domain.te revision 74ddf301a086a829787ed4fd98154a86534cf5d7
# Rules for all domains.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;

# Intra-domain accesses.
allow domain self:process {
  fork
  sigchld
  sigkill
  sigstop
  signull
  signal
  getsched
  setsched
  getsession
  getpgid
  setpgid
  getcap
  setcap
  getattr
  setrlimit
};
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };

userdebug_or_eng(`
  # Same as adbd rules above, except allow su to do the same thing
  allow domain su:unix_stream_socket connectto;
  allow domain su:fd use;
  allow domain su:unix_stream_socket { getattr getopt read write shutdown };

  binder_call({ domain -init }, su)

  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  allow domain su:process sigchld;

  # Allow writing coredumps to /cores/*
  allow domain coredump_file:file create_file_perms;
  allow domain coredump_file:dir ra_dir_perms;
')

###
### Talk to debuggerd.
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:file r_file_perms;
allow domain rootfs:lnk_file r_file_perms;

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;

# logd access
write_logd(domain)

# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file r_file_perms;

# Run toolbox.
# Kernel and init never run anything without changing domains.
allow { domain -kernel -init } toolbox_exec:file rx_file_perms;

# Read files already opened under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file r_file_perms;

# Read apk files under /data/app.
allow domain apk_data_file:dir { getattr search };
allow domain apk_data_file:file r_file_perms;
allow domain apk_data_file:lnk_file r_file_perms;

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file r_file_perms;

# Read timezone related information
r_dir_file(domain, zoneinfo_data_file)

# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

# Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;

# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
allow domain proc_cpuinfo:file r_file_perms;
allow domain proc_net:dir search;
allow domain proc_net_psched:file r_file_perms;

# debugfs access
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file w_file_perms;

# Get SELinux enforcing status.
allow domain selinuxfs:dir r_dir_perms;
allow domain selinuxfs:file r_file_perms;

# /data/security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
allow domain security_file:lnk_file r_file_perms;

# World readable asec image contents
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;

# log all access to specified system_server services
auditallow { domain -shell -service_manager_local_audit } tmp_system_server_service:service_manager { list find };

###
### neverallow rules
###

# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;

# Limit device node creation to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;

# Limit raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow domain self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;

# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;

# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;

# Only init and the system_server can set selinux.reload_policy 1
# to trigger a policy reload.
neverallow { domain -init -system_server } security_prop:property_service set;

# Only init and system_server can write to /data/security, where runtime
# policy updates live.
# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
# Only init and system_server can create/setattr directories with this type.
# init is for init.rc mkdir /data/security.
# system_server is for creating subdirectories under /data/security.
neverallow { domain -init -system_server } security_file:dir { create setattr };
# Only system_server can create subdirectories and files under /data/security.
neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow domain kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow domain kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };

# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;

# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow domain init:binder *;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
#
neverallow {
  domain
  -appdomain
  -dumpstate
  -shell
  userdebug_or_eng(`-su')
  -system_server
  -zygote
} { file_type -system_file -exec_type }:file execute;
neverallow {
  domain
  -appdomain # for oemfs
  -recovery  # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file no_w_file_perms;

# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Don't allow mounting on top of /system files or directories
neverallow domain { system_file exec_type }:dir_file_class_set mounton;

# Nothing should be writing to files in the rootfs.
neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow domain { fs_type -contextmount_type }:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow { domain -recovery } contextmount_type:dir_file_class_set
  { create write setattr relabelfrom relabelto append unlink link rename };

# Do not allow service_manager add for default_android_service.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in service.te and new mappings
# from service name to service_type are defined in service_contexts.
neverallow domain default_android_service:service_manager add;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init } default_prop:property_service set;

neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;

# No domain other than recovery can write to system.
neverallow { domain -recovery } system_block_device:blk_file write;

# No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;

# Only servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager } *:binder set_context_mgr;

# Only authorized processes should be writing to files in /data/dalvik-cache
# (excluding /data/dalvik-cache/profiles, which is labeled differently)
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -dex2oat
} dalvikcache_data_file:file no_w_file_perms;

# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
neverallow domain domain:{ shm sem msg msgq } *;

# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
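The `### neverallow rules` section above is a set of compile-time assertions: checkpolicy refuses to build the policy if any allow rule, after expanding attributes such as `domain` and set expressions such as `{ domain -init }`, grants a permission that a neverallow forbids. The Python below is an added example, not part of AOSP sepolicy and not the real checkpolicy: it re-implements that check on a constructed mini-policy whose neverallow lines are copied from domain.te. The attribute map, the class permission vectors and the allow rules are constructed for the demonstration, and only macro-expanded, single-line rules are parsed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed attribute map: which concrete types carry each attribute.
# In real policy this comes from type/typeattribute statements across *.te.
ATTRIBUTES: dict[str, set[str]] = {
    "domain": {"kernel", "init", "system_server", "vold", "untrusted_app"},
    "appdomain": {"untrusted_app"},
}

# Constructed class -> permission vectors (a subset of access_vectors), needed
# to expand the `*` and `~{ ... }` permission expressions used in domain.te.
CLASS_PERMS: dict[str, set[str]] = {
    "security": {"load_policy", "setenforce", "setcheckreqprot", "setbool", "setsecparam"},
    "process": {"fork", "signal", "sigchld", "ptrace", "setcurrent"},
    "binder": {"call", "transfer", "set_context_mgr"},
}

RULE_RE = re.compile(
    r"^(allow|neverallow)\s+"             # rule kind
    r"(\{[^}]*\}|\S+)\s+"                 # source type set
    r"(\{[^}]*\}|[^\s:{}]+):"             # target type set
    r"(\{[^}]*\}|[^\s{}]+)\s+"            # object class set
    r"(~?\{[^}]*\}|\*|[^\s;{}]+)\s*;$"    # permission set
)


@dataclass(frozen=True)
class Rule:
    kind: str              # "allow" or "neverallow"
    src: frozenset[str]    # expanded source types
    tgt: frozenset[str]    # expanded target types ("self" is kept literal)
    cls: frozenset[str]    # object classes
    perms: str             # unexpanded permission expression


def expand_set(expr: str, universe: dict[str, set[str]]) -> set[str]:
    """Expand `{ a b -c }` or `a`: attributes widen to their members, `-x` removes x."""
    result: set[str] = set()
    for tok in expr.strip("{}").split():
        name = tok.lstrip("-")
        members = universe.get(name, {name})
        result = result - members if tok.startswith("-") else result | members
    return result


def expand_perms(expr: str, cls: str) -> set[str]:
    """Expand `*`, `~{ ... }` and `{ ... }` against the class's permission vector."""
    all_perms = CLASS_PERMS[cls]
    if expr == "*":
        return set(all_perms)
    if expr.startswith("~"):
        return all_perms - set(expr[1:].strip("{}").split())
    return set(expr.strip("{}").split())


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    kind, src, tgt, cls, perms = m.groups()
    return Rule(kind, frozenset(expand_set(src, ATTRIBUTES)),
                frozenset(expand_set(tgt, ATTRIBUTES)),
                frozenset(expand_set(cls, {})), perms)


def parse_policy(text: str) -> list[Rule]:
    """Parse macro-expanded TE text; comments and blank lines are skipped."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def violations(rules: list[Rule]) -> list[tuple[list[str], list[str], str, list[str]]]:
    """Return every (sources, targets, class, perms) that an allow grants but a neverallow forbids."""
    found = []
    for na in (r for r in rules if r.kind == "neverallow"):
        for al in (r for r in rules if r.kind == "allow"):
            srcs, tgts = na.src & al.src, na.tgt & al.tgt
            if not (srcs and tgts):
                continue
            for cls in sorted(na.cls & al.cls):
                perms = expand_perms(na.perms, cls) & expand_perms(al.perms, cls)
                if perms:
                    found.append((sorted(srcs), sorted(tgts), cls, sorted(perms)))
    return found


# Constructed mini-policy: the neverallow lines are taken from domain.te; the
# allow lines are invented to show one permitted grant and three rejected ones.
SAMPLE_POLICY = """
neverallow { domain -init } kernel:security load_policy;
neverallow domain init:process ptrace;
neverallow domain init:binder *;
neverallow domain kernel:security setbool;
allow init kernel:security load_policy;
allow vold kernel:security load_policy;
allow system_server init:process { ptrace signal };
allow untrusted_app init:binder call;
"""

if __name__ == "__main__":
    for srcs, tgts, cls, perms in violations(parse_policy(SAMPLE_POLICY)):
        print(f"neverallow violated: {srcs} -> {tgts}:{cls} {perms}")
```

Run as a script it reports the three offending grants; `allow init kernel:security load_policy` passes because `init` is subtracted from the neverallow's source set.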