478c47f464f0f49f8802b3f49d03744450ac15Jeff Vander Stoep# permission on system_data_file for path traversal to /data/vendor. 
2224a478c47f464f0f49f8802b3f49d03744450ac15Jeff Vander Stoepallow domain system_data_file:dir search; 223d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep# TODO restrict this to non-coredomain 224d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoepallow domain vendor_data_file:dir { getattr search }; 2256e3506e1ba83fb47297c8908016397c8f17840c4Jeff Vander Stoep 2266e3506e1ba83fb47297c8908016397c8f17840c4Jeff Vander Stoep# required by the dynamic linker 22774ae21b31a94f584ce656307936de93c13e524b6dcashmanallow domain proc:lnk_file { getattr read }; 2286e3506e1ba83fb47297c8908016397c8f17840c4Jeff Vander Stoep 229f8f937a16fdbb0b9a956f0d1b1c7cf9d7651bf73Nick Kralevich# /proc/cpuinfo 230f8f937a16fdbb0b9a956f0d1b1c7cf9d7651bf73Nick Kralevichallow domain proc_cpuinfo:file r_file_perms; 231f8f937a16fdbb0b9a956f0d1b1c7cf9d7651bf73Nick Kralevich 232bc1986fbff3e4def8d28b78fae02a96bd0899a65Jeff Vander Stoep# jemalloc needs to read /proc/sys/vm/overcommit_memory 233bc1986fbff3e4def8d28b78fae02a96bd0899a65Jeff Vander Stoepallow domain proc_overcommit_memory:file r_file_perms; 234bc1986fbff3e4def8d28b78fae02a96bd0899a65Jeff Vander Stoep 2355b15baeb1ea3143ada653b9292ad851c02ad574eYabin Cui# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate 2365b15baeb1ea3143ada653b9292ad851c02ad574eYabin Cuiallow domain proc_perf:file r_file_perms; 2375b15baeb1ea3143ada653b9292ad851c02ad574eYabin Cui 2386e3506e1ba83fb47297c8908016397c8f17840c4Jeff Vander Stoep# toybox loads libselinux which stats /sys/fs/selinux/ 23945517a7547de0a9f0c13b5907c243456ec61bf04Jeff Vander Stoepallow domain selinuxfs:dir search; 2406e3506e1ba83fb47297c8908016397c8f17840c4Jeff Vander Stoepallow domain selinuxfs:file getattr; 2416e3506e1ba83fb47297c8908016397c8f17840c4Jeff Vander Stoepallow domain sysfs:dir search; 242aef68b779909fe85a0f98bf443851bb30eb8b236Jeff Vander Stoepallow domain selinuxfs:filesystem getattr; 24348b18832c476f0bd8fcb8ee3e308258392f36aafRobert Craig 
244be0616baf0c0caf8e1c8a4fdc9b488839f6af27dJeff Vander Stoep# For /acct/uid/*/tasks. 245be0616baf0c0caf8e1c8a4fdc9b488839f6af27dJeff Vander Stoepallow domain cgroup:dir { search write }; 246be0616baf0c0caf8e1c8a4fdc9b488839f6af27dJeff Vander Stoepallow domain cgroup:file w_file_perms; 247be0616baf0c0caf8e1c8a4fdc9b488839f6af27dJeff Vander Stoep 24844826cb5e4b20e0f7b7bfa72f64767e5fcc4f253Nick Kralevich# Almost all processes log tracing information to 24944826cb5e4b20e0f7b7bfa72f64767e5fcc4f253Nick Kralevich# /sys/kernel/debug/tracing/trace_marker 25044826cb5e4b20e0f7b7bfa72f64767e5fcc4f253Nick Kralevich# The reason behind this is documented in b/6513400 25144826cb5e4b20e0f7b7bfa72f64767e5fcc4f253Nick Kralevichallow domain debugfs:dir search; 252fe12b61642a0013e04848b399e59d310926c796fNick Kralevichallow domain debugfs_tracing:dir search; 2532c8ca45d2dd60ce40b236d7f35b41801744da0daCarmen Jacksonallow domain debugfs_tracing_debug:dir search; 25444826cb5e4b20e0f7b7bfa72f64767e5fcc4f253Nick Kralevichallow domain debugfs_trace_marker:file w_file_perms; 25544826cb5e4b20e0f7b7bfa72f64767e5fcc4f253Nick Kralevich 256fcea7263903b0e953f393ddb15fbfc071b992499dcashman# Filesystem access. 257fcea7263903b0e953f393ddb15fbfc071b992499dcashmanallow domain fs_type:filesystem getattr; 258fcea7263903b0e953f393ddb15fbfc071b992499dcashmanallow domain fs_type:dir getattr; 259fcea7263903b0e953f393ddb15fbfc071b992499dcashman 260bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep# Restrict all domains to a whitelist for common socket types. Additional 261bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep# ioctl commands may be added to individual domains, but this sets safe 262bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep# defaults for all processes. Note that granting this whitelist to domain does 263bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep# not grant the ioctl permission on these socket types. 
That must be granted 264bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep# separately. 265bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoepallowxperm domain domain:{ rawip_socket tcp_socket udp_socket } 266bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 267bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep# default whitelist for unix sockets. 268bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoepallowxperm domain domain:{ unix_dgram_socket unix_stream_socket } 269bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep ioctl unpriv_unix_sock_ioctls; 270bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep 27107c3a5a5222c8c0306cd62575f7f9279f7ca6093Nick Kralevich# Restrict PTYs to only whitelisted ioctls. 27207c3a5a5222c8c0306cd62575f7f9279f7ca6093Nick Kralevich# Note that granting this whitelist to domain does 27307c3a5a5222c8c0306cd62575f7f9279f7ca6093Nick Kralevich# not grant the wider ioctl permission. That must be granted 27407c3a5a5222c8c0306cd62575f7f9279f7ca6093Nick Kralevich# separately. 
27507c3a5a5222c8c0306cd62575f7f9279f7ca6093Nick Kralevichallowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; 276bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep 277d9745f3dec53e9df1a944982d3cdc00510bffb54Alex Klyubin# Workaround for policy compiler being too aggressive and removing hwservice_manager_type 278d9745f3dec53e9df1a944982d3cdc00510bffb54Alex Klyubin# when it's not explicitly used in allow rules 279d9745f3dec53e9df1a944982d3cdc00510bffb54Alex Klyubinallow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; 280d9745f3dec53e9df1a944982d3cdc00510bffb54Alex Klyubin# Workaround for policy compiler being too aggressive and removing vndservice_manager_type 281d9745f3dec53e9df1a944982d3cdc00510bffb54Alex Klyubin# when it's not explicitly used in allow rules 2822f1c7ba75e823b1cdcd6115c5504dcad6c2eab0fDan Cashmanallow { domain -domain } vndservice_manager_type:service_manager { add find }; 2833ea47b9249d4f9a4a90cae7867a119cbfdb7d4b6Martijn Coenen 28491d398d802b4fbd33c2b88da9f56ecee8bdc363cDan Cashman# Under ASAN, processes will try to read /data, as the sanitized libraries are there. 28591d398d802b4fbd33c2b88da9f56ecee8bdc363cDan Cashmanwith_asan(`allow domain system_data_file:dir getattr;') 28691d398d802b4fbd33c2b88da9f56ecee8bdc363cDan Cashman 2872637198f92d5d9c65262e42d78123d216889d546Nick Kralevich### 2882637198f92d5d9c65262e42d78123d216889d546Nick Kralevich### neverallow rules 2892637198f92d5d9c65262e42d78123d216889d546Nick Kralevich### 2902637198f92d5d9c65262e42d78123d216889d546Nick Kralevich 291bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep# All socket ioctls must be restricted to a whitelist. 
29258305da9806543d358bfd13f1c09d73a458f517eNick Kralevichneverallowxperm domain domain:socket_class_set ioctl { 0 }; 293bff9801521abb36a243131114e70f905fb1238efJeff Vander Stoep 29493615b144dbbf56df7f76c1e743e47aea72be7c3Nick Kralevich# b/68014825 and https://android-review.googlesource.com/516535 29593615b144dbbf56df7f76c1e743e47aea72be7c3Nick Kralevich# rfc6093 says that processes should not use the TCP urgent mechanism 29693615b144dbbf56df7f76c1e743e47aea72be7c3Nick Kralevichneverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; 29793615b144dbbf56df7f76c1e743e47aea72be7c3Nick Kralevich 29807c3a5a5222c8c0306cd62575f7f9279f7ca6093Nick Kralevich# TIOCSTI is only ever used for exploits. Block it. 29907c3a5a5222c8c0306cd62575f7f9279f7ca6093Nick Kralevich# b/33073072, b/7530569 30007c3a5a5222c8c0306cd62575f7f9279f7ca6093Nick Kralevich# http://www.openwall.com/lists/oss-security/2016/09/26/14 30107c3a5a5222c8c0306cd62575f7f9279f7ca6093Nick Kralevichneverallowxperm * devpts:chr_file ioctl TIOCSTI; 30207c3a5a5222c8c0306cd62575f7f9279f7ca6093Nick Kralevich 303b8b4f5d649fb80adbad1e5f2329afc4f8e691816Nick Kralevich# Do not allow any domain other than init to create unlabeled files. 30487dd195b783ffa9fef0527ec79254886df0fa4dfJeff Vander Stoepneverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 305cb23ca92f303fca6bb0f48a1beb384e220afe39eStephen Smalley 306b59dc27a1b580a13c50477d2af1cbdaf95601d8fNick Kralevich# Limit device node creation to these whitelisted domains. 
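# Only kernel, init, ueventd and vold may create device nodes (CAP_MKNOD).
neverallow {
  domain
  -kernel
  -init
  -ueventd
  -vold
} self:global_capability_class_set mknod;

# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
# userdebug_or_eng(`-domain') removes every domain from the source set on
# debug builds, so this rule is only asserted on user builds.
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -init
  -recovery
  -ueventd
  -healthd
  -uncrypt
  -tee
} self:global_capability_class_set sys_rawio;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow * self:global_capability2_class_set mac_override;

# Disallow attempts to set contexts not defined in current policy
# This helps guarantee that unknown or dangerous contexts will not ever
# be set.
neverallow * self:global_capability2_class_set mac_admin;

# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
neverallow * kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
# Unlike setenforce above, checkreqprot may still be toggled from the kernel
# domain (i.e. by init before its setcon); every other domain is denied.
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only init, ueventd, shell and system_server should be able to access HW RNG
neverallow {
  domain
  -init
  -shell # For CTS and is restricted to getattr in shell.te
  -system_server
  -ueventd
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
  domain
  -init
  -shell # stat of /dev, getattr only
  -vendor_init
  -ueventd
} keychord_device:chr_file *;
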
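# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow {
  domain
  -shell # For CTS and is restricted to getattr in shell.te
  -ueventd # Further restricted in ueventd.te
} kmem_device:chr_file *;
# Even the domains exempted above get nothing beyond node management:
# ~{ ... } denies every permission not listed, so no domain may read,
# write, open or ioctl the node.
neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };

# Ensure that nothing in userspace can access /dev/port
neverallow {
  domain
  -shell # Shell user should not have any abilities outside of getattr
  -ueventd
} port_device:chr_file *;
# As for kmem_device: shell and ueventd are limited to node management only.
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };

# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;

# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
neverallow * vendor_init:binder *;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow * *:{ blk_file chr_file } rename;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow {
  domain
  -kernel
  -init
  -recovery
  -vold
  -zygote
  -update_engine
  -otapreopt_chroot
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
#
neverallow {
  domain
  -appdomain
  with_asan(`-asan_extract')
  -dumpstate
  -shell
  userdebug_or_eng(`-su')
  -webview_zygote
  -zygote
  userdebug_or_eng(`-mediaextractor')
} {
  file_type
  -system_file
  -vendor_file_type
  -exec_type
  -postinstall_file
}:file execute;

neverallow {
  domain
  -appdomain # for oemfs
  -bootanim # for oemfs
  -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

# Files from cache should never be executed
neverallow domain {
  cache_file
  cache_backup_file
  cache_private_backup_file
  cache_recovery_file
}:file execute;

# Protect most domains from executing arbitrary content from /data.
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;

# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;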
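# Only init may write the property backing files; no domain may execute them.
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };

# Nobody should be doing writes to /system & /vendor
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
neverallow {
  domain
  with_asan(`-asan_extract')
} {
  system_file
  vendor_file_type
  exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };

# relabelto is asserted separately so that the kernel domain can be exempted.
neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;

# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;

# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * { fs_type -contextmount_type }:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow * contextmount_type:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager add;
neverallow * default_android_vndservice:service_manager { add find };
neverallow * default_android_hwservice:hwservice_manager { add find };

# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offers such lookups only to make it so that security
# decisions are expressed in SELinux policy. However, it's unclear whether this
# lookup has security implications. If it doesn't, hwservicemanager should be
# modified to not offer this lookup.
# This rule can be removed if hwservicemanager is modified to not permit these
# lookups.
neverallow * hidl_base_hwservice:hwservice_manager find;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow { domain -init -vendor_init } mmc_prop:property_service set;

# Tighter variants for builds where vendor_init gets its own exported_* types.
compatible_property_only(`
  neverallow { domain -init } default_prop:property_service set;
  neverallow { domain -init } mmc_prop:property_service set;
  neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
  neverallow { domain -init } exported_secure_prop:property_service set;
  neverallow { domain -init } exported2_default_prop:property_service set;
  neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
  neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
')

# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

compatible_property_only(`
  neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
  neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
')

# Do not allow reading device's serial number from system properties except from
# a few whitelisted domains.
neverallow {
  domain
  -adbd
  -dumpstate
  -hal_drm_server
  -hal_cas_server
  -init
  -mediadrmserver
  -recovery
  -shell
  -system_server
  -vendor_init
} serialno_prop:file r_file_perms;

# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

# Access to the FRP block device is limited to these domains.
neverallow {
  domain
  -init
  -recovery
  -system_server
  -shell # Shell is further restricted in shell.te
  -ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file no_rw_file_perms;

# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow {
  domain
  -init
  -recovery
  -vold
  -e2fs
  -fsck
} metadata_block_device:blk_file { append link rename write open read ioctl lock };

# No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };

# No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };

# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
  domain
  userdebug_or_eng(`-domain') # exclude debuggable builds
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vold
  -recovery
  -ueventd
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;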
624e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenenneverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 625e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenenneverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 6263c77d4d1c113282315fbccf696298e04f99a20b4Nick Kralevich 627f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core 628f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin# domain apps need this because Android framework offers many of its services to apps as Binder 629f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin# services. 630f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubinfull_treble_only(` 631f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin neverallow { 632f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin domain 633f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin -coredomain 634f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin -appdomain 635f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 636f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin } binder_device:chr_file rw_file_perms; 6377636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 6387636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 639f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin neverallow { 640f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin domain 641f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin -coredomain 6420052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -appdomain # restrictions for vendor apps are declared lower down 6430052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 6440052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin } service_manager_type:service_manager find; 
6457636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 6467636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 6470052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin # Vendor apps are permited to use only stable public services. If they were to use arbitrary 6480052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin # services which can change any time framework/core is updated, breakage is likely. 6490052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin neverallow { 6500052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin appdomain 6510052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -coredomain 6520052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin } { 6530052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin service_manager_type 6540052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -app_api_service 6550052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -ephemeral_app_api_service 6560052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed 6570052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -cameraserver_service 6580052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -drmserver_service 6590052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -keystore_service 6600052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -mediadrmserver_service 6610052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -mediaextractor_service 6620052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -mediametrics_service 6630052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -mediaserver_service 6640052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -nfc_service 6650052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -radio_service 66652276383944a298fa5e10175cfc6509fbb76647fDaniel Nicoara -virtual_touchpad_service 66752276383944a298fa5e10175cfc6509fbb76647fDaniel Nicoara -vr_hwc_service 6680052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -vr_manager_service 
6690052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin }:service_manager find; 6707636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 6717636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 6720052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin neverallow { 6730052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin domain 6740052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -coredomain 675f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin -appdomain 676f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 677f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin } servicemanager:binder { call transfer }; 6780052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin') 6794a478c47f464f0f49f8802b3f49d03744450ac15Jeff Vander Stoep 68000657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. 68100657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubinfull_treble_only(` 68200657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin neverallow { 68300657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin coredomain 68400657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin -shell 68500657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin userdebug_or_eng(`-su') 68600657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin -ueventd # uevent is granted create for this device, but we still neverallow I/O below 68700657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin } vndbinder_device:chr_file rw_file_perms; 6887636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 6897636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 69000657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; 6917636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 6927636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 
69300657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin neverallow { 69400657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin coredomain 69500657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin -shell 69600657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin userdebug_or_eng(`-su') 69700657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin } vndservice_manager_type:service_manager *; 6987636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 6997636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 70000657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin neverallow { 70100657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin coredomain 70200657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin -shell 70300657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin userdebug_or_eng(`-su') 70400657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin } vndservicemanager:binder *; 70500657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin') 70600657834b8a0200f9000a81237b7f45d6ea966d9Alex Klyubin 7072746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin# On full TREBLE devices, socket communications between core components and vendor components are 7082746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin# not permitted. 7092746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin # Most general rules first, more specific rules below. 7102746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin 7112746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin # Core domains are not permitted to initiate communications to vendor domain sockets. 7122746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin # We are not restricting the use of already established sockets because it is fine for a process 7132746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin # to obtain an already established socket via some public/official/stable API and then exchange 7142746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin # data with its peer over that socket. 
The wire format in this scenario is dictated by the API 7152746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin # and thus does not break the core-vendor separation. 716bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoepfull_treble_only(` 7172746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin neverallow_establish_socket_comms({ 7182746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin coredomain 7192746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -init 7202746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -adbd 7212746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin }, { 7222746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin domain 7232746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -coredomain 7242746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -socket_between_core_and_vendor_violators 7252746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin }); 726bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoep') 7272746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin # Vendor domains are not permitted to initiate communications to core domain sockets. 728bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoepfull_treble_only(` 7292746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin neverallow_establish_socket_comms({ 7302746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin domain 7312746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -coredomain 7322746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -appdomain 7332746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -socket_between_core_and_vendor_violators 7342746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin }, { 7352746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin coredomain 7362746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -logd # Logging by writing to the logd Unix domain socket is public API 7372746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -netd # netdomain needs this 7382746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -mdnsd # netdomain needs this 
7392746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds 7402746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -init 7412746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services 7422746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services 7432746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin }); 744bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoep') 7452746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin 7462746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets 747bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoepfull_treble_only(` 7482746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin neverallow_establish_socket_comms({ 7492746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin domain 7502746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -coredomain 7512746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -netdomain 7522746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin -socket_between_core_and_vendor_violators 7532746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin }, netd); 754bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoep') 7552f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin 7562f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin # Vendor domains are not permitted to initiate create/open sockets owned by core domains 757bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoepfull_treble_only(` 7582f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin neverallow { 7592f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin domain 7602f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -coredomain 
7612f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -appdomain # appdomain restrictions below 762bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoep -data_between_core_and_vendor_violators # b/70393317 7632f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -socket_between_core_and_vendor_violators 76470e8f4214f7899bf8df47dc4fa961bedc88e636fTom Cherry -vendor_init 7652f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin } { 7662f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin coredomain_socket 7672f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin core_data_file_type 7682f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin unlabeled # used only by core domains 7692f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin }:sock_file ~{ append getattr ioctl read write }; 770bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoep') 771bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoepfull_treble_only(` 7722f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin neverallow { 7732f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin appdomain 7742f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -coredomain 7752f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin } { 7762f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin coredomain_socket 7772f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin unlabeled # used only by core domains 7782f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin core_data_file_type 7792f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -app_data_file 78041daa7f859be06a49e4770a1f1d33b0d3070fa5aAlex Vakulenko -pdx_endpoint_socket_type # used by VR layer 78141daa7f859be06a49e4770a1f1d33b0d3070fa5aAlex Vakulenko -pdx_channel_socket_type # used by VR layer 7822f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin }:sock_file ~{ append getattr ioctl read write }; 783bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoep') 7842f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin 7852f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin # Core 
domains are not permitted to create/open sockets owned by vendor domains 786bdd454792d52719f3b8b1fe8c3fd08cb13a393f1Jeff Vander Stoepfull_treble_only(` 7872f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin neverallow { 7882f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin coredomain 7892f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -init 7902f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -ueventd 7912f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -socket_between_core_and_vendor_violators 7922f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin } { 7932f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin file_type 7942f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin dev_type 7952f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -coredomain_socket 7962f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -core_data_file_type 7972f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin -unlabeled 7982f6151ea445f9fab01296bf740c6714a371313b0Alex Klyubin }:sock_file ~{ append getattr ioctl read write }; 7992746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin') 8002746ae6822820ce8d3c74c510203a3a0c6ab543dAlex Klyubin 801d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep# On TREBLE devices, vendor and system components are only allowed to share 802d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep# files by passing open FDs over hwbinder. Ban all directory access and all file 803d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep# accesses other than what can be applied to an open FD such as 804d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep# ioctl/stat/read/write/append. This is enforced by segregating /data. 805d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep# Vendor domains may directly access file in /data/vendor by path, but may only 806d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep# access files outside of /data/vendor via an open FD passed over hwbinder. 
807d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep# Likewise, core domains may only directly access files outside /data/vendor by 808d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep# path and files in /data/vendor by open FD. 809d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoepfull_treble_only(` 810d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep # coredomains may only open/create data files labeled core_data_file_type; in particular not 811d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep # /data/vendor, which they may reach only through an already-open FD 812d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep neverallow { 813d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep coredomain 814d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -appdomain # TODO(b/34980020) remove exemption for appdomain 815d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -data_between_core_and_vendor_violators 816d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -init 8176116daa71a226dc848978717064b805272801ff4Andreas Huber -vold_prepare_subdirs 818d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep } { 819d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep data_file_type 820d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -core_data_file_type 821d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep }:file_class_set ~{ append getattr ioctl read write }; 8227636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 8237636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 824d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep neverallow { 825d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep coredomain 826d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -appdomain # TODO(b/34980020) remove exemption for appdomain 827d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -data_between_core_and_vendor_violators 828d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -init 
8296116daa71a226dc848978717064b805272801ff4Andreas Huber -vold_prepare_subdirs 830d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep } { 831d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep data_file_type 832d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -core_data_file_type 833d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep # TODO(b/72998741) Remove exemption. Further restricted in a subsequent 834d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep # neverallow. Currently only getattr and search are allowed. 835d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep -vendor_data_file 836d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep }:dir *; 837d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep 838d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep') 839d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoepfull_treble_only(` 840d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep # vendor domains may only access files in /data/vendor, never core_data_file_types 841d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep neverallow { 842d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep domain 843d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -appdomain # TODO(b/34980020) remove exemption for appdomain 844d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -coredomain 845d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 84618a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -vendor_init 847d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep } { 848d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep core_data_file_type 849d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep # libc includes functions like mktime and localtime which attempt to access 850d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep # files in 
/data/misc/zoneinfo (the tzdata file). These functions are considered 851d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep # vndk-stable and thus must be allowed for all processes. 852d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -zoneinfo_data_file 85318a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry }:file_class_set ~{ append getattr ioctl read write }; 85418a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry neverallow { 85518a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry vendor_init 85618a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -data_between_core_and_vendor_violators 85718a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry } { 85818a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry core_data_file_type 85918a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -unencrypted_data_file 86018a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -zoneinfo_data_file 86118a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry }:file_class_set ~{ append getattr ioctl read write }; 86218a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 86318a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry # The vendor init binary lives on the system partition, so there is no stability concern. 
86418a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry neverallow vendor_init unencrypted_data_file:file ~r_file_perms; 865d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep') 866d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoepfull_treble_only(` 867d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep # vendor domains may only access dirs in /data/vendor, never core_data_file_types 868d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep neverallow { 869d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep domain 870d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -appdomain # TODO(b/34980020) remove exemption for appdomain 871d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -coredomain 872d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -data_between_core_and_vendor_violators 87318a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -vendor_init 87418a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry } { 87518a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry core_data_file_type 87618a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -system_data_file # default label for files on /data. Covered below... 
87718a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -vendor_data_file 87818a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -zoneinfo_data_file 87918a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry }:dir *; 88018a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry neverallow { 88118a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry vendor_init 88218a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -data_between_core_and_vendor_violators 88318a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry } { 88418a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry core_data_file_type 88518a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -unencrypted_data_file 88618a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -system_data_file 88718a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -vendor_data_file 88818a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry -zoneinfo_data_file 88918a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry }:dir *; 89018a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 89118a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry # The vendor init binary lives on the system partition so there is not a concern with stability. 
89218a284405f519ae49898031a4bea70e5e2d2fdacTom Cherry neverallow vendor_init unencrypted_data_file:dir ~search; 893d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep') 894d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoepfull_treble_only(` 895d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep # vendor domains may only getattr/search system_data_file dirs (exempted from the rule above); all other dir access is banned 896d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep neverallow { 897d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep domain 898d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -appdomain # TODO(b/34980020) remove exemption for appdomain 899d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -coredomain 900d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 901d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep } { 902d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep system_data_file # default label for files on /data 903d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep }:dir ~{ getattr search }; 904d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep') 905d4785c37073b8d87a9caa1a3a053d4c05735751dJeff Vander Stoep 906d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoepfull_treble_only(` 907d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep # coredomains may only getattr/search dirs in /data/vendor. 
908d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep neverallow { 909d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep coredomain 910d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 911d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep -init 912d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep -vold # vold creates per-user storage for both system and vendor 913d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep -vold_prepare_subdirs 914d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep } { 915d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep vendor_data_file # default label for files on /data/vendor{,_ce,_de}. File access covered below 916d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep }:dir ~{ getattr search }; 917d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep') 918d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep 919d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoepfull_treble_only(` 920d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep # coredomains may not open/create files in /data/vendor; only operations on an already-open FD are permitted. 921d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep neverallow { 922d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep coredomain 923d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 924d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep -init 925d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep } { 926d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep vendor_data_file # default label for files on /data/vendor{,_ce,_de}. 
927d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep }:file_class_set ~{ append getattr ioctl read write }; 928d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep') 929d25ccabd24339938b6b3bb93cb3cb96b4aa55958Jeff Vander Stoep 9301b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil# On TREBLE devices, a limited set of files in /vendor are accessible to 9311b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil# only a few whitelisted coredomains to keep system/vendor separation. 9321b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patilfull_treble_only(` 9339075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil # Limit access to /vendor/app 9341b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil neverallow { 9351b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil coredomain 9361b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -appdomain 9371b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -dex2oat 9381b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -idmap 9391b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -init 9401b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -installd 941e40d6760589855f59f30d5c1b5a3d9fa47e9c29bAndreas Gampe userdebug_or_eng(`-perfprofd') 942e843044cc1837e12060cf120edb265b2fc874ab3Andreas Gampe -postinstall_dexopt 9431b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -system_server 9441b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil } vendor_app_file:dir { open read getattr search }; 9457636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 9461b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil 9477636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 9481b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil neverallow { 9491b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil coredomain 9501b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -appdomain 9511b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -dex2oat 9521b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil 
-idmap 9531b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -init 9541b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -installd 955e40d6760589855f59f30d5c1b5a3d9fa47e9c29bAndreas Gampe userdebug_or_eng(`-perfprofd') 956e843044cc1837e12060cf120edb265b2fc874ab3Andreas Gampe -postinstall_dexopt 9571b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil -system_server 95807ddddafd250a4fde0e05d4aa5aac71926f46a10Bowgo Tsai } vendor_app_file:file r_file_perms; 9597636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 9609075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil 9617636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 9629075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil # Limit access to /vendor/overlay 9639075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil neverallow { 9649075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil coredomain 9659075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil -appdomain 9669075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil -idmap 9670ca17178a001df196b9c20ce6e8a072e0bb5e48dSandeep Patil -init 968aeada24741ebf3a93422881d51fd72ba77593a6bJaekyun Seok -installd 9699075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil -system_server 970bacb19b9add0fede8627f8add24669500a0c4bb0Robert Sesek -webview_zygote 9719075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil -zygote 9729075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil } vendor_overlay_file:dir { getattr open read search }; 9737636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 9749075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil 9757636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 9769075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil neverallow { 9779075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil coredomain 9789075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil -appdomain 9799075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil -idmap 9800ca17178a001df196b9c20ce6e8a072e0bb5e48dSandeep 
Patil -init 981aeada24741ebf3a93422881d51fd72ba77593a6bJaekyun Seok -installd 9829075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil -system_server 983bacb19b9add0fede8627f8add24669500a0c4bb0Robert Sesek -webview_zygote 9849075699a28fe0f369427e0c7c07a1034e804ff41Sandeep Patil -zygote 98507ddddafd250a4fde0e05d4aa5aac71926f46a10Bowgo Tsai } vendor_overlay_file:file r_file_perms; 9867636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 987c96bb1ed8ca3eae2d8a681428c3a828cf8865028Sandeep Patil 9887636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 989c96bb1ed8ca3eae2d8a681428c3a828cf8865028Sandeep Patil # Core domains (other than init and shell) are not allowed to execute 990c96bb1ed8ca3eae2d8a681428c3a828cf8865028Sandeep Patil # the vendor shell (vendor_shell_exec) 991c96bb1ed8ca3eae2d8a681428c3a828cf8865028Sandeep Patil neverallow { 992c96bb1ed8ca3eae2d8a681428c3a828cf8865028Sandeep Patil coredomain 993c96bb1ed8ca3eae2d8a681428c3a828cf8865028Sandeep Patil -init 99400ab5d86beef4a70b8ed32240587af08002e56d8Yifan Hong -shell 995c96bb1ed8ca3eae2d8a681428c3a828cf8865028Sandeep Patil } vendor_shell_exec:file { execute execute_no_trans }; 9967636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 9970ca17178a001df196b9c20ce6e8a072e0bb5e48dSandeep Patil 9987636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 9990ca17178a001df196b9c20ce6e8a072e0bb5e48dSandeep Patil # Do not allow vendor components to execute files from system 10000ca17178a001df196b9c20ce6e8a072e0bb5e48dSandeep Patil # except for the ones whitelisted here. 
1001b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil neverallow { 1002b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil domain 1003b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil -coredomain 1004b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil -appdomain 1005b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil -vendor_executes_system_violators 1006621c24cbab278416d8a17eeb26188cc0a3f38418Tom Cherry -vendor_init 1007b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil } { 1008b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil exec_type 1009b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil -vendor_file_type 1010b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil -crash_dump_exec 1011b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil -netutils_wrapper_exec 1012b99676eece98d8fa732dc64dabca4dd2cbbbcac5Sandeep Patil }:file { entrypoint execute execute_no_trans }; 10137636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 1014e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo 10157636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 1016e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo # Do not allow system components to execute files from vendor 1017e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo # except for the ones whitelisted here. 
1018e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo neverallow { 1019e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo coredomain 1020e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo -init 1021bfe51254ee0f4386a07a15e79125891d02936cccTri Vo -shell 1022e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo -system_executes_vendor_violators 1023e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo } { 1024e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo vendor_file_type 1025e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo -same_process_hal_file 1026e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo -vndk_sp_file 1027e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo -vendor_app_file 1028e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo }:file execute; 10297636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoep') 1030e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo 10317636d6071a2381fd21f13304b7dda4432cabc54aJeff Vander Stoepfull_treble_only(` 1032e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo neverallow { 1033e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo coredomain 1034bfe51254ee0f4386a07a15e79125891d02936cccTri Vo -shell 1035e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo -system_executes_vendor_violators 1036e26da71344a2cfe54a4f711b0f01b7984287690dTri Vo } vendor_file_type:file execute_no_trans; 10371b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil') 10381b5f81a2d2fd0a09de75b416c3e995c4b9728192Sandeep Patil 10393c77d4d1c113282315fbccf696298e04f99a20b4Nick Kralevich# Only authorized processes should be writing to files in /data/dalvik-cache 10403c77d4d1c113282315fbccf696298e04f99a20b4Nick Kralevichneverallow { 10413c77d4d1c113282315fbccf696298e04f99a20b4Nick Kralevich domain 10423c77d4d1c113282315fbccf696298e04f99a20b4Nick Kralevich -init # TODO: limit init to relabelfrom for files 10433c77d4d1c113282315fbccf696298e04f99a20b4Nick Kralevich -zygote 10443c77d4d1c113282315fbccf696298e04f99a20b4Nick Kralevich -installd 1045e5d8a947bdde4face86b9387b9024faaeb7724c7Andreas Gampe -postinstall_dexopt 
# (continuation of the dalvikcache_data_file:file neverallow whose opening
# bracket is above this point)
  -cppreopts
  -dex2oat
  -otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;

# Likewise, only the domains excluded below may hold write permissions on
# dalvikcache_data_file directories.
neverallow {
  domain
  -init
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -zygote
  -otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;

# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;

# Same restriction for the webview zygote's socket.
neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote:sock_file write;

# Only the domains excluded below may connect to the tombstoned crash socket.
# Adding an exclusion here widens who can reach tombstoned.
neverallow {
  domain
  -tombstoned
  -crash_dump
  -dumpstate
  -incidentd
  -system_server

  # Processes that can't exec crash_dump
  -mediacodec
  -mediaextractor
} tombstoned_crash_socket:unix_stream_socket connectto;

# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;

# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
neverallow * *:{ shm sem msg msgq } *;

# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;

# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
neverallow * {
  file_type
  -apk_data_file
  -app_data_file
  -asec_public_file
}:file execmod;

# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
neverallow * self:process { execstack execheap };

# prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
# Together with the execmod rule above, this leaves execmod possible only for
# untrusted_app_all, and only on apk_data_file, app_data_file and
# asec_public_file.
neverallow { domain -untrusted_app_all } file_type:file execmod;

# Only init may mount over proc-labeled files and directories.
neverallow { domain -init } proc:{ file dir } mounton;

# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
neverallow ~domain domain:process { transition dyntransition };

#
# Only system_app and system_server should be creating or writing
# their files. The proper way to share files is to setup
# type transitions to a more specific type or assigning a type
# to its parent directory via a file_contexts entry.
# Example type transition:
# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
  domain
  -system_server
  -system_app
  -init
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
  -vold_prepare_subdirs # For unlink
  with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };

# respect system_app sandboxes
neverallow {
  domain
  -appdomain # finer-grained rules for appdomain are listed below
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
  -traced_probes # resolve inodes for i/o tracing.
                 # only needs open and read, the rest is neverallow in
                 # traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow {
  isolated_app
  untrusted_app_all # finer-grained rules for appdomain are listed below
  ephemeral_app
  priv_app
} system_app_data_file:dir_file_class_set { create unlink open };


# Services should respect app sandboxes
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} app_data_file:dir_file_class_set { create unlink };

#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
  domain
  -adbd
  -init
  -runas
  -zygote
} shell:process { transition dyntransition };

# Only domains spawned from zygote and runas may have the appdomain attribute.
neverallow { domain -runas -webview_zygote -zygote } {
  appdomain -shell userdebug_or_eng(`-su')
}:process { transition dyntransition };

# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
neverallow {
  domain
  -appdomain
  -installd
  -uncrypt # TODO: see if we can remove
} app_data_file:lnk_file read;

neverallow {
  domain
  -shell
  userdebug_or_eng(`-uncrypt')
  -installd
} shell_data_file:lnk_file read;

# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-whitelisted domains should
# not be trusting any content in those directories.
neverallow {
  domain
  -adbd
  -dumpstate
  -installd
  -init
  -shell
  -vold
} shell_data_file:dir no_w_dir_perms;

neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -init
  -installd
  -system_server # why?
  userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };

# Same as above for /data/local/tmp files. We allow shell files
# to be passed around by file descriptor, but not directly opened.
neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -installd
  userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;

# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
  servicemanager
  vndservicemanager
}:service_manager list;

# hwservicemanager is the only process which handles hw list requests
neverallow * ~{
  hwservicemanager
}:hwservice_manager list;

# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };

# Prevent assigning non property types to properties
# TODO - rework this: neverallow * ~property_type:property_service set;

# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
# executable file used to enter a domain should be labeled
# with its own _exec type, not with the domain type.
# Conventionally, this looks something like:
# $ cat mydaemon.te
# type mydaemon, domain;
# type mydaemon_exec, exec_type, file_type;
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
neverallow * domain:file { execute execute_no_trans entrypoint };

# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix system_server and dumpstate
neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;

# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
  domain
  -installd
  -profman
} profman_exec:file no_x_file_perms;

# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
neverallow * ~{ system_file vendor_file rootfs }:system module_load;

# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
neverallow * self:global_capability_class_set setfcap;

# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;

# Do not permit non-core domains to register HwBinder services which are
# guaranteed to be provided by core domains only.
neverallow ~coredomain coredomain_hwservice:hwservice_manager add;

# Do not permit the registration of HwBinder services which are guaranteed to
# be passthrough only (i.e., run in the process of their clients instead of a
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;

# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -bootanim
    -crash_dump
    -init
    -kernel
    -perfprofd
    -ueventd
  } vendor_file:file { no_w_file_perms no_x_file_perms open };
')

# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
neverallow {
  domain
  -dnsmasq
  -dumpstate
  -init
  -installd
  -install_recovery
  -lmkd
  -netd
  -perfprofd
  -postinstall_dexopt
  -recovery
  -sdcardd
  -tee
  -ueventd
  -uncrypt
  -vendor_init
  -vold
  -vold_prepare_subdirs
  -zygote
} self:capability dac_override;
# dac_read_search is tighter still: only traced_probes is excluded.
neverallow { domain -traced_probes } self:capability dac_read_search;

# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.

# These filesystems don't allow files or directories to be created, so the permission
# to do so should never be granted.
neverallow domain {
  proc_type
  sysfs_type
}:dir { add_name create link remove_name rename reparent rmdir write };

# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;

dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;

# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
userdebug_or_eng(`
  dontaudit domain proc_type:dir add_name;
  dontaudit domain sysfs_type:dir add_name;
  dontaudit domain proc_type:file create;
  dontaudit domain sysfs_type:file create;
')

# Platform must not have access to /mnt/vendor.
neverallow {
  coredomain
  -init
} mnt_vendor_file:dir *;