domain.te revision 712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2
# Rules for all domains.
#
# Every rule in this file is granted to the "domain" attribute, i.e. to every
# process type on the device, so each line here widens the baseline of all
# confined domains at once.

# Let init reap any child process.
allow domain init:process sigchld;

# Read access to the properties mapping: use the descriptor owned by the
# kernel domain and read/stat the tmpfs-backed file behind it.
allow domain kernel:fd use;
allow domain tmpfs:file { getattr read };

# Search the /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;

# Intra-domain accesses.
# All process permissions on itself except execstack, execheap and ptrace;
# those are excluded here and have to be granted per domain where needed.
allow domain self:process ~{ execstack execheap ptrace };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ file fifo_file } rw_file_perms;
# Full permission set on the domain's own unix sockets.
allow domain self:{ unix_stream_socket unix_dgram_socket } *;

# Use file descriptors inherited from, or passed by, init and system_server.
allow domain { init system_server }:fd use;

# Connect to adbd and use a socket transferred from it.
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { connectto getattr read write shutdown };

###
### Talk to debuggerd.
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;
# b/9858255 - debuggerd sockets are not getting properly labeled, so the
# connect apparently hits an init-labeled socket instead.
# TODO: Remove this temporary workaround once the sockets are labeled.
allow domain init:unix_stream_socket connectto;

# Root fs: read-only traversal of / plus its files and symlinks.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:{ file lnk_file } r_file_perms;

# Device accesses.
# Directory search (no listing) on the device directories.
allow domain { device devpts socket_device log_device }:dir search;
allow domain device:file read;
allow domain dev_type:lnk_file r_file_perms;

# Character devices every domain may open read-write.  Note that this
# includes random and urandom, so any domain can also write to the pool.
allow domain {
    owntty_device
    null_device
    ashmem_device
    binder_device
    ptmx_device
    powervr_device
    log_device
    urandom_device
    random_device
}:chr_file rw_file_perms;

# Character devices that are read-only for every domain.
allow domain { zero_device alarm_device }:chr_file r_file_perms;

# Property files under the properties device.
allow domain properties_device:file r_file_perms;

# Filesystem accesses.
# Stat any filesystem and its root directory.
allow domain fs_type:{ filesystem dir } getattr;

# System file accesses: /system is readable and executable by every domain.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file { r_file_perms execute };
allow domain system_file:lnk_file r_file_perms;

# Read files already opened under /data.  Directories may be searched and
# stat'ed but not listed (no dir read).
allow domain system_data_file:dir { getattr search };
allow domain system_data_file:file { read getattr };
allow domain system_data_file:lnk_file r_file_perms;

# Read apk files under /data/app.
allow domain apk_data_file:dir { search getattr };
allow domain apk_data_file:file r_file_perms;

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { getattr search };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { read getattr };
allow domain cache_file:lnk_file r_file_perms;

# Read timezone related information.
r_dir_file(domain, zoneinfo_data_file)

# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)

# cgroup is additionally writable so that /acct/uid/*/tasks can be written.
allow domain cgroup:dir { write search };
allow domain cgroup:file w_file_perms;

# Allow access to the ion memory allocation device.
allow domain ion_device:chr_file rw_file_perms;

# debugfs access: directories readable, files writable, for every domain.
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file w_file_perms;

# Get SELinux enforcing status.
selinux_getenforce(domain)

# security files: search and stat only.
allow domain security_file:dir { getattr search };
allow domain security_file:file getattr;

######## Backwards compatibility - Unlabeled files ############

# Revert to DAC rules when looking at unlabeled files. Over time, the number
# of unlabeled files should decrease.
# TODO: delete these rules in the future.
#
# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
# capability, it's essentially useless. This is needed to allow an app with
# relabelto to relabel unlabeled files.
#
allow domain unlabeled:dir { create_dir_perms relabelfrom };
allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
allow domain unlabeled:lnk_file { create_file_perms };
# relabelto is the gate: only relabeltodomain may ever assign a new label.
neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;

###
### neverallow rules
###
### Build-time assertions: policy compilation fails if any allow rule
### anywhere grants one of the permissions below to the named domains.
###

# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow { domain -kernel } kernel:security setenforce;

# HW RNG: only init, ueventd, system_server and unconfined domains may
# access it.
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem.
# The exempted domains are still limited to creating, relabeling, unlinking
# and setting attributes on the node; no domain may read or write it.
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } { usermodehelper proc_security }:file { append write };

# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;