# ==============================================
# MTK Policy Rule
# ==============================================

# Rules for all domains.

# Do not allow access to the generic sysfs label. This is too broad.
# Instead, if access to part of sysfs is desired, it should have a
# more specific label.
full_treble_only(`
  # Generic sysfs label. The label is too broad to be handed out as a whole,
  # so the rules below pin down exactly which domains may do what with it;
  # anything else must go through a narrower sysfs_* label.

  # Nothing labelled sysfs may be used as a device node, socket or FIFO,
  # by any domain.
  neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;

  # sysfs:file - among core domains only init, ueventd and vold may touch it.
  # NOTE(review): this rule is scoped to coredomain, so vendor domains are
  # not bounded on sysfs:file by this block - confirm that is covered
  # elsewhere.
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
    } sysfs:file *;

  # ...and those three are capped at r_file_perms plus write, setattr,
  # append, relabelfrom and relabelto; anything outside that set is denied.
  neverallow {
    init
    ueventd
    vold
    } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };

  # sysfs:lnk_file - every domain (vendor included) is limited to
  # r_file_perms, except init and ueventd, which may additionally setattr
  # and relabel in either direction.
  neverallow ~{
    init
    ueventd
    } sysfs:lnk_file ~r_file_perms;

  neverallow {
    init
    ueventd
    } sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };

  # sysfs:dir - every domain is limited to r_dir_perms, except init,
  # ueventd and vendor_init, which may additionally relabel, mount on and
  # setattr. vendor_init is only exempted for the dir class, not for
  # file or lnk_file above.
  neverallow ~{
    init
    ueventd
    vendor_init
    } sysfs:dir ~r_dir_perms;

  neverallow {
    init
    ueventd
    vendor_init
    } sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
')


# Do not allow access to the generic proc label. This is too broad.
# Instead, if access to part of proc is desired, it should have a
# more specific label.
# TODO: Remove the mtk_hal_audio / audioserver exemption below once there
# are no violations. The exemption lists in this block also carry bluetooth
# and system_server, for which no rationale is recorded here; each exemption
# puts a core domain back onto the generic proc label. Rationale recorded
# for the audio path:
#
#   r_dir_file(hal_audio, proc)
#   hal_server_domain(mtk_hal_audio, hal_audio)
#   hal_client_domain(audioserver, hal_audio)
#
full_treble_only(`
  # Generic proc label. Same idea as sysfs above: access to the generic
  # label is pinned to a short list of domains and everything else must
  # use a narrower proc_* label.

  # Nothing labelled proc may be used as a device node, socket or FIFO,
  # by any domain.
  neverallow * proc:{ chr_file blk_file sock_file fifo_file } *;

  # proc:file - among core domains only the five listed may touch it.
  # NOTE(review): the TODO above records a rationale for audioserver only;
  # bluetooth and system_server are exempted as well with no recorded
  # reason. Scoped to coredomain, so vendor domains other than vendor_init
  # (bounded below) are not constrained on proc:file by this block.
  neverallow {
    coredomain
    -audioserver
    -bluetooth
    -init
    -system_server
    -vold
    } proc:file *;

  # ...and those five are limited to r_file_perms.
  neverallow {
    audioserver
    bluetooth
    init
    system_server
    vold
    } proc:file ~r_file_perms;

  # vendor_init: read, setattr, map and open only.
  neverallow vendor_init proc:file ~{ read setattr map open };

  # proc:lnk_file - core domains get read and getattr only, except the four
  # listed, which are limited to r_file_perms. vold is not exempted here,
  # unlike for proc:file above.
  neverallow {
    coredomain
    -audioserver
    -bluetooth
    -init
    -system_server
    } proc:lnk_file ~{ read getattr };

  neverallow {
    audioserver
    bluetooth
    init
    system_server
    } proc:lnk_file ~r_file_perms;

  # proc:dir - every domain (vendor included) is limited to r_file_perms
  # plus search, except init and vendor_init, which may additionally
  # setattr.
  neverallow ~{
    init
    vendor_init
    } proc:dir ~{ r_file_perms search };

  neverallow {
    init
    vendor_init
    } proc:dir ~{ r_file_perms search setattr };
')


# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
full_treble_only(`
  # Generic debugfs label. Every rule in this block applies to all domains,
  # vendor included; the only domains allowed anywhere near the generic
  # label are init, vendor_init and (files only) dumpstate.

  # Nothing labelled debugfs may be used as a device node, socket or FIFO.
  neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;

  # debugfs:file - only dumpstate, init and vendor_init may touch it at all...
  neverallow ~{
    dumpstate
    init
    vendor_init
    } debugfs:file *;

  # ...dumpstate is limited to r_file_perms; init and vendor_init to the
  # explicit sets below. init is the only domain that may relabel.
  neverallow dumpstate debugfs:file ~r_file_perms;

  neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };

  neverallow vendor_init debugfs:file ~{ read setattr open map };

  # debugfs:lnk_file - init only, and even init may only getattr and relabel.
  neverallow ~init debugfs:lnk_file *;

  neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };

  # debugfs:dir - everyone except init and vendor_init gets search and
  # getattr only. dumpstate is deliberately not exempted here: whatever
  # r_file_perms grants it on files, it cannot read (list) a directory
  # carrying the generic label.
  neverallow ~{
    init
    vendor_init
    } debugfs:dir ~{ search getattr };

  neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto };

  neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
')


# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove the merged_hal_service exemption and the like once there are
# no violations. Current exception:
#
#   allow hal_drm system_data_file:file { getattr read };
#   hal_server_domain(merged_hal_service, hal_drm)
#
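full_treble_only(`
  # Generic system_data_file label. Access is pinned down per object class;
  # every domain that is exempted from a catch-all rule gets an explicit,
  # narrower cap further down in the same group.

  # Device nodes, sockets and FIFOs: only init, installd and system_server
  # may touch them at all.
  neverallow ~{
    init
    installd
    system_server
    } system_data_file:{ chr_file blk_file sock_file fifo_file } *;

  # init: relabelto only on device nodes; create/stat/read/relabel/unlink
  # on sockets and FIFOs.
  neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };

  neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };

  # installd: no device nodes at all; sockets and FIFOs may only be
  # stat-ed, relabelled away or unlinked.
  neverallow installd system_data_file:{ chr_file blk_file } *;

  neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };

  # system_server: create_file_perms on symlinks, sockets and FIFOs.
  neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;

  # system_data_file:file - core domains are limited to r_file_perms unless
  # listed here; each listed domain is capped below. Scoped to coredomain,
  # so vendor domains are not bounded on :file by this block (compare the
  # hal_drm TODO above).
  neverallow {
    coredomain
    -appdomain
    -app_zygote
    -init
    -installd
    -iorap_prefetcherd
    -iorap_inode2filename
    -system_server
    -toolbox
    -vold
    -vold_prepare_subdirs
    } system_data_file:file ~r_file_perms;

  # Apps and the app zygote: getattr, read and map only (no open).
  neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };

  # init: create/read/write/unlink/map plus relabel in both directions.
  neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };

  # installd: stat, relabel away, unlink.
  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };

  neverallow iorap_inode2filename system_data_file:file ~getattr;

  neverallow iorap_prefetcherd system_data_file:file ~{ open read };

  # Media domains: read and getattr only - no open, so presumably they are
  # handed already-open fds. If these are core domains (not shown here)
  # the coredomain rule above already holds them to r_file_perms; this
  # tightens it further.
  neverallow {
    mediadrmserver
    mediaextractor
    mediaserver
    } system_data_file:file ~{ read getattr };

  neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };

  neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };

  # vold: read only - not even open or getattr on the generic label.
  neverallow vold system_data_file:file ~read;

  # system_data_file:lnk_file - every domain (vendor included) gets getattr
  # only unless listed here. NOTE(review): of the listed domains, vold and
  # zygote get no narrower cap below, so this block leaves their lnk_file
  # access to the generic label unbounded - confirm that is intended.
  neverallow ~{
    appdomain
    app_zygote
    init
    installd
    iorap_prefetcherd
    iorap_inode2filename
    logd
    rs
    runas
    simpleperf_app_runner
    system_server
    tee
    vold
    webview_zygote
    zygote
    } system_data_file:lnk_file ~getattr;

  neverallow {
    appdomain
    app_zygote
    logd
    webview_zygote
    } system_data_file:lnk_file ~r_file_perms;

  neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };

  neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };

  neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };

  neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };

  neverallow rs system_data_file:lnk_file ~{ read };

  neverallow {
    runas
    simpleperf_app_runner
    tee
    } system_data_file:lnk_file ~{ read getattr };

  neverallow system_server system_data_file:lnk_file ~create_file_perms;

  # system_data_file:dir - every domain gets search and getattr only unless
  # listed here; each listed domain is capped below.
  neverallow ~{
    apexd
    init
    installd
    iorap_prefetcherd
    iorap_inode2filename
    system_server
    toolbox
    traced_probes
    vold
    vold_prepare_subdirs
    zygote
    } system_data_file:dir ~{ search getattr };

  neverallow apexd system_data_file:dir ~r_dir_perms;

  # init: create, populate, relabel (both directions), remove and mounton.
  neverallow init system_data_file:dir ~{
    create search getattr open read setattr ioctl
    mounton
    relabelto
    write add_name remove_name rmdir relabelfrom
    };

  neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };

  # Read and traverse only.
  neverallow {
    iorap_prefetcherd
    iorap_inode2filename
    traced_probes
    } system_data_file:dir ~{ open read search getattr };

  neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };

  neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };

  neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };

  neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };

  neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
')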


# Do not allow access to the generic vendor_data_file label. This is
# too broad.
# Instead, if access to part of vendor_data_file is desired, it should
# have a more specific label.
full_treble_only(`
  # Generic vendor_data_file label. Only init and vendor_init may touch
  # anything in file_class_set carrying this label; vold and
  # vold_prepare_subdirs additionally get bounded directory access.

  neverallow ~{
    init
    vendor_init
    } vendor_data_file:file_class_set *;

  # init / vendor_init caps per class. Device nodes: relabelto only.
  neverallow {
    init
    vendor_init
    } vendor_data_file:{ chr_file blk_file } ~{ relabelto };

  # Sockets and FIFOs: create/stat/open/read/setattr/relabel/unlink.
  neverallow {
    init
    vendor_init
    } vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };

  # Regular files: create/read/write/map/unlink plus relabel both ways.
  neverallow {
    init
    vendor_init
    } vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };

  # Symlinks: create/stat/setattr/relabel/unlink, but no read.
  neverallow {
    init
    vendor_init
    } vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };

  # vendor_data_file:dir - everyone except the four listed gets search and
  # getattr only. NOTE(review): this relies on file_class_set not
  # containing dir (its definition is not in this file); if it did, the
  # first rule above would already deny vold and vold_prepare_subdirs here.
  neverallow ~{
    init
    vendor_init
    vold
    vold_prepare_subdirs
    } vendor_data_file:dir ~{ getattr search };

  neverallow {
    init
    vendor_init
    } vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };

  neverallow vold vendor_data_file:dir ~create_dir_perms;

  neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
')

# Do not allow access to the generic app_data_file label. This is too broad.
# Instead, if access to part of app_data_file is desired, it should have a
# more specific label.
# NOTE: this neverallow, and every one that follows it in this file
# (default_prop, vendor_default_prop, device, socket_device, block_device,
# bootdevice_block_device), is commented out. They record intent only;
# the compiled policy does not enforce any of these restrictions.
#neverallow * app_data_file:dir_file_class_set *;

# Do not allow access to the generic default_prop label. This is too broad.
# Instead, if access to part of default_prop is desired, it should have a
# more specific label.
#neverallow * default_prop:dir_file_class_set *;

# Do not allow access to the generic vendor_default_prop label. This is
# too broad.
# Instead, if access to part of vendor_default_prop is desired, it should
# have a more specific label.
#neverallow * vendor_default_prop:dir_file_class_set *;

# Do not allow access to the generic device label. This is too broad.
# Instead, if access to part of device is desired, it should have a
# more specific label.
#neverallow * device:dir_file_class_set *;

# Do not allow access to the generic socket_device label. This is too broad.
# Instead, if access to part of socket_device is desired, it should have a
# more specific label.
#neverallow * socket_device:dir_file_class_set *;

# Do not allow access to the generic block_device label. This is too broad.
# Instead, if access to part of block_device is desired, it should have a
# more specific label.
#neverallow * block_device:dir_file_class_set *;

# Do not allow access to the generic bootdevice_block_device label. This is
# too broad.
# Instead, if access to part of bootdevice_block_device is desired, it should
# have a more specific label.
#neverallow * bootdevice_block_device:dir_file_class_set *;
