# Rules for all domains.
#
# Every rule in this file is keyed on the `domain` attribute and therefore
# applies to every process type in the policy. The allow rules come first;
# the "neverallow rules" section at the end holds assertions that the policy
# compiler checks against the whole policy, so no other .te file can quietly
# widen what is forbidden here.

# Allow reaping by init.
allow domain init:process sigchld;

# Intra-domain accesses.
allow domain self:process {
    fork
    sigchld
    sigkill
    sigstop
    signull
    signal
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    getattr
    setrlimit
};
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net_type:dir search;
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
allow domain init:fd use;

# Debug builds only (userdebug_or_eng): every domain may talk to su and write
# coredumps. None of this block is present in user builds.
userdebug_or_eng(`
    allow domain su:fd use;
    allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
    allow domain su:unix_dgram_socket sendto;

    allow { domain -init } su:binder { call transfer };

    # Running something like "pm dump com.android.bluetooth" requires
    # fifo writes
    allow domain su:fifo_file { write getattr };

    # allow "gdbserver --attach" to work for su.
    allow domain su:process sigchld;

    # Allow writing coredumps to /cores/*
    allow domain coredump_file:file create_file_perms;
    allow domain coredump_file:dir ra_dir_perms;
')

with_native_coverage(`
    # Allow writing coverage information to /data/misc/trace
    allow domain method_trace_data_file:dir create_dir_perms;
    allow domain method_trace_data_file:file create_file_perms;
')

# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;

# /dev/ashmem is being deprecated by means of constraining and eventually
# removing all "open" permissions. We preserve the other permissions.
allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
# This device is used by libcutils, which is accessible to everyone.
allow domain ashmem_libcutils_device:chr_file rw_file_perms;

# /dev/binder can be accessed by ... everyone! :)
# The two exclusions are service managers; the neverallow rules at the end of
# this file confine each service manager to its own device node.
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;

# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;

# Same for /dev/hwbinder: the other two service managers are excluded, and
# isolated_app gets no hwbinder device access from this rule.
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain proc_random:dir r_dir_perms;
allow domain proc_random:file r_file_perms;
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file r_file_perms;
allow domain property_info:file r_file_perms;

# Public readable properties
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_fingerprint_prop)
get_prop(domain, exported_radio_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, exported_vold_prop)
get_prop(domain, exported2_default_prop)
get_prop(domain, logd_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)

# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
get_prop(domain, binder_cache_telephony_server_prop)

# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
# audit_access only covers access(2) probes; dontaudit silences the denial
# log line without granting anything.
dontaudit domain property_type:file audit_access;
allow domain property_contexts_file:file r_file_perms;

allow domain init:key search;
allow domain vold:key search;

# logd access
write_logd(domain)

# Directory/link file access for path resolution.
allow domain {
    system_file
    system_lib_file
    system_seccomp_policy_file
    system_security_cacerts_file
}:dir r_dir_perms;
allow domain system_file:lnk_file { getattr read };

# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
allow domain system_seccomp_policy_file:file r_file_perms;
# cacerts are accessible from public Java API.
allow domain system_security_cacerts_file:file r_file_perms;
allow domain system_group_file:file r_file_perms;
allow domain system_passwd_file:file r_file_perms;
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
allow domain system_linker_exec:lnk_file { read open getattr };
allow domain system_lib_file:lnk_file { read open getattr };

allow domain system_event_log_tags_file:file r_file_perms;

# Execute access to generic system_file content is limited to apps and core
# domains; the not_full_treble block below extends it to every domain on
# non-Treble devices.
allow { appdomain coredomain } system_file:file { execute read open getattr map };

# Make sure system/vendor split does not affect non-treble
# devices
not_full_treble(`
    allow domain system_file:file { execute read open getattr map };
    allow domain vendor_file_type:dir { search getattr };
    allow domain vendor_file_type:file { execute read open getattr map };
    allow domain vendor_file_type:lnk_file { getattr read };
')

# All domains are allowed to open and read directories
# that contain HAL implementations (e.g. passthrough
# HALs require clients to have these permissions)
allow domain vendor_hal_file:dir r_dir_perms;

# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir r_dir_perms;
allow {
    domain
    -coredomain # access is explicitly granted to individual coredomains
} same_process_hal_file:file { execute read open getattr map };

# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
allow domain vndk_sp_file:dir r_dir_perms;
allow domain vndk_sp_file:file { execute read open getattr map };

# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
allow domain vendor_configs_file:file { read open getattr map };

full_treble_only(`
    # Allow all domains to be able to follow /system/vendor and/or
    # /vendor/odm symlinks.
    allow domain vendor_file_type:lnk_file { getattr open read };

    # This is required to be able to search & read /vendor/lib64
    # in order to lookup vendor libraries. The execute permission
    # for coredomains is granted *only* for same process HALs
    allow domain vendor_file:dir { getattr search };

    # Allow reading and executing out of /vendor to all vendor domains
    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
')

# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };

# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
# timezone related information.
# This directory is considered to be VNDK-stable.
allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;

# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)

r_dir_file(domain, sysfs_usb);

# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
allow domain sysfs_transparent_hugepage:dir search;
allow domain sysfs_transparent_hugepage:file r_file_perms;

# files under /data.
not_full_treble(`
    allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_root_file. Vendor components need the search
# permission on system_data_root_file for path traversal to /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
allow domain system_data_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_data_file:dir { getattr search };

# required by the dynamic linker
allow domain proc:lnk_file { getattr read };

# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;

# /dev/cpu_variant:.*
allow domain dev_cpu_variant:file r_file_perms;

# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file r_file_perms;

# toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;

# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;

# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
    ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
    ioctl unpriv_unix_sock_ioctls;

# Restrict PTYs to only allowlisted ioctls.
# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

# All domains must clearly enumerate what ioctls they use
# on filesystem objects (plain files, directories, symbolic links,
# named pipes, and named sockets). We start off with a safe set.
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };

# If a domain has ioctl access to tun_device, it must clearly enumerate the
# ioctls used. Safe defaults are listed below.
allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };

# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };

# If a domain has access to perform an ioctl on a block device, allow these
# very common, benign ioctls
allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };

# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
allowxperm domain { file_type sdcard_type }:file ioctl {
    F2FS_IOC_ABORT_VOLATILE_WRITE
    F2FS_IOC_COMMIT_ATOMIC_WRITE
    F2FS_IOC_GET_FEATURES
    F2FS_IOC_GET_PIN_FILE
    F2FS_IOC_SET_PIN_FILE
    F2FS_IOC_START_ATOMIC_WRITE
};

# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules.
# { domain -domain } is the empty set, so this rule grants nothing; it only
# keeps the attribute referenced.
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
# when it's not explicitly used in allow rules. Same empty-set trick as above.
allow { domain -domain } vndservice_manager_type:service_manager { add find };

# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
with_asan(`allow domain system_data_file:dir getattr;')
# Under ASAN, /system/asan.options needs to be globally accessible.
with_asan(`allow domain system_asan_options_file:file r_file_perms;')

# read APEX dir and stat any symlink pointing to APEXs.
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;

###
### neverallow rules
###

# All ioctls on file-like objects (except chr_file and blk_file) and
# sockets must be restricted to an allowlist.
# Asserting on command 0 is what enforces that: an allow rule for ioctl on
# one of these classes with no accompanying allowxperm allowlist covers every
# command, including 0, and so fails this check at policy build time.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };

# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };

# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * devpts:chr_file ioctl TIOCSTI;

# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit device node creation to these allowlisted domains.
neverallow {
    domain
    -kernel
    -init
    -ueventd
    -vold
} self:global_capability_class_set mknod;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow * self:global_capability2_class_set mac_override;

# Disallow attempts to set contexts not defined in current policy
# This helps guarantee that unknown or dangerous contents will not ever
# be set.
neverallow * self:global_capability2_class_set mac_admin;

# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
neverallow * kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only init, ueventd, shell and system_server should be able to access HW RNG
neverallow {
    domain
    -init
    -shell # For CTS and is restricted to getattr in shell.te
    -system_server
    -ueventd
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
    domain
    -shell # stat of /dev, getattr only
    -ueventd
} keychord_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;

# The dynamic linker always calls access(2) on the path. Don't generate SElinux
# denials since the linker does not actually access the path in case the path
# does not exist or isn't accessible for the process.
dontaudit domain postinstall_mnt_dir:dir audit_access;

# Ensure that nothing in userspace can access /dev/port
neverallow {
    domain
    -shell # Shell user should not have any abilities outside of getattr
    -ueventd
} port_device:chr_file *;
# Even the domains exempted above get nothing beyond managing and stat-ing the
# node itself: no open/read/write/ioctl on /dev/port for anyone.
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };

# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
neverallow * vendor_init:binder *;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow * *:{ blk_file chr_file } rename;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };

# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;

# Protect most domains from executing arbitrary content from /data.
neverallow {
    domain
    -appdomain
} {
    data_file_type
    -dalvikcache_data_file
    -system_data_file # shared libs in apks
    -apk_data_file
}:file no_x_file_perms;

# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };

# Nobody should be doing writes to /system & /vendor
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
neverallow {
    domain
    with_asan(`-asan_extract')
    recovery_only(`userdebug_or_eng(`-fastbootd')')
} {
    system_file_type
    vendor_file_type
    exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };

neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;

# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;

# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow * contextmount_type:dir_file_class_set
    { create setattr relabelfrom relabelto append link rename };
neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };

# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager *;
neverallow * default_android_vndservice:service_manager *;
neverallow * default_android_hwservice:hwservice_manager *;

# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security
# decisions are expressed in SELinux policy. However, it's unclear whether this
# lookup has security implications. If it doesn't, hwservicemanager should be
# modified to not offer this lookup.
# This rule can be removed if hwservicemanager is modified to not permit these
# lookups.
neverallow * hidl_base_hwservice:hwservice_manager find;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } vndk_prop:property_service set;

compatible_property_only(`
    neverallow { domain -init } default_prop:property_service set;
    neverallow { domain -init } mmc_prop:property_service set;
    neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
    neverallow { domain -init } exported_secure_prop:property_service set;
    neverallow { domain -init } exported2_default_prop:property_service set;
    neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
    neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
')

# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

compatible_property_only(`
    neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
    neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
')

# Do not allow reading device's serial number from system properties except from
# a few allowlisted domains.
neverallow {
    domain
    -adbd
    -dumpstate
    -fastbootd
    -hal_camera_server
    -hal_cas_server
    -hal_drm_server
    userdebug_or_eng(`-incidentd')
    -init
    -mediadrmserver
    -mediaserver
    -recovery
    -shell
    -system_server
    -vendor_init
} serialno_prop:file r_file_perms;

# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

neverallow {
    domain
    -init
    -recovery
    -system_server
    -shell # Shell is further restricted in shell.te
    -ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file no_rw_file_perms;

# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow {
    domain
    -init
    -recovery
    -vold
    -e2fs
    -fsck
    -fastbootd
} metadata_block_device:blk_file { append link rename write open read ioctl lock };

# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
neverallow {
    domain
    -fastbootd
    userdebug_or_eng(`-fsck')
    userdebug_or_eng(`-init')
    -recovery
    -update_engine
} system_block_device:blk_file { write append };

# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
    domain
    userdebug_or_eng(`-domain') # exclude debuggable builds: subtracting domain empties the set, so the assertion is a no-op there
    -fastbootd
    -hal_bootctl_server
    -init
    -uncrypt
    -update_engine
    -vendor_init
    -vendor_misc_writer
    -vold
    -recovery
    -ueventd
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node.
# This is why each of them is carved out of the /dev/binder and /dev/hwbinder
# allow rules earlier in this file.
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;

# system services can't add vendor services
neverallow {
    coredomain
} vendor_service:service_manager add;

full_treble_only(`
    # vendor services can't add system services
    neverallow {
        domain
        -coredomain
        -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
    } {
        service_manager_type
        -vendor_service
    }:service_manager add;
')

full_treble_only(`
    # Vendor apps are permitted to use only stable public services. If they were to use arbitrary
    # services which can change any time framework/core is updated, breakage is likely.
    neverallow {
        appdomain
        -coredomain
    } {
        service_manager_type
        -app_api_service
        -ephemeral_app_api_service
        -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
        -cameraserver_service
        -drmserver_service
        -hal_light_service # TODO(b/148154485) remove once all violators are gone
        -credstore_service
        -keystore_service
        -mediadrmserver_service
        -mediaextractor_service
        -mediametrics_service
        -mediaserver_service
        -nfc_service
        -radio_service
        -virtual_touchpad_service
        -vr_hwc_service
        -vr_manager_service
    }:service_manager find;
')

# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`
    neverallow {
        coredomain
        -shell
        userdebug_or_eng(`-su')
        -ueventd # uevent is granted create for this device, but we still neverallow I/O below
    } vndbinder_device:chr_file rw_file_perms;
')
full_treble_only(`
    neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
')
full_treble_only(`
    neverallow {
        coredomain
        -shell
        userdebug_or_eng(`-su')
    } vndservice_manager_type:service_manager *;
')
full_treble_only(`
    neverallow {
        coredomain
        -shell
        userdebug_or_eng(`-su')
    } vndservicemanager:binder *;
')

# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
# Most general rules first, more specific rules below.

# Core domains are not permitted to initiate communications to vendor domain sockets.
# We are not restricting the use of already established sockets because it is fine for a process
# to obtain an already established socket via some public/official/stable API and then exchange
# data with its peer over that socket. The wire format in this scenario is dictated by the API
# and thus does not break the core-vendor separation.
full_treble_only(`
    neverallow_establish_socket_comms({
        coredomain
        -init
        -adbd
    }, {
        domain
        -coredomain
        -socket_between_core_and_vendor_violators
    });
')
# Vendor domains are not permitted to initiate communications to core domain sockets
full_treble_only(`
    neverallow_establish_socket_comms({
        domain
        -coredomain
        -appdomain
        -socket_between_core_and_vendor_violators
    }, {
        coredomain
        -logd # Logging by writing to logd Unix domain socket is public API
        -netd # netdomain needs this
        -mdnsd # netdomain needs this
        userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
        -init
        -tombstoned # linker to tombstoned
        userdebug_or_eng(`-heapprofd')
        userdebug_or_eng(`-traced_perf')
    });
')

# Vendor domains are not permitted to create/open sockets owned by core domains
full_treble_only(`
    neverallow {
        domain
        -coredomain
        -appdomain # appdomain restrictions below
        -data_between_core_and_vendor_violators # b/70393317
        -socket_between_core_and_vendor_violators
        -vendor_init
    } {
        coredomain_socket
        core_data_file_type
        unlabeled # used only by core domains
    }:sock_file ~{ append getattr ioctl read write };
')
full_treble_only(`
    neverallow {
        appdomain
        -coredomain
    } {
        coredomain_socket
        unlabeled # used only by core domains
        core_data_file_type
        -app_data_file
        -privapp_data_file
        -pdx_endpoint_socket_type # used by VR layer
        -pdx_channel_socket_type # used by VR layer
    }:sock_file ~{ append getattr ioctl read write };
')

# Core domains are not permitted to create/open sockets owned by vendor domains
full_treble_only(`
    neverallow {
        coredomain
        -init
        -ueventd
        -socket_between_core_and_vendor_violators
    } {
        file_type
        dev_type
        -coredomain_socket
        -core_data_file_type
        -unlabeled
    }:sock_file ~{ append getattr ioctl read write };
')

# On TREBLE devices, vendor and system components are only allowed to share
# files by passing open FDs over hwbinder. Ban all directory access and all file
# accesses other than what can be applied to an open FD such as
# ioctl/stat/read/write/append. This is enforced by segregating /data.
# Vendor domains may directly access file in /data/vendor by path, but may only
# access files outside of /data/vendor via an open FD passed over hwbinder.
# Likewise, core domains may only directly access files outside /data/vendor by
# path and files in /data/vendor by open FD.
full_treble_only(`
    # coredomains may only access core_data_file_type, particularly not
    # /data/vendor
    neverallow {
        coredomain
        -appdomain # TODO(b/34980020) remove exemption for appdomain
        -data_between_core_and_vendor_violators
        -init
        -vold_prepare_subdirs
    } {
        data_file_type
        -core_data_file_type
    }:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
    neverallow {
        coredomain
        -appdomain # TODO(b/34980020) remove exemption for appdomain
        -data_between_core_and_vendor_violators
        -init
        -vold_prepare_subdirs
    } {
        data_file_type
        -core_data_file_type
        # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
        # neverallow. Currently only getattr and search are allowed.
        -vendor_data_file
    }:dir *;

')
full_treble_only(`
    # vendor domains may only access files in /data/vendor, never core_data_file_types
    neverallow {
        domain
        -appdomain # TODO(b/34980020) remove exemption for appdomain
        -coredomain
        -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
        -vendor_init
    } {
        core_data_file_type
        # libc includes functions like mktime and localtime which attempt to access
        # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
        # These functions are considered vndk-stable and thus must be allowed for
        # all processes.
        -zoneinfo_data_file
        with_native_coverage(`-method_trace_data_file')
    }:file_class_set ~{ append getattr ioctl read write map };
    neverallow {
        vendor_init
        -data_between_core_and_vendor_violators
    } {
        core_data_file_type
        -unencrypted_data_file
        -zoneinfo_data_file
        with_native_coverage(`-method_trace_data_file')
    }:file_class_set ~{ append getattr ioctl read write map };
    # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
    # The vendor init binary lives on the system partition so there is not a concern with stability.
    neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
')
full_treble_only(`
    # vendor domains may only access dirs in /data/vendor, never core_data_file_types
    neverallow {
        domain
        -appdomain # TODO(b/34980020) remove exemption for appdomain
        -coredomain
        -data_between_core_and_vendor_violators
        -vendor_init
    } {
        core_data_file_type
        -system_data_file # default label for files on /data. Covered below...
        -system_data_root_file
        -vendor_data_file
        -zoneinfo_data_file
        with_native_coverage(`-method_trace_data_file')
    }:dir *;
    neverallow {
        vendor_init
        -data_between_core_and_vendor_violators
    } {
        core_data_file_type
        -unencrypted_data_file
        -system_data_file
        -system_data_root_file
        -vendor_data_file
        -zoneinfo_data_file
        with_native_coverage(`-method_trace_data_file')
    }:dir *;
    # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
    # The vendor init binary lives on the system partition so there is not a concern with stability.
    neverallow vendor_init unencrypted_data_file:dir ~search;
')
full_treble_only(`
    # vendor domains may only access dirs in /data/vendor, never core_data_file_types
    neverallow {
        domain
        -appdomain # TODO(b/34980020) remove exemption for appdomain
        -coredomain
        -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    } {
        system_data_file # default label for files on /data. Covered below
    }:dir ~{ getattr search };
')

full_treble_only(`
    # coredomains may not access dirs in /data/vendor.
    neverallow {
        coredomain
        -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
        -init
        -vold # vold creates per-user storage for both system and vendor
        -vold_prepare_subdirs
    } {
        vendor_data_file # default label for files on /data. Covered below
    }:dir ~{ getattr search };
')

full_treble_only(`
    # coredomains may not access dirs in /data/vendor.
    neverallow {
        coredomain
        -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
        -init
    } {
        vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
921 }:file_class_set ~{ append getattr ioctl read write map }; 922') 923 924full_treble_only(` 925 # Non-vendor domains are not allowed to file execute shell 926 # from vendor 927 neverallow { 928 coredomain 929 -init 930 -shell 931 -ueventd 932 } vendor_shell_exec:file { execute execute_no_trans }; 933') 934 935full_treble_only(` 936 # Do not allow vendor components to execute files from system 937 # except for the ones allowlist here. 938 neverallow { 939 domain 940 -coredomain 941 -appdomain 942 -vendor_executes_system_violators 943 -vendor_init 944 } { 945 system_file_type 946 -system_lib_file 947 -system_linker_exec 948 -crash_dump_exec 949 -iorap_prefetcherd_exec 950 -iorap_inode2filename_exec 951 -netutils_wrapper_exec 952 userdebug_or_eng(`-tcpdump_exec') 953 }:file { entrypoint execute execute_no_trans }; 954') 955 956full_treble_only(` 957 # Do not allow system components to execute files from vendor 958 # except for the ones allowlisted here. 959 neverallow { 960 coredomain 961 -init 962 -shell 963 -system_executes_vendor_violators 964 -ueventd 965 } { 966 vendor_file_type 967 -same_process_hal_file 968 -vndk_sp_file 969 -vendor_app_file 970 -vendor_public_lib_file 971 }:file execute; 972') 973 974full_treble_only(` 975 neverallow { 976 coredomain 977 -shell 978 -system_executes_vendor_violators 979 } { 980 vendor_file_type 981 -same_process_hal_file 982 }:file execute_no_trans; 983') 984 985full_treble_only(` 986 # Do not allow system components access to /vendor files except for the 987 # ones allowlisted here. 
988 neverallow { 989 coredomain 990 # TODO(b/37168747): clean up fwk access to /vendor 991 -crash_dump 992 -init # starts vendor executables 993 -iorap_inode2filename 994 -iorap_prefetcherd 995 -kernel # loads /vendor/firmware 996 userdebug_or_eng(`-heapprofd') 997 -shell 998 -system_executes_vendor_violators 999 -traced_perf # library/binary access for symbolization 1000 -ueventd # reads /vendor/ueventd.rc 1001 -vold # loads incremental fs driver 1002 } { 1003 vendor_file_type 1004 -same_process_hal_file 1005 -vendor_app_file 1006 -vendor_apex_file 1007 -vendor_configs_file 1008 -vendor_service_contexts_file 1009 -vendor_framework_file 1010 -vendor_idc_file 1011 -vendor_keychars_file 1012 -vendor_keylayout_file 1013 -vendor_overlay_file 1014 -vendor_public_lib_file 1015 -vendor_task_profiles_file 1016 -vndk_sp_file 1017 }:file *; 1018') 1019 1020full_treble_only(` 1021 # Do not allow vendor components access to /system files except for the 1022 # ones allowlisted here. 1023 neverallow { 1024 domain 1025 -appdomain 1026 -coredomain 1027 -vendor_executes_system_violators 1028 # vendor_init needs access to init_exec for domain transition. 
vendor_init 1029 # neverallows are covered in public/vendor_init.te 1030 -vendor_init 1031 } { 1032 system_file_type 1033 -crash_dump_exec 1034 -file_contexts_file 1035 -iorap_inode2filename_exec 1036 -netutils_wrapper_exec 1037 -property_contexts_file 1038 -system_event_log_tags_file 1039 -system_group_file 1040 -system_lib_file 1041 with_asan(`-system_asan_options_file') 1042 -system_linker_exec 1043 -system_linker_config_file 1044 -system_passwd_file 1045 -system_seccomp_policy_file 1046 -system_security_cacerts_file 1047 -system_zoneinfo_file 1048 -task_profiles_file 1049 userdebug_or_eng(`-tcpdump_exec') 1050 }:file *; 1051') 1052 1053# Only system_server should be able to send commands via the zygote socket 1054neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 1055neverallow { domain -system_server } zygote_socket:sock_file write; 1056 1057neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto; 1058neverallow { domain -system_server } webview_zygote:sock_file write; 1059neverallow { domain -system_server } app_zygote:sock_file write; 1060 1061neverallow { 1062 domain 1063 -tombstoned 1064 -crash_dump 1065 -dumpstate 1066 -incidentd 1067 -system_server 1068 1069 # Processes that can't exec crash_dump 1070 -hal_codec2_server 1071 -hal_omx_server 1072 -mediaextractor 1073} tombstoned_crash_socket:unix_stream_socket connectto; 1074 1075# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to 1076# the tombstoned intercept socket. 1077neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; 1078neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 1079 1080# Android does not support System V IPCs. 1081# 1082# The reason for this is due to the fact that, by design, they lead to global 1083# kernel resource leakage. 
1084# 1085# For example, there is no way to automatically release a SysV semaphore 1086# allocated in the kernel when: 1087# 1088# - a buggy or malicious process exits 1089# - a non-buggy and non-malicious process crashes or is explicitly killed. 1090# 1091# Killing processes automatically to make room for new ones is an 1092# important part of Android's application lifecycle implementation. This means 1093# that, even assuming only non-buggy and non-malicious code, it is very likely 1094# that over time, the kernel global tables used to implement SysV IPCs will fill 1095# up. 1096neverallow * *:{ shm sem msg msgq } *; 1097 1098# Do not mount on top of symlinks, fifos, or sockets. 1099# Feature parity with Chromium LSM. 1100neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 1101 1102# Nobody should be able to execute su on user builds. 1103# On userdebug/eng builds, only dumpstate, shell, and 1104# su itself execute su. 1105neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 1106 1107# Do not allow the introduction of new execmod rules. Text relocations 1108# and modification of executable pages are unsafe. 1109# The only exceptions are for NDK text relocations associated with 1110# https://code.google.com/p/android/issues/detail?id=23203 1111# which, long term, need to go away. 1112neverallow * { 1113 file_type 1114 -apk_data_file 1115 -app_data_file 1116 -asec_public_file 1117}:file execmod; 1118 1119# Do not allow making the stack or heap executable. 1120# We would also like to minimize execmem but it seems to be 1121# required by some device-specific service domains. 1122neverallow * self:process { execstack execheap }; 1123 1124# Do not allow the introduction of new execmod rules. Text relocations 1125# and modification of executable pages are unsafe. 
# execmod on any file_type is limited to the untrusted_app_25 and
# untrusted_app_27 domains.
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;

# Only init may mount over /proc entries.
neverallow { domain -init } proc:{ file dir } mounton;

# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
neverallow ~domain domain:process { transition dyntransition };

#
# Only system_app and system_server should be creating or writing
# their files. The proper way to share files is to setup
# type transitions to a more specific type or assigning a type
# to its parent directory via a file_contexts entry.
# Example type transition:
#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
  domain
  -system_server
  -system_app
  -init
  -toolbox # TODO(b/141108496) We want to remove toolbox
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
  -vold_prepare_subdirs # For unlink
  with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };

# respect system_app sandboxes
neverallow {
  domain
  -appdomain # finer-grained rules for appdomain are listed below
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
  -iorap_inode2filename
  -traced_probes # resolve inodes for i/o tracing.
                 # only needs open and read, the rest is neverallow in
                 # traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
# The app domains exempted above are restricted explicitly here.
neverallow {
  isolated_app
  untrusted_app_all # finer-grained rules for appdomain are listed below
  ephemeral_app
  priv_app
} system_app_data_file:dir_file_class_set { create unlink open };

#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
  domain
  -adbd
  -init
  -runas
  -zygote
} shell:process { transition dyntransition };

# Only domains spawned from zygote, runas and simpleperf_app_runner may have
# the appdomain attribute. simpleperf is excluded as a domain transitioned to
# when running an app-scoped profiling session.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
  appdomain -shell -simpleperf userdebug_or_eng(`-su')
}:process { transition dyntransition };

# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
neverallow {
  domain
  -appdomain
  -installd
} { app_data_file privapp_data_file }:lnk_file read;

neverallow {
  domain
  -shell
  userdebug_or_eng(`-uncrypt')
  -installd
} shell_data_file:lnk_file read;

# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
  domain
  -adbd
  -dumpstate
  -installd
  -init
  -shell
  -vold
} shell_data_file:dir no_w_dir_perms;

# Opening or searching shell-owned directories is limited to the same set
# plus appdomain, simpleperf_app_runner and system_server.
neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -init
  -installd
  -simpleperf_app_runner
  -system_server # why?
  userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };

# Same as above for /data/local/tmp files. We allow shell files
# to be passed around by file descriptor, but not directly opened.
neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -installd
  userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;

# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
  servicemanager
  vndservicemanager
  }:service_manager list;

# hwservicemanager is the only process which handles hw list requests
neverallow * ~{
  hwservicemanager
  }:hwservice_manager list;

# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };

# Prevent assigning non property types to properties
# TODO - rework this: neverallow * ~property_type:property_service set;

# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
# executable file used to enter a domain should be labeled
# with its own _exec type, not with the domain type.
# Conventionally, this looks something like:
# $ cat mydaemon.te
# type mydaemon, domain;
# type mydaemon_exec, exec_type, file_type;
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
neverallow * domain:file { execute execute_no_trans entrypoint };

# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix dumpstate
neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;

# Do not allow executable files in debugfs.
neverallow domain debugfs_type:file { execute execute_no_trans };

# Don't allow access to the FUSE control filesystem, except to vold, init and
# vendor_init.
neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;

# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
  domain
  -installd
  -profman
} profman_exec:file no_x_file_perms;

# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;

# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
neverallow * self:global_capability_class_set setfcap;

# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;

# Do not permit non-core domains to register HwBinder services which are
# guaranteed to be provided by core domains only.
neverallow ~coredomain coredomain_hwservice:hwservice_manager add;

# Do not permit the registration of HwBinder services which are guaranteed to
# be passthrough only (i.e., run in the process of their clients instead of a
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;

# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -bootanim
    -crash_dump
    -heapprofd
    -init
    -iorap_inode2filename
    -iorap_prefetcherd
    -kernel
    -traced_perf
    -ueventd
  } vendor_file:file { no_w_file_perms no_x_file_perms open };
')

# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.

# These filesystems don't allow files or directories to be created, so the permission
# to do so should never be granted.
neverallow domain {
  proc_type
  sysfs_type
}:dir { add_name create link remove_name rename reparent rmdir write };

# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;

# Silence the spurious denials described above; the neverallows above still
# guarantee the permissions are never granted.
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;

# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
userdebug_or_eng(`
  dontaudit domain proc_type:dir add_name;
  dontaudit domain sysfs_type:dir add_name;
  dontaudit domain proc_type:file create;
  dontaudit domain sysfs_type:file create;
')

# Platform must not have access to /mnt/vendor.
neverallow {
  coredomain
  -init
  -ueventd
  -vold
  -system_writes_mnt_vendor_violators
} mnt_vendor_file:dir *;

# Only apps are allowed access to vendor public libraries.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
  } vendor_public_lib_file:file { execute execute_no_trans };
')

# Vendor domain must not have access to /mnt/product.
neverallow {
  domain
  -coredomain
} mnt_product_file:dir *;

# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
full_treble_only(`
  neverallow {
    coredomain
    -healthd
    -shell
    # Generate uevents for health info
    -ueventd
    # Recovery uses health HAL passthrough implementation.
    -recovery
    # Charger uses health HAL passthrough implementation.
    -charger
    # TODO(b/110891300): remove this exception
    -incidentd
  } sysfs_batteryinfo:file { open read };
')

# Only the codec2 and OMX HAL servers may register hal_codec2_hwservice.
neverallow {
  domain
  -hal_codec2_server
  -hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;

# Only apps targeting < Q are allowed to open /dev/ashmem directly.
# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
neverallow {
  domain
  -ephemeral_app # We don't distinguish ephemeral apps based on target API.
  -untrusted_app_25
  -untrusted_app_27
} ashmem_device:chr_file open;