# Read access for every core domain to the system-property contexts listed
# below. get_prop grants read-side access to a property context only; it
# does not grant the ability to set the property.
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, dalvik_config_prop)
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
get_prop(coredomain, zygote_config_prop)
get_prop(coredomain, zygote_wrap_prop)

# TODO(b/170590987): remove this after cleaning up default_prop
# default_prop is the catch-all context for properties that have not yet
# been given a dedicated label, so this single line is broader than any of
# the entries above.
get_prop(coredomain, default_prop)

# Only applied on full-Treble builds (full_treble_only). Every file
# permission on sysfs_leds is forbidden to core domains; the only domains
# carved out are the three listed, each with the reason given inline.
full_treble_only(`
neverallow {
  coredomain

  # for chowning
  -init

  # generic access to sysfs_type
  -ueventd
  -vold
} sysfs_leds:file *;
')

# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
  # Limit access to /vendor/app
  # Directory-level allowlist: these are the only core domains permitted to
  # list or traverse /vendor/app.
  neverallow {
    coredomain
    -appdomain
    -dex2oat
    -dexoptanalyzer
    -idmap
    -init
    -installd
    -heapprofd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
  } vendor_app_file:dir { open read getattr search };
')

full_treble_only(`
  # File-level allowlist for /vendor/app. Same set as the directory rule
  # above plus two extra exemptions: mediaserver (file reads only; it is not
  # exempted from the directory rule) and, only on userdebug/eng builds,
  # profcollectd. r_file_perms is the standard read-only file permission set.
  neverallow {
    coredomain
    -appdomain
    -dex2oat
    -dexoptanalyzer
    -idmap
    -init
    -installd
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -mediaserver
  } vendor_app_file:file r_file_perms;
')

full_treble_only(`
  # Limit access to /vendor/overlay
  # Directory-level allowlist. Compared with /vendor/app, the zygotes and the
  # iorap daemons are exempted here; dex2oat and dexoptanalyzer are not.
  neverallow {
    coredomain
    -appdomain
    -idmap
    -init
    -installd
    -iorap_inode2filename
    -iorap_prefetcherd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -app_zygote
    -webview_zygote
    -zygote
    -heapprofd
  } vendor_overlay_file:dir { getattr open read search };
')

full_treble_only(`
  # File-level rule for /vendor/overlay. Only the open permission is covered;
  # the exemption set matches the directory rule above, with profcollectd
  # added on userdebug/eng builds only.
  neverallow {
    coredomain
    -appdomain
    -idmap
    -init
    -installd
    -iorap_inode2filename
    -iorap_prefetcherd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -app_zygote
    -webview_zygote
    -zygote
    -heapprofd
    userdebug_or_eng(`-profcollectd')
  } vendor_overlay_file:file open;
')

# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
# Each rule below denies no_rw_file_perms (the global_macros set covering
# open together with the write/create/relabel/rename-style permissions) on
# a generic, not-further-labeled kernel filesystem type. The intent is that
# a core domain may only touch nodes that carry a specific label; the
# exemptions are the few daemons that legitimately need the generic type.
# The whole group is applied on full-Treble builds only.
full_treble_only(`
  # /proc
  neverallow {
    coredomain
    -init
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  # Covers both block and regular files carrying the generic device label.
  neverallow {
    coredomain
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  # The three exemptions are wrapped in no_debugfs_restriction, so they are
  # only emitted on builds where debugfs access is not restricted; on builds
  # where it is, no core domain at all is exempt from this rule.
  neverallow {
    coredomain
    no_debugfs_restriction(`
      -dumpstate
      -init
      -system_server
    ')
  } debugfs:file no_rw_file_perms;

  # tracefs
  # Tracing producers and consumers are exempted; profcollectd only on
  # userdebug/eng builds. Note that shell is exempt here as well.
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -gpuservice
    -init
    -traced_perf
    -traced_probes
    -shell
    -system_server
    -traceur_app
    userdebug_or_eng(`-profcollectd')
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  # Crash/boot-log consumers are exempted; incidentd only on userdebug/eng.
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    -healthd
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;

  # dmabuf heaps
  # The target set is every dmabuf heap device type minus the system heap and
  # the system secure heap, so those two heaps remain reachable from core
  # domains while all other heaps are reserved for init and ueventd.
  neverallow {
    coredomain
    -init
    -ueventd
  }{
    dmabuf_heap_device_type
    -dmabuf_system_heap_device
    -dmabuf_system_secure_heap_device
  }:chr_file no_rw_file_perms;
')

# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
# Unlike the rules above there is no exemption set here, not even for init:
# every core domain is denied. The permission set is spelled out explicitly
# rather than via no_rw_file_perms, so read and ioctl are blocked as well.
neverallow coredomain {
  iio_device
  radio_device
}:chr_file { open read append write ioctl };

# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
# Same permission set as above for the TEE device node, but only enforced on
# full-Treble builds because of the situation described in the TODO.
full_treble_only(`
  neverallow coredomain tee_device:chr_file { open read append write ioctl };
')