# Rules for all domains.
#
# Every process type carries the `domain` attribute, so a rule whose source is
# `domain` applies to every process on the device. SELinux allow rules are
# purely additive: nothing granted here can be withdrawn from an individual
# domain, so each addition to this file widens the surface of every process.
# The neverallow rules at the end of the file bound what may be granted here.

# Allow reaping by init.
allow domain init:process sigchld;

# Intra-domain accesses.
allow domain self:process {
  fork
  sigchld
  sigkill
  sigstop
  signull
  signal
  getsched
  setsched
  getsession
  getpgid
  setpgid
  getcap
  setcap
  getattr
  setrlimit
};
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net_type:dir search;
# Read dirs/files labeled with the domain's own type (e.g. its own /proc/<pid> entries).
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
allow domain init:fd use;

# The rules in this block are compiled in on userdebug and eng builds only;
# a user build carries none of them.
userdebug_or_eng(`
  allow domain su:fd use;
  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
  allow domain su:unix_dgram_socket sendto;

  allow { domain -init } su:binder { call transfer };

  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  allow domain su:process sigchld;

  # Allow writing coredumps to /cores/*
  allow domain coredump_file:file create_file_perms;
  allow domain coredump_file:dir ra_dir_perms;
')

with_native_coverage(`
  # Allow writing coverage information to /data/misc/trace
  allow domain method_trace_data_file:dir create_dir_perms;
  allow domain method_trace_data_file:file create_file_perms;
')

# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
# The app domains excluded below do not open /dev/ashmem themselves; they
# presumably obtain ashmem fds via ashmemd instead (cf. the TODO and the
# ashmemd:fd rule that follows).
allow {
  domain
  # TODO(b/113362644): route coredomain to ashmemd
  #-coredomain
  -mediaprovider
  -ephemeral_app
  -isolated_app
  -untrusted_app_all
} ashmem_device:chr_file rw_file_perms;

# Allow using fds to /dev/ashmem.
allow domain ashmemd:fd use;

# /dev/binder can be accessed by non-vendor domains and by apps.
# hwservicemanager is excluded here and is additionally neverallowed
# binder_device access further down in this file.
allow {
  coredomain
  appdomain
  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  -hwservicemanager
} binder_device:chr_file rw_file_perms;
# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
# servicemanager and vndservicemanager are neverallowed this node further down.
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain proc_random:dir r_dir_perms;
allow domain proc_random:file r_file_perms;
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file r_file_perms;
allow domain property_info:file r_file_perms;

# Public readable properties
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_fingerprint_prop)
get_prop(domain, exported_radio_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, exported_vold_prop)
get_prop(domain, exported2_default_prop)
get_prop(domain, logd_prop)

# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
# access(2) probes of property files are expected; do not log them as denials.
dontaudit domain property_type:file audit_access;
allow domain property_contexts_file:file r_file_perms;

# Search (but not read) the init and vold keyrings.
allow domain init:key search;
allow domain vold:key search;

# logd access
write_logd(domain)

# Directory/link file access for path resolution.
allow domain {
  system_file
  system_lib_file
  system_seccomp_policy_file
  system_security_cacerts_file
}:dir r_dir_perms;
allow domain system_file:lnk_file { getattr read };

# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
# linker and its config.
allow domain system_seccomp_policy_file:file r_file_perms;
# cacerts are accessible from public Java API.
allow domain system_security_cacerts_file:file r_file_perms;
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
allow domain system_linker_exec:lnk_file { read open getattr };
allow domain system_lib_file:lnk_file { read open getattr };

allow domain system_event_log_tags_file:file r_file_perms;

# Execute access to generic system_file is limited to core domains and apps;
# vendor domains get it only on non-Treble devices (see not_full_treble below).
allow { appdomain coredomain } system_file:file { execute read open getattr map };

# Make sure system/vendor split does not affect non-treble
# devices
not_full_treble(`
  allow domain system_file:file { execute read open getattr map };
  allow domain vendor_file_type:dir { search getattr };
  allow domain vendor_file_type:file { execute read open getattr map };
  allow domain vendor_file_type:lnk_file { getattr read };
')

# All domains are allowed to open and read directories
# that contain HAL implementations (e.g. passthrough
# HALs require clients to have these permissions)
allow domain vendor_hal_file:dir r_dir_perms;

# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir r_dir_perms;
allow {
  domain
  -coredomain # access is explicitly granted to individual coredomains
} same_process_hal_file:file { execute read open getattr map };

# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
allow domain vndk_sp_file:dir r_dir_perms;
allow domain vndk_sp_file:file { execute read open getattr map };

# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
allow domain vendor_configs_file:file { read open getattr map };

full_treble_only(`
  # Allow all domains to be able to follow /system/vendor and/or
  # /vendor/odm symlinks.
  allow domain vendor_file_type:lnk_file { getattr open read };

  # This is required to be able to search & read /vendor/lib64
  # in order to lookup vendor libraries. The execute permission
  # for coredomains is granted *only* for same process HALs
  allow domain vendor_file:dir { getattr search };

  # Allow reading and executing out of /vendor to all vendor domains
  allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
  allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
  allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
')

# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };

# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
# timezone related information.
# This directory is considered to be VNDK-stable.
allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;

# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)

r_dir_file(domain, sysfs_usb);

# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
allow domain sysfs_transparent_hugepage:dir search;
allow domain sysfs_transparent_hugepage:file r_file_perms;

# files under /data.
not_full_treble(`
  allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_file. Vendor components need the search
# permission on system_data_file for path traversal to /data/vendor.
allow domain system_data_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_data_file:dir { getattr search };

# required by the dynamic linker
allow domain proc:lnk_file { getattr read };

# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;

# /dev/cpu_variant:.*
allow domain dev_cpu_variant:file r_file_perms;

# jemalloc needs to read /proc/sys/vm/overcommit_memory
allow domain proc_overcommit_memory:file r_file_perms;

# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file r_file_perms;

# toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;

# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;

# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
  ioctl unpriv_unix_sock_ioctls;

# Restrict PTYs to only allowlisted ioctls.
# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

# All domains must clearly enumerate what ioctls they use
# on filesystem objects (plain files, directories, symbolic links,
# named pipes, and named sockets). We start off with a safe set.
# FIOCLEX/FIONCLEX only toggle the close-on-exec flag of the caller's own
# descriptor, so they are safe to allow on any object.
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };

# If a domain has ioctl access to tun_device, it must clearly enumerate the
# ioctls used. Safe defaults are listed below.
allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };

# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };

# If a domain has access to perform an ioctl on a block device, allow these
# very common, benign ioctls
allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };

# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
allowxperm domain { file_type sdcard_type }:file ioctl {
  F2FS_IOC_ABORT_VOLATILE_WRITE
  F2FS_IOC_COMMIT_ATOMIC_WRITE
  F2FS_IOC_GET_FEATURES
  F2FS_IOC_GET_PIN_FILE
  F2FS_IOC_SET_PIN_FILE
  F2FS_IOC_START_ATOMIC_WRITE
};

# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules.
# `{ domain -domain }` is the empty set, so these two rules grant nothing;
# they only keep the attribute referenced.
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
# when it's not explicitly used in allow rules
allow { domain -domain } vndservice_manager_type:service_manager { add find };

# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
with_asan(`allow domain system_data_file:dir getattr;')
# Under ASAN, /system/asan.options needs to be globally accessible.
with_asan(`allow domain system_asan_options_file:file r_file_perms;')

# read APEX dir and stat any symlink pointing to APEXs.
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;

###
### neverallow rules
###
# neverallow rules are compile-time assertions checked against the whole
# policy, device-specific additions included: the build fails if any allow
# rule anywhere contradicts one of them. They are the hard ceiling on what
# this file, and every other .te file, may grant.

# All ioctls on file-like objects (except chr_file) and sockets must be
# restricted to an allowlist.
# ioctl command 0 is never on any allowlist, so this assertion only fails for
# a domain that holds plain ioctl permission on one of these classes without
# an allowxperm rule narrowing it.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };

# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };

# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * devpts:chr_file ioctl TIOCSTI;

# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit device node creation to these allowlisted domains.
neverallow {
  domain
  -kernel
  -init
  -ueventd
  -vold
} self:global_capability_class_set mknod;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow * self:global_capability2_class_set mac_override;

# Disallow attempts to set contexts not defined in current policy
# This helps guarantee that unknown or dangerous contexts will not ever
# be set.
neverallow * self:global_capability2_class_set mac_admin;

# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
neverallow * kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only init, ueventd, shell and system_server should be able to access HW RNG
neverallow {
  domain
  -init
  -shell # For CTS and is restricted to getattr in shell.te
  -system_server
  -ueventd
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
  domain
  -shell # stat of /dev, getattr only
  -ueventd
} keychord_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;

# The dynamic linker always calls access(2) on the path. Don't generate SElinux
# denials since the linker does not actually access the path in case the path
# does not exist or isn't accessible for the process.
dontaudit domain postinstall_mnt_dir:dir audit_access;

# Ensure that nothing in userspace can access /dev/port
neverallow {
  domain
  -shell # Shell user should not have any abilities outside of getattr
  -ueventd
} port_device:chr_file *;
# `~{ ... }` is the complement: every permission other than the listed ones is
# denied to every domain, shell and ueventd included.
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };

# Nobody is allowed to make binder calls into init.
# Only servicemanager may transfer binder references to init
# vendor_init shouldn't use binder at all.
neverallow * init:binder ~{ transfer };
neverallow { domain -servicemanager } init:binder { transfer };
neverallow * vendor_init:binder *;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow * *:{ blk_file chr_file } rename;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };

# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;

# Protect most domains from executing arbitrary content from /data.
# Apps are exempt from the /data execute restriction; the listed data types
# are excluded from the target set.
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;

# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };

# Nobody should be doing writes to /system & /vendor
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
neverallow {
  domain
  with_asan(`-asan_extract')
  recovery_only(`userdebug_or_eng(`-fastbootd')')
} {
  system_file_type
  vendor_file_type
  exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };

neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;

# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;

# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow * contextmount_type:dir_file_class_set
  { create setattr relabelfrom relabelto append link rename };
neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };

# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager add;
neverallow * default_android_vndservice:service_manager { add find };
neverallow * default_android_hwservice:hwservice_manager { add find };

# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offers such lookups only to make it so that security
# decisions are expressed in SELinux policy. However, it's unclear whether this
# lookup has security implications. If it doesn't, hwservicemanager should be
# modified to not offer this lookup.
# This rule can be removed if hwservicemanager is modified to not permit these
# lookups.
neverallow * hidl_base_hwservice:hwservice_manager find;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow { domain -init -vendor_init } mmc_prop:property_service set;

# When compatible_property_only applies, vendor_init loses the exemption
# granted above for default_prop and mmc_prop.
compatible_property_only(`
  neverallow { domain -init } default_prop:property_service set;
  neverallow { domain -init } mmc_prop:property_service set;
  neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
  neverallow { domain -init } exported_secure_prop:property_service set;
  neverallow { domain -init } exported2_default_prop:property_service set;
  neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
  neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
')

# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

compatible_property_only(`
  neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
  neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
')

# Do not allow reading device's serial number from system properties except from
# a few allowlisted domains.
neverallow {
  domain
  -adbd
  -dumpstate
  -fastbootd
  -hal_camera_server
  -hal_cas_server
  -hal_drm_server
  -init
  -mediadrmserver
  -recovery
  -shell
  -system_server
  -vendor_init
} serialno_prop:file r_file_perms;

# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

# Read/write access to the frp block device (presumably the factory-reset
# protection partition; confirm against its file_contexts entry) is limited
# to the domains below.
neverallow {
  domain
  -init
  -recovery
  -system_server
  -shell # Shell is further restricted in shell.te
  -ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file no_rw_file_perms;

# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow {
  domain
  -init
  -recovery
  -vold
  -e2fs
  -fsck
  -fastbootd
} metadata_block_device:blk_file { append link rename write open read ioctl lock };

# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
# fsck and init are additionally exempt on userdebug/eng builds only.
neverallow {
  domain
  -fastbootd
  userdebug_or_eng(`-fsck')
  userdebug_or_eng(`-init')
  -recovery
  -update_engine
} system_block_device:blk_file { write append };

# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
  domain
  userdebug_or_eng(`-domain') # exclude debuggable builds: `-domain` empties the source set, making this a no-op there
  -fastbootd
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;

# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
# domain apps need this because Android framework offers many of its services to apps as Binder
# services.
full_treble_only(`
  neverallow {
    domain
    -coredomain
    -appdomain
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } binder_device:chr_file rw_file_perms;
')

# libcutils can probe for /dev/binder permissions with access(). Ignore
# generated denials. See b/129073672 for details.
dontaudit domain binder_device:chr_file audit_access;

full_treble_only(`
  neverallow {
    domain
    -coredomain
    -appdomain # restrictions for vendor apps are declared lower down
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } service_manager_type:service_manager find;
')
full_treble_only(`
  # Vendor apps are permitted to use only stable public services. If they were to use arbitrary
  # services which can change any time framework/core is updated, breakage is likely.
  neverallow {
    appdomain
    -coredomain
  } {
    service_manager_type
    -app_api_service
    -ephemeral_app_api_service
    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
    -cameraserver_service
    -drmserver_service
    -keystore_service
    -mediadrmserver_service
    -mediaextractor_service
    -mediametrics_service
    -mediaserver_service
    -nfc_service
    -radio_service
    -virtual_touchpad_service
    -vr_hwc_service
    -vr_manager_service
  }:service_manager find;
')
full_treble_only(`
  neverallow {
    domain
    -coredomain
    -appdomain
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } servicemanager:binder { call transfer };
')

# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
  } vndbinder_device:chr_file rw_file_perms;
')
full_treble_only(`
  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
')
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
  } vndservice_manager_type:service_manager *;
')
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
  } vndservicemanager:binder *;
')

# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
  # Most general rules first, more specific rules below.

  # Core domains are not permitted to initiate communications to vendor domain sockets.
  # We are not restricting the use of already established sockets because it is fine for a process
  # to obtain an already established socket via some public/official/stable API and then exchange
  # data with its peer over that socket. The wire format in this scenario is dictated by the API
  # and thus does not break the core-vendor separation.
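full_treble_only(`
  neverallow_establish_socket_comms({
    coredomain
    -init
    -adbd
  }, {
    domain
    -coredomain
    -socket_between_core_and_vendor_violators
  });
')
  # Vendor domains are not permitted to initiate communications to core domain sockets
full_treble_only(`
  neverallow_establish_socket_comms({
    domain
    -coredomain
    -appdomain
    -socket_between_core_and_vendor_violators
  }, {
    coredomain
    -logd # Logging by writing to logd Unix domain socket is public API
    -netd # netdomain needs this
    -mdnsd # netdomain needs this
    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
    -init
    -tombstoned # linker to tombstoned
    userdebug_or_eng(`-heapprofd') # exempt on userdebug or eng builds only, like su above
  });
')

  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
full_treble_only(`
  neverallow_establish_socket_comms({
    domain
    -coredomain
    -netdomain
    -socket_between_core_and_vendor_violators
  }, netd);
')

  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
full_treble_only(`
  neverallow {
    domain
    -coredomain
    -appdomain # appdomain restrictions below
    -data_between_core_and_vendor_violators # b/70393317
    -socket_between_core_and_vendor_violators
    -vendor_init
  } {
    coredomain_socket
    core_data_file_type
    unlabeled # used only by core domains
  }:sock_file ~{ append getattr ioctl read write };
')
full_treble_only(`
  neverallow {
    appdomain
    -coredomain
  } {
    coredomain_socket
    unlabeled # used only by core domains
    core_data_file_type
    -app_data_file
    -privapp_data_file
    -pdx_endpoint_socket_type # used by VR layer
    -pdx_channel_socket_type # used by VR layer
  }:sock_file ~{ append getattr ioctl read write };
')

  # Core domains are not permitted to create/open sockets owned by vendor domains
full_treble_only(`
  neverallow {
    coredomain
    -init
    -ueventd
    -socket_between_core_and_vendor_violators
  } {
    file_type
    dev_type
    -coredomain_socket
    -core_data_file_type
    -unlabeled
  }:sock_file ~{ append getattr ioctl read write };
')

# On TREBLE devices, vendor and system components are only allowed to share
# files by passing open FDs over hwbinder. Ban all directory access and all file
# accesses other than what can be applied to an open FD such as
# ioctl/stat/read/write/append. This is enforced by segregating /data.
# Vendor domains may directly access files in /data/vendor by path, but may only
# access files outside of /data/vendor via an open FD passed over hwbinder.
# Likewise, core domains may only directly access files outside /data/vendor by
# path and files in /data/vendor by open FD.
full_treble_only(`
  # coredomains may only access core_data_file_type, particularly not
  # /data/vendor
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -data_between_core_and_vendor_violators
    -init
    -vold_prepare_subdirs
  } {
    data_file_type
    -core_data_file_type
  }:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -data_between_core_and_vendor_violators
    -init
    -vold_prepare_subdirs
  } {
    data_file_type
    -core_data_file_type
    # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
    # neverallow. Currently only getattr and search are allowed.
    -vendor_data_file
  }:dir *;

')
full_treble_only(`
  # vendor domains may only access files in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -vendor_init
  } {
    core_data_file_type
    # libc includes functions like mktime and localtime which attempt to access
    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
    # These functions are considered vndk-stable and thus must be allowed for
    # all processes.
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  neverallow {
    vendor_init
    -data_between_core_and_vendor_violators
  } {
    core_data_file_type
    -unencrypted_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
  # The vendor init binary lives on the system partition so there is not a concern with stability.
  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
')
full_treble_only(`
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators
    -vendor_init
  } {
    core_data_file_type
    -system_data_file # default label for files on /data. Covered below...
    -vendor_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  neverallow {
    vendor_init
    -data_between_core_and_vendor_violators
  } {
    core_data_file_type
    -unencrypted_data_file
    -system_data_file
    -vendor_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
  # The vendor init binary lives on the system partition so there is not a concern with stability.
  neverallow vendor_init unencrypted_data_file:dir ~search;
')
full_treble_only(`
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
  } {
    system_data_file # default label for files on /data. Covered below
  }:dir ~{ getattr search };
')

full_treble_only(`
  # coredomains may not access dirs in /data/vendor.
  neverallow {
    coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -init
    -vold # vold creates per-user storage for both system and vendor
    -vold_prepare_subdirs
  } {
    vendor_data_file # default label for files on /data. Covered below
  }:dir ~{ getattr search };
')

full_treble_only(`
  # coredomains may not access dirs in /data/vendor.
  neverallow {
    coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -init
  } {
    vendor_data_file # default label for files on /data/vendor{,_ce,_de}.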
939 }:file_class_set ~{ append getattr ioctl read write map }; 940') 941 942full_treble_only(` 943 # Non-vendor domains are not allowed to file execute shell 944 # from vendor 945 neverallow { 946 coredomain 947 -init 948 -shell 949 } vendor_shell_exec:file { execute execute_no_trans }; 950') 951 952full_treble_only(` 953 # Do not allow vendor components to execute files from system 954 # except for the ones allowlist here. 955 neverallow { 956 domain 957 -coredomain 958 -appdomain 959 -vendor_executes_system_violators 960 -vendor_init 961 } { 962 system_file_type 963 -system_lib_file 964 -system_linker_exec 965 -crash_dump_exec 966 -netutils_wrapper_exec 967 userdebug_or_eng(`-tcpdump_exec') 968 }:file { entrypoint execute execute_no_trans }; 969') 970 971full_treble_only(` 972 # Do not allow system components to execute files from vendor 973 # except for the ones allowlisted here. 974 neverallow { 975 coredomain 976 -init 977 -shell 978 -system_executes_vendor_violators 979 } { 980 vendor_file_type 981 -same_process_hal_file 982 -vndk_sp_file 983 -vendor_app_file 984 -vendor_public_lib_file 985 }:file execute; 986') 987 988full_treble_only(` 989 neverallow { 990 coredomain 991 -shell 992 -system_executes_vendor_violators 993 } { 994 vendor_file_type 995 -same_process_hal_file 996 }:file execute_no_trans; 997') 998 999full_treble_only(` 1000 # Do not allow system components access to /vendor files except for the 1001 # ones allowlisted here. 
1002 neverallow { 1003 coredomain 1004 # TODO(b/37168747): clean up fwk access to /vendor 1005 -crash_dump 1006 -init # starts vendor executables 1007 -kernel # loads /vendor/firmware 1008 userdebug_or_eng(`-perfprofd') 1009 userdebug_or_eng(`-heapprofd') 1010 -shell 1011 -system_executes_vendor_violators 1012 -ueventd # reads /vendor/ueventd.rc 1013 } { 1014 vendor_file_type 1015 -same_process_hal_file 1016 -vendor_app_file 1017 -vendor_configs_file 1018 -vendor_framework_file 1019 -vendor_idc_file 1020 -vendor_keychars_file 1021 -vendor_keylayout_file 1022 -vendor_overlay_file 1023 -vendor_public_lib_file 1024 -vendor_task_profiles_file 1025 -vndk_sp_file 1026 }:file *; 1027') 1028 1029full_treble_only(` 1030 # Do not allow vendor components access to /system files except for the 1031 # ones allowlisted here. 1032 neverallow { 1033 domain 1034 -appdomain 1035 -coredomain 1036 -vendor_executes_system_violators 1037 # vendor_init needs access to init_exec for domain transition. vendor_init 1038 # neverallows are covered in public/vendor_init.te 1039 -vendor_init 1040 } { 1041 system_file_type 1042 -crash_dump_exec 1043 -file_contexts_file 1044 -netutils_wrapper_exec 1045 -property_contexts_file 1046 -system_event_log_tags_file 1047 -system_lib_file 1048 with_asan(`-system_asan_options_file') 1049 -system_linker_exec 1050 -system_linker_config_file 1051 -system_seccomp_policy_file 1052 -system_security_cacerts_file 1053 -system_zoneinfo_file 1054 -task_profiles_file 1055 userdebug_or_eng(`-tcpdump_exec') 1056 }:file *; 1057') 1058 1059# Only system_server should be able to send commands via the zygote socket 1060neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 1061neverallow { domain -system_server } zygote_socket:sock_file write; 1062 1063neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto; 1064neverallow { domain -system_server } webview_zygote:sock_file write; 1065neverallow 
{ domain -system_server } app_zygote:sock_file write; 1066 1067neverallow { 1068 domain 1069 -tombstoned 1070 -crash_dump 1071 -dumpstate 1072 -incidentd 1073 -system_server 1074 1075 # Processes that can't exec crash_dump 1076 -hal_codec2_server 1077 -hal_omx_server 1078 -mediaextractor 1079} tombstoned_crash_socket:unix_stream_socket connectto; 1080 1081# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to 1082# the tombstoned intercept socket. 1083neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; 1084neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 1085 1086# Android does not support System V IPCs. 1087# 1088# The reason for this is due to the fact that, by design, they lead to global 1089# kernel resource leakage. 1090# 1091# For example, there is no way to automatically release a SysV semaphore 1092# allocated in the kernel when: 1093# 1094# - a buggy or malicious process exits 1095# - a non-buggy and non-malicious process crashes or is explicitly killed. 1096# 1097# Killing processes automatically to make room for new ones is an 1098# important part of Android's application lifecycle implementation. This means 1099# that, even assuming only non-buggy and non-malicious code, it is very likely 1100# that over time, the kernel global tables used to implement SysV IPCs will fill 1101# up. 1102neverallow * *:{ shm sem msg msgq } *; 1103 1104# Do not mount on top of symlinks, fifos, or sockets. 1105# Feature parity with Chromium LSM. 1106neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 1107 1108# Nobody should be able to execute su on user builds. 1109# On userdebug/eng builds, only dumpstate, shell, and 1110# su itself execute su. 
1111neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 1112 1113# Do not allow the introduction of new execmod rules. Text relocations 1114# and modification of executable pages are unsafe. 1115# The only exceptions are for NDK text relocations associated with 1116# https://code.google.com/p/android/issues/detail?id=23203 1117# which, long term, need to go away. 1118neverallow * { 1119 file_type 1120 -apk_data_file 1121 -app_data_file 1122 -asec_public_file 1123}:file execmod; 1124 1125# Do not allow making the stack or heap executable. 1126# We would also like to minimize execmem but it seems to be 1127# required by some device-specific service domains. 1128neverallow * self:process { execstack execheap }; 1129 1130# Do not allow the introduction of new execmod rules. Text relocations 1131# and modification of executable pages are unsafe. 1132neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod; 1133 1134neverallow { domain -init } proc:{ file dir } mounton; 1135 1136# Ensure that all types assigned to processes are included 1137# in the domain attribute, so that all allow and neverallow rules 1138# written on domain are applied to all processes. 1139# This is achieved by ensuring that it is impossible to transition 1140# from a domain to a non-domain type and vice versa. 1141# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 1142neverallow ~domain domain:process { transition dyntransition }; 1143 1144# 1145# Only system_app and system_server should be creating or writing 1146# their files. The proper way to share files is to setup 1147# type transitions to a more specific type or assigning a type 1148# to its parent directory via a file_contexts entry. 
1149# Example type transition: 1150# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 1151# 1152neverallow { 1153 domain 1154 -system_server 1155 -system_app 1156 -init 1157 -installd # for relabelfrom and unlink, check for this in explicit neverallow 1158 -vold_prepare_subdirs # For unlink 1159 with_asan(`-asan_extract') 1160} system_data_file:file no_w_file_perms; 1161# do not grant anything greater than r_file_perms and relabelfrom unlink 1162# to installd 1163neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 1164 1165# respect system_app sandboxes 1166neverallow { 1167 domain 1168 -appdomain # finer-grained rules for appdomain are listed below 1169 -system_server #populate com.android.providers.settings/databases/settings.db. 1170 -installd # creation of app sandbox 1171 -traced_probes # resolve inodes for i/o tracing. 1172 # only needs open and read, the rest is neverallow in 1173 # traced_probes.te. 1174} system_app_data_file:dir_file_class_set { create unlink open }; 1175neverallow { 1176 isolated_app 1177 untrusted_app_all # finer-grained rules for appdomain are listed below 1178 ephemeral_app 1179 priv_app 1180} system_app_data_file:dir_file_class_set { create unlink open }; 1181 1182# 1183# Only these domains should transition to shell domain. This domain is 1184# permissible for the "shell user". If you need a process to exec a shell 1185# script with differing privilege, define a domain and set up a transition. 1186# 1187neverallow { 1188 domain 1189 -adbd 1190 -init 1191 -runas 1192 -zygote 1193} shell:process { transition dyntransition }; 1194 1195# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain 1196# attribute. 
1197neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } { 1198 appdomain -shell userdebug_or_eng(`-su') 1199}:process { transition dyntransition }; 1200 1201# Minimize read access to shell- or app-writable symlinks. 1202# This is to prevent malicious symlink attacks. 1203neverallow { 1204 domain 1205 -appdomain 1206 -installd 1207} { app_data_file privapp_data_file }:lnk_file read; 1208 1209neverallow { 1210 domain 1211 -shell 1212 userdebug_or_eng(`-uncrypt') 1213 -installd 1214} shell_data_file:lnk_file read; 1215 1216# In addition to the symlink reading restrictions above, restrict 1217# write access to shell owned directories. The /data/local/tmp 1218# directory is untrustworthy, and non-allowlisted domains should 1219# not be trusting any content in those directories. 1220neverallow { 1221 domain 1222 -adbd 1223 -dumpstate 1224 -installd 1225 -init 1226 -shell 1227 -vold 1228} shell_data_file:dir no_w_dir_perms; 1229 1230neverallow { 1231 domain 1232 -adbd 1233 -appdomain 1234 -dumpstate 1235 -init 1236 -installd 1237 -simpleperf_app_runner 1238 -system_server # why? 1239 userdebug_or_eng(`-uncrypt') 1240} shell_data_file:dir { open search }; 1241 1242# Same as above for /data/local/tmp files. We allow shell files 1243# to be passed around by file descriptor, but not directly opened. 
1244neverallow { 1245 domain 1246 -adbd 1247 -appdomain 1248 -dumpstate 1249 -installd 1250 userdebug_or_eng(`-uncrypt') 1251} shell_data_file:file open; 1252 1253# servicemanager and vndservicemanager are the only processes which handle the 1254# service_manager list request 1255neverallow * ~{ 1256 servicemanager 1257 vndservicemanager 1258 }:service_manager list; 1259 1260# hwservicemanager is the only process which handles hw list requests 1261neverallow * ~{ 1262 hwservicemanager 1263 }:hwservice_manager list; 1264 1265# only service_manager_types can be added to service_manager 1266# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 1267 1268# Prevent assigning non property types to properties 1269# TODO - rework this: neverallow * ~property_type:property_service set; 1270 1271# Domain types should never be assigned to any files other 1272# than the /proc/pid files associated with a process. The 1273# executable file used to enter a domain should be labeled 1274# with its own _exec type, not with the domain type. 1275# Conventionally, this looks something like: 1276# $ cat mydaemon.te 1277# type mydaemon, domain; 1278# type mydaemon_exec, exec_type, file_type; 1279# init_daemon_domain(mydaemon) 1280# $ grep mydaemon file_contexts 1281# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 1282neverallow * domain:file { execute execute_no_trans entrypoint }; 1283 1284# Do not allow access to the generic debugfs label. This is too broad. 1285# Instead, if access to part of debugfs is desired, it should have a 1286# more specific label. 1287# TODO: fix dumpstate 1288neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms; 1289 1290# Do not allow executable files in debugfs. 1291neverallow domain debugfs_type:file { execute execute_no_trans }; 1292 1293# Profiles contain untrusted data and profman parses that. We should only run 1294# in from installd forked processes. 
1295neverallow { 1296 domain 1297 -installd 1298 -profman 1299} profman_exec:file no_x_file_perms; 1300 1301# Enforce restrictions on kernel module origin. 1302# Do not allow kernel module loading except from system, 1303# vendor, and boot partitions. 1304neverallow * ~{ system_file vendor_file rootfs }:system module_load; 1305 1306# Only allow filesystem caps to be set at build time. Runtime changes 1307# to filesystem capabilities are not permitted. 1308neverallow * self:global_capability_class_set setfcap; 1309 1310# Enforce AT_SECURE for executing crash_dump. 1311neverallow domain crash_dump:process noatsecure; 1312 1313# Do not permit non-core domains to register HwBinder services which are 1314# guaranteed to be provided by core domains only. 1315neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1316 1317# Do not permit the registeration of HwBinder services which are guaranteed to 1318# be passthrough only (i.e., run in the process of their clients instead of a 1319# separate server process). 1320neverallow * same_process_hwservice:hwservice_manager add; 1321 1322# On TREBLE devices, most coredomains should not access vendor_files. 1323# TODO(b/71553434): Remove exceptions here. 1324full_treble_only(` 1325 neverallow { 1326 coredomain 1327 -appdomain 1328 -bootanim 1329 -crash_dump 1330 -init 1331 -kernel 1332 -perfprofd 1333 -heapprofd 1334 -ueventd 1335 } vendor_file:file { no_w_file_perms no_x_file_perms open }; 1336') 1337 1338# If an already existing file is opened with O_CREAT, the kernel might generate 1339# a false report of a create denial. Silence these denials and make sure that 1340# inappropriate permissions are not granted. 1341 1342# These filesystems don't allow files or directories to be created, so the permission 1343# to do so should never be granted. 
1344neverallow domain { 1345 proc_type 1346 sysfs_type 1347}:dir { add_name create link remove_name rename reparent rmdir write }; 1348 1349# cgroupfs directories can be created, but not files within them. 1350neverallow domain cgroup:file create; 1351 1352dontaudit domain proc_type:dir write; 1353dontaudit domain sysfs_type:dir write; 1354dontaudit domain cgroup:file create; 1355 1356# These are only needed in permissive mode - in enforcing mode the 1357# directory write check fails and so these are never attempted. 1358userdebug_or_eng(` 1359 dontaudit domain proc_type:dir add_name; 1360 dontaudit domain sysfs_type:dir add_name; 1361 dontaudit domain proc_type:file create; 1362 dontaudit domain sysfs_type:file create; 1363') 1364 1365# Platform must not have access to /mnt/vendor. 1366neverallow { 1367 coredomain 1368 -init 1369 -ueventd 1370 -vold 1371 -system_writes_mnt_vendor_violators 1372} mnt_vendor_file:dir *; 1373 1374# Only apps are allowed access to vendor public libraries. 1375full_treble_only(` 1376 neverallow { 1377 coredomain 1378 -appdomain 1379 } vendor_public_lib_file:file { execute execute_no_trans }; 1380') 1381 1382# Vendor domian must not have access to /mnt/product. 1383neverallow { 1384 domain 1385 -coredomain 1386} mnt_product_file:dir *; 1387 1388# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd 1389full_treble_only(` 1390 neverallow { 1391 coredomain 1392 -healthd 1393 -shell 1394 # Generate uevents for health info 1395 -ueventd 1396 # Recovery uses health HAL passthrough implementation. 1397 -recovery 1398 # Charger uses health HAL passthrough implementation. 1399 -charger 1400 # TODO(b/110891300): remove this exception 1401 -incidentd 1402 } sysfs_batteryinfo:file { open read }; 1403') 1404 1405neverallow { 1406 domain 1407 -hal_codec2_server 1408 -hal_omx_server 1409} hal_codec2_hwservice:hwservice_manager add; 1410 1411