1# Rules for all domains. 2 3# Allow reaping by init. 4allow domain init:process sigchld; 5 6# Intra-domain accesses. 7allow domain self:process { 8 fork 9 sigchld 10 sigkill 11 sigstop 12 signull 13 signal 14 getsched 15 setsched 16 getsession 17 getpgid 18 setpgid 19 getcap 20 setcap 21 getattr 22 setrlimit 23}; 24allow domain self:fd use; 25allow domain proc:dir r_dir_perms; 26allow domain proc_net:dir search; 27r_dir_file(domain, self) 28allow domain self:{ fifo_file file } rw_file_perms; 29allow domain self:unix_dgram_socket { create_socket_perms sendto }; 30allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31 32# Inherit or receive open files from others. 33allow domain init:fd use; 34 35userdebug_or_eng(` 36 allow domain su:fd use; 37 allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown }; 38 allow domain su:unix_dgram_socket sendto; 39 40 allow { domain -init } su:binder { call transfer }; 41 42 # Running something like "pm dump com.android.bluetooth" requires 43 # fifo writes 44 allow domain su:fifo_file { write getattr }; 45 46 # allow "gdbserver --attach" to work for su. 47 allow domain su:process sigchld; 48 49 # Allow writing coredumps to /cores/* 50 allow domain coredump_file:file create_file_perms; 51 allow domain coredump_file:dir ra_dir_perms; 52') 53 54# Root fs. 55allow domain rootfs:dir search; 56allow domain rootfs:lnk_file { read getattr }; 57 58# Device accesses. 59allow domain device:dir search; 60allow domain dev_type:lnk_file r_file_perms; 61allow domain devpts:dir search; 62allow domain socket_device:dir r_dir_perms; 63allow domain owntty_device:chr_file rw_file_perms; 64allow domain null_device:chr_file rw_file_perms; 65allow domain zero_device:chr_file rw_file_perms; 66allow domain ashmem_device:chr_file rw_file_perms; 67# /dev/binder can be accessed by non-vendor domains and by apps 68allow { 69 coredomain 70 appdomain 71 binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 72 -hwservicemanager 73} binder_device:chr_file rw_file_perms; 74# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder 75not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;') 76allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; 77allow domain ptmx_device:chr_file rw_file_perms; 78allow domain alarm_device:chr_file r_file_perms; 79allow domain random_device:chr_file rw_file_perms; 80allow domain proc_random:dir r_dir_perms; 81allow domain proc_random:file r_file_perms; 82allow domain properties_device:dir { search getattr }; 83allow domain properties_serial:file r_file_perms; 84allow domain property_info:file r_file_perms; 85 86# For now, everyone can access core property files 87# Device specific properties are not granted by default 88not_compatible_property(` 89 get_prop(domain, core_property_type) 90 get_prop(domain, exported_dalvik_prop) 91 get_prop(domain, exported_ffs_prop) 92 get_prop(domain, exported_system_radio_prop) 93 get_prop(domain, exported2_config_prop) 94 get_prop(domain, exported2_radio_prop) 95 get_prop(domain, exported2_system_prop) 96 get_prop(domain, exported2_vold_prop) 97 get_prop(domain, exported3_default_prop) 98 get_prop(domain, exported3_radio_prop) 99 get_prop(domain, exported3_system_prop) 100 get_prop(domain, vendor_default_prop) 101') 102compatible_property_only(` 103 get_prop({coredomain appdomain shell}, core_property_type) 104 get_prop({coredomain appdomain shell}, exported_dalvik_prop) 105 get_prop({coredomain appdomain shell}, exported_ffs_prop) 106 get_prop({coredomain appdomain shell}, exported_system_radio_prop) 107 get_prop({coredomain appdomain shell}, exported2_config_prop) 108 get_prop({coredomain appdomain shell}, exported2_radio_prop) 109 get_prop({coredomain appdomain shell}, exported2_system_prop) 110 get_prop({coredomain appdomain shell}, exported2_vold_prop) 111 get_prop({coredomain appdomain shell}, exported3_default_prop) 112 get_prop({coredomain appdomain shell}, exported3_radio_prop) 113 get_prop({coredomain appdomain shell}, exported3_system_prop) 114 userdebug_or_eng(` 115 get_prop(su, core_property_type) 116 get_prop(su, exported_dalvik_prop) 117 get_prop(su, exported_ffs_prop) 118 get_prop(su, exported_system_radio_prop) 119 get_prop(su, exported2_config_prop) 120 get_prop(su, exported2_radio_prop) 121 get_prop(su, exported2_system_prop) 122 get_prop(su, exported2_vold_prop) 123 get_prop(su, exported3_default_prop) 124 get_prop(su, exported3_radio_prop) 125 get_prop(su, exported3_system_prop) 126 ') 127 get_prop({domain -coredomain -appdomain}, vendor_default_prop) 128') 129 130# Public readable properties 131get_prop(domain, debug_prop) 132get_prop(domain, exported_config_prop) 133get_prop(domain, exported_default_prop) 134get_prop(domain, exported_dumpstate_prop) 135get_prop(domain, exported_fingerprint_prop) 136get_prop(domain, exported_radio_prop) 137get_prop(domain, exported_secure_prop) 138get_prop(domain, exported_system_prop) 139get_prop(domain, exported_vold_prop) 140get_prop(domain, exported2_default_prop) 141get_prop(domain, logd_prop) 142 143# Let everyone read log properties, so that liblog can avoid sending unloggable 144# messages to logd. 145get_prop(domain, log_property_type) 146dontaudit domain property_type:file audit_access; 147allow domain property_contexts_file:file r_file_perms; 148 149allow domain init:key search; 150allow domain vold:key search; 151 152# logd access 153write_logd(domain) 154 155# System file accesses. 156allow domain system_file:dir { search getattr }; 157allow domain system_file:file { execute read open getattr map }; 158allow domain system_file:lnk_file { getattr read }; 159 160# Make sure system/vendor split doesn not affect non-treble 161# devices 162not_full_treble(` 163 allow domain vendor_file_type:dir { search getattr }; 164 allow domain vendor_file_type:file { execute read open getattr map }; 165 allow domain vendor_file_type:lnk_file { getattr read }; 166') 167 168# All domains are allowed to open and read directories 169# that contain HAL implementations (e.g. passthrough 170# HALs require clients to have these permissions) 171allow domain vendor_hal_file:dir r_dir_perms; 172 173# Everyone can read and execute all same process HALs 174allow domain same_process_hal_file:dir r_dir_perms; 175allow domain same_process_hal_file:file { execute read open getattr map }; 176 177# Any process can load vndk-sp libraries, which are system libraries 178# used by same process HALs 179allow domain vndk_sp_file:dir r_dir_perms; 180allow domain vndk_sp_file:file { execute read open getattr map }; 181 182# All domains get access to /vendor/etc 183allow domain vendor_configs_file:dir r_dir_perms; 184allow domain vendor_configs_file:file { read open getattr }; 185 186full_treble_only(` 187 # Allow all domains to be able to follow /system/vendor and/or 188 # /vendor/odm symlinks. 189 allow domain vendor_file_type:lnk_file { getattr open read }; 190 191 # This is required to be able to search & read /vendor/lib64 192 # in order to lookup vendor libraries. The execute permission 193 # for coredomains is granted *only* for same process HALs 194 allow domain vendor_file:dir { getattr search }; 195 196 # Allow reading and executing out of /vendor to all vendor domains 197 allow { domain -coredomain } vendor_file_type:dir r_dir_perms; 198 allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; 199 allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; 200') 201 202# read and stat any sysfs symlinks 203allow domain sysfs:lnk_file { getattr read }; 204 205# libc references /data/misc/zoneinfo for timezone related information 206# This directory is considered to be a VNDK-stable 207allow domain zoneinfo_data_file:file r_file_perms; 208allow domain zoneinfo_data_file:dir r_dir_perms; 209 210# Lots of processes access current CPU information 211r_dir_file(domain, sysfs_devices_system_cpu) 212 213r_dir_file(domain, sysfs_usb); 214 215# files under /data. 216not_full_treble(` 217 allow domain system_data_file:dir getattr; 218') 219allow { coredomain appdomain } system_data_file:dir getattr; 220# /data has the label system_data_file. Vendor components need the search 221# permission on system_data_file for path traversal to /data/vendor. 222allow domain system_data_file:dir search; 223# TODO restrict this to non-coredomain 224allow domain vendor_data_file:dir { getattr search }; 225 226# required by the dynamic linker 227allow domain proc:lnk_file { getattr read }; 228 229# /proc/cpuinfo 230allow domain proc_cpuinfo:file r_file_perms; 231 232# jemalloc needs to read /proc/sys/vm/overcommit_memory 233allow domain proc_overcommit_memory:file r_file_perms; 234 235# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate 236allow domain proc_perf:file r_file_perms; 237 238# toybox loads libselinux which stats /sys/fs/selinux/ 239allow domain selinuxfs:dir search; 240allow domain selinuxfs:file getattr; 241allow domain sysfs:dir search; 242allow domain selinuxfs:filesystem getattr; 243 244# For /acct/uid/*/tasks. 245allow domain cgroup:dir { search write }; 246allow domain cgroup:file w_file_perms; 247 248# Almost all processes log tracing information to 249# /sys/kernel/debug/tracing/trace_marker 250# The reason behind this is documented in b/6513400 251allow domain debugfs:dir search; 252allow domain debugfs_tracing:dir search; 253allow domain debugfs_tracing_debug:dir search; 254allow domain debugfs_trace_marker:file w_file_perms; 255 256# Filesystem access. 257allow domain fs_type:filesystem getattr; 258allow domain fs_type:dir getattr; 259 260# Restrict all domains to a allowlist for common socket types. Additional 261# ioctl commands may be added to individual domains, but this sets safe 262# defaults for all processes. Note that granting this allowlist to domain does 263# not grant the ioctl permission on these socket types. That must be granted 264# separately. 265allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } 266 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 267# default allowlist for unix sockets. 268allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } 269 ioctl unpriv_unix_sock_ioctls; 270 271# Restrict PTYs to only allowlisted ioctls. 272# Note that granting this allowlist to domain does 273# not grant the wider ioctl permission. That must be granted 274# separately. 275allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; 276 277# Workaround for policy compiler being too aggressive and removing hwservice_manager_type 278# when it's not explicitly used in allow rules 279allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; 280# Workaround for policy compiler being too aggressive and removing vndservice_manager_type 281# when it's not explicitly used in allow rules 282allow { domain -domain } vndservice_manager_type:service_manager { add find }; 283 284# Under ASAN, processes will try to read /data, as the sanitized libraries are there. 285with_asan(`allow domain system_data_file:dir getattr;') 286 287### 288### neverallow rules 289### 290 291# All socket ioctls must be restricted to a allowlist. 292neverallowxperm domain domain:socket_class_set ioctl { 0 }; 293 294# b/68014825 and https://android-review.googlesource.com/516535 295# rfc6093 says that processes should not use the TCP urgent mechanism 296neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; 297 298# TIOCSTI is only ever used for exploits. Block it. 299# b/33073072, b/7530569 300# http://www.openwall.com/lists/oss-security/2016/09/26/14 301neverallowxperm * devpts:chr_file ioctl TIOCSTI; 302 303# Do not allow any domain other than init to create unlabeled files. 304neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 305 306# Limit device node creation to these allowlisted domains. 307neverallow { 308 domain 309 -kernel 310 -init 311 -ueventd 312 -vold 313} self:global_capability_class_set mknod; 314 315# Limit raw I/O to these allowlisted domains. Do not apply to debug builds. 316neverallow { 317 domain 318 userdebug_or_eng(`-domain') 319 -kernel 320 -init 321 -recovery 322 -ueventd 323 -healthd 324 -uncrypt 325 -tee 326} self:global_capability_class_set sys_rawio; 327 328# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). 329neverallow * self:memprotect mmap_zero; 330 331# No domain needs mac_override as it is unused by SELinux. 332neverallow * self:global_capability2_class_set mac_override; 333 334# Disallow attempts to set contexts not defined in current policy 335# This helps guarantee that unknown or dangerous contents will not ever 336# be set. 337neverallow * self:global_capability2_class_set mac_admin; 338 339# Once the policy has been loaded there shall be none to modify the policy. 340# It is sealed. 341neverallow * kernel:security load_policy; 342 343# Only init prior to switching context should be able to set enforcing mode. 344# init starts in kernel domain and switches to init domain via setcon in 345# the init.rc, so the setenforce occurs while still in kernel. After 346# switching domains, there is never any need to setenforce again by init. 347neverallow * kernel:security setenforce; 348neverallow { domain -kernel } kernel:security setcheckreqprot; 349 350# No booleans in AOSP policy, so no need to ever set them. 351neverallow * kernel:security setbool; 352 353# Adjusting the AVC cache threshold. 354# Not presently allowed to anything in policy, but possibly something 355# that could be set from init.rc. 356neverallow { domain -init } kernel:security setsecparam; 357 358# Only init, ueventd, shell and system_server should be able to access HW RNG 359neverallow { 360 domain 361 -init 362 -shell # For CTS and is restricted to getattr in shell.te 363 -system_server 364 -ueventd 365} hw_random_device:chr_file *; 366# b/78174219 b/64114943 367neverallow { 368 domain 369 -init 370 -shell # stat of /dev, getattr only 371 -vendor_init 372 -ueventd 373} keychord_device:chr_file *; 374 375# Ensure that all entrypoint executables are in exec_type or postinstall_file. 376neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; 377 378# Ensure that nothing in userspace can access /dev/mem or /dev/kmem 379neverallow { 380 domain 381 -shell # For CTS and is restricted to getattr in shell.te 382 -ueventd # Further restricted in ueventd.te 383} kmem_device:chr_file *; 384neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr }; 385 386#Ensure that nothing in userspace can access /dev/port 387neverallow { 388 domain 389 -shell # Shell user should not have any abilities outside of getattr 390 -ueventd 391} port_device:chr_file *; 392neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; 393# Only init should be able to configure kernel usermodehelpers or 394# security-sensitive proc settings. 395neverallow { domain -init } usermodehelper:file { append write }; 396neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; 397neverallow { domain -init -vendor_init } proc_security:file { append open read write }; 398 399# No domain should be allowed to ptrace init. 400neverallow * init:process ptrace; 401 402# Init can't do anything with binder calls. If this neverallow rule is being 403# triggered, it's probably due to a service with no SELinux domain. 404neverallow * init:binder *; 405neverallow * vendor_init:binder *; 406 407# Don't allow raw read/write/open access to block_device 408# Rather force a relabel to a more specific type 409neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; 410 411# Do not allow renaming of block files or character files 412# Ability to do so can lead to possible use in an exploit chain 413# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html 414neverallow * *:{ blk_file chr_file } rename; 415 416# Don't allow raw read/write/open access to generic devices. 417# Rather force a relabel to a more specific type. 418neverallow domain device:chr_file { open read write }; 419 420# Limit what domains can mount filesystems or change their mount flags. 421# sdcard_type / vfat is exempt as a larger set of domains need 422# this capability, including device-specific domains. 423neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; 424 425# 426# Assert that, to the extent possible, we're not loading executable content from 427# outside the rootfs or /system partition except for a few allowlisted domains. 428# 429neverallow { 430 domain 431 -appdomain 432 with_asan(`-asan_extract') 433 -dumpstate 434 -shell 435 userdebug_or_eng(`-su') 436 -webview_zygote 437 -zygote 438 userdebug_or_eng(`-mediaextractor') 439} { 440 file_type 441 -system_file 442 -vendor_file_type 443 -exec_type 444 -postinstall_file 445}:file execute; 446 447neverallow { 448 domain 449 -appdomain # for oemfs 450 -bootanim # for oemfs 451 -recovery # for /tmp/update_binary in tmpfs 452} { fs_type -rootfs }:file execute; 453 454# Files from cache should never be executed 455neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; 456 457# Protect most domains from executing arbitrary content from /data. 458neverallow { 459 domain 460 -appdomain 461} { 462 data_file_type 463 -dalvikcache_data_file 464 -system_data_file # shared libs in apks 465 -apk_data_file 466}:file no_x_file_perms; 467 468# The test files and executables MUST not be accessible to any domain 469neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms; 470neverallow domain nativetest_data_file:dir no_w_dir_perms; 471neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; 472 473# Only the init property service should write to /data/property and /dev/__properties__ 474neverallow { domain -init } property_data_file:dir no_w_dir_perms; 475neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; 476neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; 477neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; 478neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; 479 480# Nobody should be doing writes to /system & /vendor 481# These partitions are intended to be read-only and must never be 482# modified. Doing so would violate important Android security guarantees 483# and invalidate dm-verity signatures. 484neverallow { 485 domain 486 with_asan(`-asan_extract') 487} { 488 system_file 489 vendor_file_type 490 exec_type 491}:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; 492 493neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto; 494 495# Don't allow mounting on top of /system files or directories 496neverallow * exec_type:dir_file_class_set mounton; 497neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton; 498 499# Nothing should be writing to files in the rootfs. 500neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; 501 502# Restrict context mounts to specific types marked with 503# the contextmount_type attribute. 504neverallow * {fs_type -contextmount_type}:filesystem relabelto; 505 506# Ensure that context mount types are not writable, to ensure that 507# the write to /system restriction above is not bypassed via context= 508# mount to another type. 509neverallow * contextmount_type:dir_file_class_set 510 { create write setattr relabelfrom relabelto append unlink link rename }; 511 512# Do not allow service_manager add for default service labels. 513# Instead domains should use a more specific type such as 514# system_app_service rather than the generic type. 515# New service_types are defined in {,hw,vnd}service.te and new mappings 516# from service name to service_type are defined in {,hw,vnd}service_contexts. 517neverallow * default_android_service:service_manager add; 518neverallow * default_android_vndservice:service_manager { add find }; 519neverallow * default_android_hwservice:hwservice_manager { add find }; 520 521# Looking up the base class/interface of all HwBinder services is a bad idea. 522# hwservicemanager currently offer such lookups only to make it so that security 523# decisions are expressed in SELinux policy. However, it's unclear whether this 524# lookup has security implications. If it doesn't, hwservicemanager should be 525# modified to not offer this lookup. 526# This rule can be removed if hwservicemanager is modified to not permit these 527# lookups. 528neverallow * hidl_base_hwservice:hwservice_manager find; 529 530# Require that domains explicitly label unknown properties, and do not allow 531# anyone but init to modify unknown properties. 532neverallow { domain -init -vendor_init } default_prop:property_service set; 533neverallow { domain -init -vendor_init } mmc_prop:property_service set; 534 535compatible_property_only(` 536 neverallow { domain -init } default_prop:property_service set; 537 neverallow { domain -init } mmc_prop:property_service set; 538 neverallow { domain -init -vendor_init } exported_default_prop:property_service set; 539 neverallow { domain -init } exported_secure_prop:property_service set; 540 neverallow { domain -init } exported2_default_prop:property_service set; 541 neverallow { domain -init -vendor_init } exported3_default_prop:property_service set; 542 neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; 543') 544 545# Only core domains are allowed to access package_manager properties 546neverallow { domain -init -system_server } pm_prop:property_service set; 547neverallow { domain -coredomain } pm_prop:file no_rw_file_perms; 548 549compatible_property_only(` 550 neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; 551 neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; 552') 553 554# Do not allow reading device's serial number from system properties except form 555# a few allowlisted domains. 556neverallow { 557 domain 558 -adbd 559 -dumpstate 560 -hal_drm_server 561 -hal_cas_server 562 -init 563 -mediadrmserver 564 -recovery 565 -shell 566 -system_server 567 -vendor_init 568} serialno_prop:file r_file_perms; 569 570# Do not allow reading the last boot timestamp from system properties 571neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms; 572 573neverallow { 574 domain 575 -init 576 -recovery 577 -system_server 578 -shell # Shell is further restricted in shell.te 579 -ueventd # Further restricted in ueventd.te 580} frp_block_device:blk_file no_rw_file_perms; 581 582# The metadata block device is set aside for device encryption and 583# verified boot metadata. It may be reset at will and should not 584# be used by other domains. 585neverallow { 586 domain 587 -init 588 -recovery 589 -vold 590 -e2fs 591 -fsck 592} metadata_block_device:blk_file { append link rename write open read ioctl lock }; 593 594# No domain other than recovery and update_engine can write to system partition(s). 595neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append }; 596 597# No domains other than install_recovery or recovery can write to recovery. 598neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append }; 599 600# No domains other than a select few can access the misc_block_device. This 601# block device is reserved for OTA use. 602# Do not assert this rule on userdebug/eng builds, due to some devices using 603# this partition for testing purposes. 604neverallow { 605 domain 606 userdebug_or_eng(`-domain') # exclude debuggable builds 607 -hal_bootctl_server 608 -init 609 -uncrypt 610 -update_engine 611 -vendor_init 612 -vold 613 -recovery 614 -ueventd 615} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; 616 617# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager 618neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; 619# The service managers are only allowed to access their own device node 620neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; 621neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; 622neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; 623neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; 624neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 625neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 626 627# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core 628# domain apps need this because Android framework offers many of its services to apps as Binder 629# services. 630full_treble_only(` 631 neverallow { 632 domain 633 -coredomain 634 -appdomain 635 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 636 } binder_device:chr_file rw_file_perms; 637') 638full_treble_only(` 639 neverallow { 640 domain 641 -coredomain 642 -appdomain # restrictions for vendor apps are declared lower down 643 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 644 } service_manager_type:service_manager find; 645') 646full_treble_only(` 647 # Vendor apps are permited to use only stable public services. If they were to use arbitrary 648 # services which can change any time framework/core is updated, breakage is likely. 649 neverallow { 650 appdomain 651 -coredomain 652 } { 653 service_manager_type 654 -app_api_service 655 -ephemeral_app_api_service 656 -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed 657 -cameraserver_service 658 -drmserver_service 659 -keystore_service 660 -mediadrmserver_service 661 -mediaextractor_service 662 -mediametrics_service 663 -mediaserver_service 664 -nfc_service 665 -radio_service 666 -virtual_touchpad_service 667 -vr_hwc_service 668 -vr_manager_service 669 }:service_manager find; 670') 671full_treble_only(` 672 neverallow { 673 domain 674 -coredomain 675 -appdomain 676 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 677 } servicemanager:binder { call transfer }; 678') 679 680# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. 681full_treble_only(` 682 neverallow { 683 coredomain 684 -shell 685 userdebug_or_eng(`-su') 686 -ueventd # uevent is granted create for this device, but we still neverallow I/O below 687 } vndbinder_device:chr_file rw_file_perms; 688') 689full_treble_only(` 690 neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; 691') 692full_treble_only(` 693 neverallow { 694 coredomain 695 -shell 696 userdebug_or_eng(`-su') 697 } vndservice_manager_type:service_manager *; 698') 699full_treble_only(` 700 neverallow { 701 coredomain 702 -shell 703 userdebug_or_eng(`-su') 704 } vndservicemanager:binder *; 705') 706 707# On full TREBLE devices, socket communications between core components and vendor components are 708# not permitted. 709 # Most general rules first, more specific rules below. 710 711 # Core domains are not permitted to initiate communications to vendor domain sockets. 712 # We are not restricting the use of already established sockets because it is fine for a process 713 # to obtain an already established socket via some public/official/stable API and then exchange 714 # data with its peer over that socket. The wire format in this scenario is dicatated by the API 715 # and thus does not break the core-vendor separation. 716full_treble_only(` 717 neverallow_establish_socket_comms({ 718 coredomain 719 -init 720 -adbd 721 }, { 722 domain 723 -coredomain 724 -socket_between_core_and_vendor_violators 725 }); 726') 727 # Vendor domains are not permitted to initiate communications to core domain sockets 728full_treble_only(` 729 neverallow_establish_socket_comms({ 730 domain 731 -coredomain 732 -appdomain 733 -socket_between_core_and_vendor_violators 734 }, { 735 coredomain 736 -logd # Logging by writing to logd Unix domain socket is public API 737 -netd # netdomain needs this 738 -mdnsd # netdomain needs this 739 userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds 740 -init 741 -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services 742 -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services 743 }); 744') 745 746 # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets 747full_treble_only(` 748 neverallow_establish_socket_comms({ 749 domain 750 -coredomain 751 -netdomain 752 -socket_between_core_and_vendor_violators 753 }, netd); 754') 755 756 # Vendor domains are not permitted to initiate create/open sockets owned by core domains 757full_treble_only(` 758 neverallow { 759 domain 760 -coredomain 761 -appdomain # appdomain restrictions below 762 -data_between_core_and_vendor_violators # b/70393317 763 -socket_between_core_and_vendor_violators 764 -vendor_init 765 } { 766 coredomain_socket 767 core_data_file_type 768 unlabeled # used only by core domains 769 }:sock_file ~{ append getattr ioctl read write }; 770') 771full_treble_only(` 772 neverallow { 773 appdomain 774 -coredomain 775 } { 776 coredomain_socket 777 unlabeled # used only by core domains 778 core_data_file_type 779 -app_data_file 780 -pdx_endpoint_socket_type # used by VR layer 781 -pdx_channel_socket_type # used by VR layer 782 }:sock_file ~{ append getattr ioctl read write }; 783') 784 785 # Core domains are not permitted to create/open sockets owned by vendor domains 786full_treble_only(` 787 neverallow { 788 coredomain 789 -init 790 -ueventd 791 -socket_between_core_and_vendor_violators 792 } { 793 file_type 794 dev_type 795 -coredomain_socket 796 -core_data_file_type 797 -unlabeled 798 }:sock_file ~{ append getattr ioctl read write }; 799') 800 801# On TREBLE devices, vendor and system components are only allowed to share 802# files by passing open FDs over hwbinder. Ban all directory access and all file 803# accesses other than what can be applied to an open FD such as 804# ioctl/stat/read/write/append. This is enforced by segregating /data. 805# Vendor domains may directly access file in /data/vendor by path, but may only 806# access files outside of /data/vendor via an open FD passed over hwbinder. 807# Likewise, core domains may only directly access files outside /data/vendor by 808# path and files in /data/vendor by open FD. 809full_treble_only(` 810 # only coredomains may only access core_data_file_type, particularly not 811 # /data/vendor 812 neverallow { 813 coredomain 814 -appdomain # TODO(b/34980020) remove exemption for appdomain 815 -data_between_core_and_vendor_violators 816 -init 817 -vold_prepare_subdirs 818 } { 819 data_file_type 820 -core_data_file_type 821 }:file_class_set ~{ append getattr ioctl read write }; 822') 823full_treble_only(` 824 neverallow { 825 coredomain 826 -appdomain # TODO(b/34980020) remove exemption for appdomain 827 -data_between_core_and_vendor_violators 828 -init 829 -vold_prepare_subdirs 830 } { 831 data_file_type 832 -core_data_file_type 833 # TODO(b/72998741) Remove exemption. Further restricted in a subsequent 834 # neverallow. Currently only getattr and search are allowed. 835 -vendor_data_file 836 }:dir *; 837 838') 839full_treble_only(` 840 # vendor domains may only access files in /data/vendor, never core_data_file_types 841 neverallow { 842 domain 843 -appdomain # TODO(b/34980020) remove exemption for appdomain 844 -coredomain 845 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 846 -vendor_init 847 } { 848 core_data_file_type 849 # libc includes functions like mktime and localtime which attempt to access 850 # files in /data/misc/zoneinfo/tzdata file. These functions are considered 851 # vndk-stable and thus must be allowed for all processes. 852 -zoneinfo_data_file 853 }:file_class_set ~{ append getattr ioctl read write }; 854 neverallow { 855 vendor_init 856 -data_between_core_and_vendor_violators 857 } { 858 core_data_file_type 859 -unencrypted_data_file 860 -zoneinfo_data_file 861 }:file_class_set ~{ append getattr ioctl read write }; 862 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 863 # The vendor init binary lives on the system partition so there is not a concern with stability. 864 neverallow vendor_init unencrypted_data_file:file ~r_file_perms; 865') 866full_treble_only(` 867 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 868 neverallow { 869 domain 870 -appdomain # TODO(b/34980020) remove exemption for appdomain 871 -coredomain 872 -data_between_core_and_vendor_violators 873 -vendor_init 874 } { 875 core_data_file_type 876 -system_data_file # default label for files on /data. Covered below... 877 -vendor_data_file 878 -zoneinfo_data_file 879 }:dir *; 880 neverallow { 881 vendor_init 882 -data_between_core_and_vendor_violators 883 } { 884 core_data_file_type 885 -unencrypted_data_file 886 -system_data_file 887 -vendor_data_file 888 -zoneinfo_data_file 889 }:dir *; 890 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 891 # The vendor init binary lives on the system partition so there is not a concern with stability. 892 neverallow vendor_init unencrypted_data_file:dir ~search; 893') 894full_treble_only(` 895 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 896 neverallow { 897 domain 898 -appdomain # TODO(b/34980020) remove exemption for appdomain 899 -coredomain 900 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 901 } { 902 system_data_file # default label for files on /data. Covered below 903 }:dir ~{ getattr search }; 904') 905 906full_treble_only(` 907 # coredomains may not access dirs in /data/vendor. 908 neverallow { 909 coredomain 910 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 911 -init 912 -vold # vold creates per-user storage for both system and vendor 913 -vold_prepare_subdirs 914 } { 915 vendor_data_file # default label for files on /data. Covered below 916 }:dir ~{ getattr search }; 917') 918 919full_treble_only(` 920 # coredomains may not access dirs in /data/vendor. 921 neverallow { 922 coredomain 923 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 924 -init 925 } { 926 vendor_data_file # default label for files on /data/vendor{,_ce,_de}. 927 }:file_class_set ~{ append getattr ioctl read write }; 928') 929 930# On TREBLE devices, a limited set of files in /vendor are accessible to 931# only a few allowlisted coredomains to keep system/vendor separation. 932full_treble_only(` 933 # Limit access to /vendor/app 934 neverallow { 935 coredomain 936 -appdomain 937 -dex2oat 938 -idmap 939 -init 940 -installd 941 userdebug_or_eng(`-perfprofd') 942 -postinstall_dexopt 943 -system_server 944 } vendor_app_file:dir { open read getattr search }; 945') 946 947full_treble_only(` 948 neverallow { 949 coredomain 950 -appdomain 951 -dex2oat 952 -idmap 953 -init 954 -installd 955 userdebug_or_eng(`-perfprofd') 956 -postinstall_dexopt 957 -system_server 958 } vendor_app_file:file r_file_perms; 959') 960 961full_treble_only(` 962 # Limit access to /vendor/overlay 963 neverallow { 964 coredomain 965 -appdomain 966 -idmap 967 -init 968 -installd 969 -system_server 970 -webview_zygote 971 -zygote 972 } vendor_overlay_file:dir { getattr open read search }; 973') 974 975full_treble_only(` 976 neverallow { 977 coredomain 978 -appdomain 979 -idmap 980 -init 981 -installd 982 -system_server 983 -webview_zygote 984 -zygote 985 } vendor_overlay_file:file r_file_perms; 986') 987 988full_treble_only(` 989 # Non-vendor domains are not allowed to file execute shell 990 # from vendor 991 neverallow { 992 coredomain 993 -init 994 -shell 995 } vendor_shell_exec:file { execute execute_no_trans }; 996') 997 998full_treble_only(` 999 # Do not allow vendor components to execute files from system 1000 # except for the ones allowlist here. 1001 neverallow { 1002 domain 1003 -coredomain 1004 -appdomain 1005 -vendor_executes_system_violators 1006 -vendor_init 1007 } { 1008 exec_type 1009 -vendor_file_type 1010 -crash_dump_exec 1011 -netutils_wrapper_exec 1012 }:file { entrypoint execute execute_no_trans }; 1013') 1014 1015full_treble_only(` 1016 # Do not allow system components to execute files from vendor 1017 # except for the ones allowlisted here. 1018 neverallow { 1019 coredomain 1020 -init 1021 -shell 1022 -system_executes_vendor_violators 1023 } { 1024 vendor_file_type 1025 -same_process_hal_file 1026 -vndk_sp_file 1027 -vendor_app_file 1028 }:file execute; 1029') 1030 1031full_treble_only(` 1032 neverallow { 1033 coredomain 1034 -shell 1035 -system_executes_vendor_violators 1036 } vendor_file_type:file execute_no_trans; 1037') 1038 1039# Only authorized processes should be writing to files in /data/dalvik-cache 1040neverallow { 1041 domain 1042 -init # TODO: limit init to relabelfrom for files 1043 -zygote 1044 -installd 1045 -postinstall_dexopt 1046 -cppreopts 1047 -dex2oat 1048 -otapreopt_slot 1049} dalvikcache_data_file:file no_w_file_perms; 1050 1051neverallow { 1052 domain 1053 -init 1054 -installd 1055 -postinstall_dexopt 1056 -cppreopts 1057 -dex2oat 1058 -zygote 1059 -otapreopt_slot 1060} dalvikcache_data_file:dir no_w_dir_perms; 1061 1062# Only system_server should be able to send commands via the zygote socket 1063neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 1064neverallow { domain -system_server } zygote_socket:sock_file write; 1065 1066neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto; 1067neverallow { domain -system_server } webview_zygote:sock_file write; 1068 1069neverallow { 1070 domain 1071 -tombstoned 1072 -crash_dump 1073 -dumpstate 1074 -incidentd 1075 -system_server 1076 1077 # Processes that can't exec crash_dump 1078 -mediacodec 1079 -mediaextractor 1080} tombstoned_crash_socket:unix_stream_socket connectto; 1081 1082# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to 1083# the tombstoned intercept socket. 1084neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; 1085neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 1086 1087# Android does not support System V IPCs. 1088# 1089# The reason for this is due to the fact that, by design, they lead to global 1090# kernel resource leakage. 1091# 1092# For example, there is no way to automatically release a SysV semaphore 1093# allocated in the kernel when: 1094# 1095# - a buggy or malicious process exits 1096# - a non-buggy and non-malicious process crashes or is explicitly killed. 1097# 1098# Killing processes automatically to make room for new ones is an 1099# important part of Android's application lifecycle implementation. This means 1100# that, even assuming only non-buggy and non-malicious code, it is very likely 1101# that over time, the kernel global tables used to implement SysV IPCs will fill 1102# up. 1103neverallow * *:{ shm sem msg msgq } *; 1104 1105# Do not mount on top of symlinks, fifos, or sockets. 1106# Feature parity with Chromium LSM. 1107neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 1108 1109# Nobody should be able to execute su on user builds. 1110# On userdebug/eng builds, only dumpstate, shell, and 1111# su itself execute su. 1112neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 1113 1114# Do not allow the introduction of new execmod rules. Text relocations 1115# and modification of executable pages are unsafe. 1116# The only exceptions are for NDK text relocations associated with 1117# https://code.google.com/p/android/issues/detail?id=23203 1118# which, long term, need to go away. 1119neverallow * { 1120 file_type 1121 -apk_data_file 1122 -app_data_file 1123 -asec_public_file 1124}:file execmod; 1125 1126# Do not allow making the stack or heap executable. 1127# We would also like to minimize execmem but it seems to be 1128# required by some device-specific service domains. 1129neverallow * self:process { execstack execheap }; 1130 1131# prohibit non-zygote spawned processes from using shared libraries 1132# with text relocations. b/20013628 . 1133neverallow { domain -untrusted_app_all } file_type:file execmod; 1134 1135neverallow { domain -init } proc:{ file dir } mounton; 1136 1137# Ensure that all types assigned to processes are included 1138# in the domain attribute, so that all allow and neverallow rules 1139# written on domain are applied to all processes. 1140# This is achieved by ensuring that it is impossible to transition 1141# from a domain to a non-domain type and vice versa. 1142# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 1143neverallow ~domain domain:process { transition dyntransition }; 1144 1145# 1146# Only system_app and system_server should be creating or writing 1147# their files. The proper way to share files is to setup 1148# type transitions to a more specific type or assigning a type 1149# to its parent directory via a file_contexts entry. 1150# Example type transition: 1151# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 1152# 1153neverallow { 1154 domain 1155 -system_server 1156 -system_app 1157 -init 1158 -installd # for relabelfrom and unlink, check for this in explicit neverallow 1159 -vold_prepare_subdirs # For unlink 1160 with_asan(`-asan_extract') 1161} system_data_file:file no_w_file_perms; 1162# do not grant anything greater than r_file_perms and relabelfrom unlink 1163# to installd 1164neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 1165 1166# respect system_app sandboxes 1167neverallow { 1168 domain 1169 -appdomain # finer-grained rules for appdomain are listed below 1170 -system_server #populate com.android.providers.settings/databases/settings.db. 1171 -installd # creation of app sandbox 1172 -traced_probes # resolve inodes for i/o tracing. 1173 # only needs open and read, the rest is neverallow in 1174 # traced_probes.te. 1175} system_app_data_file:dir_file_class_set { create unlink open }; 1176neverallow { 1177 isolated_app 1178 untrusted_app_all # finer-grained rules for appdomain are listed below 1179 ephemeral_app 1180 priv_app 1181} system_app_data_file:dir_file_class_set { create unlink open }; 1182 1183 1184# Services should respect app sandboxes 1185neverallow { 1186 domain 1187 -appdomain 1188 -installd # creation of sandbox 1189} app_data_file:dir_file_class_set { create unlink }; 1190 1191# 1192# Only these domains should transition to shell domain. This domain is 1193# permissible for the "shell user". If you need a process to exec a shell 1194# script with differing privilege, define a domain and set up a transition. 1195# 1196neverallow { 1197 domain 1198 -adbd 1199 -init 1200 -runas 1201 -zygote 1202} shell:process { transition dyntransition }; 1203 1204# Only domains spawned from zygote and runas may have the appdomain attribute. 1205neverallow { domain -runas -webview_zygote -zygote } { 1206 appdomain -shell userdebug_or_eng(`-su') 1207}:process { transition dyntransition }; 1208 1209# Minimize read access to shell- or app-writable symlinks. 1210# This is to prevent malicious symlink attacks. 1211neverallow { 1212 domain 1213 -appdomain 1214 -installd 1215 -uncrypt # TODO: see if we can remove 1216} app_data_file:lnk_file read; 1217 1218neverallow { 1219 domain 1220 -shell 1221 userdebug_or_eng(`-uncrypt') 1222 -installd 1223} shell_data_file:lnk_file read; 1224 1225# In addition to the symlink reading restrictions above, restrict 1226# write access to shell owned directories. The /data/local/tmp 1227# directory is untrustworthy, and non-allowlisted domains should 1228# not be trusting any content in those directories. 1229neverallow { 1230 domain 1231 -adbd 1232 -dumpstate 1233 -installd 1234 -init 1235 -shell 1236 -vold 1237} shell_data_file:dir no_w_dir_perms; 1238 1239neverallow { 1240 domain 1241 -adbd 1242 -appdomain 1243 -dumpstate 1244 -init 1245 -installd 1246 -system_server # why? 1247 userdebug_or_eng(`-uncrypt') 1248} shell_data_file:dir { open search }; 1249 1250# Same as above for /data/local/tmp files. We allow shell files 1251# to be passed around by file descriptor, but not directly opened. 1252neverallow { 1253 domain 1254 -adbd 1255 -appdomain 1256 -dumpstate 1257 -installd 1258 userdebug_or_eng(`-uncrypt') 1259} shell_data_file:file open; 1260 1261# servicemanager and vndservicemanager are the only processes which handle the 1262# service_manager list request 1263neverallow * ~{ 1264 servicemanager 1265 vndservicemanager 1266 }:service_manager list; 1267 1268# hwservicemanager is the only process which handles hw list requests 1269neverallow * ~{ 1270 hwservicemanager 1271 }:hwservice_manager list; 1272 1273# only service_manager_types can be added to service_manager 1274# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 1275 1276# Prevent assigning non property types to properties 1277# TODO - rework this: neverallow * ~property_type:property_service set; 1278 1279# Domain types should never be assigned to any files other 1280# than the /proc/pid files associated with a process. The 1281# executable file used to enter a domain should be labeled 1282# with its own _exec type, not with the domain type. 1283# Conventionally, this looks something like: 1284# $ cat mydaemon.te 1285# type mydaemon, domain; 1286# type mydaemon_exec, exec_type, file_type; 1287# init_daemon_domain(mydaemon) 1288# $ grep mydaemon file_contexts 1289# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 1290neverallow * domain:file { execute execute_no_trans entrypoint }; 1291 1292# Do not allow access to the generic debugfs label. This is too broad. 1293# Instead, if access to part of debugfs is desired, it should have a 1294# more specific label. 1295# TODO: fix system_server and dumpstate 1296neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms; 1297 1298# Profiles contain untrusted data and profman parses that. We should only run 1299# in from installd forked processes. 1300neverallow { 1301 domain 1302 -installd 1303 -profman 1304} profman_exec:file no_x_file_perms; 1305 1306# Enforce restrictions on kernel module origin. 1307# Do not allow kernel module loading except from system, 1308# vendor, and boot partitions. 1309neverallow * ~{ system_file vendor_file rootfs }:system module_load; 1310 1311# Only allow filesystem caps to be set at build time. Runtime changes 1312# to filesystem capabilities are not permitted. 1313neverallow * self:global_capability_class_set setfcap; 1314 1315# Enforce AT_SECURE for executing crash_dump. 1316neverallow domain crash_dump:process noatsecure; 1317 1318# Do not permit non-core domains to register HwBinder services which are 1319# guaranteed to be provided by core domains only. 1320neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1321 1322# Do not permit the registeration of HwBinder services which are guaranteed to 1323# be passthrough only (i.e., run in the process of their clients instead of a 1324# separate server process). 1325neverallow * same_process_hwservice:hwservice_manager add; 1326 1327# On TREBLE devices, most coredomains should not access vendor_files. 1328# TODO(b/71553434): Remove exceptions here. 1329full_treble_only(` 1330 neverallow { 1331 coredomain 1332 -appdomain 1333 -bootanim 1334 -crash_dump 1335 -init 1336 -kernel 1337 -perfprofd 1338 -ueventd 1339 } vendor_file:file { no_w_file_perms no_x_file_perms open }; 1340') 1341 1342# Minimize dac_override and dac_read_search. 1343# Instead of granting them it is usually better to add the domain to 1344# a Unix group or change the permissions of a file. 1345neverallow { 1346 domain 1347 -dnsmasq 1348 -dumpstate 1349 -init 1350 -installd 1351 -install_recovery 1352 -lmkd 1353 -netd 1354 -perfprofd 1355 -postinstall_dexopt 1356 -recovery 1357 -sdcardd 1358 -tee 1359 -ueventd 1360 -uncrypt 1361 -vendor_init 1362 -vold 1363 -vold_prepare_subdirs 1364 -zygote 1365} self:capability dac_override; 1366neverallow { domain -traced_probes } self:capability dac_read_search; 1367 1368# If an already existing file is opened with O_CREAT, the kernel might generate 1369# a false report of a create denial. Silence these denials and make sure that 1370# inappropriate permissions are not granted. 1371 1372# These filesystems don't allow files or directories to be created, so the permission 1373# to do so should never be granted. 1374neverallow domain { 1375 proc_type 1376 sysfs_type 1377}:dir { add_name create link remove_name rename reparent rmdir write }; 1378 1379# cgroupfs directories can be created, but not files within them. 1380neverallow domain cgroup:file create; 1381 1382dontaudit domain proc_type:dir write; 1383dontaudit domain sysfs_type:dir write; 1384dontaudit domain cgroup:file create; 1385 1386# These are only needed in permissive mode - in enforcing mode the 1387# directory write check fails and so these are never attempted. 1388userdebug_or_eng(` 1389 dontaudit domain proc_type:dir add_name; 1390 dontaudit domain sysfs_type:dir add_name; 1391 dontaudit domain proc_type:file create; 1392 dontaudit domain sysfs_type:file create; 1393') 1394 1395# Platform must not have access to /mnt/vendor. 1396neverallow { 1397 coredomain 1398 -init 1399} mnt_vendor_file:dir *; 1400