# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes: crash_dump ptrace-attaches the
# crashing process, and ptrace stop notifications reach the tracer as
# SIGCHLD, hence the sigchld grant from every domain towards crash_dump.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122). su only exists on userdebug/eng builds, so the
# exemption is wrapped in userdebug_or_eng.
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;

# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions (see can_profile_heap below).
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds only: the whole grant is wrapped in
# userdebug_or_eng, so user builds get nothing here. The excluded domains are
# early-boot/low-level daemons and security-sensitive services (keystore,
# vold, logd, recovery) that must not have a profiler attached.
userdebug_or_eng(`can_profile_heap({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
})')

# As above, allow perf profiling most processes on debug builds.
# zygote is excluded as system-wide profiling could end up with it
# (unexpectedly) holding an open fd across a fork, leaking the fd into
# every app it spawns. Keep this list in sync with can_profile_heap above.
userdebug_or_eng(`can_profile_perf({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
  -zygote
})')

# Everyone can access the IncFS list of features (read-only).
r_dir_file(domain, sysfs_fs_incfs_features);

# Path resolution access in cgroups (v1 and v2).
# Every domain may traverse the hierarchy; write access to cgroup dirs/files
# is withheld from apps (and from rs, which is spawned by apps) so that an
# app cannot move itself or other tasks between cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;

allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;

# cgroups.json / task_profiles.json are read-only for everyone; writing
# cgroup.rc is restricted to init/vendor_init by the neverallow further down.
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;

# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);

# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)

# Read access to bq configuration values
get_prop(domain, bq_config_prop);

# For now, everyone can access core property files
# Device specific properties are not granted by default
# On devices without the compatible property scheme every domain may read the
# legacy property types; with compatible properties the readers are narrowed
# to core/app/shell domains (and vendor_default_prop to non-core domains).
not_compatible_property(`
  # DO NOT ADD ANY PROPERTIES HERE
  get_prop(domain, core_property_type)
  get_prop(domain, exported3_system_prop)
  get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
  # DO NOT ADD ANY PROPERTIES HERE
  get_prop({coredomain appdomain shell}, core_property_type)
  get_prop({coredomain appdomain shell}, exported3_system_prop)
  get_prop({coredomain appdomain shell}, exported_camera_prop)
  get_prop({coredomain shell}, userspace_reboot_exported_prop)
  get_prop({coredomain shell}, userspace_reboot_log_prop)
  get_prop({coredomain shell}, userspace_reboot_test_prop)
  get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')

# Allow access to fsverity keyring.
# search only: domains may look up keys to verify signatures, not add,
# modify or remove them.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
# Debug builds only; on user builds su does not exist.
userdebug_or_eng(`
  allow domain su:key search;
')

# Allow access to linkerconfig file (read-only)
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;

# Allow all processes to check for the existence of the boringssl_self_test_marker files.
# dir search is enough for an existence check; the marker files themselves
# are not readable through this rule.
allow domain boringssl_self_test_marker:dir search;

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
# The llkd/incidentd/profcollectd exemptions are only present on
# userdebug/eng builds; on user builds those domains are covered by the
# neverallow like everyone else.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  userdebug_or_eng(`-profcollectd')
  -storaged
  -system_server
} self:global_capability_class_set sys_ptrace;

# Limit ability to generate hardware unique device ID attestations to priv_apps
# (and gmscore). Using device IDs in attestations, and keystore namespace
# management (clear/lock/unlock/reset), is reserved for system_server.
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };

# No domain other than init/vendor_init may read or write tracing debugfs.
# NOTE: `userdebug_or_eng(`-domain')` removes every domain from the source
# set on debug builds, so this neverallow only constrains user builds.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;

# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes (other domains may at most
# getattr/read the files, never list or modify the directory).
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };

###
# Services should respect app sandboxes
# (This rule is restated verbatim further below; both are kept so that the
# app-data neverallows read as a complete set on their own.)
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Only the following processes should be directly accessing private app
# directories.
neverallow {
  domain
  -adbd
  -appdomain
  -app_zygote
  -dexoptanalyzer
  -installd
  -iorap_inode2filename
  -iorap_prefetcherd
  -profman
  -rs # spawned by appdomain, so carryover the exception above
  -runas
  -system_server
  -viewcompiler
  -zygote
} { privapp_data_file app_data_file }:dir *;

# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
  domain
  -appdomain
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;

# Opening files inside app data is limited to apps and the few helpers that
# need to read app files on their behalf.
neverallow {
  domain
  -appdomain
  -app_zygote
  -installd
  -iorap_prefetcherd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;

# Duplicate of the "Services should respect app sandboxes" rule above; a
# duplicated neverallow is harmless but could be dropped in a cleanup.
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Only installd may relabel app data (restorecon).
neverallow {
  domain
  -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
# Note that the dir and file exemption lists differ (system_app, adbd and
# kernel may touch the files but not the directories); write access is then
# narrowed further below to init, system_server and (for dirs) installd.
neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
  { append create relabelfrom rename setattr write no_x_file_perms };

# Nothing may execute files that live directly on a filesystem type (as
# opposed to a labeled file type), except for the oemfs/tmpfs cases listed.
neverallow {
  domain
  -appdomain # for oemfs
  -bootanim # for oemfs
  -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
# Several exemptions (su, mediaextractor, mediaswcodec) only exist on
# userdebug/eng builds; asan_extract only in ASAN builds.
#
neverallow {
  domain
  -appdomain
  with_asan(`-asan_extract')
  -iorap_prefetcherd
  -shell
  userdebug_or_eng(`-su')
  -system_server_startup # for memfd backed executable regions
  -app_zygote
  -webview_zygote
  -zygote
  userdebug_or_eng(`-mediaextractor')
  userdebug_or_eng(`-mediaswcodec')
} {
  file_type
  -system_file_type
  -system_lib_file
  -system_linker_exec
  -vendor_file_type
  -exec_type
  -postinstall_file
}:file execute;

# Only init is allowed to write cgroup.rc file
neverallow {
  domain
  -init
  -vendor_init
} cgroup_rc_file:file no_w_file_perms;

# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;

neverallow {
  domain
  -init
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -zygote
  -otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;

# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline
# update. Allowing other domains to write here would let them plant code
# that the zygote later loads.
neverallow {
  domain
  # art processes
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;

neverallow {
  domain
  # art processes
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;

# Protect most domains from executing arbitrary content from /data.
# The carve-outs are the locations that legitimately hold executable code
# (dalvik-cache, ART apexdata, APKs and the shared libs extracted from them).
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;

# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# dac_override_allowed is an m4 macro expanding to the set of domains that
# may bypass DAC checks; llkd is only in the set on userdebug/eng builds.
define(`dac_override_allowed', `{
  apexd
  dnsmasq
  dumpstate
  init
  installd
  userdebug_or_eng(`llkd')
  lmkd
  migrate_legacy_obb_data
  netd
  postinstall_dexopt
  recovery
  rss_hwm_reset
  sdcardd
  tee
  ueventd
  uncrypt
  vendor_init
  vold
  vold_prepare_subdirs
  zygote
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
  dac_override_allowed
  iorap_inode2filename
  iorap_prefetcherd
  traced_perf
  traced_probes
  heapprofd
} self:global_capability_class_set dac_read_search;

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
# fastbootd is only exempted in recovery policy.
neverallow {
  domain
  -apexd
  recovery_only(`-fastbootd')
  -init
  -kernel
  -otapreopt_chroot
  -recovery
  -update_engine
  -vold
  -zygote
} { fs_type
  -sdcard_type
}:filesystem { mount remount relabelfrom relabelto };

# Mounting debugfs (other than the tracing instance) is forbidden entirely on
# user builds; on userdebug/eng only init may do so.
enforce_debugfs_restriction(`
  neverallow {
    domain userdebug_or_eng(`-init')
  } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')

# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
# As with the debugfs_tracing_debug rule above, `userdebug_or_eng(`-domain')`
# empties the source set on debug builds, so this is a user-build-only check.
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -gsid
  -init
  -recovery
  -ueventd
  -healthd
  -uncrypt
  -tee
  -hal_bootctl_server
  -fastbootd
} self:global_capability_class_set sys_rawio;

# Restrict mirror_data_file directory operations to the domains that set up
# app data isolation (init, installd, zygote); no other domain needs them.
neverallow {
  domain
  -init
  -installd
  -zygote
} mirror_data_file:dir *;

# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;

# Only core domains are allowed to access package_manager properties;
# only init and system_server may set them.
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

# Kprobes should only be used by adb root. No allow rule for debugfs_kprobes
# may exist outside init/vendor_init; "adb root" (su) presumably still
# reaches it on debug builds without an allow rule because su is permissive
# there -- confirm against su.te.
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;

# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -bootanim
    -crash_dump
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -init
    -iorap_inode2filename
    -iorap_prefetcherd
    -kernel
    -traced_perf
    -ueventd
  } vendor_file:file { no_w_file_perms no_x_file_perms open };
')

# Vendor domains are not permitted to initiate communications to core domain sockets
# (the listed coredomain targets are the public socket APIs, or debug-only
# exemptions for su/heapprofd/traced_perf).
full_treble_only(`
  neverallow_establish_socket_comms({
    domain
    -coredomain
    -appdomain
    -socket_between_core_and_vendor_violators
  }, {
    coredomain
    -logd # Logging by writing to logd Unix domain socket is public API
    -netd # netdomain needs this
    -mdnsd # netdomain needs this
    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
    -init
    -tombstoned # linker to tombstoned
    userdebug_or_eng(`-heapprofd')
    userdebug_or_eng(`-traced_perf')
  });
')

full_treble_only(`
  # Do not allow system components access to /vendor files except for the
  # ones allowed here. The excluded target types are the vendor files that
  # form the documented framework/vendor interface (configs, overlays,
  # public libs, VNDK-SP, same-process HALs, key layouts, etc.).
  neverallow {
    coredomain
    # TODO(b/37168747): clean up fwk access to /vendor
    -crash_dump
    -init # starts vendor executables
    -iorap_inode2filename
    -iorap_prefetcherd
    -kernel # loads /vendor/firmware
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -shell
    -system_executes_vendor_violators
    -traced_perf # library/binary access for symbolization
    -ueventd # reads /vendor/ueventd.rc
    -vold # loads incremental fs driver
  } {
    vendor_file_type
    -same_process_hal_file
    -vendor_app_file
    -vendor_apex_file
    -vendor_configs_file
    -vendor_service_contexts_file
    -vendor_framework_file
    -vendor_idc_file
    -vendor_keychars_file
    -vendor_keylayout_file
    -vendor_overlay_file
    -vendor_public_framework_file
    -vendor_public_lib_file
    -vendor_task_profiles_file
    -vndk_sp_file
  }:file *;
')

# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;

# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;

# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
} mm_events_config_prop:file no_rw_file_perms;

# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are replaced with symbol
# names (if available). Traces don't disclose KASLR.
# profcollectd is only exempted on userdebug/eng builds.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  -vendor_init
  -traced_probes
  -traced_perf
} proc_kallsyms:file { open read };

# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing (debug builds only).
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
# tracefs_type is excluded because tracing debugfs is governed by the
# debugfs_tracing_debug rule above.
enforce_debugfs_restriction(`
  neverallow {
    domain
    -vendor_modprobe
    userdebug_or_eng(`
      -init
      -hal_dumpstate
    ')
  } { debugfs_type
    userdebug_or_eng(`-debugfs_kcov')
    -tracefs_type
  }:file no_rw_file_perms;
')