# coredomain may read the power-manager properties; get_prop() grants
# read-only property access (the exported_* variant is the counterpart that
# is readable from outside the core/system side).
get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)

# Treble devices: no coredomain may access LED sysfs nodes at all (`*` is
# every file permission), except init, which chowns them, and the two
# domains that have generic access to sysfs_type (ueventd, vold).
full_treble_only(`
neverallow {
  coredomain

  # for chowning
  -init

  # generic access to sysfs_type
  -ueventd
  -vold
} sysfs_leds:file *;
')

# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
# Each allowlisted domain below is listed as an exception ("-domain") to
# the neverallow; userdebug_or_eng() makes an exception exist only on
# userdebug/eng builds, so on user builds that domain stays denied.
full_treble_only(`
  # Limit access to /vendor/app
  neverallow {
    coredomain
    -appdomain
    -dex2oat
    -dexoptanalyzer
    -idmap
    -init
    -installd
    userdebug_or_eng(`-heapprofd')
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
  } vendor_app_file:dir { open read getattr search };
')

full_treble_only(`
  # Same allowlist as the vendor_app_file:dir rule above, plus mediaserver,
  # for reading the files themselves. Keep the two lists in sync when adding
  # a domain; mediaserver is deliberately the only difference.
  neverallow {
    coredomain
    -appdomain
    -dex2oat
    -dexoptanalyzer
    -idmap
    -init
    -installd
    userdebug_or_eng(`-heapprofd')
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -mediaserver
  } vendor_app_file:file r_file_perms;
')

full_treble_only(`
  # Limit access to /vendor/overlay
  neverallow {
    coredomain
    -appdomain
    -idmap
    -init
    -installd
    -iorap_inode2filename
    -iorap_prefetcherd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -app_zygote
    -webview_zygote
    -zygote
    userdebug_or_eng(`-heapprofd')
  } vendor_overlay_file:dir { getattr open read search };
')

full_treble_only(`
  # Same allowlist as the vendor_overlay_file:dir rule above; only `open` is
  # restricted on the files themselves.
  neverallow {
    coredomain
    -appdomain
    -idmap
    -init
    -installd
    -iorap_inode2filename
    -iorap_prefetcherd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -app_zygote
    -webview_zygote
    -zygote
    userdebug_or_eng(`-heapprofd')
  } vendor_overlay_file:file open;
')

# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled, i.e. nodes that still carry the generic catch-all type
# of their filesystem (proc, sysfs, device, debugfs, ...) rather than a
# specific label. Each rule lists the few domains that may still use the
# generic type.
# NOTE(review): no_rw_file_perms covers open/read/write-style access; confirm
# against global_macros whether metadata access (getattr) is intentionally
# left outside these rules.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
  # /proc
  neverallow {
    coredomain
    -init
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  neverallow {
    coredomain
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  neverallow {
    coredomain
    -dumpstate
    -init
    -system_server
  } debugfs:file no_rw_file_perms;

  # tracefs
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -init
    -traced_probes
    -shell
    -system_server
    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    -healthd
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')

# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs. Unlike the rules above this one is unconditional
# (not Treble-only) and has no exceptions.
neverallow coredomain {
  iio_device
  radio_device
}:chr_file { open read append write ioctl };

# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices, which is why this rule can only be enforced under
# full_treble_only until that is untangled.
full_treble_only(`
  neverallow coredomain tee_device:chr_file { open read append write ioctl };
')