1##################################### 2# domain_trans(olddomain, type, newdomain) 3# Allow a transition from olddomain to newdomain 4# upon executing a file labeled with type. 5# This only allows the transition; it does not 6# cause it to occur automatically - use domain_auto_trans 7# if that is what you want. 8# 9define(`domain_trans', ` 10# Old domain may exec the file and transition to the new domain. 11allow $1 $2:file { getattr open read execute map }; 12allow $1 $3:process transition; 13# New domain is entered by executing the file. 14allow $3 $2:file { entrypoint open read execute getattr map }; 15# New domain can send SIGCHLD to its caller. 16ifelse($1, `init', `', `allow $3 $1:process sigchld;') 17# Enable AT_SECURE, i.e. libc secure mode. 18dontaudit $1 $3:process noatsecure; 19# XXX dontaudit candidate but requires further study. 20allow $1 $3:process { siginh rlimitinh }; 21') 22 23##################################### 24# domain_auto_trans(olddomain, type, newdomain) 25# Automatically transition from olddomain to newdomain 26# upon executing a file labeled with type. 27# 28define(`domain_auto_trans', ` 29# Allow the necessary permissions. 30domain_trans($1,$2,$3) 31# Make the transition occur by default. 32type_transition $1 $2:process $3; 33') 34 35##################################### 36# file_type_trans(domain, dir_type, file_type) 37# Allow domain to create a file labeled file_type in a 38# directory labeled dir_type. 39# This only allows the transition; it does not 40# cause it to occur automatically - use file_type_auto_trans 41# if that is what you want. 42# 43define(`file_type_trans', ` 44# Allow the domain to add entries to the directory. 45allow $1 $2:dir ra_dir_perms; 46# Allow the domain to create the file. 47allow $1 $3:notdevfile_class_set create_file_perms; 48allow $1 $3:dir create_dir_perms; 49') 50 51##################################### 52# file_type_auto_trans(domain, dir_type, file_type) 53# Automatically label new files with file_type when 54# they are created by domain in directories labeled dir_type. 55# 56define(`file_type_auto_trans', ` 57# Allow the necessary permissions. 58file_type_trans($1, $2, $3) 59# Make the transition occur by default. 60type_transition $1 $2:dir $3; 61type_transition $1 $2:notdevfile_class_set $3; 62') 63 64##################################### 65# r_dir_file(domain, type) 66# Allow the specified domain to read directories, files 67# and symbolic links of the specified type. 68define(`r_dir_file', ` 69allow $1 $2:dir r_dir_perms; 70allow $1 $2:{ file lnk_file } r_file_perms; 71') 72 73##################################### 74# tmpfs_domain(domain) 75# Allow access to a unique type for this domain when creating tmpfs / ashmem files. 76define(`tmpfs_domain', ` 77type_transition $1 tmpfs:file $1_tmpfs; 78allow $1 $1_tmpfs:file { read write getattr map }; 79') 80 81# pdx macros for IPC. pdx is a high-level name which contains transport-specific 82# rules from underlying transport (e.g. UDS-based implementation). 83 84##################################### 85# pdx_service_attributes(service) 86# Defines type attribute used to identify various service-related types. 87define(`pdx_service_attributes', ` 88attribute pdx_$1_endpoint_dir_type; 89attribute pdx_$1_endpoint_socket_type; 90attribute pdx_$1_channel_socket_type; 91attribute pdx_$1_server_type; 92') 93 94##################################### 95# pdx_service_socket_types(service, endpoint_dir_t) 96# Define types for endpoint and channel sockets. 97define(`pdx_service_socket_types', ` 98typeattribute $2 pdx_$1_endpoint_dir_type; 99type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; 100type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket; 101userdebug_or_eng(` 102dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *; 103dontaudit su pdx_$1_channel_socket:unix_stream_socket *; 104') 105') 106 107##################################### 108# pdx_server(server_domain, service) 109define(`pdx_server', ` 110# Mark the server domain as a PDX server. 111typeattribute $1 pdx_$2_server_type; 112# Allow the init process to create the initial endpoint socket. 113allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind }; 114# Allow the server domain to use the endpoint socket and accept connections on it. 115# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights 116# than we need (e.g. we don"t need "bind" or "connect"). 117allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept }; 118# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()). 119allow $1 self:process setsockcreate; 120# Allow the server domain to create a client channel socket. 121allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms; 122# Prevent other processes from claiming to be a server for the same service. 123neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept }; 124') 125 126##################################### 127# pdx_connect(client, service) 128define(`pdx_connect', ` 129# Allow client to open the service endpoint file. 130allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms; 131allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms; 132# Allow the client to connect to endpoint socket. 133allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown }; 134') 135 136##################################### 137# pdx_use(client, service) 138define(`pdx_use', ` 139# Allow the client to use the PDX channel socket. 140# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights 141# than we need (e.g. we don"t need "bind" or "connect"). 142allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown }; 143# Client needs to use an channel event fd from the server. 144allow $1 pdx_$2_server_type:fd use; 145# Servers may receive sync fences, gralloc buffers, etc, from clients. 146# This could be tightened on a per-server basis, but keeping track of service 147# clients is error prone. 148allow pdx_$2_server_type $1:fd use; 149') 150 151##################################### 152# pdx_client(client, service) 153define(`pdx_client', ` 154pdx_connect($1, $2) 155pdx_use($1, $2) 156') 157 158##################################### 159# init_daemon_domain(domain) 160# Set up a transition from init to the daemon domain 161# upon executing its binary. 162define(`init_daemon_domain', ` 163domain_auto_trans(init, $1_exec, $1) 164') 165 166#################################### 167# userfaultfd_use(domain) 168# Allow domain to create/use userfaultfd. 169define(`userfaultfd_use', ` 170# Set up a type_transition to "userfaultfd" named anonymous inode object. 171type $1_userfaultfd; 172type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]"; 173# Allow domain to create/use userfaultfd anon_inode. 174allow $1 $1_userfaultfd:anon_inode { create ioctl read }; 175# Other domains may not use userfaultfd anon_inodes created by this domain. 176neverallow { domain -$1 } $1_userfaultfd:anon_inode *; 177# This domain may not use userfaultfd anon_inodes created by other domains. 178neverallow $1 ~$1_userfaultfd:anon_inode *; 179') 180 181##################################### 182# app_domain(domain) 183# Allow a base set of permissions required for all apps. 184define(`app_domain', ` 185typeattribute $1 appdomain; 186# Label tmpfs objects for all apps. 187type_transition $1 tmpfs:file appdomain_tmpfs; 188userfaultfd_use($1) 189allow $1 appdomain_tmpfs:file { execute getattr map read write }; 190neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms; 191neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms; 192# The Android security model guarantees the confidentiality and integrity 193# of application data and execution state. Ptrace bypasses those 194# confidentiality guarantees. Disallow ptrace access from system components to 195# apps. crash_dump is excluded, as it needs ptrace access to produce stack 196# traces. runas_app is excluded, as it operates only on debuggable apps. 197# simpleperf is excluded, as it operates only on debuggable or profileable 198# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for 199# live lock conditions. 200neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace; 201') 202 203##################################### 204# untrusted_app_domain(domain) 205# Allow a base set of permissions required for all untrusted apps. 206define(`untrusted_app_domain', ` 207typeattribute $1 untrusted_app_all; 208') 209 210##################################### 211# net_domain(domain) 212# Allow a base set of permissions required for network access. 213define(`net_domain', ` 214typeattribute $1 netdomain; 215') 216 217##################################### 218# bluetooth_domain(domain) 219# Allow a base set of permissions required for bluetooth access. 220define(`bluetooth_domain', ` 221typeattribute $1 bluetoothdomain; 222') 223 224##################################### 225# hal_attribute(hal_name) 226# Add an attribute for hal implementations along with necessary 227# restrictions. 228define(`hal_attribute', ` 229attribute hal_$1; 230expandattribute hal_$1 true; 231attribute hal_$1_client; 232expandattribute hal_$1_client true; 233attribute hal_$1_server; 234expandattribute hal_$1_server false; 235 236neverallow { hal_$1_server -halserverdomain } domain:process fork; 237# hal_*_client and halclientdomain attributes are always expanded for 238# performance reasons. Neverallow rules targeting expanded attributes can not be 239# verified by CTS since these attributes are already expanded by that time. 240build_test_only(` 241neverallow { hal_$1_server -hal_$1 } domain:process fork; 242neverallow { hal_$1_client -halclientdomain } domain:process fork; 243') 244') 245 246##################################### 247# hal_server_domain(domain, hal_type) 248# Allow a base set of permissions required for a domain to offer a 249# HAL implementation of the specified type over HwBinder. 250# 251# For example, default implementation of Foo HAL: 252# type hal_foo_default, domain; 253# hal_server_domain(hal_foo_default, hal_foo) 254# 255define(`hal_server_domain', ` 256typeattribute $1 halserverdomain; 257typeattribute $1 $2_server; 258typeattribute $1 $2; 259') 260 261##################################### 262# hal_client_domain(domain, hal_type) 263# Allow a base set of permissions required for a domain to be a 264# client of a HAL of the specified type. 265# 266# For example, make some_domain a client of Foo HAL: 267# hal_client_domain(some_domain, hal_foo) 268# 269define(`hal_client_domain', ` 270typeattribute $1 halclientdomain; 271typeattribute $1 $2_client; 272 273# TODO(b/34170079): Make the inclusion of the rules below conditional also on 274# non-Treble devices. For now, on non-Treble device, always grant clients of a 275# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 276not_full_treble(` 277typeattribute $1 $2; 278# Find passthrough HAL implementations 279allow $2 system_file:dir r_dir_perms; 280allow $2 vendor_file:dir r_dir_perms; 281allow $2 vendor_file:file { read open getattr execute map }; 282') 283') 284 285##################################### 286# passthrough_hal_client_domain(domain, hal_type) 287# Allow a base set of permissions required for a domain to be a 288# client of a passthrough HAL of the specified type. 289# 290# For example, make some_domain a client of passthrough Foo HAL: 291# passthrough_hal_client_domain(some_domain, hal_foo) 292# 293define(`passthrough_hal_client_domain', ` 294typeattribute $1 halclientdomain; 295typeattribute $1 $2_client; 296typeattribute $1 $2; 297# Find passthrough HAL implementations 298allow $2 system_file:dir r_dir_perms; 299allow $2 vendor_file:dir r_dir_perms; 300allow $2 vendor_file:file { read open getattr execute map }; 301') 302 303##################################### 304# unix_socket_connect(clientdomain, socket, serverdomain) 305# Allow a local socket connection from clientdomain via 306# socket to serverdomain. 307# 308# Note: If you see denial records that distill to the 309# following allow rules: 310# allow clientdomain property_socket:sock_file write; 311# allow clientdomain init:unix_stream_socket connectto; 312# allow clientdomain something_prop:property_service set; 313# 314# This sequence is indicative of attempting to set a property. 315# use set_prop(sourcedomain, targetproperty) 316# 317define(`unix_socket_connect', ` 318allow $1 $2_socket:sock_file write; 319allow $1 $3:unix_stream_socket connectto; 320') 321 322##################################### 323# set_prop(sourcedomain, targetproperty) 324# Allows source domain to set the 325# targetproperty. 326# 327define(`set_prop', ` 328unix_socket_connect($1, property, init) 329allow $1 $2:property_service set; 330get_prop($1, $2) 331') 332 333##################################### 334# get_prop(sourcedomain, targetproperty) 335# Allows source domain to read the 336# targetproperty. 337# 338define(`get_prop', ` 339allow $1 $2:file { getattr open read map }; 340') 341 342##################################### 343# unix_socket_send(clientdomain, socket, serverdomain) 344# Allow a local socket send from clientdomain via 345# socket to serverdomain. 346define(`unix_socket_send', ` 347allow $1 $2_socket:sock_file write; 348allow $1 $3:unix_dgram_socket sendto; 349') 350 351##################################### 352# binder_use(domain) 353# Allow domain to use Binder IPC. 354define(`binder_use', ` 355# Call the servicemanager and transfer references to it. 356allow $1 servicemanager:binder { call transfer }; 357# Allow servicemanager to send out callbacks 358allow servicemanager $1:binder { call transfer }; 359# servicemanager performs getpidcon on clients. 360allow servicemanager $1:dir search; 361allow servicemanager $1:file { read open }; 362allow servicemanager $1:process getattr; 363# rw access to /dev/binder and /dev/ashmem is presently granted to 364# all domains in domain.te. 365') 366 367##################################### 368# hwbinder_use(domain) 369# Allow domain to use HwBinder IPC. 370define(`hwbinder_use', ` 371# Call the hwservicemanager and transfer references to it. 372allow $1 hwservicemanager:binder { call transfer }; 373# Allow hwservicemanager to send out callbacks 374allow hwservicemanager $1:binder { call transfer }; 375# hwservicemanager performs getpidcon on clients. 376allow hwservicemanager $1:dir search; 377allow hwservicemanager $1:file { read open map }; 378allow hwservicemanager $1:process getattr; 379# rw access to /dev/hwbinder and /dev/ashmem is presently granted to 380# all domains in domain.te. 381') 382 383##################################### 384# vndbinder_use(domain) 385# Allow domain to use Binder IPC. 386define(`vndbinder_use', ` 387# Talk to the vndbinder device node 388allow $1 vndbinder_device:chr_file rw_file_perms; 389# Call the vndservicemanager and transfer references to it. 390allow $1 vndservicemanager:binder { call transfer }; 391# vndservicemanager performs getpidcon on clients. 392allow vndservicemanager $1:dir search; 393allow vndservicemanager $1:file { read open map }; 394allow vndservicemanager $1:process getattr; 395') 396 397##################################### 398# binder_call(clientdomain, serverdomain) 399# Allow clientdomain to perform binder IPC to serverdomain. 400define(`binder_call', ` 401# Call the server domain and optionally transfer references to it. 402allow $1 $2:binder { call transfer }; 403# Allow the serverdomain to transfer references to the client on the reply. 404allow $2 $1:binder transfer; 405# Receive and use open files from the server. 406allow $1 $2:fd use; 407') 408 409##################################### 410# binder_service(domain) 411# Mark a domain as being a Binder service domain. 412# Used to allow binder IPC to the various system services. 413define(`binder_service', ` 414typeattribute $1 binderservicedomain; 415') 416 417##################################### 418# wakelock_use(domain) 419# Allow domain to manage wake locks 420define(`wakelock_use', ` 421# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is 422# deprecated. 423# Access /sys/power/wake_lock and /sys/power/wake_unlock 424allow $1 sysfs_wake_lock:file rw_file_perms; 425# Accessing these files requires CAP_BLOCK_SUSPEND 426allow $1 self:global_capability2_class_set block_suspend; 427# system_suspend permissions 428binder_call($1, system_suspend_server) 429allow $1 system_suspend_hwservice:hwservice_manager find; 430# halclientdomain permissions 431hwbinder_use($1) 432get_prop($1, hwservicemanager_prop) 433allow $1 hidl_manager_hwservice:hwservice_manager find; 434') 435 436##################################### 437# selinux_check_access(domain) 438# Allow domain to check SELinux permissions via selinuxfs. 439define(`selinux_check_access', ` 440r_dir_file($1, selinuxfs) 441allow $1 selinuxfs:file w_file_perms; 442allow $1 kernel:security compute_av; 443allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; 444') 445 446##################################### 447# selinux_check_context(domain) 448# Allow domain to check SELinux contexts via selinuxfs. 449define(`selinux_check_context', ` 450r_dir_file($1, selinuxfs) 451allow $1 selinuxfs:file w_file_perms; 452allow $1 kernel:security check_context; 453') 454 455##################################### 456# create_pty(domain) 457# Allow domain to create and use a pty, isolated from any other domain ptys. 458define(`create_pty', ` 459# Each domain gets a unique devpts type. 460type $1_devpts, fs_type; 461# Label the pty with the unique type when created. 462type_transition $1 devpts:chr_file $1_devpts; 463# Allow use of the pty after creation. 464allow $1 $1_devpts:chr_file { open getattr read write ioctl }; 465allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls; 466# TIOCSTI is only ever used for exploits. Block it. 467# b/33073072, b/7530569 468# http://www.openwall.com/lists/oss-security/2016/09/26/14 469neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI; 470# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms 471# allowed to everyone via domain.te. 472') 473 474##################################### 475# Non system_app application set 476# 477define(`non_system_app_set', `{ appdomain -system_app }') 478 479##################################### 480# Recovery only 481# SELinux rules which apply only to recovery mode 482# 483define(`recovery_only', ifelse(target_recovery, `true', $1, )) 484 485##################################### 486# Not recovery 487# SELinux rules which apply only to non-recovery (normal) mode 488# 489define(`not_recovery', ifelse(target_recovery, `true', , $1)) 490 491##################################### 492# Full TREBLE only 493# SELinux rules which apply only to full TREBLE devices 494# 495define(`full_treble_only', ifelse(target_full_treble, `true', $1, 496ifelse(target_full_treble, `cts', 497# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify 498$1 499# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify 500, ))) 501 502##################################### 503# Not full TREBLE 504# SELinux rules which apply only to devices which are not full TREBLE devices 505# 506define(`not_full_treble', ifelse(target_full_treble, `true', , $1)) 507 508##################################### 509# enforce_debugfs_restriction 510# SELinux rules which apply to devices that enable debugfs restrictions. 511# The keyword "cts" is used to insert markers to only CTS test the neverallows 512# added by the macro for S-launch devices and newer. 513define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1, 514ifelse(target_enforce_debugfs_restriction, `cts', 515# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify 516$1 517# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify 518, ))) 519 520##################################### 521# no_debugfs_restriction 522# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds. 523define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1)) 524 525##################################### 526# Compatible property only 527# SELinux rules which apply only to devices with compatible property 528# 529define(`compatible_property_only', ifelse(target_compatible_property, `true', $1, 530ifelse(target_compatible_property, `cts', 531# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify 532$1 533# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify 534, ))) 535 536##################################### 537# Not compatible property 538# SELinux rules which apply only to devices without compatible property 539# 540define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1)) 541 542##################################### 543# Userdebug or eng builds 544# SELinux rules which apply only to userdebug or eng builds 545# 546define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) 547 548##################################### 549# asan builds 550# SELinux rules which apply only to asan builds 551# 552define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), )) 553 554##################################### 555# native coverage builds 556# SELinux rules which apply only to builds with native coverage 557# 558define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), )) 559 560##################################### 561# Build-time-only test 562# SELinux rules which are verified during build, but not as part of *TS testing. 563# 564define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1)) 565 566#################################### 567# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp). 568# 569define(`crash_dump_fallback', ` 570userdebug_or_eng(` 571 allow $1 su:fifo_file append; 572') 573allow $1 anr_data_file:file append; 574allow $1 dumpstate:fd use; 575allow $1 incidentd:fd use; 576# TODO: Figure out why write is needed. 577allow $1 dumpstate:fifo_file { append write }; 578allow $1 incidentd:fifo_file { append write }; 579allow $1 system_server:fifo_file { append write }; 580allow $1 tombstoned:unix_stream_socket connectto; 581allow $1 tombstoned:fd use; 582allow $1 tombstoned_crash_socket:sock_file write; 583allow $1 tombstone_data_file:file append; 584') 585 586##################################### 587# WITH_DEXPREOPT builds 588# SELinux rules which apply only when pre-opting. 589# 590define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1)) 591 592##################################### 593# write_logd(domain) 594# Ability to write to android log 595# daemon via sockets 596define(`write_logd', ` 597unix_socket_send($1, logdw, logd) 598allow $1 pmsg_device:chr_file w_file_perms; 599') 600 601##################################### 602# read_logd(domain) 603# Ability to run logcat and read from android 604# log daemon via sockets 605define(`read_logd', ` 606allow $1 logcat_exec:file rx_file_perms; 607unix_socket_connect($1, logdr, logd) 608') 609 610##################################### 611# read_runtime_log_tags(domain) 612# ability to directly map the runtime event log tags 613define(`read_runtime_log_tags', ` 614allow $1 runtime_event_log_tags_file:file r_file_perms; 615') 616 617##################################### 618# control_logd(domain) 619# Ability to control 620# android log daemon via sockets 621define(`control_logd', ` 622# Group AID_LOG checked by filesystem & logd 623# to permit control commands 624unix_socket_connect($1, logd, logd) 625') 626 627##################################### 628# use_keystore(domain) 629# Ability to use keystore. 630# Keystore is requires the following permissions 631# to call getpidcon. 632define(`use_keystore', ` 633 allow keystore $1:dir search; 634 allow keystore $1:file { read open }; 635 allow keystore $1:process getattr; 636 allow $1 apc_service:service_manager find; 637 allow $1 keystore_service:service_manager find; 638 allow $1 legacykeystore_service:service_manager find; 639 binder_call($1, keystore) 640 binder_call(keystore, $1) 641') 642 643##################################### 644# use_credstore(domain) 645# Ability to use credstore. 646define(`use_credstore', ` 647 allow credstore $1:dir search; 648 allow credstore $1:file { read open }; 649 allow credstore $1:process getattr; 650 allow $1 credstore_service:service_manager find; 651 binder_call($1, credstore) 652 binder_call(credstore, $1) 653') 654 655########################################### 656# use_drmservice(domain) 657# Ability to use DrmService which requires 658# DrmService to call getpidcon. 659define(`use_drmservice', ` 660 allow drmserver $1:dir search; 661 allow drmserver $1:file { read open }; 662 allow drmserver $1:process getattr; 663') 664 665########################################### 666# add_service(domain, service) 667# Ability for domain to add a service to service_manager 668# and find it. It also creates a neverallow preventing 669# others from adding it. 670define(`add_service', ` 671 allow $1 $2:service_manager { add find }; 672 neverallow { domain -$1 } $2:service_manager add; 673') 674 675########################################### 676# add_hwservice(domain, service) 677# Ability for domain to add a service to hwservice_manager 678# and find it. It also creates a neverallow preventing 679# others from adding it. 680define(`add_hwservice', ` 681 allow $1 $2:hwservice_manager { add find }; 682 allow $1 hidl_base_hwservice:hwservice_manager add; 683 neverallow { domain -$1 } $2:hwservice_manager add; 684') 685 686########################################### 687# hal_attribute_hwservice(attribute, service) 688# Ability for domain to get a service to hwservice_manager 689# and find it. It also creates a neverallow preventing 690# others from adding it. 691# 692# Used to pair hal_foo_client with hal_foo_hwservice 693define(`hal_attribute_hwservice', ` 694 allow $1_client $2:hwservice_manager find; 695 add_hwservice($1_server, $2) 696 697 build_test_only(` 698 # if you are hitting this neverallow, try using: 699 # hal_client_domain(<your domain>, hal_<foo>) 700 # instead 701 neverallow { domain -$1_client -$1_server } $2:hwservice_manager find; 702 ') 703') 704 705########################################### 706# hal_attribute_service(attribute, service) 707# Ability for domain to get a service to service_manager 708# and find it. It also creates a neverallow preventing 709# others from adding it. 710# 711# Used to pair hal_foo_client with hal_foo_service 712define(`hal_attribute_service', ` 713 allow $1_client $2:service_manager find; 714 add_service($1_server, $2) 715 716 build_test_only(` 717 # if you are hitting this neverallow, try using: 718 # hal_client_domain(<your domain>, hal_<foo>) 719 # instead 720 neverallow { 721 domain 722 -$1_client 723 -$1_server 724 # some services are allowed to find all services 725 -atrace 726 -dumpstate 727 -shell 728 -system_app 729 -traceur_app 730 } $2:service_manager find; 731 ') 732') 733 734################################### 735# can_profile_heap(domain) 736# Allow processes within the domain to have their heap profiled by central 737# heapprofd. 738define(`can_profile_heap', ` 739 # Allow central daemon to send signal for client initialization. 740 allow heapprofd $1:process signal; 741 # Allow connecting to the daemon. 742 unix_socket_connect($1, heapprofd, heapprofd) 743 # Allow daemon to use the passed fds. 744 allow heapprofd $1:fd use; 745 # Allow to read and write to heapprofd shmem. 746 # The client needs to read the read and write pointers in order to write. 747 allow $1 heapprofd_tmpfs:file { read write getattr map }; 748 # Use shared memory received over the unix socket. 749 allow $1 heapprofd:fd use; 750 751 # To read and write from the received file descriptors. 752 # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the 753 # process they relate to. 754 # We need to write to /proc/$PID/page_idle to find idle allocations. 755 # The client only opens /proc/self/page_idle with RDWR, everything else 756 # with RDONLY. 757 # heapprofd cannot open /proc/$PID/mem itself, as it does not have 758 # sys_ptrace. 759 allow heapprofd $1:file rw_file_perms; 760 # Allow searching the /proc/[pid] directory for cmdline. 761 allow heapprofd $1:dir r_dir_perms; 762') 763 764################################### 765# never_profile_heap(domain) 766# Opt out of heap profiling by heapprofd. 767define(`never_profile_heap', ` 768 neverallow heapprofd $1:file read; 769 neverallow heapprofd $1:process signal; 770') 771 772################################### 773# can_profile_perf(domain) 774# Allow processes within the domain to be profiled, and have their stacks 775# sampled, by traced_perf. 776define(`can_profile_perf', ` 777 # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and 778 # reads /proc/[pid]/cmdline. 779 allow traced_perf $1:file r_file_perms; 780 allow traced_perf $1:dir r_dir_perms; 781 782 # Allow central daemon to send signal to request /proc/[pid]/maps and 783 # /proc/[pid]/mem fds from this process. 784 allow traced_perf $1:process signal; 785 786 # Allow connecting to the daemon. 787 unix_socket_connect($1, traced_perf, traced_perf) 788 # Allow daemon to use the passed fds. 789 allow traced_perf $1:fd use; 790') 791 792################################### 793# never_profile_perf(domain) 794# Opt out of profiling by traced_perf. 795define(`never_profile_perf', ` 796 neverallow traced_perf $1:file read; 797 neverallow traced_perf $1:process signal; 798') 799 800################################### 801# perfetto_producer(domain) 802# Allow processes within the domain to write data to Perfetto. 803# When applying this macro, you might need to also allow traced to use the 804# producer tmpfs domain, if the producer will be the one creating the shared 805# memory. 806define(`perfetto_producer', ` 807 allow $1 traced:fd use; 808 allow $1 traced_tmpfs:file { read write getattr map }; 809 unix_socket_connect($1, traced_producer, traced) 810 811 # Also allow the service to use the producer file descriptors. This is 812 # necessary when the producer is creating the shared memory, as it will be 813 # passed to the service as a file descriptor (obtained from memfd_create). 814 allow traced $1:fd use; 815') 816 817########################################### 818# dump_hal(hal_type) 819# Ability to dump the hal debug info 820# 821define(`dump_hal', ` 822 hal_client_domain(dumpstate, $1); 823 allow $1_server dumpstate:fifo_file write; 824 allow $1_server dumpstate:fd use; 825') 826 827##################################### 828# treble_sysprop_neverallow(rules) 829# SELinux neverallow rules which enforces the accessibility of each property 830# outside the owner. 831# 832# For devices launching with R or later, exported properties must be explicitly marked as 833# "restricted" or "public", depending on the accessibility outside the owner. 834# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining 835# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk. 836# See {partition}_{accessibility}_prop macros below. 837# 838# CTS uses these rules only for devices launching with R or later. 839# 840# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW 841# 842define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1, 843ifelse(target_treble_sysprop_neverallow, `cts', 844# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify 845$1 846# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify 847, ))) 848 849##################################### 850# enforce_sysprop_owner(rules) 851# SELinux neverallow rules which enforces the owner of each property. 852# 853# For devices launching with S or later, all properties must be explicitly marked as one of: 854# system_property_type, vendor_property_type, or product_property_type. 855# For devices launching with R or eariler, this neverallow rules can be relaxed with defining 856# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk. 857# See {partition}_{accessibility}_prop macros below. 858# 859# CTS uses these ules only for devices launching with S or later. 860# 861define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1, 862ifelse(target_enforce_sysprop_owner, `cts', 863# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify 864$1 865# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify 866, ))) 867 868########################################### 869# define_prop(name, owner, scope) 870# Define a property with given owner and scope 871# 872define(`define_prop', ` 873 type $1, property_type, $2_property_type, $2_$3_property_type; 874') 875 876########################################### 877# system_internal_prop(name) 878# Define a /system-owned property used only in /system 879# For devices launching with Q or eariler, this restriction can be relaxed with 880# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true 881# 882define(`system_internal_prop', ` 883 define_prop($1, system, internal) 884 treble_sysprop_neverallow(` 885 neverallow { domain -coredomain } $1:file no_rw_file_perms; 886 ') 887') 888 889########################################### 890# system_restricted_prop(name) 891# Define a /system-owned property which can't be written outside /system 892# For devices launching with Q or eariler, this restriction can be relaxed with 893# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true 894# 895define(`system_restricted_prop', ` 896 define_prop($1, system, restricted) 897 treble_sysprop_neverallow(` 898 neverallow { domain -coredomain } $1:property_service set; 899 ') 900') 901 902########################################### 903# system_public_prop(name) 904# Define a /system-owned property with no restrictions 905# 906define(`system_public_prop', `define_prop($1, system, public)') 907 908########################################### 909# system_vendor_config_prop(name) 910# Define a /system-owned property which can only be written by vendor_init 911# This is a macro for vendor-specific configuration properties which is meant 912# to be set once from vendor_init. 913# 914define(`system_vendor_config_prop', ` 915 system_public_prop($1) 916 set_prop(vendor_init, $1) 917 neverallow { domain -init -vendor_init } $1:property_service set; 918') 919 920########################################### 921# product_internal_prop(name) 922# Define a /product-owned property used only in /product 923# For devices launching with Q or eariler, this restriction can be relaxed with 924# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true 925# 926define(`product_internal_prop', ` 927 define_prop($1, product, internal) 928 treble_sysprop_neverallow(` 929 neverallow { domain -coredomain } $1:file no_rw_file_perms; 930 ') 931') 932 933########################################### 934# product_restricted_prop(name) 935# Define a /product-owned property which can't be written outside /product 936# For devices launching with Q or eariler, this restriction can be relaxed with 937# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true 938# 939define(`product_restricted_prop', ` 940 define_prop($1, product, restricted) 941 treble_sysprop_neverallow(` 942 neverallow { domain -coredomain } $1:property_service set; 943 ') 944') 945 946########################################### 947# product_public_prop(name) 948# Define a /product-owned property with no restrictions 949# 950define(`product_public_prop', `define_prop($1, product, public)') 951 952########################################### 953# vendor_internal_prop(name) 954# Define a /vendor-owned property used only in /vendor 955# For devices launching with Q or eariler, this restriction can be relaxed with 956# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true 957# 958define(`vendor_internal_prop', ` 959 define_prop($1, vendor, internal) 960 treble_sysprop_neverallow(` 961# init and dumpstate are in coredomain, but should be able to read all props. 962 neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms; 963 ') 964') 965 966########################################### 967# vendor_restricted_prop(name) 968# Define a /vendor-owned property which can't be written outside /vendor 969# For devices launching with Q or eariler, this restriction can be relaxed with 970# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true 971# 972define(`vendor_restricted_prop', ` 973 define_prop($1, vendor, restricted) 974 treble_sysprop_neverallow(` 975# init is in coredomain, but should be able to write all props. 976 neverallow { coredomain -init } $1:property_service set; 977 ') 978') 979 980########################################### 981# vendor_public_prop(name) 982# Define a /vendor-owned property with no restrictions 983# 984define(`vendor_public_prop', `define_prop($1, vendor, public)') 985 986##################################### 987# read_fstab(domain) 988# Ability to call ReadDefaultFstab() and ReadFstabFromFile(). 989# 990define(`read_fstab', ` 991 allow $1 { metadata_file gsi_metadata_file_type }:dir search; 992 allow $1 gsi_public_metadata_file:file r_file_perms; 993') 994