• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Rules for all domains.
2
3# Allow reaping by init.
4allow domain init:process sigchld;
5
6# Intra-domain accesses.
7allow domain self:process {
8    fork
9    sigchld
10    sigkill
11    sigstop
12    signull
13    signal
14    getsched
15    setsched
16    getsession
17    getpgid
18    setpgid
19    getcap
20    setcap
21    getattr
22    setrlimit
23};
24allow domain self:fd use;
25allow domain proc:dir r_dir_perms;
26allow domain proc_net_type:dir search;
27r_dir_file(domain, self)
28allow domain self:{ fifo_file file } rw_file_perms;
29allow domain self:unix_dgram_socket { create_socket_perms sendto };
30allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
31
32# Inherit or receive open files from others.
33allow domain init:fd use;
34
35userdebug_or_eng(`
36  allow domain su:fd use;
37  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
38  allow domain su:unix_dgram_socket sendto;
39
40  allow { domain -init } su:binder { call transfer };
41
42  # Running something like "pm dump com.android.bluetooth" requires
43  # fifo writes
44  allow domain su:fifo_file { write getattr };
45
46  # allow "gdbserver --attach" to work for su.
47  allow domain su:process sigchld;
48
49  # Allow writing coredumps to /cores/*
50  allow domain coredump_file:file create_file_perms;
51  allow domain coredump_file:dir ra_dir_perms;
52')
53
54with_native_coverage(`
55  # Allow writing coverage information to /data/misc/trace
56  allow domain method_trace_data_file:dir create_dir_perms;
57  allow domain method_trace_data_file:file create_file_perms;
58')
59
60# Root fs.
61allow domain tmpfs:dir { getattr search };
62allow domain rootfs:dir search;
63allow domain rootfs:lnk_file { read getattr };
64
65# Device accesses.
66allow domain device:dir search;
67allow domain dev_type:lnk_file r_file_perms;
68allow domain devpts:dir search;
69allow domain socket_device:dir r_dir_perms;
70allow domain owntty_device:chr_file rw_file_perms;
71allow domain null_device:chr_file rw_file_perms;
72allow domain zero_device:chr_file rw_file_perms;
73allow {
74  domain
75  # TODO(b/113362644): route coredomain to ashmemd
76  #-coredomain
77  -mediaprovider
78  -ephemeral_app
79  -isolated_app
80  -untrusted_app_all
81} ashmem_device:chr_file rw_file_perms;
82
83# Allow using fds to /dev/ashmem.
84allow domain ashmemd:fd use;
85
86# /dev/binder can be accessed by non-vendor domains and by apps
87allow {
88  coredomain
89  appdomain
90  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
91  -hwservicemanager
92} binder_device:chr_file rw_file_perms;
93# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
94not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
95allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
96allow domain ptmx_device:chr_file rw_file_perms;
97allow domain random_device:chr_file rw_file_perms;
98allow domain proc_random:dir r_dir_perms;
99allow domain proc_random:file r_file_perms;
100allow domain properties_device:dir { search getattr };
101allow domain properties_serial:file r_file_perms;
102allow domain property_info:file r_file_perms;
103
104# Public readable properties
105get_prop(domain, debug_prop)
106get_prop(domain, exported_config_prop)
107get_prop(domain, exported_default_prop)
108get_prop(domain, exported_dumpstate_prop)
109get_prop(domain, exported_fingerprint_prop)
110get_prop(domain, exported_radio_prop)
111get_prop(domain, exported_secure_prop)
112get_prop(domain, exported_system_prop)
113get_prop(domain, exported_vold_prop)
114get_prop(domain, exported2_default_prop)
115get_prop(domain, logd_prop)
116
117# Let everyone read log properties, so that liblog can avoid sending unloggable
118# messages to logd.
119get_prop(domain, log_property_type)
120dontaudit domain property_type:file audit_access;
121allow domain property_contexts_file:file r_file_perms;
122
123allow domain init:key search;
124allow domain vold:key search;
125
126# logd access
127write_logd(domain)
128
129# Directory/link file access for path resolution.
130allow domain {
131    system_file
132    system_lib_file
133    system_seccomp_policy_file
134    system_security_cacerts_file
135}:dir r_dir_perms;
136allow domain system_file:lnk_file { getattr read };
137
138# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
139# linker and its config.
140allow domain system_seccomp_policy_file:file r_file_perms;
141# cacerts are accessible from public Java API.
142allow domain system_security_cacerts_file:file r_file_perms;
143allow domain system_linker_exec:file { execute read open getattr map };
144allow domain system_linker_config_file:file r_file_perms;
145allow domain system_lib_file:file { execute read open getattr map };
146# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
147allow domain system_linker_exec:lnk_file { read open getattr };
148allow domain system_lib_file:lnk_file { read open getattr };
149
150allow domain system_event_log_tags_file:file r_file_perms;
151
152allow { appdomain coredomain } system_file:file { execute read open getattr map };
153
154# Make sure system/vendor split doesn not affect non-treble
155# devices
156not_full_treble(`
157    allow domain system_file:file { execute read open getattr map };
158    allow domain vendor_file_type:dir { search getattr };
159    allow domain vendor_file_type:file { execute read open getattr map };
160    allow domain vendor_file_type:lnk_file { getattr read };
161')
162
163# All domains are allowed to open and read directories
164# that contain HAL implementations (e.g. passthrough
165# HALs require clients to have these permissions)
166allow domain vendor_hal_file:dir r_dir_perms;
167
168# Everyone can read and execute all same process HALs
169allow domain same_process_hal_file:dir r_dir_perms;
170allow {
171    domain
172    -coredomain # access is explicitly granted to individual coredomains
173} same_process_hal_file:file { execute read open getattr map };
174
175# Any process can load vndk-sp libraries, which are system libraries
176# used by same process HALs
177allow domain vndk_sp_file:dir r_dir_perms;
178allow domain vndk_sp_file:file { execute read open getattr map };
179
180# All domains get access to /vendor/etc
181allow domain vendor_configs_file:dir r_dir_perms;
182allow domain vendor_configs_file:file { read open getattr map };
183
184full_treble_only(`
185    # Allow all domains to be able to follow /system/vendor and/or
186    # /vendor/odm symlinks.
187    allow domain vendor_file_type:lnk_file { getattr open read };
188
189    # This is required to be able to search & read /vendor/lib64
190    # in order to lookup vendor libraries. The execute permission
191    # for coredomains is granted *only* for same process HALs
192    allow domain vendor_file:dir { getattr search };
193
194    # Allow reading and executing out of /vendor to all vendor domains
195    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
196    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
197    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
198')
199
200# read and stat any sysfs symlinks
201allow domain sysfs:lnk_file { getattr read };
202
203# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
204# timezone related information.
205# This directory is considered to be a VNDK-stable
206allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
207allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
208
209# Lots of processes access current CPU information
210r_dir_file(domain, sysfs_devices_system_cpu)
211
212r_dir_file(domain, sysfs_usb);
213
214# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
215# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
216allow domain sysfs_transparent_hugepage:dir search;
217allow domain sysfs_transparent_hugepage:file r_file_perms;
218
219# files under /data.
220not_full_treble(`
221  allow domain system_data_file:dir getattr;
222')
223allow { coredomain appdomain } system_data_file:dir getattr;
224# /data has the label system_data_file. Vendor components need the search
225# permission on system_data_file for path traversal to /data/vendor.
226allow domain system_data_file:dir search;
227# TODO restrict this to non-coredomain
228allow domain vendor_data_file:dir { getattr search };
229
230# required by the dynamic linker
231allow domain proc:lnk_file { getattr read };
232
233# /proc/cpuinfo
234allow domain proc_cpuinfo:file r_file_perms;
235
236# /dev/cpu_variant:.*
237allow domain dev_cpu_variant:file r_file_perms;
238
239# jemalloc needs to read /proc/sys/vm/overcommit_memory
240allow domain proc_overcommit_memory:file r_file_perms;
241
242# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
243allow domain proc_perf:file r_file_perms;
244
245# toybox loads libselinux which stats /sys/fs/selinux/
246allow domain selinuxfs:dir search;
247allow domain selinuxfs:file getattr;
248allow domain sysfs:dir search;
249allow domain selinuxfs:filesystem getattr;
250
251# Almost all processes log tracing information to
252# /sys/kernel/debug/tracing/trace_marker
253# The reason behind this is documented in b/6513400
254allow domain debugfs:dir search;
255allow domain debugfs_tracing:dir search;
256allow domain debugfs_tracing_debug:dir search;
257allow domain debugfs_trace_marker:file w_file_perms;
258
259# Filesystem access.
260allow domain fs_type:filesystem getattr;
261allow domain fs_type:dir getattr;
262
263# Restrict all domains to a whitelist for common socket types. Additional
264# ioctl commands may be added to individual domains, but this sets safe
265# defaults for all processes. Note that granting this whitelist to domain does
266# not grant the ioctl permission on these socket types. That must be granted
267# separately.
268allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
269  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
270# default whitelist for unix sockets.
271allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
272  ioctl unpriv_unix_sock_ioctls;
273
274# Restrict PTYs to only whitelisted ioctls.
275# Note that granting this whitelist to domain does
276# not grant the wider ioctl permission. That must be granted
277# separately.
278allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
279
280# All domains must clearly enumerate what ioctls they use
281# on filesystem objects (plain files, directories, symbolic links,
282# named pipes, and named sockets). We start off with a safe set.
283allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
284
285# If a domain has ioctl access to tun_device, it must clearly enumerate the
286# ioctls used. Safe defaults are listed below.
287allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
288
289# Allow a process to make a determination whether a file descriptor
290# for a plain file or pipe (fifo_file) is a tty. Note that granting
291# this whitelist to domain does not grant the ioctl permission to
292# these files. That must be granted separately.
293allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
294allowxperm domain domain:fifo_file ioctl { TCGETS };
295
296# If a domain has access to perform an ioctl on a block device, allow these
297# very common, benign ioctls
298allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
299
300# Support sqlite F2FS specific optimizations
301# ioctl permission on the specific file type is still required
302# TODO: consider only compiling these rules if we know the
303# /data partition is F2FS
304allowxperm domain { file_type sdcard_type }:file ioctl {
305  F2FS_IOC_ABORT_VOLATILE_WRITE
306  F2FS_IOC_COMMIT_ATOMIC_WRITE
307  F2FS_IOC_GET_FEATURES
308  F2FS_IOC_GET_PIN_FILE
309  F2FS_IOC_SET_PIN_FILE
310  F2FS_IOC_START_ATOMIC_WRITE
311};
312
313# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
314# when it's not explicitly used in allow rules
315allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
316# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
317# when it's not explicitly used in allow rules
318allow { domain -domain } vndservice_manager_type:service_manager { add find };
319
320# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
321with_asan(`allow domain system_data_file:dir getattr;')
322# Under ASAN, /system/asan.options needs to be globally accessible.
323with_asan(`allow domain system_asan_options_file:file r_file_perms;')
324
325# read APEX dir and stat any symlink pointing to APEXs.
326allow domain apex_mnt_dir:dir { getattr search };
327allow domain apex_mnt_dir:lnk_file r_file_perms;
328
329###
330### neverallow rules
331###
332
333# All ioctls on file-like objects (except chr_file and blk_file) and
334# sockets must be restricted to a whitelist.
335neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
336
337# b/68014825 and https://android-review.googlesource.com/516535
338# rfc6093 says that processes should not use the TCP urgent mechanism
339neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
340
341# TIOCSTI is only ever used for exploits. Block it.
342# b/33073072, b/7530569
343# http://www.openwall.com/lists/oss-security/2016/09/26/14
344neverallowxperm * devpts:chr_file ioctl TIOCSTI;
345
346# Do not allow any domain other than init to create unlabeled files.
347neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
348
349# Limit device node creation to these whitelisted domains.
350neverallow {
351  domain
352  -kernel
353  -init
354  -ueventd
355  -vold
356} self:global_capability_class_set mknod;
357
358# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
359neverallow * self:memprotect mmap_zero;
360
361# No domain needs mac_override as it is unused by SELinux.
362neverallow * self:global_capability2_class_set mac_override;
363
364# Disallow attempts to set contexts not defined in current policy
365# This helps guarantee that unknown or dangerous contents will not ever
366# be set.
367neverallow * self:global_capability2_class_set mac_admin;
368
369# Once the policy has been loaded there shall be none to modify the policy.
370# It is sealed.
371neverallow * kernel:security load_policy;
372
373# Only init prior to switching context should be able to set enforcing mode.
374# init starts in kernel domain and switches to init domain via setcon in
375# the init.rc, so the setenforce occurs while still in kernel. After
376# switching domains, there is never any need to setenforce again by init.
377neverallow * kernel:security setenforce;
378neverallow { domain -kernel } kernel:security setcheckreqprot;
379
380# No booleans in AOSP policy, so no need to ever set them.
381neverallow * kernel:security setbool;
382
383# Adjusting the AVC cache threshold.
384# Not presently allowed to anything in policy, but possibly something
385# that could be set from init.rc.
386neverallow { domain -init } kernel:security setsecparam;
387
388# Only init, ueventd, shell and system_server should be able to access HW RNG
389neverallow {
390  domain
391  -init
392  -shell # For CTS and is restricted to getattr in shell.te
393  -system_server
394  -ueventd
395} hw_random_device:chr_file *;
396# b/78174219 b/64114943
397neverallow {
398  domain
399  -shell # stat of /dev, getattr only
400  -ueventd
401} keychord_device:chr_file *;
402
403# Ensure that all entrypoint executables are in exec_type or postinstall_file.
404neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
405
406# The dynamic linker always calls access(2) on the path. Don't generate SElinux
407# denials since the linker does not actually access the path in case the path
408# does not exist or isn't accessible for the process.
409dontaudit domain postinstall_mnt_dir:dir audit_access;
410
411#Ensure that nothing in userspace can access /dev/port
412neverallow {
413  domain
414  -shell # Shell user should not have any abilities outside of getattr
415  -ueventd
416} port_device:chr_file *;
417neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
418# Only init should be able to configure kernel usermodehelpers or
419# security-sensitive proc settings.
420neverallow { domain -init } usermodehelper:file { append write };
421neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
422neverallow { domain -init -vendor_init } proc_security:file { append open read write };
423
424# Nobody is allowed to make binder calls into init.
425# Only servicemanager may transfer binder references to init
426# vendor_init shouldn't use binder at all.
427neverallow * init:binder ~{ transfer };
428neverallow { domain -servicemanager } init:binder { transfer };
429neverallow * vendor_init:binder *;
430
431# Don't allow raw read/write/open access to block_device
432# Rather force a relabel to a more specific type
433neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
434
435# Do not allow renaming of block files or character files
436# Ability to do so can lead to possible use in an exploit chain
437# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
438neverallow * *:{ blk_file chr_file } rename;
439
440# Don't allow raw read/write/open access to generic devices.
441# Rather force a relabel to a more specific type.
442neverallow domain device:chr_file { open read write };
443
444# Files from cache should never be executed
445neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
446
447# Protect most domains from executing arbitrary content from /data.
448neverallow {
449  domain
450  -appdomain
451} {
452  data_file_type
453  -dalvikcache_data_file
454  -system_data_file # shared libs in apks
455  -apk_data_file
456}:file no_x_file_perms;
457
458# The test files and executables MUST not be accessible to any domain
459neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
460neverallow domain nativetest_data_file:dir no_w_dir_perms;
461neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
462
463# Only the init property service should write to /data/property and /dev/__properties__
464neverallow { domain -init } property_data_file:dir no_w_dir_perms;
465neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
466neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
467neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
468neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
469
470# Nobody should be doing writes to /system & /vendor
471# These partitions are intended to be read-only and must never be
472# modified. Doing so would violate important Android security guarantees
473# and invalidate dm-verity signatures.
474neverallow {
475    domain
476    with_asan(`-asan_extract')
477    recovery_only(`userdebug_or_eng(`-fastbootd')')
478} {
479    system_file_type
480    vendor_file_type
481    exec_type
482}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
483
484neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
485
486# Don't allow mounting on top of /system files or directories
487neverallow * exec_type:dir_file_class_set mounton;
488neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
489
490# Nothing should be writing to files in the rootfs.
491neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
492
493# Restrict context mounts to specific types marked with
494# the contextmount_type attribute.
495neverallow * {fs_type -contextmount_type}:filesystem relabelto;
496
497# Ensure that context mount types are not writable, to ensure that
498# the write to /system restriction above is not bypassed via context=
499# mount to another type.
500neverallow * contextmount_type:dir_file_class_set
501    { create setattr relabelfrom relabelto append link rename };
502neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
503
504# Do not allow service_manager add for default service labels.
505# Instead domains should use a more specific type such as
506# system_app_service rather than the generic type.
507# New service_types are defined in {,hw,vnd}service.te and new mappings
508# from service name to service_type are defined in {,hw,vnd}service_contexts.
509neverallow * default_android_service:service_manager add;
510neverallow * default_android_vndservice:service_manager { add find };
511neverallow * default_android_hwservice:hwservice_manager { add find };
512
513# Looking up the base class/interface of all HwBinder services is a bad idea.
514# hwservicemanager currently offer such lookups only to make it so that security
515# decisions are expressed in SELinux policy. However, it's unclear whether this
516# lookup has security implications. If it doesn't, hwservicemanager should be
517# modified to not offer this lookup.
518# This rule can be removed if hwservicemanager is modified to not permit these
519# lookups.
520neverallow * hidl_base_hwservice:hwservice_manager find;
521
522# Require that domains explicitly label unknown properties, and do not allow
523# anyone but init to modify unknown properties.
524neverallow { domain -init -vendor_init } default_prop:property_service set;
525neverallow { domain -init -vendor_init } mmc_prop:property_service set;
526
527compatible_property_only(`
528    neverallow { domain -init } default_prop:property_service set;
529    neverallow { domain -init } mmc_prop:property_service set;
530    neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
531    neverallow { domain -init } exported_secure_prop:property_service set;
532    neverallow { domain -init } exported2_default_prop:property_service set;
533    neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
534    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
535')
536
537# Only core domains are allowed to access package_manager properties
538neverallow { domain -init -system_server } pm_prop:property_service set;
539neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
540
541compatible_property_only(`
542    neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
543    neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
544')
545
546# Do not allow reading device's serial number from system properties except form
547# a few whitelisted domains.
548neverallow {
549  domain
550  -adbd
551  -dumpstate
552  -fastbootd
553  -hal_camera_server
554  -hal_cas_server
555  -hal_drm_server
556  -init
557  -mediadrmserver
558  -recovery
559  -shell
560  -system_server
561  -vendor_init
562} serialno_prop:file r_file_perms;
563
564# Do not allow reading the last boot timestamp from system properties
565neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
566
567neverallow {
568  domain
569  -init
570  -recovery
571  -system_server
572  -shell # Shell is further restricted in shell.te
573  -ueventd # Further restricted in ueventd.te
574} frp_block_device:blk_file no_rw_file_perms;
575
576# The metadata block device is set aside for device encryption and
577# verified boot metadata. It may be reset at will and should not
578# be used by other domains.
579neverallow {
580  domain
581  -init
582  -recovery
583  -vold
584  -e2fs
585  -fsck
586  -fastbootd
587} metadata_block_device:blk_file { append link rename write open read ioctl lock };
588
589# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
590neverallow {
591  domain
592  -fastbootd
593  userdebug_or_eng(`-fsck')
594  userdebug_or_eng(`-init')
595  -recovery
596  -update_engine
597} system_block_device:blk_file { write append };
598
599# No domains other than a select few can access the misc_block_device. This
600# block device is reserved for OTA use.
601# Do not assert this rule on userdebug/eng builds, due to some devices using
602# this partition for testing purposes.
603neverallow {
604  domain
605  userdebug_or_eng(`-domain') # exclude debuggable builds
606  -fastbootd
607  -hal_bootctl_server
608  -init
609  -uncrypt
610  -update_engine
611  -vendor_init
612  -vendor_misc_writer
613  -vold
614  -recovery
615  -ueventd
616} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
617
618# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
619neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
620# The service managers are only allowed to access their own device node
621neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
622neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
623neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
624neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
625neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
626neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
627
628# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
629# domain apps need this because Android framework offers many of its services to apps as Binder
630# services.
631full_treble_only(`
632  neverallow {
633    domain
634    -coredomain
635    -appdomain
636    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
637  } binder_device:chr_file rw_file_perms;
638')
639
640# libcutils can probe for /dev/binder permissions with access(). Ignore
641# generated denials. See b/129073672 for details.
642dontaudit domain binder_device:chr_file audit_access;
643
644full_treble_only(`
645  neverallow {
646    domain
647    -coredomain
648    -appdomain # restrictions for vendor apps are declared lower down
649    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
650  } service_manager_type:service_manager find;
651')
652full_treble_only(`
653  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
654  # services which can change any time framework/core is updated, breakage is likely.
655  neverallow {
656    appdomain
657    -coredomain
658  } {
659    service_manager_type
660    -app_api_service
661    -ephemeral_app_api_service
662    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
663    -cameraserver_service
664    -drmserver_service
665    -keystore_service
666    -mediadrmserver_service
667    -mediaextractor_service
668    -mediametrics_service
669    -mediaserver_service
670    -nfc_service
671    -radio_service
672    -virtual_touchpad_service
673    -vr_hwc_service
674    -vr_manager_service
675  }:service_manager find;
676')
677full_treble_only(`
678  neverallow {
679    domain
680    -coredomain
681    -appdomain
682    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
683  } servicemanager:binder { call transfer };
684')
685
686# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
687full_treble_only(`
688  neverallow {
689    coredomain
690    -shell
691    userdebug_or_eng(`-su')
692    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
693  } vndbinder_device:chr_file rw_file_perms;
694')
695full_treble_only(`
696  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
697')
698full_treble_only(`
699  neverallow {
700    coredomain
701    -shell
702    userdebug_or_eng(`-su')
703  } vndservice_manager_type:service_manager *;
704')
705full_treble_only(`
706  neverallow {
707    coredomain
708    -shell
709    userdebug_or_eng(`-su')
710  } vndservicemanager:binder *;
711')
712
713# On full TREBLE devices, socket communications between core components and vendor components are
714# not permitted.
715  # Most general rules first, more specific rules below.
716
717  # Core domains are not permitted to initiate communications to vendor domain sockets.
718  # We are not restricting the use of already established sockets because it is fine for a process
719  # to obtain an already established socket via some public/official/stable API and then exchange
720  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
721  # and thus does not break the core-vendor separation.
722full_treble_only(`
723  neverallow_establish_socket_comms({
724    coredomain
725    -init
726    -adbd
727  }, {
728    domain
729    -coredomain
730    -socket_between_core_and_vendor_violators
731  });
732')
733  # Vendor domains are not permitted to initiate communications to core domain sockets
734full_treble_only(`
735  neverallow_establish_socket_comms({
736    domain
737    -coredomain
738    -appdomain
739    -socket_between_core_and_vendor_violators
740  }, {
741    coredomain
742    -logd # Logging by writing to logd Unix domain socket is public API
743    -netd # netdomain needs this
744    -mdnsd # netdomain needs this
745    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
746    -init
747    -tombstoned # linker to tombstoned
748    userdebug_or_eng('-heapprofd`)
749  });
750')
751
752  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
753full_treble_only(`
754  neverallow_establish_socket_comms({
755    domain
756    -coredomain
757    -netdomain
758    -socket_between_core_and_vendor_violators
759  }, netd);
760')
761
762  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
763full_treble_only(`
764  neverallow {
765    domain
766    -coredomain
767    -appdomain # appdomain restrictions below
768    -data_between_core_and_vendor_violators # b/70393317
769    -socket_between_core_and_vendor_violators
770    -vendor_init
771  } {
772    coredomain_socket
773    core_data_file_type
774    unlabeled # used only by core domains
775  }:sock_file ~{ append getattr ioctl read write };
776')
777full_treble_only(`
778  neverallow {
779    appdomain
780    -coredomain
781  } {
782    coredomain_socket
783    unlabeled # used only by core domains
784    core_data_file_type
785    -app_data_file
786    -privapp_data_file
787    -pdx_endpoint_socket_type # used by VR layer
788    -pdx_channel_socket_type # used by VR layer
789  }:sock_file ~{ append getattr ioctl read write };
790')
791
792  # Core domains are not permitted to create/open sockets owned by vendor domains
793full_treble_only(`
794  neverallow {
795    coredomain
796    -init
797    -ueventd
798    -socket_between_core_and_vendor_violators
799  } {
800    file_type
801    dev_type
802    -coredomain_socket
803    -core_data_file_type
804    -unlabeled
805  }:sock_file ~{ append getattr ioctl read write };
806')
807
808# On TREBLE devices, vendor and system components are only allowed to share
809# files by passing open FDs over hwbinder. Ban all directory access and all file
810# accesses other than what can be applied to an open FD such as
811# ioctl/stat/read/write/append. This is enforced by segregating /data.
812# Vendor domains may directly access file in /data/vendor by path, but may only
813# access files outside of /data/vendor via an open FD passed over hwbinder.
814# Likewise, core domains may only directly access files outside /data/vendor by
815# path and files in /data/vendor by open FD.
816full_treble_only(`
817  # only coredomains may only access core_data_file_type, particularly not
818  # /data/vendor
819  neverallow {
820    coredomain
821    -appdomain # TODO(b/34980020) remove exemption for appdomain
822    -data_between_core_and_vendor_violators
823    -init
824    -vold_prepare_subdirs
825  } {
826    data_file_type
827    -core_data_file_type
828  }:file_class_set ~{ append getattr ioctl read write map };
829')
830full_treble_only(`
831  neverallow {
832    coredomain
833    -appdomain # TODO(b/34980020) remove exemption for appdomain
834    -data_between_core_and_vendor_violators
835    -init
836    -vold_prepare_subdirs
837    } {
838      data_file_type
839      -core_data_file_type
840      # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
841      # neverallow. Currently only getattr and search are allowed.
842      -vendor_data_file
843    }:dir *;
844
845')
846full_treble_only(`
847  # vendor domains may only access files in /data/vendor, never core_data_file_types
848  neverallow {
849    domain
850    -appdomain # TODO(b/34980020) remove exemption for appdomain
851    -coredomain
852    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
853    -vendor_init
854  } {
855    core_data_file_type
856    # libc includes functions like mktime and localtime which attempt to access
857    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
858    # These functions are considered vndk-stable and thus must be allowed for
859    # all processes.
860    -zoneinfo_data_file
861    with_native_coverage(`-method_trace_data_file')
862  }:file_class_set ~{ append getattr ioctl read write map };
863  neverallow {
864    vendor_init
865    -data_between_core_and_vendor_violators
866  } {
867    core_data_file_type
868    -unencrypted_data_file
869    -zoneinfo_data_file
870    with_native_coverage(`-method_trace_data_file')
871  }:file_class_set ~{ append getattr ioctl read write map };
872  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
873  # The vendor init binary lives on the system partition so there is not a concern with stability.
874  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
875')
876full_treble_only(`
877  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
878  neverallow {
879    domain
880    -appdomain # TODO(b/34980020) remove exemption for appdomain
881    -coredomain
882    -data_between_core_and_vendor_violators
883    -vendor_init
884  } {
885    core_data_file_type
886    -system_data_file # default label for files on /data. Covered below...
887    -vendor_data_file
888    -zoneinfo_data_file
889    with_native_coverage(`-method_trace_data_file')
890  }:dir *;
891  neverallow {
892    vendor_init
893    -data_between_core_and_vendor_violators
894  } {
895    core_data_file_type
896    -unencrypted_data_file
897    -system_data_file
898    -vendor_data_file
899    -zoneinfo_data_file
900    with_native_coverage(`-method_trace_data_file')
901  }:dir *;
902  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
903  # The vendor init binary lives on the system partition so there is not a concern with stability.
904  neverallow vendor_init unencrypted_data_file:dir ~search;
905')
906full_treble_only(`
907  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
908  neverallow {
909    domain
910    -appdomain # TODO(b/34980020) remove exemption for appdomain
911    -coredomain
912    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
913    } {
914      system_data_file # default label for files on /data. Covered below
915    }:dir ~{ getattr search };
916')
917
918full_treble_only(`
919  #  coredomains may not access dirs in /data/vendor.
920  neverallow {
921    coredomain
922    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
923    -init
924    -vold # vold creates per-user storage for both system and vendor
925    -vold_prepare_subdirs
926    } {
927      vendor_data_file # default label for files on /data. Covered below
928    }:dir ~{ getattr search };
929')
930
931full_treble_only(`
932  #  coredomains may not access dirs in /data/vendor.
933  neverallow {
934    coredomain
935    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
936    -init
937    } {
938      vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
939    }:file_class_set ~{ append getattr ioctl read write map };
940')
941
942full_treble_only(`
943    # Non-vendor domains are not allowed to file execute shell
944    # from vendor
945    neverallow {
946        coredomain
947        -init
948        -shell
949    } vendor_shell_exec:file { execute execute_no_trans };
950')
951
952full_treble_only(`
953    # Do not allow vendor components to execute files from system
954    # except for the ones whitelist here.
955    neverallow {
956        domain
957        -coredomain
958        -appdomain
959        -vendor_executes_system_violators
960        -vendor_init
961    } {
962        system_file_type
963        -system_lib_file
964        -system_linker_exec
965        -crash_dump_exec
966        -netutils_wrapper_exec
967        userdebug_or_eng(`-tcpdump_exec')
968    }:file { entrypoint execute execute_no_trans };
969')
970
971full_treble_only(`
972    # Do not allow system components to execute files from vendor
973    # except for the ones whitelisted here.
974    neverallow {
975      coredomain
976      -init
977      -shell
978      -system_executes_vendor_violators
979    } {
980      vendor_file_type
981      -same_process_hal_file
982      -vndk_sp_file
983      -vendor_app_file
984      -vendor_public_lib_file
985    }:file execute;
986')
987
988full_treble_only(`
989    neverallow {
990      coredomain
991      -shell
992      -system_executes_vendor_violators
993    } {
994      vendor_file_type
995      -same_process_hal_file
996    }:file execute_no_trans;
997')
998
999full_treble_only(`
1000  # Do not allow system components access to /vendor files except for the
1001  # ones whitelisted here.
1002  neverallow {
1003    coredomain
1004    # TODO(b/37168747): clean up fwk access to /vendor
1005    -crash_dump
1006    -init # starts vendor executables
1007    -kernel # loads /vendor/firmware
1008    userdebug_or_eng(`-perfprofd')
1009    userdebug_or_eng(`-heapprofd')
1010    -shell
1011    -system_executes_vendor_violators
1012    -ueventd # reads /vendor/ueventd.rc
1013  } {
1014    vendor_file_type
1015    -same_process_hal_file
1016    -vendor_app_file
1017    -vendor_configs_file
1018    -vendor_framework_file
1019    -vendor_idc_file
1020    -vendor_keychars_file
1021    -vendor_keylayout_file
1022    -vendor_overlay_file
1023    -vendor_public_lib_file
1024    -vendor_task_profiles_file
1025    -vndk_sp_file
1026  }:file *;
1027')
1028
1029full_treble_only(`
1030  # Do not allow vendor components access to /system files except for the
1031  # ones whitelisted here.
1032  neverallow {
1033    domain
1034    -appdomain
1035    -coredomain
1036    -vendor_executes_system_violators
1037    # vendor_init needs access to init_exec for domain transition. vendor_init
1038    # neverallows are covered in public/vendor_init.te
1039    -vendor_init
1040  } {
1041    system_file_type
1042    -crash_dump_exec
1043    -file_contexts_file
1044    -netutils_wrapper_exec
1045    -property_contexts_file
1046    -system_event_log_tags_file
1047    -system_lib_file
1048    with_asan(`-system_asan_options_file')
1049    -system_linker_exec
1050    -system_linker_config_file
1051    -system_seccomp_policy_file
1052    -system_security_cacerts_file
1053    -system_zoneinfo_file
1054    -task_profiles_file
1055    userdebug_or_eng(`-tcpdump_exec')
1056  }:file *;
1057')
1058
1059# Only system_server should be able to send commands via the zygote socket
1060neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
1061neverallow { domain -system_server } zygote_socket:sock_file write;
1062
1063neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
1064neverallow { domain -system_server } webview_zygote:sock_file write;
1065neverallow { domain -system_server } app_zygote:sock_file write;
1066
1067neverallow {
1068  domain
1069  -tombstoned
1070  -crash_dump
1071  -dumpstate
1072  -incidentd
1073  -system_server
1074
1075  # Processes that can't exec crash_dump
1076  -hal_codec2_server
1077  -hal_omx_server
1078  -mediaextractor
1079} tombstoned_crash_socket:unix_stream_socket connectto;
1080
1081# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
1082# the tombstoned intercept socket.
1083neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
1084neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
1085
1086# Android does not support System V IPCs.
1087#
1088# The reason for this is due to the fact that, by design, they lead to global
1089# kernel resource leakage.
1090#
1091# For example, there is no way to automatically release a SysV semaphore
1092# allocated in the kernel when:
1093#
1094# - a buggy or malicious process exits
1095# - a non-buggy and non-malicious process crashes or is explicitly killed.
1096#
1097# Killing processes automatically to make room for new ones is an
1098# important part of Android's application lifecycle implementation. This means
1099# that, even assuming only non-buggy and non-malicious code, it is very likely
1100# that over time, the kernel global tables used to implement SysV IPCs will fill
1101# up.
1102neverallow * *:{ shm sem msg msgq } *;
1103
1104# Do not mount on top of symlinks, fifos, or sockets.
1105# Feature parity with Chromium LSM.
1106neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
1107
1108# Nobody should be able to execute su on user builds.
1109# On userdebug/eng builds, only dumpstate, shell, and
1110# su itself execute su.
1111neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
1112
1113# Do not allow the introduction of new execmod rules. Text relocations
1114# and modification of executable pages are unsafe.
1115# The only exceptions are for NDK text relocations associated with
1116# https://code.google.com/p/android/issues/detail?id=23203
1117# which, long term, need to go away.
1118neverallow * {
1119  file_type
1120  -apk_data_file
1121  -app_data_file
1122  -asec_public_file
1123}:file execmod;
1124
1125# Do not allow making the stack or heap executable.
1126# We would also like to minimize execmem but it seems to be
1127# required by some device-specific service domains.
1128neverallow * self:process { execstack execheap };
1129
1130# Do not allow the introduction of new execmod rules. Text relocations
1131# and modification of executable pages are unsafe.
1132neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
1133
1134neverallow { domain -init } proc:{ file dir } mounton;
1135
1136# Ensure that all types assigned to processes are included
1137# in the domain attribute, so that all allow and neverallow rules
1138# written on domain are applied to all processes.
1139# This is achieved by ensuring that it is impossible to transition
1140# from a domain to a non-domain type and vice versa.
1141# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
1142neverallow ~domain domain:process { transition dyntransition };
1143
1144#
1145# Only system_app and system_server should be creating or writing
1146# their files. The proper way to share files is to setup
1147# type transitions to a more specific type or assigning a type
1148# to its parent directory via a file_contexts entry.
1149# Example type transition:
1150#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
1151#
1152neverallow {
1153  domain
1154  -system_server
1155  -system_app
1156  -init
1157  -installd # for relabelfrom and unlink, check for this in explicit neverallow
1158  -vold_prepare_subdirs # For unlink
1159  with_asan(`-asan_extract')
1160} system_data_file:file no_w_file_perms;
1161# do not grant anything greater than r_file_perms and relabelfrom unlink
1162# to installd
1163neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
1164
1165# respect system_app sandboxes
1166neverallow {
1167  domain
1168  -appdomain # finer-grained rules for appdomain are listed below
1169  -system_server #populate com.android.providers.settings/databases/settings.db.
1170  -installd # creation of app sandbox
1171  -traced_probes # resolve inodes for i/o tracing.
1172                 # only needs open and read, the rest is neverallow in
1173                 # traced_probes.te.
1174} system_app_data_file:dir_file_class_set { create unlink open };
1175neverallow {
1176  isolated_app
1177  untrusted_app_all # finer-grained rules for appdomain are listed below
1178  ephemeral_app
1179  priv_app
1180} system_app_data_file:dir_file_class_set { create unlink open };
1181
1182#
1183# Only these domains should transition to shell domain. This domain is
1184# permissible for the "shell user". If you need a process to exec a shell
1185# script with differing privilege, define a domain and set up a transition.
1186#
1187neverallow {
1188  domain
1189  -adbd
1190  -init
1191  -runas
1192  -zygote
1193} shell:process { transition dyntransition };
1194
1195# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
1196# attribute.
1197neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
1198  appdomain -shell userdebug_or_eng(`-su')
1199}:process { transition dyntransition };
1200
1201# Minimize read access to shell- or app-writable symlinks.
1202# This is to prevent malicious symlink attacks.
1203neverallow {
1204  domain
1205  -appdomain
1206  -installd
1207} { app_data_file privapp_data_file }:lnk_file read;
1208
1209neverallow {
1210  domain
1211  -shell
1212  userdebug_or_eng(`-uncrypt')
1213  -installd
1214} shell_data_file:lnk_file read;
1215
1216# In addition to the symlink reading restrictions above, restrict
1217# write access to shell owned directories. The /data/local/tmp
1218# directory is untrustworthy, and non-whitelisted domains should
1219# not be trusting any content in those directories.
1220neverallow {
1221  domain
1222  -adbd
1223  -dumpstate
1224  -installd
1225  -init
1226  -shell
1227  -vold
1228} shell_data_file:dir no_w_dir_perms;
1229
1230neverallow {
1231  domain
1232  -adbd
1233  -appdomain
1234  -dumpstate
1235  -init
1236  -installd
1237  -simpleperf_app_runner
1238  -system_server # why?
1239  userdebug_or_eng(`-uncrypt')
1240} shell_data_file:dir { open search };
1241
1242# Same as above for /data/local/tmp files. We allow shell files
1243# to be passed around by file descriptor, but not directly opened.
1244neverallow {
1245  domain
1246  -adbd
1247  -appdomain
1248  -dumpstate
1249  -installd
1250  userdebug_or_eng(`-uncrypt')
1251} shell_data_file:file open;
1252
1253# servicemanager and vndservicemanager are the only processes which handle the
1254# service_manager list request
1255neverallow * ~{
1256    servicemanager
1257    vndservicemanager
1258    }:service_manager list;
1259
1260# hwservicemanager is the only process which handles hw list requests
1261neverallow * ~{
1262    hwservicemanager
1263    }:hwservice_manager list;
1264
1265# only service_manager_types can be added to service_manager
1266# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
1267
1268# Prevent assigning non property types to properties
1269# TODO - rework this: neverallow * ~property_type:property_service set;
1270
1271# Domain types should never be assigned to any files other
1272# than the /proc/pid files associated with a process. The
1273# executable file used to enter a domain should be labeled
1274# with its own _exec type, not with the domain type.
1275# Conventionally, this looks something like:
1276# $ cat mydaemon.te
1277# type mydaemon, domain;
1278# type mydaemon_exec, exec_type, file_type;
1279# init_daemon_domain(mydaemon)
1280# $ grep mydaemon file_contexts
1281# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
1282neverallow * domain:file { execute execute_no_trans entrypoint };
1283
1284# Do not allow access to the generic debugfs label. This is too broad.
1285# Instead, if access to part of debugfs is desired, it should have a
1286# more specific label.
1287# TODO: fix dumpstate
1288neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
1289
1290# Do not allow executable files in debugfs.
1291neverallow domain debugfs_type:file { execute execute_no_trans };
1292
1293# Profiles contain untrusted data and profman parses that. We should only run
1294# in from installd forked processes.
1295neverallow {
1296  domain
1297  -installd
1298  -profman
1299} profman_exec:file no_x_file_perms;
1300
1301# Enforce restrictions on kernel module origin.
1302# Do not allow kernel module loading except from system,
1303# vendor, and boot partitions.
1304neverallow * ~{ system_file vendor_file rootfs }:system module_load;
1305
1306# Only allow filesystem caps to be set at build time. Runtime changes
1307# to filesystem capabilities are not permitted.
1308neverallow * self:global_capability_class_set setfcap;
1309
1310# Enforce AT_SECURE for executing crash_dump.
1311neverallow domain crash_dump:process noatsecure;
1312
1313# Do not permit non-core domains to register HwBinder services which are
1314# guaranteed to be provided by core domains only.
1315neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
1316
1317# Do not permit the registeration of HwBinder services which are guaranteed to
1318# be passthrough only (i.e., run in the process of their clients instead of a
1319# separate server process).
1320neverallow * same_process_hwservice:hwservice_manager add;
1321
1322# On TREBLE devices, most coredomains should not access vendor_files.
1323# TODO(b/71553434): Remove exceptions here.
1324full_treble_only(`
1325  neverallow {
1326    coredomain
1327    -appdomain
1328    -bootanim
1329    -crash_dump
1330    -init
1331    -kernel
1332    -perfprofd
1333    -heapprofd
1334    -ueventd
1335  } vendor_file:file { no_w_file_perms no_x_file_perms open };
1336')
1337
1338# If an already existing file is opened with O_CREAT, the kernel might generate
1339# a false report of a create denial. Silence these denials and make sure that
1340# inappropriate permissions are not granted.
1341
1342# These filesystems don't allow files or directories to be created, so the permission
1343# to do so should never be granted.
1344neverallow domain {
1345  proc_type
1346  sysfs_type
1347}:dir { add_name create link remove_name rename reparent rmdir write };
1348
1349# cgroupfs directories can be created, but not files within them.
1350neverallow domain cgroup:file create;
1351
1352dontaudit domain proc_type:dir write;
1353dontaudit domain sysfs_type:dir write;
1354dontaudit domain cgroup:file create;
1355
1356# These are only needed in permissive mode - in enforcing mode the
1357# directory write check fails and so these are never attempted.
1358userdebug_or_eng(`
1359  dontaudit domain proc_type:dir add_name;
1360  dontaudit domain sysfs_type:dir add_name;
1361  dontaudit domain proc_type:file create;
1362  dontaudit domain sysfs_type:file create;
1363')
1364
1365# Platform must not have access to /mnt/vendor.
1366neverallow {
1367  coredomain
1368  -init
1369  -ueventd
1370  -vold
1371  -system_writes_mnt_vendor_violators
1372} mnt_vendor_file:dir *;
1373
1374# Only apps are allowed access to vendor public libraries.
1375full_treble_only(`
1376  neverallow {
1377    coredomain
1378    -appdomain
1379  } vendor_public_lib_file:file { execute execute_no_trans };
1380')
1381
1382# Vendor domian must not have access to /mnt/product.
1383neverallow {
1384  domain
1385  -coredomain
1386} mnt_product_file:dir *;
1387
1388# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
1389full_treble_only(`
1390  neverallow {
1391    coredomain
1392    -healthd
1393    -shell
1394    # Generate uevents for health info
1395    -ueventd
1396    # Recovery uses health HAL passthrough implementation.
1397    -recovery
1398    # Charger uses health HAL passthrough implementation.
1399    -charger
1400    # TODO(b/110891300): remove this exception
1401    -incidentd
1402  } sysfs_batteryinfo:file { open read };
1403')
1404
1405neverallow {
1406  domain
1407  -hal_codec2_server
1408  -hal_omx_server
1409} hal_codec2_hwservice:hwservice_manager add;
1410
1411