• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#####################################
2# domain_trans(olddomain, type, newdomain)
3# Allow a transition from olddomain to newdomain
4# upon executing a file labeled with type.
5# This only allows the transition; it does not
6# cause it to occur automatically - use domain_auto_trans
7# if that is what you want.
8#
9define(`domain_trans', `
10# Old domain may exec the file and transition to the new domain.
11allow $1 $2:file { getattr open read execute map };
12allow $1 $3:process transition;
13# New domain is entered by executing the file.
14allow $3 $2:file { entrypoint open read execute getattr map };
15# New domain can send SIGCHLD to its caller.
16ifelse($1, `init', `', `allow $3 $1:process sigchld;')
17# Enable AT_SECURE, i.e. libc secure mode.
18dontaudit $1 $3:process noatsecure;
19# XXX dontaudit candidate but requires further study.
20allow $1 $3:process { siginh rlimitinh };
21')
22
23#####################################
24# domain_auto_trans(olddomain, type, newdomain)
25# Automatically transition from olddomain to newdomain
26# upon executing a file labeled with type.
27#
28define(`domain_auto_trans', `
29# Allow the necessary permissions.
30domain_trans($1,$2,$3)
31# Make the transition occur by default.
32type_transition $1 $2:process $3;
33')
34
35#####################################
36# file_type_trans(domain, dir_type, file_type)
37# Allow domain to create a file labeled file_type in a
38# directory labeled dir_type.
39# This only allows the transition; it does not
40# cause it to occur automatically - use file_type_auto_trans
41# if that is what you want.
42#
43define(`file_type_trans', `
44# Allow the domain to add entries to the directory.
45allow $1 $2:dir ra_dir_perms;
46# Allow the domain to create the file.
47allow $1 $3:notdevfile_class_set create_file_perms;
48allow $1 $3:dir create_dir_perms;
49')
50
51#####################################
52# file_type_auto_trans(domain, dir_type, file_type)
53# Automatically label new files with file_type when
54# they are created by domain in directories labeled dir_type.
55#
56define(`file_type_auto_trans', `
57# Allow the necessary permissions.
58file_type_trans($1, $2, $3)
59# Make the transition occur by default.
60type_transition $1 $2:dir $3;
61type_transition $1 $2:notdevfile_class_set $3;
62')
63
64#####################################
65# r_dir_file(domain, type)
66# Allow the specified domain to read directories, files
67# and symbolic links of the specified type.
68define(`r_dir_file', `
69allow $1 $2:dir r_dir_perms;
70allow $1 $2:{ file lnk_file } r_file_perms;
71')
72
73#####################################
74# tmpfs_domain(domain)
75# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
76define(`tmpfs_domain', `
77type_transition $1 tmpfs:file $1_tmpfs;
78allow $1 $1_tmpfs:file { read write getattr map };
79')
80
81# pdx macros for IPC. pdx is a high-level name which contains transport-specific
82# rules from underlying transport (e.g. UDS-based implementation).
83
84#####################################
85# pdx_service_attributes(service)
86# Defines type attribute used to identify various service-related types.
87define(`pdx_service_attributes', `
88attribute pdx_$1_endpoint_dir_type;
89attribute pdx_$1_endpoint_socket_type;
90attribute pdx_$1_channel_socket_type;
91attribute pdx_$1_server_type;
92')
93
94#####################################
95# pdx_service_socket_types(service, endpoint_dir_t)
96# Define types for endpoint and channel sockets.
97define(`pdx_service_socket_types', `
98typeattribute $2 pdx_$1_endpoint_dir_type;
99type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
100type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
101userdebug_or_eng(`
102dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
103dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
104')
105')
106
107#####################################
108# pdx_server(server_domain, service)
109define(`pdx_server', `
110# Mark the server domain as a PDX server.
111typeattribute $1 pdx_$2_server_type;
112# Allow the init process to create the initial endpoint socket.
113allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
114# Allow the server domain to use the endpoint socket and accept connections on it.
115# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
116# than we need (e.g. we don"t need "bind" or "connect").
117allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
118# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
119allow $1 self:process setsockcreate;
120# Allow the server domain to create a client channel socket.
121allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
122# Prevent other processes from claiming to be a server for the same service.
123neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
124')
125
126#####################################
127# pdx_connect(client, service)
128define(`pdx_connect', `
129# Allow client to open the service endpoint file.
130allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
131allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
132# Allow the client to connect to endpoint socket.
133allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
134')
135
136#####################################
137# pdx_use(client, service)
138define(`pdx_use', `
139# Allow the client to use the PDX channel socket.
140# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
141# than we need (e.g. we don"t need "bind" or "connect").
142allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
143# Client needs to use an channel event fd from the server.
144allow $1 pdx_$2_server_type:fd use;
145# Servers may receive sync fences, gralloc buffers, etc, from clients.
146# This could be tightened on a per-server basis, but keeping track of service
147# clients is error prone.
148allow pdx_$2_server_type $1:fd use;
149')
150
151#####################################
152# pdx_client(client, service)
153define(`pdx_client', `
154pdx_connect($1, $2)
155pdx_use($1, $2)
156')
157
158#####################################
159# init_daemon_domain(domain)
160# Set up a transition from init to the daemon domain
161# upon executing its binary.
162define(`init_daemon_domain', `
163domain_auto_trans(init, $1_exec, $1)
164')
165
166####################################
167# userfaultfd_use(domain)
168# Allow domain to create/use userfaultfd.
169define(`userfaultfd_use', `
170# Set up a type_transition to "userfaultfd" named anonymous inode object.
171type $1_userfaultfd;
172type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
173# Allow domain to create/use userfaultfd anon_inode.
174allow $1 $1_userfaultfd:anon_inode { create ioctl read };
175# Other domains may not use userfaultfd anon_inodes created by this domain.
176neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
177# This domain may not use userfaultfd anon_inodes created by other domains.
178neverallow $1 ~$1_userfaultfd:anon_inode *;
179')
180
181#####################################
182# app_domain(domain)
183# Allow a base set of permissions required for all apps.
184define(`app_domain', `
185typeattribute $1 appdomain;
186# Label tmpfs objects for all apps.
187type_transition $1 tmpfs:file appdomain_tmpfs;
188userfaultfd_use($1)
189allow $1 appdomain_tmpfs:file { execute getattr map read write };
190neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
191neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
192# The Android security model guarantees the confidentiality and integrity
193# of application data and execution state. Ptrace bypasses those
194# confidentiality guarantees. Disallow ptrace access from system components to
195# apps. crash_dump is excluded, as it needs ptrace access to produce stack
196# traces. runas_app is excluded, as it operates only on debuggable apps.
197# simpleperf is excluded, as it operates only on debuggable or profileable
198# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
199# live lock conditions.
200neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
201')
202
203#####################################
204# untrusted_app_domain(domain)
205# Allow a base set of permissions required for all untrusted apps.
206define(`untrusted_app_domain', `
207typeattribute $1 untrusted_app_all;
208')
209
210#####################################
211# net_domain(domain)
212# Allow a base set of permissions required for network access.
213define(`net_domain', `
214typeattribute $1 netdomain;
215')
216
217#####################################
218# bluetooth_domain(domain)
219# Allow a base set of permissions required for bluetooth access.
220define(`bluetooth_domain', `
221typeattribute $1 bluetoothdomain;
222')
223
224#####################################
225# hal_attribute(hal_name)
226# Add an attribute for hal implementations along with necessary
227# restrictions.
228define(`hal_attribute', `
229attribute hal_$1;
230expandattribute hal_$1 true;
231attribute hal_$1_client;
232expandattribute hal_$1_client true;
233attribute hal_$1_server;
234expandattribute hal_$1_server false;
235
236neverallow { hal_$1_server -halserverdomain } domain:process fork;
237# hal_*_client and halclientdomain attributes are always expanded for
238# performance reasons. Neverallow rules targeting expanded attributes can not be
239# verified by CTS since these attributes are already expanded by that time.
240build_test_only(`
241neverallow { hal_$1_server -hal_$1 } domain:process fork;
242neverallow { hal_$1_client -halclientdomain } domain:process fork;
243')
244')
245
246#####################################
247# hal_server_domain(domain, hal_type)
248# Allow a base set of permissions required for a domain to offer a
249# HAL implementation of the specified type over HwBinder.
250#
251# For example, default implementation of Foo HAL:
252#   type hal_foo_default, domain;
253#   hal_server_domain(hal_foo_default, hal_foo)
254#
255define(`hal_server_domain', `
256typeattribute $1 halserverdomain;
257typeattribute $1 $2_server;
258typeattribute $1 $2;
259')
260
261#####################################
262# hal_client_domain(domain, hal_type)
263# Allow a base set of permissions required for a domain to be a
264# client of a HAL of the specified type.
265#
266# For example, make some_domain a client of Foo HAL:
267#   hal_client_domain(some_domain, hal_foo)
268#
269define(`hal_client_domain', `
270typeattribute $1 halclientdomain;
271typeattribute $1 $2_client;
272
273# TODO(b/34170079): Make the inclusion of the rules below conditional also on
274# non-Treble devices. For now, on non-Treble device, always grant clients of a
275# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
276not_full_treble(`
277typeattribute $1 $2;
278# Find passthrough HAL implementations
279allow $2 system_file:dir r_dir_perms;
280allow $2 vendor_file:dir r_dir_perms;
281allow $2 vendor_file:file { read open getattr execute map };
282')
283')
284
285#####################################
286# passthrough_hal_client_domain(domain, hal_type)
287# Allow a base set of permissions required for a domain to be a
288# client of a passthrough HAL of the specified type.
289#
290# For example, make some_domain a client of passthrough Foo HAL:
291#   passthrough_hal_client_domain(some_domain, hal_foo)
292#
293define(`passthrough_hal_client_domain', `
294typeattribute $1 halclientdomain;
295typeattribute $1 $2_client;
296typeattribute $1 $2;
297# Find passthrough HAL implementations
298allow $2 system_file:dir r_dir_perms;
299allow $2 vendor_file:dir r_dir_perms;
300allow $2 vendor_file:file { read open getattr execute map };
301')
302
303#####################################
304# unix_socket_connect(clientdomain, socket, serverdomain)
305# Allow a local socket connection from clientdomain via
306# socket to serverdomain.
307#
308# Note: If you see denial records that distill to the
309# following allow rules:
310# allow clientdomain property_socket:sock_file write;
311# allow clientdomain init:unix_stream_socket connectto;
312# allow clientdomain something_prop:property_service set;
313#
314# This sequence is indicative of attempting to set a property.
315# use set_prop(sourcedomain, targetproperty)
316#
317define(`unix_socket_connect', `
318allow $1 $2_socket:sock_file write;
319allow $1 $3:unix_stream_socket connectto;
320')
321
322#####################################
323# set_prop(sourcedomain, targetproperty)
324# Allows source domain to set the
325# targetproperty.
326#
327define(`set_prop', `
328unix_socket_connect($1, property, init)
329allow $1 $2:property_service set;
330get_prop($1, $2)
331')
332
333#####################################
334# get_prop(sourcedomain, targetproperty)
335# Allows source domain to read the
336# targetproperty.
337#
338define(`get_prop', `
339allow $1 $2:file { getattr open read map };
340')
341
342#####################################
343# unix_socket_send(clientdomain, socket, serverdomain)
344# Allow a local socket send from clientdomain via
345# socket to serverdomain.
346define(`unix_socket_send', `
347allow $1 $2_socket:sock_file write;
348allow $1 $3:unix_dgram_socket sendto;
349')
350
351#####################################
352# binder_use(domain)
353# Allow domain to use Binder IPC.
354define(`binder_use', `
355# Call the servicemanager and transfer references to it.
356allow $1 servicemanager:binder { call transfer };
357# Allow servicemanager to send out callbacks
358allow servicemanager $1:binder { call transfer };
359# servicemanager performs getpidcon on clients.
360allow servicemanager $1:dir search;
361allow servicemanager $1:file { read open };
362allow servicemanager $1:process getattr;
363# rw access to /dev/binder and /dev/ashmem is presently granted to
364# all domains in domain.te.
365')
366
367#####################################
368# hwbinder_use(domain)
369# Allow domain to use HwBinder IPC.
370define(`hwbinder_use', `
371# Call the hwservicemanager and transfer references to it.
372allow $1 hwservicemanager:binder { call transfer };
373# Allow hwservicemanager to send out callbacks
374allow hwservicemanager $1:binder { call transfer };
375# hwservicemanager performs getpidcon on clients.
376allow hwservicemanager $1:dir search;
377allow hwservicemanager $1:file { read open map };
378allow hwservicemanager $1:process getattr;
379# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
380# all domains in domain.te.
381')
382
383#####################################
384# vndbinder_use(domain)
385# Allow domain to use Binder IPC.
386define(`vndbinder_use', `
387# Talk to the vndbinder device node
388allow $1 vndbinder_device:chr_file rw_file_perms;
389# Call the vndservicemanager and transfer references to it.
390allow $1 vndservicemanager:binder { call transfer };
391# vndservicemanager performs getpidcon on clients.
392allow vndservicemanager $1:dir search;
393allow vndservicemanager $1:file { read open map };
394allow vndservicemanager $1:process getattr;
395')
396
397#####################################
398# binder_call(clientdomain, serverdomain)
399# Allow clientdomain to perform binder IPC to serverdomain.
400define(`binder_call', `
401# Call the server domain and optionally transfer references to it.
402allow $1 $2:binder { call transfer };
403# Allow the serverdomain to transfer references to the client on the reply.
404allow $2 $1:binder transfer;
405# Receive and use open files from the server.
406allow $1 $2:fd use;
407')
408
409#####################################
410# binder_service(domain)
411# Mark a domain as being a Binder service domain.
412# Used to allow binder IPC to the various system services.
413define(`binder_service', `
414typeattribute $1 binderservicedomain;
415')
416
417#####################################
418# wakelock_use(domain)
419# Allow domain to manage wake locks
420define(`wakelock_use', `
421# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
422# deprecated.
423# Access /sys/power/wake_lock and /sys/power/wake_unlock
424allow $1 sysfs_wake_lock:file rw_file_perms;
425# Accessing these files requires CAP_BLOCK_SUSPEND
426allow $1 self:global_capability2_class_set block_suspend;
427# system_suspend permissions
428binder_call($1, system_suspend_server)
429allow $1 system_suspend_hwservice:hwservice_manager find;
430# halclientdomain permissions
431hwbinder_use($1)
432get_prop($1, hwservicemanager_prop)
433allow $1 hidl_manager_hwservice:hwservice_manager find;
434')
435
436#####################################
437# selinux_check_access(domain)
438# Allow domain to check SELinux permissions via selinuxfs.
439define(`selinux_check_access', `
440r_dir_file($1, selinuxfs)
441allow $1 selinuxfs:file w_file_perms;
442allow $1 kernel:security compute_av;
443allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
444')
445
446#####################################
447# selinux_check_context(domain)
448# Allow domain to check SELinux contexts via selinuxfs.
449define(`selinux_check_context', `
450r_dir_file($1, selinuxfs)
451allow $1 selinuxfs:file w_file_perms;
452allow $1 kernel:security check_context;
453')
454
455#####################################
456# create_pty(domain)
457# Allow domain to create and use a pty, isolated from any other domain ptys.
458define(`create_pty', `
459# Each domain gets a unique devpts type.
460type $1_devpts, fs_type;
461# Label the pty with the unique type when created.
462type_transition $1 devpts:chr_file $1_devpts;
463# Allow use of the pty after creation.
464allow $1 $1_devpts:chr_file { open getattr read write ioctl };
465allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
466# TIOCSTI is only ever used for exploits. Block it.
467# b/33073072, b/7530569
468# http://www.openwall.com/lists/oss-security/2016/09/26/14
469neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
470# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
471# allowed to everyone via domain.te.
472')
473
474#####################################
475# Non system_app application set
476#
477define(`non_system_app_set', `{ appdomain -system_app }')
478
479#####################################
480# Recovery only
481# SELinux rules which apply only to recovery mode
482#
483define(`recovery_only', ifelse(target_recovery, `true', $1, ))
484
485#####################################
486# Not recovery
487# SELinux rules which apply only to non-recovery (normal) mode
488#
489define(`not_recovery', ifelse(target_recovery, `true', , $1))
490
491#####################################
492# Full TREBLE only
493# SELinux rules which apply only to full TREBLE devices
494#
495define(`full_treble_only', ifelse(target_full_treble, `true', $1,
496ifelse(target_full_treble, `cts',
497# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
498$1
499# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
500, )))
501
502#####################################
503# Not full TREBLE
504# SELinux rules which apply only to devices which are not full TREBLE devices
505#
506define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
507
508#####################################
509# enforce_debugfs_restriction
510# SELinux rules which apply to devices that enable debugfs restrictions.
511# The keyword "cts" is used to insert markers to only CTS test the neverallows
512# added by the macro for S-launch devices and newer.
513define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
514ifelse(target_enforce_debugfs_restriction, `cts',
515# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
516$1
517# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
518, )))
519
520#####################################
521# no_debugfs_restriction
522# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
523define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
524
525#####################################
526# Compatible property only
527# SELinux rules which apply only to devices with compatible property
528#
529define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
530ifelse(target_compatible_property, `cts',
531# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
532$1
533# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
534, )))
535
536#####################################
537# Not compatible property
538# SELinux rules which apply only to devices without compatible property
539#
540define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
541
542#####################################
543# Userdebug or eng builds
544# SELinux rules which apply only to userdebug or eng builds
545#
546define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
547
548#####################################
549# asan builds
550# SELinux rules which apply only to asan builds
551#
552define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
553
554#####################################
555# native coverage builds
556# SELinux rules which apply only to builds with native coverage
557#
558define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
559
560#####################################
561# Build-time-only test
562# SELinux rules which are verified during build, but not as part of *TS testing.
563#
564define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
565
566####################################
567# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
568#
569define(`crash_dump_fallback', `
570userdebug_or_eng(`
571  allow $1 su:fifo_file append;
572')
573allow $1 anr_data_file:file append;
574allow $1 dumpstate:fd use;
575allow $1 incidentd:fd use;
576# TODO: Figure out why write is needed.
577allow $1 dumpstate:fifo_file { append write };
578allow $1 incidentd:fifo_file { append write };
579allow $1 system_server:fifo_file { append write };
580allow $1 tombstoned:unix_stream_socket connectto;
581allow $1 tombstoned:fd use;
582allow $1 tombstoned_crash_socket:sock_file write;
583allow $1 tombstone_data_file:file append;
584')
585
586#####################################
587# WITH_DEXPREOPT builds
588# SELinux rules which apply only when pre-opting.
589#
590define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
591
592#####################################
593# write_logd(domain)
594# Ability to write to android log
595# daemon via sockets
596define(`write_logd', `
597unix_socket_send($1, logdw, logd)
598allow $1 pmsg_device:chr_file w_file_perms;
599')
600
601#####################################
602# read_logd(domain)
603# Ability to run logcat and read from android
604# log daemon via sockets
605define(`read_logd', `
606allow $1 logcat_exec:file rx_file_perms;
607unix_socket_connect($1, logdr, logd)
608')
609
610#####################################
611# read_runtime_log_tags(domain)
612# ability to directly map the runtime event log tags
613define(`read_runtime_log_tags', `
614allow $1 runtime_event_log_tags_file:file r_file_perms;
615')
616
617#####################################
618# control_logd(domain)
619# Ability to control
620# android log daemon via sockets
621define(`control_logd', `
622# Group AID_LOG checked by filesystem & logd
623# to permit control commands
624unix_socket_connect($1, logd, logd)
625')
626
627#####################################
628# use_keystore(domain)
629# Ability to use keystore.
630# Keystore is requires the following permissions
631# to call getpidcon.
632define(`use_keystore', `
633  allow keystore $1:dir search;
634  allow keystore $1:file { read open };
635  allow keystore $1:process getattr;
636  allow $1 apc_service:service_manager find;
637  allow $1 keystore_service:service_manager find;
638  allow $1 legacykeystore_service:service_manager find;
639  binder_call($1, keystore)
640  binder_call(keystore, $1)
641')
642
643#####################################
644# use_credstore(domain)
645# Ability to use credstore.
646define(`use_credstore', `
647  allow credstore $1:dir search;
648  allow credstore $1:file { read open };
649  allow credstore $1:process getattr;
650  allow $1 credstore_service:service_manager find;
651  binder_call($1, credstore)
652  binder_call(credstore, $1)
653')
654
655###########################################
656# use_drmservice(domain)
657# Ability to use DrmService which requires
658# DrmService to call getpidcon.
659define(`use_drmservice', `
660  allow drmserver $1:dir search;
661  allow drmserver $1:file { read open };
662  allow drmserver $1:process getattr;
663')
664
665###########################################
666# add_service(domain, service)
667# Ability for domain to add a service to service_manager
668# and find it. It also creates a neverallow preventing
669# others from adding it.
670define(`add_service', `
671  allow $1 $2:service_manager { add find };
672  neverallow { domain -$1 } $2:service_manager add;
673')
674
675###########################################
676# add_hwservice(domain, service)
677# Ability for domain to add a service to hwservice_manager
678# and find it. It also creates a neverallow preventing
679# others from adding it.
680define(`add_hwservice', `
681  allow $1 $2:hwservice_manager { add find };
682  allow $1 hidl_base_hwservice:hwservice_manager add;
683  neverallow { domain -$1 } $2:hwservice_manager add;
684')
685
686###########################################
687# hal_attribute_hwservice(attribute, service)
688# Ability for domain to get a service to hwservice_manager
689# and find it. It also creates a neverallow preventing
690# others from adding it.
691#
692# Used to pair hal_foo_client with hal_foo_hwservice
693define(`hal_attribute_hwservice', `
694  allow $1_client $2:hwservice_manager find;
695  add_hwservice($1_server, $2)
696
697  build_test_only(`
698    # if you are hitting this neverallow, try using:
699    #     hal_client_domain(<your domain>, hal_<foo>)
700    # instead
701    neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
702  ')
703')
704
705###########################################
706# hal_attribute_service(attribute, service)
707# Ability for domain to get a service to service_manager
708# and find it. It also creates a neverallow preventing
709# others from adding it.
710#
711# Used to pair hal_foo_client with hal_foo_service
712define(`hal_attribute_service', `
713  allow $1_client $2:service_manager find;
714  add_service($1_server, $2)
715
716  build_test_only(`
717    # if you are hitting this neverallow, try using:
718    #     hal_client_domain(<your domain>, hal_<foo>)
719    # instead
720    neverallow {
721        domain
722        -$1_client
723        -$1_server
724        # some services are allowed to find all services
725        -atrace
726        -dumpstate
727        -shell
728        -system_app
729        -traceur_app
730    } $2:service_manager find;
731  ')
732')
733
734###################################
735# can_profile_heap(domain)
736# Allow processes within the domain to have their heap profiled by central
737# heapprofd.
738define(`can_profile_heap', `
739  # Allow central daemon to send signal for client initialization.
740  allow heapprofd $1:process signal;
741  # Allow connecting to the daemon.
742  unix_socket_connect($1, heapprofd, heapprofd)
743  # Allow daemon to use the passed fds.
744  allow heapprofd $1:fd use;
745  # Allow to read and write to heapprofd shmem.
746  # The client needs to read the read and write pointers in order to write.
747  allow $1 heapprofd_tmpfs:file { read write getattr map };
748  # Use shared memory received over the unix socket.
749  allow $1 heapprofd:fd use;
750
751  # To read and write from the received file descriptors.
752  # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
753  # process they relate to.
754  # We need to write to /proc/$PID/page_idle to find idle allocations.
755  # The client only opens /proc/self/page_idle with RDWR, everything else
756  # with RDONLY.
757  # heapprofd cannot open /proc/$PID/mem itself, as it does not have
758  # sys_ptrace.
759  allow heapprofd $1:file rw_file_perms;
760  # Allow searching the /proc/[pid] directory for cmdline.
761  allow heapprofd $1:dir r_dir_perms;
762')
763
764###################################
765# never_profile_heap(domain)
766# Opt out of heap profiling by heapprofd.
767define(`never_profile_heap', `
768  neverallow heapprofd $1:file read;
769  neverallow heapprofd $1:process signal;
770')
771
772###################################
773# can_profile_perf(domain)
774# Allow processes within the domain to be profiled, and have their stacks
775# sampled, by traced_perf.
776define(`can_profile_perf', `
777  # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
778  # reads /proc/[pid]/cmdline.
779  allow traced_perf $1:file r_file_perms;
780  allow traced_perf $1:dir r_dir_perms;
781
782  # Allow central daemon to send signal to request /proc/[pid]/maps and
783  # /proc/[pid]/mem fds from this process.
784  allow traced_perf $1:process signal;
785
786  # Allow connecting to the daemon.
787  unix_socket_connect($1, traced_perf, traced_perf)
788  # Allow daemon to use the passed fds.
789  allow traced_perf $1:fd use;
790')
791
792###################################
793# never_profile_perf(domain)
794# Opt out of profiling by traced_perf.
795define(`never_profile_perf', `
796  neverallow traced_perf $1:file read;
797  neverallow traced_perf $1:process signal;
798')
799
800###################################
801# perfetto_producer(domain)
802# Allow processes within the domain to write data to Perfetto.
803# When applying this macro, you might need to also allow traced to use the
804# producer tmpfs domain, if the producer will be the one creating the shared
805# memory.
806define(`perfetto_producer', `
807  allow $1 traced:fd use;
808  allow $1 traced_tmpfs:file { read write getattr map };
809  unix_socket_connect($1, traced_producer, traced)
810
811  # Also allow the service to use the producer file descriptors. This is
812  # necessary when the producer is creating the shared memory, as it will be
813  # passed to the service as a file descriptor (obtained from memfd_create).
814  allow traced $1:fd use;
815')
816
817###########################################
818# dump_hal(hal_type)
819# Ability to dump the hal debug info
820#
821define(`dump_hal', `
822  hal_client_domain(dumpstate, $1);
823  allow $1_server dumpstate:fifo_file write;
824  allow $1_server dumpstate:fd use;
825')
826
827#####################################
828# treble_sysprop_neverallow(rules)
829# SELinux neverallow rules which enforces the accessibility of each property
830# outside the owner.
831#
832# For devices launching with R or later, exported properties must be explicitly marked as
833# "restricted" or "public", depending on the accessibility outside the owner.
834# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
835# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
836# See {partition}_{accessibility}_prop macros below.
837#
838# CTS uses these rules only for devices launching with R or later.
839#
840# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
841#
842define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
843ifelse(target_treble_sysprop_neverallow, `cts',
844# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
845$1
846# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
847, )))
848
849#####################################
850# enforce_sysprop_owner(rules)
851# SELinux neverallow rules which enforces the owner of each property.
852#
853# For devices launching with S or later, all properties must be explicitly marked as one of:
854# system_property_type, vendor_property_type, or product_property_type.
855# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
856# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
857# See {partition}_{accessibility}_prop macros below.
858#
859# CTS uses these ules only for devices launching with S or later.
860#
861define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
862ifelse(target_enforce_sysprop_owner, `cts',
863# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
864$1
865# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
866, )))
867
868###########################################
869# define_prop(name, owner, scope)
870# Define a property with given owner and scope
871#
872define(`define_prop', `
873  type $1, property_type, $2_property_type, $2_$3_property_type;
874')
875
876###########################################
877# system_internal_prop(name)
878# Define a /system-owned property used only in /system
879# For devices launching with Q or eariler, this restriction can be relaxed with
880# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
881#
882define(`system_internal_prop', `
883  define_prop($1, system, internal)
884  treble_sysprop_neverallow(`
885    neverallow { domain -coredomain } $1:file no_rw_file_perms;
886  ')
887')
888
889###########################################
890# system_restricted_prop(name)
891# Define a /system-owned property which can't be written outside /system
892# For devices launching with Q or eariler, this restriction can be relaxed with
893# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
894#
895define(`system_restricted_prop', `
896  define_prop($1, system, restricted)
897  treble_sysprop_neverallow(`
898    neverallow { domain -coredomain } $1:property_service set;
899  ')
900')
901
902###########################################
903# system_public_prop(name)
904# Define a /system-owned property with no restrictions
905#
906define(`system_public_prop', `define_prop($1, system, public)')
907
908###########################################
909# system_vendor_config_prop(name)
910# Define a /system-owned property which can only be written by vendor_init
911# This is a macro for vendor-specific configuration properties which is meant
912# to be set once from vendor_init.
913#
914define(`system_vendor_config_prop', `
915  system_public_prop($1)
916  set_prop(vendor_init, $1)
917  neverallow { domain -init -vendor_init } $1:property_service set;
918')
919
920###########################################
921# product_internal_prop(name)
922# Define a /product-owned property used only in /product
923# For devices launching with Q or eariler, this restriction can be relaxed with
924# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
925#
926define(`product_internal_prop', `
927  define_prop($1, product, internal)
928  treble_sysprop_neverallow(`
929    neverallow { domain -coredomain } $1:file no_rw_file_perms;
930  ')
931')
932
933###########################################
934# product_restricted_prop(name)
935# Define a /product-owned property which can't be written outside /product
936# For devices launching with Q or eariler, this restriction can be relaxed with
937# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
938#
939define(`product_restricted_prop', `
940  define_prop($1, product, restricted)
941  treble_sysprop_neverallow(`
942    neverallow { domain -coredomain } $1:property_service set;
943  ')
944')
945
946###########################################
947# product_public_prop(name)
948# Define a /product-owned property with no restrictions
949#
950define(`product_public_prop', `define_prop($1, product, public)')
951
952###########################################
953# vendor_internal_prop(name)
954# Define a /vendor-owned property used only in /vendor
955# For devices launching with Q or eariler, this restriction can be relaxed with
956# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
957#
958define(`vendor_internal_prop', `
959  define_prop($1, vendor, internal)
960  treble_sysprop_neverallow(`
961# init and dumpstate are in coredomain, but should be able to read all props.
962    neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
963  ')
964')
965
966###########################################
967# vendor_restricted_prop(name)
968# Define a /vendor-owned property which can't be written outside /vendor
969# For devices launching with Q or eariler, this restriction can be relaxed with
970# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
971#
972define(`vendor_restricted_prop', `
973  define_prop($1, vendor, restricted)
974  treble_sysprop_neverallow(`
975# init is in coredomain, but should be able to write all props.
976    neverallow { coredomain -init } $1:property_service set;
977  ')
978')
979
980###########################################
981# vendor_public_prop(name)
982# Define a /vendor-owned property with no restrictions
983#
984define(`vendor_public_prop', `define_prop($1, vendor, public)')
985
986#####################################
987# read_fstab(domain)
988# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
989#
990define(`read_fstab', `
991  allow $1 { metadata_file gsi_metadata_file_type }:dir search;
992  allow $1 gsi_public_metadata_file:file r_file_perms;
993')
994