domain.te revision 5aebe5123c6e78a36fecfb8873aacd53e0989eaa
# Rules for all domains.

# Allow reaping by init.
allow domain init:process sigchld;

# Intra-domain accesses.
allow domain self:process {
  fork
  sigchld
  sigkill
  sigstop
  signull
  signal
  getsched
  setsched
  getsession
  getpgid
  setpgid
  getcap
  setcap
  getattr
  setrlimit
};
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net:dir search;
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
allow domain init:fd use;

userdebug_or_eng(`
  # Same as adbd rules above, except allow su to do the same thing
  allow domain su:unix_stream_socket connectto;
  allow domain su:fd use;
  allow domain su:unix_stream_socket { getattr getopt read write shutdown };

  allow { domain -init } su:binder { call transfer };
  allow { domain -init } su:fd use;

  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  allow domain su:process sigchld;

  # Allow writing coredumps to /cores/*
  allow domain coredump_file:file create_file_perms;
  allow domain coredump_file:dir ra_dir_perms;
')

# Root fs.
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
# /dev/binder can be accessed by non-vendor domains and by apps
allow {
  coredomain
  appdomain
  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  -hwservicemanager
} binder_device:chr_file rw_file_perms;
# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file r_file_perms;

# For now, everyone can access core property files
# Device specific properties are not granted by default
get_prop(domain, core_property_type)
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
dontaudit domain property_type:file audit_access;
allow domain property_contexts_file:file r_file_perms;

allow domain init:key search;
allow domain vold:key search;

# logd access
write_logd(domain)

# System file accesses.
allow domain system_file:dir { search getattr };
allow domain system_file:file { execute read open getattr };
allow domain system_file:lnk_file { getattr read };

# read any sysfs symlinks
allow domain sysfs:lnk_file read;

# libc references /data/misc/zoneinfo for timezone related information
# This directory is considered to be VNDK-stable
r_dir_file(domain, zoneinfo_data_file)

# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)

r_dir_file(domain, sysfs_usb);

# files under /data.
not_full_treble(`allow domain system_data_file:dir getattr;')
allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_file. Vendor components need the search
# permission on system_data_file for path traversal to /data/vendor.
allow domain system_data_file:dir search;

# required by the dynamic linker
allow domain proc:lnk_file { getattr read };

# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;

# jemalloc needs to read /proc/sys/vm/overcommit_memory
allow domain proc_overcommit_memory:file r_file_perms;

# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file r_file_perms;

# toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;

# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_trace_marker:file w_file_perms;

# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to a whitelist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this whitelist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default whitelist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
  ioctl unpriv_unix_sock_ioctls;

# Restrict PTYs to only whitelisted ioctls.
# Note that granting this whitelist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

###
### neverallow rules
###

# All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };

# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * devpts:chr_file ioctl TIOCSTI;

# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit device node creation to these whitelisted domains.
neverallow {
  domain
  -kernel
  -init
  -ueventd
  -vold
} self:capability mknod;

# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -init
  -recovery
  -ueventd
  -healthd
  -uncrypt
  -tee
} self:capability sys_rawio;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow * self:capability2 mac_override;

# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;

# Once the policy has been loaded, nothing may modify the policy.
# It is sealed.
neverallow * kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only init, ueventd, shell and system_server should be able to access HW RNG
neverallow {
  domain
  -init
  -shell # For CTS and is restricted to getattr in shell.te
  -system_server
  -ueventd
} hw_random_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow {
  domain
  -shell # For CTS and is restricted to getattr in shell.te
  -ueventd # Further restricted in ueventd.te
} kmem_device:chr_file *;
neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };

# Ensure that nothing in userspace can access /dev/port
neverallow {
  domain
  -shell # Shell user should not have any abilities outside of getattr
  -ueventd
} port_device:chr_file *;
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append open read write };

# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;

# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow * *:{ blk_file chr_file } rename;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
#
neverallow {
  domain
  -appdomain
  -dumpstate
  -shell
  userdebug_or_eng(`-su')
  -system_server
  -webview_zygote
  -zygote
} { file_type -system_file -exec_type -postinstall_file }:file execute;
neverallow {
  domain
  -appdomain # for oemfs
  -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;

# Protect most domains from executing arbitrary content from /data.
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;

neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };

# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
  { create write setattr relabelfrom append unlink link rename };
neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;

# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
neverallow { domain -init } system_file:dir_file_class_set mounton;

# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow { domain -recovery } contextmount_type:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Do not allow service_manager add for default_android_service.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in service.te and new mappings
# from service name to service_type are defined in service_contexts.
neverallow * default_android_service:service_manager add;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;

# Do not allow reading the device's serial number from system properties except from
# a few whitelisted domains.
neverallow {
  domain
  -adbd
  -dumpstate
  -hal_drm
  -init
  -mediadrmserver
  -recovery
  -shell
  -system_server
} serialno_prop:file r_file_perms;

# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;

neverallow {
  domain
  -init
  -recovery
  -system_server
  -shell # Shell is further restricted in shell.te
  -ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file no_rw_file_perms;

# The metadata block device is set aside for device encryption and
3995207ca6af4eca8d41d16b4017f25ba4cf3420a99Nick Kralevich# verified boot metadata. It may be reset at will and should not 4005207ca6af4eca8d41d16b4017f25ba4cf3420a99Nick Kralevich# be used by other domains. 4015207ca6af4eca8d41d16b4017f25ba4cf3420a99Nick Kralevichneverallow { domain -init -recovery -vold } metadata_block_device:blk_file 4025207ca6af4eca8d41d16b4017f25ba4cf3420a99Nick Kralevich { append link rename write open read ioctl lock }; 4035207ca6af4eca8d41d16b4017f25ba4cf3420a99Nick Kralevich 404a10f789d286d0f28c85488629cc92f5ab6ca8e00David Zeuthen# No domain other than recovery and update_engine can write to system partition(s). 405a10f789d286d0f28c85488629cc92f5ab6ca8e00David Zeuthenneverallow { domain -recovery -update_engine } system_block_device:blk_file write; 406206b1a6c45f1bae25906018d9c5d968330106826Stephen Smalley 407206b1a6c45f1bae25906018d9c5d968330106826Stephen Smalley# No domains other than install_recovery or recovery can write to recovery. 408206b1a6c45f1bae25906018d9c5d968330106826Stephen Smalleyneverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write; 40910ecd05df39b25f4b504f795adafae5f45084a59dcashman 4102c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich# No domains other than a select few can access the misc_block_device. This 4112c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich# block device is reserved for OTA use. 4122c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich# Do not assert this rule on userdebug/eng builds, due to some devices using 4132c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich# this partition for testing purposes. 
4142c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevichneverallow { 4152c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich domain 4162c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich userdebug_or_eng(`-domain') # exclude debuggable builds 4172c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich -init 4182c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich -uncrypt 4192c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich -update_engine 4202c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich -vold 4212c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich -recovery 422d41ad551189c1b7be26a1807980418858b2a132eMihai Serban -ueventd 4232c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; 4242c7a5f26b96dc35310727b8e63c18445778dbbaaNick Kralevich 425e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenen# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager 426e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenenneverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; 4276b952393f67a50db69ad7c450de852c68a6fb9b9Martijn Coenen# The service managers are only allowed to access their own device node 4286b952393f67a50db69ad7c450de852c68a6fb9b9Martijn Coenenneverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; 429e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenenneverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; 4306b952393f67a50db69ad7c450de852c68a6fb9b9Martijn Coenenneverallow hwservicemanager binder_device:chr_file no_rw_file_perms; 431e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenenneverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; 432e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenenneverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 433e7d8f4c3c803038800ac0a5738a0a3d1f4415667Martijn Coenenneverallow 
vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 4343c77d4d1c113282315fbccf696298e04f99a20b4Nick Kralevich 435f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core 436f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin# domain apps need this because Android framework offers many of its services to apps as Binder 437f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin# services. 438f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubinfull_treble_only(` 439f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin neverallow { 440f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin domain 441f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin -coredomain 442f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin -appdomain 443f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 444f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin } binder_device:chr_file rw_file_perms; 445f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin neverallow { 446f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin domain 447f5446eb1486816c00136b2b5f0a3cc4a01706000Alex Klyubin -coredomain 4480052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -appdomain # restrictions for vendor apps are declared lower down 4490052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 4500052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin } service_manager_type:service_manager find; 4510052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin # Vendor apps are permited to use only stable public services. If they were to use arbitrary 4520052bc69def316eaeadcbcfb3aa6d7e589b42340Alex Klyubin # services which can change any time framework/core is updated, breakage is likely. 
    neverallow {
        appdomain
        -coredomain
    } {
        service_manager_type
        -app_api_service
        -ephemeral_app_api_service
        -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
        -cameraserver_service
        -drmserver_service
        -keystore_service
        -mediacasserver_service
        -mediadrmserver_service
        -mediaextractor_service
        -mediametrics_service
        -mediaserver_service
        -nfc_service
        -radio_service
        -surfaceflinger_service
        -vr_manager_service
    }:service_manager find;
    neverallow {
        domain
        -coredomain
        -appdomain
        -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
    } servicemanager:binder { call transfer };
')

##
# On full TREBLE devices core android components and vendor components may
# not directly access each other's data types. All communication must occur
# over HW binder. Open file descriptors may be passed and read/write/stat
# operations may be performed on those FDs. Disallow all other operations.
full_treble_only(`
    # do not allow vendor component access to coredomains data types
    neverallow {
        domain
        -coredomain
        -appdomain
        -coredata_in_vendor_violators
    } {
        core_data_file_type
        -zoneinfo_data_file # VNDK stable API provided by libc
    }:{
        file_class_set
    } ~{ append getattr ioctl read write };
    # do not allow vendor component access to coredomains data directories.
    # /data has the system_data_file type. Allow all domains to have dir
    # search permissions which allows path traversal.
    neverallow {
        domain
        -coredomain
        -appdomain
        -coredata_in_vendor_violators
    } {
        core_data_file_type
        -system_data_file
        -zoneinfo_data_file # VNDK stable API provided by libc
    }:dir *;
    neverallow {
        domain
        -coredomain
        -appdomain
        -coredata_in_vendor_violators
    } system_data_file:dir ~search;
')

# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
full_treble_only(`
    # Most general rules first, more specific rules below.

    # Core domains are not permitted to initiate communications to vendor domain sockets.
    # We are not restricting the use of already established sockets because it is fine for a process
    # to obtain an already established socket via some public/official/stable API and then exchange
    # data with its peer over that socket. The wire format in this scenario is dictated by the API
    # and thus does not break the core-vendor separation.
    neverallow_establish_socket_comms({
        coredomain
        -init
        -adbd
    }, {
        domain
        -coredomain
        -socket_between_core_and_vendor_violators
    });
    # Vendor domains are not permitted to initiate communications to core domain sockets
    neverallow_establish_socket_comms({
        domain
        -coredomain
        -appdomain
        -socket_between_core_and_vendor_violators
    }, {
        coredomain
        -logd # Logging by writing to logd Unix domain socket is public API
        -netd # netdomain needs this
        -mdnsd # netdomain needs this
        userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
        -init
        -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
        -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
    });

    # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
    neverallow_establish_socket_comms({
        domain
        -coredomain
        -netdomain
        -socket_between_core_and_vendor_violators
    }, netd);
')

# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
    domain
    -init # TODO: limit init to relabelfrom for files
    -zygote
    -installd
    -postinstall_dexopt
    -cppreopts
    -dex2oat
    -otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;

neverallow {
    domain
    -init
    -installd
    -postinstall_dexopt
    -cppreopts
    -dex2oat
    -zygote
    -otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;

# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;

neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote_socket:sock_file write;

neverallow {
    domain
    -tombstoned
    -crash_dump
    -dumpstate
    -system_server

    # Processes that can't exec crash_dump
    -mediacodec
    -mediaextractor
} tombstoned:unix_stream_socket connectto;
neverallow {
    domain
    -crash_dump
    -mediacodec
    -mediaextractor
} tombstoned_crash_socket:sock_file write;
neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;

# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
neverallow * *:{ shm sem msg msgq } *;

# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;

# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
neverallow * {
    file_type
    -apk_data_file
    -app_data_file
    -asec_public_file
}:file execmod;

# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
neverallow * self:process { execstack execheap };

# prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628
neverallow { domain -untrusted_app_all } file_type:file execmod;

neverallow { domain -init } proc:{ file dir } mounton;

# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
neverallow ~domain domain:process { transition dyntransition };

#
# Only system_app and system_server should be creating or writing
# their files. The proper way to share files is to set up
# type transitions to a more specific type or assign a type
# to its parent directory via a file_contexts entry.
# Example type transition:
#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
    domain
    -system_server
    -system_app
    -init
    -installd # for relabelfrom and unlink, check for this in explicit neverallow
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd
    system_data_file:file ~{ r_file_perms relabelfrom unlink };

# respect system_app sandboxes
neverallow {
    domain
    -appdomain # finer-grained rules for appdomain are listed below
    -system_server # populates com.android.providers.settings/databases/settings.db.
    -installd # creation of app sandbox
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow {
    isolated_app
    untrusted_app_all # finer-grained rules for appdomain are listed below
    ephemeral_app
    priv_app
} system_app_data_file:dir_file_class_set { create unlink open };


# Services should respect app sandboxes
neverallow {
    domain
    -appdomain
    -installd # creation of sandbox
} app_data_file:dir_file_class_set { create unlink };
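The neverallow rules in this file rely on attribute sets, `-` subtraction, the `*` wildcard, `~` complements and `self`; the checker below, added here as an example and not part of domain.te or the AOSP policy toolchain, evaluates a candidate allow rule against a handful of the rules above using exactly those set semantics. The type universe, attribute membership and per-class permission lists are constructed sample data, not the real compiled policy.

```python
import re
from itertools import product

# Constructed sample data for this demonstration (not the real AOSP attribute
# sets): the type universe and the members of each attribute.
TYPES = {"init", "recovery", "vold", "update_engine", "system_server",
         "untrusted_app", "system_block_device", "system_file", "app_data_file"}
ATTRS = {
    "domain": {"init", "recovery", "vold", "update_engine",
               "system_server", "untrusted_app"},
    "appdomain": {"untrusted_app"},
    "untrusted_app_all": {"untrusted_app"},
    "file_type": {"system_file", "app_data_file"},
}
# Per-class permission universe (a subset of the kernel's), needed so that a
# complemented set such as ~{ append read } can be expanded.
PERMS = {
    "blk_file": {"read", "write", "open", "ioctl", "append", "link", "rename", "lock"},
    "file": {"read", "write", "open", "execute", "execute_no_trans", "execmod"},
    "process": {"transition", "dyntransition", "execstack", "execheap", "execmem"},
}

# A few of the neverallow rules from this file, used as the rule set to check against.
NEVERALLOWS = [
    "neverallow { domain -recovery -update_engine } system_block_device:blk_file write;",
    "neverallow * self:process { execstack execheap };",
    "neverallow { domain -untrusted_app_all } file_type:file execmod;",
    "neverallow ~domain domain:process { transition dyntransition };",
]

# kind, source set, target set, class, permission set (one class per rule).
RULE = re.compile(
    r"^(allow|neverallow)\s+(~?\{[^}]*\}|\S+)\s+(~?\{[^}]*\}|[^\s:]+)"
    r":(\w+)\s+(~?\{[^}]*\}|\S+?)\s*;$")


def parse(rule):
    """Parse one rule (multi-line allowed, # comments stripped) into its parts."""
    text = " ".join(line.split("#", 1)[0] for line in rule.splitlines())
    m = RULE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    return m.groups()  # (kind, source_spec, target_spec, class, perm_spec)


def expand(spec, universe, attrs):
    """Expand a set expression: '*', a bare name, '{ a b -c }' (attributes expand
    to their members, '-x' subtracts) and a leading '~' (complement in universe)."""
    spec = spec.strip()
    negate = spec.startswith("~")
    if negate:
        spec = spec[1:].strip()
    if spec == "*":
        result = set(universe)
    else:
        result = set()
        for tok in spec.strip("{}").split():
            name = tok.lstrip("-")
            members = attrs.get(name, {name})
            result = result - members if tok.startswith("-") else result | members
    return universe - result if negate else result


def pairs(src_spec, tgt_spec):
    """(source, target) type pairs a rule covers; 'self' pairs each source with itself."""
    srcs = expand(src_spec, TYPES, ATTRS)
    if tgt_spec == "self":
        return {(s, s) for s in srcs}
    return set(product(srcs, expand(tgt_spec, TYPES, ATTRS)))


def violations(neverallows, allow_rule):
    """Return [(neverallow_rule, offending_pairs, offending_perms)] for a candidate allow rule."""
    _, a_src, a_tgt, a_cls, a_perms = parse(allow_rule)
    found = []
    for never in neverallows:
        _, n_src, n_tgt, n_cls, n_perms = parse(never)
        if n_cls != a_cls:
            continue
        hit_pairs = pairs(a_src, a_tgt) & pairs(n_src, n_tgt)
        hit_perms = expand(a_perms, PERMS[a_cls], {}) & expand(n_perms, PERMS[a_cls], {})
        if hit_pairs and hit_perms:
            found.append((never, sorted(hit_pairs), sorted(hit_perms)))
    return found


if __name__ == "__main__":
    for candidate in ("allow untrusted_app system_block_device:blk_file write;",
                      "allow update_engine system_block_device:blk_file { read write };",
                      "allow vold self:process execstack;",
                      "allow system_file init:process transition;"):
        hits = violations(NEVERALLOWS, candidate)
        print(candidate, "->", "OK" if not hits else hits)
```

The real build runs this check with the full attribute sets inside checkpolicy, which fails the build on any hit; the sample rule set here only shows why a rule such as `neverallow ~domain domain:process { transition dyntransition }` catches transitions from a type that was never given the domain attribute.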

#
# Only these domains should transition to the shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
  domain
  -adbd
  -init
  -runas
  -zygote
} shell:process { transition dyntransition };

# Only domains spawned from zygote and runas may have the appdomain attribute.
neverallow { domain -runas -webview_zygote -zygote } {
  appdomain -shell userdebug_or_eng(`-su') -bluetooth
}:process { transition dyntransition };

# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
neverallow {
  domain
  -appdomain
  -installd
  -uncrypt # TODO: see if we can remove
} app_data_file:lnk_file read;

neverallow {
  domain
  -shell
  userdebug_or_eng(`-uncrypt')
  -installd
} shell_data_file:lnk_file read;

# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-whitelisted domains should
# not be trusting any content in those directories.
neverallow {
  domain
  -adbd
  -dumpstate
  -installd
  -init
  -shell
  -vold
} shell_data_file:dir no_w_dir_perms;

neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -init
  -installd
  -system_server # why?
  userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };

# Same as above for /data/local/tmp files. We allow shell files
# to be passed around by file descriptor, but not directly opened.
neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -installd
  userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;

# servicemanager is the only process which handles list requests
neverallow * ~servicemanager:service_manager list;

# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };

# Prevent assigning non property types to properties
# TODO - rework this: neverallow * ~property_type:property_service set;

# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
# executable file used to enter a domain should be labeled
# with its own _exec type, not with the domain type.
# Conventionally, this looks something like:
# $ cat mydaemon.te
# type mydaemon, domain;
# type mydaemon_exec, exec_type, file_type;
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
neverallow * domain:file { execute execute_no_trans entrypoint };

# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix system_server and dumpstate
neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;

neverallow {
  domain
  -init
  -recovery
  -sdcardd
  -vold
} fuse_device:chr_file open;
neverallow {
  domain
  -dumpstate
  -init
  -priv_app
  -recovery
  -sdcardd
  -shell # Restricted by shell.te to only getattr
  -system_server
  -ueventd
  -vold
} fuse_device:chr_file *;

# Profiles contain untrusted data and profman parses that. It should only run
# from installd-forked processes.
neverallow {
  domain
  -installd
  -profman
} profman_exec:file no_x_file_perms;

# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
neverallow * ~{ system_file rootfs }:system module_load;

# Only allow filesystem caps to be set at build time or
# during upgrade by recovery.
neverallow {
  domain
  -recovery
} self:capability setfcap;

# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;

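The neverallow rules above all rely on the same set syntax: `{ domain -installd -profman }` is an attribute minus explicit exclusions, `~servicemanager` is every type except one, `*` is every type, `self` pairs each source with itself, and the permission side may be a macro, a brace list, or a `~{ ... }` complement. The following Python script is an added example, not AOSP code and not part of domain.te, that evaluates that syntax the way checkpolicy does at build time and reports which allow rules a neverallow rejects. Everything in it is an assumption: the attribute membership, the per-class permission vectors, the simplified `no_x_file_perms` and `r_file_perms` macro definitions, and the sample policy are all constructed, heavily reduced stand-ins for the real policy, and the input is assumed to be post-m4 text (so `userdebug_or_eng()` is already expanded and braces are not nested).

```python
"""Toy evaluator for the neverallow set syntax used in domain.te (added example,
not AOSP code). Attributes, access vectors and perm macros are constructed,
much-reduced stand-ins for the real policy; input is assumed to be post-m4 text."""
import re
from collections import namedtuple

ATTRS = {  # constructed attribute membership
    "domain": {"init", "installd", "profman", "system_server", "recovery",
               "servicemanager", "untrusted_app"},
    "appdomain": {"untrusted_app"},
}
TYPES = frozenset(set().union(*ATTRS.values()) | {"profman_exec", "surfaceflinger_service"})
CLASS_PERMS = {  # reduced access vectors (assumed)
    "file": {"getattr", "read", "open", "write", "execute", "execute_no_trans", "entrypoint"},
    "service_manager": {"add", "find", "list"},
    "capability": {"setfcap", "chown", "net_admin"},
}
PERM_MACROS = {"no_x_file_perms": "{ execute execute_no_trans }",  # simplified definitions
               "r_file_perms": "{ getattr read open }"}

def tokenize(text):
    """Whitespace split that keeps a '{ ... }' group (with any ~/- prefix or :class suffix) as one token."""
    return re.findall(r"[~-]?\{[^}]*\}\S*|\S+", text)

def resolve_types(expr):
    """'*', '~x', '{ a b -c }', attribute or type name -> frozenset of types."""
    if expr == "*":
        return TYPES
    if expr[0] == "~":
        return TYPES - resolve_types(expr[1:])
    if expr[0] == "{":  # union of positives, then remove negatives (order-independent)
        plus, minus = set(), set()
        for tok in tokenize(expr[1:-1]):
            (minus if tok[0] == "-" else plus).update(resolve_types(tok.lstrip("-")))
        return frozenset(plus - minus)
    if expr in ATTRS:
        return frozenset(ATTRS[expr])
    if expr not in TYPES:
        raise ValueError(f"unknown type or attribute: {expr}")
    return frozenset({expr})

def resolve_perms(expr, cls):
    """'*', '~{..}', '{..}', macro or perm name -> frozenset of perms of class cls."""
    universe, expr = frozenset(CLASS_PERMS[cls]), expr.strip()
    if expr == "*":
        return universe
    if expr[0] == "~":
        return universe - resolve_perms(expr[1:], cls)
    if expr[0] == "{":
        return frozenset().union(*(resolve_perms(t, cls) for t in tokenize(expr[1:-1])))
    if expr in PERM_MACROS:
        return resolve_perms(PERM_MACROS[expr], cls)
    if expr not in universe:
        raise ValueError(f"unknown permission {expr} for class {cls}")
    return frozenset({expr})

Rule = namedtuple("Rule", "text kind src tgt cls perms")  # tgt None stands for 'self'

def pairs(rule):
    """(source, target) type pairs a rule covers; 'self' pairs each source with itself."""
    return frozenset((s, t) for s in rule.src for t in ({s} if rule.tgt is None else rule.tgt))

def parse_rule(line):
    body = line.split("#", 1)[0].strip().rstrip(";").strip()
    toks = tokenize(body)
    if len(toks) < 4 or toks[0] not in ("allow", "neverallow"):
        raise ValueError(f"unsupported rule: {body}")
    tgt_expr, cls = toks[2].rsplit(":", 1)
    tgt = None if tgt_expr == "self" else resolve_types(tgt_expr)
    return Rule(body, toks[0], resolve_types(toks[1]), tgt, cls, resolve_perms(" ".join(toks[3:]), cls))

def violations(policy):
    """(neverallow, allow, perms) for every allow rule that some neverallow rejects."""
    rules = [parse_rule(ln) for ln in policy.splitlines() if ln.split("#", 1)[0].strip()]
    found = []
    for never in (r for r in rules if r.kind == "neverallow"):
        for a in (r for r in rules if r.kind == "allow" and r.cls == never.cls):
            perms = a.perms & never.perms
            if perms and pairs(a) & pairs(never):
                found.append((never.text, a.text, sorted(perms)))
    return found

SAMPLE_POLICY = """# constructed sample: domain.te-style neverallows plus candidate allow rules
neverallow { domain -installd -profman } profman_exec:file no_x_file_perms;
neverallow * ~servicemanager:service_manager list;
neverallow { domain -recovery } self:capability setfcap;
neverallow * domain:file { execute execute_no_trans entrypoint };
allow installd profman_exec:file { r_file_perms execute };                 # fine
allow system_server profman_exec:file execute_no_trans;                    # rejected
allow untrusted_app servicemanager:service_manager list;                   # fine
allow untrusted_app surfaceflinger_service:service_manager { find list };  # rejected
allow installd self:capability setfcap;                                    # rejected
allow init init:file execute;                                              # rejected
"""

def demo():
    """Run the checker over the constructed sample (expected: four rejections)."""
    return violations(SAMPLE_POLICY)
```

`demo()` returns the four rejected allow rules, each paired with the neverallow that rejects it and the offending permissions; the two "fine" rules show that an excluded type (`-installd`) and an exempted target (`~servicemanager`) pass. Against the real policy, checkpolicy and the sepolicy build's neverallow checks are the authoritative tool; this script only makes the set semantics visible on a small input.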