1# Rules for all domains. 2 3# Allow reaping by init. 4allow domain init:process sigchld; 5 6# Intra-domain accesses. 7allow domain self:process { 8 fork 9 sigchld 10 sigkill 11 sigstop 12 signull 13 signal 14 getsched 15 setsched 16 getsession 17 getpgid 18 setpgid 19 getcap 20 setcap 21 getattr 22 setrlimit 23}; 24allow domain self:fd use; 25allow domain proc:dir r_dir_perms; 26allow domain proc_net:dir search; 27r_dir_file(domain, self) 28allow domain self:{ fifo_file file } rw_file_perms; 29allow domain self:unix_dgram_socket { create_socket_perms sendto }; 30allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31 32# Inherit or receive open files from others. 33allow domain init:fd use; 34 35userdebug_or_eng(` 36 # Same as adbd rules above, except allow su to do the same thing 37 allow domain su:unix_stream_socket connectto; 38 allow domain su:fd use; 39 allow domain su:unix_stream_socket { getattr getopt read write shutdown }; 40 41 allow { domain -init } su:binder { call transfer }; 42 allow { domain -init } su:fd use; 43 44 # Running something like "pm dump com.android.bluetooth" requires 45 # fifo writes 46 allow domain su:fifo_file { write getattr }; 47 48 # allow "gdbserver --attach" to work for su. 49 allow domain su:process sigchld; 50 51 # Allow writing coredumps to /cores/* 52 allow domain coredump_file:file create_file_perms; 53 allow domain coredump_file:dir ra_dir_perms; 54') 55 56# Root fs. 57allow domain rootfs:dir search; 58allow domain rootfs:lnk_file { read getattr }; 59 60# Device accesses. 61allow domain device:dir search; 62allow domain dev_type:lnk_file r_file_perms; 63allow domain devpts:dir search; 64allow domain socket_device:dir r_dir_perms; 65allow domain owntty_device:chr_file rw_file_perms; 66allow domain null_device:chr_file rw_file_perms; 67allow domain zero_device:chr_file rw_file_perms; 68allow domain ashmem_device:chr_file rw_file_perms; 69# /dev/binder can be accessed by non-vendor domains and by apps 70allow { 71 coredomain 72 appdomain 73 binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 74 -hwservicemanager 75} binder_device:chr_file rw_file_perms; 76# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder 77not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;') 78allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms; 79allow domain ptmx_device:chr_file rw_file_perms; 80allow domain alarm_device:chr_file r_file_perms; 81allow domain random_device:chr_file rw_file_perms; 82allow domain properties_device:dir { search getattr }; 83allow domain properties_serial:file r_file_perms; 84 85# For now, everyone can access core property files 86# Device specific properties are not granted by default 87get_prop(domain, core_property_type) 88# Let everyone read log properties, so that liblog can avoid sending unloggable 89# messages to logd. 90get_prop(domain, log_property_type) 91dontaudit domain property_type:file audit_access; 92allow domain property_contexts_file:file r_file_perms; 93 94allow domain init:key search; 95allow domain vold:key search; 96 97# logd access 98write_logd(domain) 99 100# System file accesses. 101allow domain system_file:dir { search getattr }; 102allow domain system_file:file { execute read open getattr }; 103allow domain system_file:lnk_file { getattr read }; 104 105# Make sure system/vendor split doesn not affect non-treble 106# devices 107not_full_treble(` 108 allow domain vendor_file_type:dir { search getattr }; 109 allow domain vendor_file_type:file { execute read open getattr }; 110 allow domain vendor_file_type:lnk_file { getattr read }; 111') 112 113# All domains are allowed to open and read directories 114# that contain HAL implementations (e.g. passthrough 115# HALs require clients to have these permissions) 116allow domain vendor_hal_file:dir r_dir_perms; 117 118# Everyone can read and execute all same process HALs 119allow domain same_process_hal_file:dir r_dir_perms; 120allow domain same_process_hal_file:file { execute read open getattr }; 121 122# Any process can load vndk-sp libraries, which are system libraries 123# used by same process HALs 124allow domain vndk_sp_file:dir r_dir_perms; 125allow domain vndk_sp_file:file { execute read open getattr }; 126 127# All domains get access to /vendor/etc 128allow domain vendor_configs_file:dir r_dir_perms; 129allow domain vendor_configs_file:file { read open getattr }; 130 131full_treble_only(` 132 # Allow all domains to be able to follow /system/vendor symlink 133 allow domain vendor_file:lnk_file { getattr open read }; 134 135 # This is required to be able to search & read /vendor/lib64 136 # in order to lookup vendor libraries. The execute permission 137 # for coredomains is granted *only* for same process HALs 138 allow domain vendor_file:dir { getattr search }; 139 140 # Allow reading and executing out of /vendor to all vendor domains 141 allow { domain -coredomain } vendor_file_type:dir r_dir_perms; 142 allow { domain -coredomain } vendor_file_type:file { read open getattr execute }; 143 allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; 144') 145 146# read any sysfs symlinks 147allow domain sysfs:lnk_file read; 148 149# libc references /data/misc/zoneinfo for timezone related information 150# This directory is considered to be a VNDK-stable 151r_dir_file(domain, zoneinfo_data_file) 152 153# Lots of processes access current CPU information 154r_dir_file(domain, sysfs_devices_system_cpu) 155 156r_dir_file(domain, sysfs_usb); 157 158# files under /data. 159not_full_treble(`allow domain system_data_file:dir getattr;') 160allow { coredomain appdomain } system_data_file:dir getattr; 161# /data has the label system_data_file. Vendor components need the search 162# permission on system_data_file for path traversal to /data/vendor. 163allow domain system_data_file:dir search; 164 165# required by the dynamic linker 166allow domain proc:lnk_file { getattr read }; 167 168# /proc/cpuinfo 169allow domain proc_cpuinfo:file r_file_perms; 170 171# jemalloc needs to read /proc/sys/vm/overcommit_memory 172allow domain proc_overcommit_memory:file r_file_perms; 173 174# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate 175allow domain proc_perf:file r_file_perms; 176 177# toybox loads libselinux which stats /sys/fs/selinux/ 178allow domain selinuxfs:dir search; 179allow domain selinuxfs:file getattr; 180allow domain sysfs:dir search; 181allow domain selinuxfs:filesystem getattr; 182 183# For /acct/uid/*/tasks. 184allow domain cgroup:dir { search write }; 185allow domain cgroup:file w_file_perms; 186 187# Almost all processes log tracing information to 188# /sys/kernel/debug/tracing/trace_marker 189# The reason behind this is documented in b/6513400 190allow domain debugfs:dir search; 191allow domain debugfs_tracing:dir search; 192allow domain debugfs_trace_marker:file w_file_perms; 193 194# Filesystem access. 195allow domain fs_type:filesystem getattr; 196allow domain fs_type:dir getattr; 197 198# Restrict all domains to a whitelist for common socket types. Additional 199# ioctl commands may be added to individual domains, but this sets safe 200# defaults for all processes. Note that granting this whitelist to domain does 201# not grant the ioctl permission on these socket types. That must be granted 202# separately. 203allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } 204 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 205# default whitelist for unix sockets. 206allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } 207 ioctl unpriv_unix_sock_ioctls; 208 209# Restrict PTYs to only whitelisted ioctls. 210# Note that granting this whitelist to domain does 211# not grant the wider ioctl permission. That must be granted 212# separately. 213allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; 214 215# Workaround for policy compiler being too aggressive and removing hwservice_manager_type 216# when it's not explicitly used in allow rules 217allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; 218# Workaround for policy compiler being too aggressive and removing vndservice_manager_type 219# when it's not explicitly used in allow rules 220allow { domain -domain } vndservice_manager_type:service_manager { add find }; 221 222### 223### neverallow rules 224### 225 226# All socket ioctls must be restricted to a whitelist. 227neverallowxperm domain domain:socket_class_set ioctl { 0 }; 228 229# TIOCSTI is only ever used for exploits. Block it. 230# b/33073072, b/7530569 231# http://www.openwall.com/lists/oss-security/2016/09/26/14 232neverallowxperm * devpts:chr_file ioctl TIOCSTI; 233 234# Do not allow any domain other than init or recovery to create unlabeled files. 235neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 236 237# Limit device node creation to these whitelisted domains. 238neverallow { 239 domain 240 -kernel 241 -init 242 -ueventd 243 -vold 244} self:capability mknod; 245 246# Limit raw I/O to these whitelisted domains. Do not apply to debug builds. 247neverallow { 248 domain 249 userdebug_or_eng(`-domain') 250 -kernel 251 -init 252 -recovery 253 -ueventd 254 -healthd 255 -uncrypt 256 -tee 257} self:capability sys_rawio; 258 259# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). 260neverallow * self:memprotect mmap_zero; 261 262# No domain needs mac_override as it is unused by SELinux. 263neverallow * self:capability2 mac_override; 264 265# Only recovery needs mac_admin to set contexts not defined in current policy. 266neverallow { domain -recovery } self:capability2 mac_admin; 267 268# Once the policy has been loaded there shall be none to modify the policy. 269# It is sealed. 270neverallow * kernel:security load_policy; 271 272# Only init prior to switching context should be able to set enforcing mode. 273# init starts in kernel domain and switches to init domain via setcon in 274# the init.rc, so the setenforce occurs while still in kernel. After 275# switching domains, there is never any need to setenforce again by init. 276neverallow * kernel:security setenforce; 277neverallow { domain -kernel } kernel:security setcheckreqprot; 278 279# No booleans in AOSP policy, so no need to ever set them. 280neverallow * kernel:security setbool; 281 282# Adjusting the AVC cache threshold. 283# Not presently allowed to anything in policy, but possibly something 284# that could be set from init.rc. 285neverallow { domain -init } kernel:security setsecparam; 286 287# Only init, ueventd, shell and system_server should be able to access HW RNG 288neverallow { 289 domain 290 -init 291 -shell # For CTS and is restricted to getattr in shell.te 292 -system_server 293 -ueventd 294} hw_random_device:chr_file *; 295 296# Ensure that all entrypoint executables are in exec_type or postinstall_file. 297neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; 298 299# Ensure that nothing in userspace can access /dev/mem or /dev/kmem 300neverallow { 301 domain 302 -shell # For CTS and is restricted to getattr in shell.te 303 -ueventd # Further restricted in ueventd.te 304} kmem_device:chr_file *; 305neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr }; 306 307#Ensure that nothing in userspace can access /dev/port 308neverallow { 309 domain 310 -shell # Shell user should not have any abilities outside of getattr 311 -ueventd 312} port_device:chr_file *; 313neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; 314# Only init should be able to configure kernel usermodehelpers or 315# security-sensitive proc settings. 316neverallow { domain -init } usermodehelper:file { append write }; 317neverallow { domain -init } proc_security:file { append open read write }; 318 319# No domain should be allowed to ptrace init. 320neverallow * init:process ptrace; 321 322# Init can't do anything with binder calls. If this neverallow rule is being 323# triggered, it's probably due to a service with no SELinux domain. 324neverallow * init:binder *; 325 326# Don't allow raw read/write/open access to block_device 327# Rather force a relabel to a more specific type 328neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; 329 330# Do not allow renaming of block files or character files 331# Ability to do so can lead to possible use in an exploit chain 332# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html 333neverallow * *:{ blk_file chr_file } rename; 334 335# Don't allow raw read/write/open access to generic devices. 336# Rather force a relabel to a more specific type. 337neverallow domain device:chr_file { open read write }; 338 339# Limit what domains can mount filesystems or change their mount flags. 340# sdcard_type / vfat is exempt as a larger set of domains need 341# this capability, including device-specific domains. 342neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; 343 344# 345# Assert that, to the extent possible, we're not loading executable content from 346# outside the rootfs or /system partition except for a few whitelisted domains. 347# 348neverallow { 349 domain 350 -appdomain 351 with_asan(`-asan_extract') 352 -dumpstate 353 -shell 354 userdebug_or_eng(`-su') 355 -system_server 356 -webview_zygote 357 -zygote 358} { 359 file_type 360 -system_file 361 -vendor_file_type 362 -exec_type 363 -postinstall_file 364}:file execute; 365 366neverallow { 367 domain 368 -appdomain # for oemfs 369 -recovery # for /tmp/update_binary in tmpfs 370} { fs_type -rootfs }:file execute; 371# Files from cache should never be executed 372neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; 373 374# Protect most domains from executing arbitrary content from /data. 375neverallow { 376 domain 377 -appdomain 378} { 379 data_file_type 380 -dalvikcache_data_file 381 -system_data_file # shared libs in apks 382 -apk_data_file 383}:file no_x_file_perms; 384 385neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; 386 387# Only the init property service should write to /data/property and /dev/__properties__ 388neverallow { domain -init } property_data_file:dir no_w_dir_perms; 389neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; 390neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; 391neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; 392neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; 393 394# Only recovery should be doing writes to /system & /vendor 395neverallow { 396 domain 397 -recovery 398 with_asan(`-asan_extract') 399} { 400 system_file 401 vendor_file_type 402 exec_type 403}:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; 404 405neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto; 406 407# Don't allow mounting on top of /system files or directories 408neverallow * exec_type:dir_file_class_set mounton; 409neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton; 410 411# Nothing should be writing to files in the rootfs. 412neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; 413 414# Restrict context mounts to specific types marked with 415# the contextmount_type attribute. 416neverallow * {fs_type -contextmount_type}:filesystem relabelto; 417 418# Ensure that context mount types are not writable, to ensure that 419# the write to /system restriction above is not bypassed via context= 420# mount to another type. 421neverallow { domain -recovery } contextmount_type:dir_file_class_set 422 { create write setattr relabelfrom relabelto append unlink link rename }; 423 424# Do not allow service_manager add for default service labels. 425# Instead domains should use a more specific type such as 426# system_app_service rather than the generic type. 427# New service_types are defined in {,hw,vnd}service.te and new mappings 428# from service name to service_type are defined in {,hw,vnd}service_contexts. 429neverallow * default_android_service:service_manager add; 430neverallow * default_android_vndservice:service_manager { add find }; 431neverallow * default_android_hwservice:hwservice_manager { add find }; 432 433# Looking up the base class/interface of all HwBinder services is a bad idea. 434# hwservicemanager currently offer such lookups only to make it so that security 435# decisions are expressed in SELinux policy. However, it's unclear whether this 436# lookup has security implications. If it doesn't, hwservicemanager should be 437# modified to not offer this lookup. 438# This rule can be removed if hwservicemanager is modified to not permit these 439# lookups. 440neverallow * hidl_base_hwservice:hwservice_manager find; 441 442# Require that domains explicitly label unknown properties, and do not allow 443# anyone but init to modify unknown properties. 444neverallow { domain -init } default_prop:property_service set; 445neverallow { domain -init } mmc_prop:property_service set; 446 447# Do not allow reading device's serial number from system properties except form 448# a few whitelisted domains. 449neverallow { 450 domain 451 -adbd 452 -dumpstate 453 -hal_drm 454 -init 455 -mediadrmserver 456 -recovery 457 -shell 458 -system_server 459} serialno_prop:file r_file_perms; 460 461# Do not allow reading the last boot timestamp from system properties 462neverallow { domain -init -system_server } firstboot_prop:file r_file_perms; 463 464neverallow { 465 domain 466 -init 467 -recovery 468 -system_server 469 -shell # Shell is further restricted in shell.te 470 -ueventd # Further restricted in ueventd.te 471} frp_block_device:blk_file no_rw_file_perms; 472 473# The metadata block device is set aside for device encryption and 474# verified boot metadata. It may be reset at will and should not 475# be used by other domains. 476neverallow { domain -init -recovery -vold } metadata_block_device:blk_file 477 { append link rename write open read ioctl lock }; 478 479# No domain other than recovery and update_engine can write to system partition(s). 480neverallow { domain -recovery -update_engine } system_block_device:blk_file write; 481 482# No domains other than install_recovery or recovery can write to recovery. 483neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write; 484 485# No domains other than a select few can access the misc_block_device. This 486# block device is reserved for OTA use. 487# Do not assert this rule on userdebug/eng builds, due to some devices using 488# this partition for testing purposes. 489neverallow { 490 domain 491 userdebug_or_eng(`-domain') # exclude debuggable builds 492 -hal_bootctl 493 -init 494 -uncrypt 495 -update_engine 496 -vold 497 -recovery 498 -ueventd 499} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; 500neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302 501 502# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager 503neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; 504# The service managers are only allowed to access their own device node 505neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; 506neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; 507neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; 508neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; 509neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 510neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 511 512# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core 513# domain apps need this because Android framework offers many of its services to apps as Binder 514# services. 515full_treble_only(` 516 neverallow { 517 domain 518 -coredomain 519 -appdomain 520 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 521 } binder_device:chr_file rw_file_perms; 522 neverallow { 523 domain 524 -coredomain 525 -appdomain # restrictions for vendor apps are declared lower down 526 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 527 } service_manager_type:service_manager find; 528 # Vendor apps are permited to use only stable public services. If they were to use arbitrary 529 # services which can change any time framework/core is updated, breakage is likely. 530 neverallow { 531 appdomain 532 -coredomain 533 } { 534 service_manager_type 535 -app_api_service 536 -ephemeral_app_api_service 537 -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed 538 -cameraserver_service 539 -drmserver_service 540 -keystore_service 541 -mediacasserver_service 542 -mediadrmserver_service 543 -mediaextractor_service 544 -mediametrics_service 545 -mediaserver_service 546 -nfc_service 547 -radio_service 548 -surfaceflinger_service 549 -virtual_touchpad_service 550 -vr_hwc_service 551 -vr_manager_service 552 }:service_manager find; 553 neverallow { 554 domain 555 -coredomain 556 -appdomain 557 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 558 } servicemanager:binder { call transfer }; 559 neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302 560') 561 562# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. 563full_treble_only(` 564 neverallow { 565 coredomain 566 -shell 567 userdebug_or_eng(`-su') 568 -ueventd # uevent is granted create for this device, but we still neverallow I/O below 569 } vndbinder_device:chr_file rw_file_perms; 570 neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; 571 neverallow { 572 coredomain 573 -shell 574 userdebug_or_eng(`-su') 575 } vndservice_manager_type:service_manager *; 576 neverallow { 577 coredomain 578 -shell 579 userdebug_or_eng(`-su') 580 } vndservicemanager:binder *; 581') 582 583# On full TREBLE devices, socket communications between core components and vendor components are 584# not permitted. 585full_treble_only(` 586 # Most general rules first, more specific rules below. 587 588 # Core domains are not permitted to initiate communications to vendor domain sockets. 589 # We are not restricting the use of already established sockets because it is fine for a process 590 # to obtain an already established socket via some public/official/stable API and then exchange 591 # data with its peer over that socket. The wire format in this scenario is dicatated by the API 592 # and thus does not break the core-vendor separation. 593 neverallow_establish_socket_comms({ 594 coredomain 595 -init 596 -adbd 597 }, { 598 domain 599 -coredomain 600 -socket_between_core_and_vendor_violators 601 }); 602 # Vendor domains are not permitted to initiate communications to core domain sockets 603 neverallow_establish_socket_comms({ 604 domain 605 -coredomain 606 -appdomain 607 -socket_between_core_and_vendor_violators 608 }, { 609 coredomain 610 -logd # Logging by writing to logd Unix domain socket is public API 611 -netd # netdomain needs this 612 -mdnsd # netdomain needs this 613 userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds 614 -init 615 -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services 616 -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services 617 }); 618 neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302 619 620 # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets 621 neverallow_establish_socket_comms({ 622 domain 623 -coredomain 624 -netdomain 625 -socket_between_core_and_vendor_violators 626 }, netd); 627 628 # Vendor domains are not permitted to initiate create/open sockets owned by core domains 629 neverallow { 630 domain 631 -coredomain 632 -appdomain # appdomain restrictions below 633 -socket_between_core_and_vendor_violators 634 } { 635 coredomain_socket 636 core_data_file_type 637 unlabeled # used only by core domains 638 }:sock_file ~{ append getattr ioctl read write }; 639 neverallow { 640 appdomain 641 -coredomain 642 } { 643 coredomain_socket 644 unlabeled # used only by core domains 645 core_data_file_type 646 -app_data_file 647 -pdx_endpoint_socket_type # used by VR layer 648 -pdx_channel_socket_type # used by VR layer 649 }:sock_file ~{ append getattr ioctl read write }; 650 neverallow { 651 pdx_endpoint_socket_type 652 pdx_channel_socket_type 653 } unlabeled:service_manager list; #TODO: b/62658302 654 655 # Core domains are not permitted to create/open sockets owned by vendor domains 656 neverallow { 657 coredomain 658 -init 659 -ueventd 660 -socket_between_core_and_vendor_violators 661 } { 662 file_type 663 dev_type 664 -coredomain_socket 665 -core_data_file_type 666 -unlabeled 667 }:sock_file ~{ append getattr ioctl read write }; 668') 669 670# On TREBLE devices, a limited set of files in /vendor are accessible to 671# only a few whitelisted coredomains to keep system/vendor separation. 672full_treble_only(` 673 # Limit access to /vendor/app 674 neverallow { 675 coredomain 676 -appdomain 677 -dex2oat 678 -idmap 679 -init 680 -installd 681 -postinstall_dexopt 682 -system_server 683 } vendor_app_file:dir { open read getattr search }; 684 685 neverallow { 686 coredomain 687 -appdomain 688 -dex2oat 689 -idmap 690 -init 691 -installd 692 -postinstall_dexopt 693 -system_server 694 } vendor_app_file:{ file lnk_file } r_file_perms; 695 696 # Limit access to /vendor/overlay 697 neverallow { 698 coredomain 699 -appdomain 700 -idmap 701 -init 702 -installd 703 -system_server 704 -zygote 705 } vendor_overlay_file:dir { getattr open read search }; 706 707 neverallow { 708 coredomain 709 -appdomain 710 -idmap 711 -init 712 -installd 713 -system_server 714 -zygote 715 } vendor_overlay_file:{ file lnk_file } r_file_perms; 716 717 # Non-vendor domains are not allowed to file execute shell 718 # from vendor 719 neverallow { 720 coredomain 721 -init 722 } vendor_shell_exec:file { execute execute_no_trans }; 723 724 # Do not allow vendor components to execute files from system 725 # except for the ones whitelist here. 726 neverallow { 727 domain 728 -coredomain 729 -appdomain 730 -rild 731 -vendor_executes_system_violators 732 } { 733 exec_type 734 -vendor_file_type 735 -crash_dump_exec 736 -netutils_wrapper_exec 737 }:file { entrypoint execute execute_no_trans }; 738 neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302 739') 740 741# Only authorized processes should be writing to files in /data/dalvik-cache 742neverallow { 743 domain 744 -init # TODO: limit init to relabelfrom for files 745 -zygote 746 -installd 747 -postinstall_dexopt 748 -cppreopts 749 -dex2oat 750 -otapreopt_slot 751} dalvikcache_data_file:file no_w_file_perms; 752 753neverallow { 754 domain 755 -init 756 -installd 757 -postinstall_dexopt 758 -cppreopts 759 -dex2oat 760 -zygote 761 -otapreopt_slot 762} dalvikcache_data_file:dir no_w_dir_perms; 763 764# Only system_server should be able to send commands via the zygote socket 765neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 766neverallow { domain -system_server } zygote_socket:sock_file write; 767 768neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto; 769neverallow { domain -system_server } webview_zygote_socket:sock_file write; 770 771neverallow { 772 domain 773 -tombstoned 774 -crash_dump 775 -dumpstate 776 -system_server 777 778 # Processes that can't exec crash_dump 779 -mediacodec 780 -mediaextractor 781} tombstoned:unix_stream_socket connectto; 782neverallow { 783 domain 784 -crash_dump 785 -mediacodec 786 -mediaextractor 787} tombstoned_crash_socket:sock_file write; 788neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write; 789 790# Android does not support System V IPCs. 791# 792# The reason for this is due to the fact that, by design, they lead to global 793# kernel resource leakage. 794# 795# For example, there is no way to automatically release a SysV semaphore 796# allocated in the kernel when: 797# 798# - a buggy or malicious process exits 799# - a non-buggy and non-malicious process crashes or is explicitly killed. 800# 801# Killing processes automatically to make room for new ones is an 802# important part of Android's application lifecycle implementation. This means 803# that, even assuming only non-buggy and non-malicious code, it is very likely 804# that over time, the kernel global tables used to implement SysV IPCs will fill 805# up. 806neverallow * *:{ shm sem msg msgq } *; 807 808# Do not mount on top of symlinks, fifos, or sockets. 809# Feature parity with Chromium LSM. 810neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 811 812# Nobody should be able to execute su on user builds. 813# On userdebug/eng builds, only dumpstate, shell, and 814# su itself execute su. 815neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 816 817# Do not allow the introduction of new execmod rules. Text relocations 818# and modification of executable pages are unsafe. 819# The only exceptions are for NDK text relocations associated with 820# https://code.google.com/p/android/issues/detail?id=23203 821# which, long term, need to go away. 822neverallow * { 823 file_type 824 -apk_data_file 825 -app_data_file 826 -asec_public_file 827}:file execmod; 828 829# Do not allow making the stack or heap executable. 830# We would also like to minimize execmem but it seems to be 831# required by some device-specific service domains. 832neverallow * self:process { execstack execheap }; 833 834# prohibit non-zygote spawned processes from using shared libraries 835# with text relocations. b/20013628 . 836neverallow { domain -untrusted_app_all } file_type:file execmod; 837 838neverallow { domain -init } proc:{ file dir } mounton; 839 840# Ensure that all types assigned to processes are included 841# in the domain attribute, so that all allow and neverallow rules 842# written on domain are applied to all processes. 843# This is achieved by ensuring that it is impossible to transition 844# from a domain to a non-domain type and vice versa. 845# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 846neverallow ~domain domain:process { transition dyntransition }; 847 848# 849# Only system_app and system_server should be creating or writing 850# their files. The proper way to share files is to setup 851# type transitions to a more specific type or assigning a type 852# to its parent directory via a file_contexts entry. 853# Example type transition: 854# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 855# 856neverallow { 857 domain 858 -system_server 859 -system_app 860 -init 861 -installd # for relabelfrom and unlink, check for this in explicit neverallow 862 with_asan(`-asan_extract') 863} system_data_file:file no_w_file_perms; 864# do not grant anything greater than r_file_perms and relabelfrom unlink 865# to installd 866neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 867 868# respect system_app sandboxes 869neverallow { 870 domain 871 -appdomain # finer-grained rules for appdomain are listed below 872 -system_server #populate com.android.providers.settings/databases/settings.db. 873 -installd # creation of app sandbox 874} system_app_data_file:dir_file_class_set { create unlink open }; 875neverallow { 876 isolated_app 877 untrusted_app_all # finer-grained rules for appdomain are listed below 878 ephemeral_app 879 priv_app 880} system_app_data_file:dir_file_class_set { create unlink open }; 881 882 883# Services should respect app sandboxes 884neverallow { 885 domain 886 -appdomain 887 -installd # creation of sandbox 888} app_data_file:dir_file_class_set { create unlink }; 889 890# 891# Only these domains should transition to shell domain. This domain is 892# permissible for the "shell user". If you need a process to exec a shell 893# script with differing privilege, define a domain and set up a transition. 894# 895neverallow { 896 domain 897 -adbd 898 -init 899 -runas 900 -zygote 901} shell:process { transition dyntransition }; 902 903# Only domains spawned from zygote and runas may have the appdomain attribute. 904neverallow { domain -runas -webview_zygote -zygote } { 905 appdomain -shell userdebug_or_eng(`-su') -bluetooth 906}:process { transition dyntransition }; 907 908# Minimize read access to shell- or app-writable symlinks. 909# This is to prevent malicious symlink attacks. 910neverallow { 911 domain 912 -appdomain 913 -installd 914 -uncrypt # TODO: see if we can remove 915} app_data_file:lnk_file read; 916 917neverallow { 918 domain 919 -shell 920 userdebug_or_eng(`-uncrypt') 921 -installd 922} shell_data_file:lnk_file read; 923 924# In addition to the symlink reading restrictions above, restrict 925# write access to shell owned directories. The /data/local/tmp 926# directory is untrustworthy, and non-whitelisted domains should 927# not be trusting any content in those directories. 928neverallow { 929 domain 930 -adbd 931 -dumpstate 932 -installd 933 -init 934 -shell 935 -vold 936} shell_data_file:dir no_w_dir_perms; 937 938neverallow { 939 domain 940 -adbd 941 -appdomain 942 -dumpstate 943 -init 944 -installd 945 -system_server # why? 946 userdebug_or_eng(`-uncrypt') 947} shell_data_file:dir { open search }; 948 949# Same as above for /data/local/tmp files. We allow shell files 950# to be passed around by file descriptor, but not directly opened. 951neverallow { 952 domain 953 -adbd 954 -appdomain 955 -dumpstate 956 -installd 957 userdebug_or_eng(`-uncrypt') 958} shell_data_file:file open; 959 960 961# servicemanager and vndservicemanager are the only processes which handle the 962# service_manager list request 963neverallow * ~{ 964 servicemanager 965 vndservicemanager 966 }:service_manager list; 967 968# hwservicemanager is the only process which handles hw list requests 969neverallow * ~{ 970 hwservicemanager 971 }:hwservice_manager list; 972 973# only service_manager_types can be added to service_manager 974# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 975 976# Prevent assigning non property types to properties 977# TODO - rework this: neverallow * ~property_type:property_service set; 978 979# Domain types should never be assigned to any files other 980# than the /proc/pid files associated with a process. The 981# executable file used to enter a domain should be labeled 982# with its own _exec type, not with the domain type. 983# Conventionally, this looks something like: 984# $ cat mydaemon.te 985# type mydaemon, domain; 986# type mydaemon_exec, exec_type, file_type; 987# init_daemon_domain(mydaemon) 988# $ grep mydaemon file_contexts 989# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 990neverallow * domain:file { execute execute_no_trans entrypoint }; 991 992# Do not allow access to the generic debugfs label. This is too broad. 993# Instead, if access to part of debugfs is desired, it should have a 994# more specific label. 995# TODO: fix system_server and dumpstate 996neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms; 997 998# Profiles contain untrusted data and profman parses that. We should only run 999# in from installd forked processes. 1000neverallow { 1001 domain 1002 -installd 1003 -profman 1004} profman_exec:file no_x_file_perms; 1005 1006# Enforce restrictions on kernel module origin. 1007# Do not allow kernel module loading except from system, 1008# vendor, and boot partitions. 1009neverallow * ~{ system_file vendor_file rootfs }:system module_load; 1010 1011# Only allow filesystem caps to be set at build time or 1012# during upgrade by recovery. 1013neverallow { 1014 domain 1015 -recovery 1016} self:capability setfcap; 1017 1018# Enforce AT_SECURE for executing crash_dump. 1019neverallow domain crash_dump:process noatsecure; 1020 1021# Do not permit non-core domains to register HwBinder services which are 1022# guaranteed to be provided by core domains only. 1023neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1024 1025# Do not permit the registeration of HwBinder services which are guaranteed to 1026# be passthrough only (i.e., run in the process of their clients instead of a 1027# separate server process). 1028neverallow * same_process_hwservice:hwservice_manager add; 1029