1# Rules for all domains. 2 3# Allow reaping by init. 4allow domain init:process sigchld; 5 6# Intra-domain accesses. 7allow domain self:process { 8 fork 9 sigchld 10 sigkill 11 sigstop 12 signull 13 signal 14 getsched 15 setsched 16 getsession 17 getpgid 18 setpgid 19 getcap 20 setcap 21 getattr 22 setrlimit 23}; 24allow domain self:fd use; 25allow domain proc:dir r_dir_perms; 26allow domain proc_net_type:dir search; 27r_dir_file(domain, self) 28allow domain self:{ fifo_file file } rw_file_perms; 29allow domain self:unix_dgram_socket { create_socket_perms sendto }; 30allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31 32# Inherit or receive open files from others. 33allow domain init:fd use; 34 35userdebug_or_eng(` 36 allow domain su:fd use; 37 allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown }; 38 allow domain su:unix_dgram_socket sendto; 39 40 allow { domain -init } su:binder { call transfer }; 41 42 # Running something like "pm dump com.android.bluetooth" requires 43 # fifo writes 44 allow domain su:fifo_file { write getattr }; 45 46 # allow "gdbserver --attach" to work for su. 47 allow domain su:process sigchld; 48 49 # Allow writing coredumps to /cores/* 50 allow domain coredump_file:file create_file_perms; 51 allow domain coredump_file:dir ra_dir_perms; 52') 53 54with_native_coverage(` 55 # Allow writing coverage information to /data/misc/trace 56 allow domain method_trace_data_file:dir create_dir_perms; 57 allow domain method_trace_data_file:file create_file_perms; 58') 59 60# Root fs. 61allow domain tmpfs:dir { getattr search }; 62allow domain rootfs:dir search; 63allow domain rootfs:lnk_file { read getattr }; 64 65# Device accesses. 66allow domain device:dir search; 67allow domain dev_type:lnk_file r_file_perms; 68allow domain devpts:dir search; 69allow domain dmabuf_heap_device:dir r_dir_perms; 70allow domain socket_device:dir r_dir_perms; 71allow domain owntty_device:chr_file rw_file_perms; 72allow domain null_device:chr_file rw_file_perms; 73allow domain zero_device:chr_file rw_file_perms; 74 75# /dev/ashmem is being deprecated by means of constraining and eventually 76# removing all "open" permissions. We preserve the other permissions. 77allow domain ashmem_device:chr_file { getattr read ioctl lock map append write }; 78# This device is used by libcutils, which is accessible to everyone. 79allow domain ashmem_libcutils_device:chr_file rw_file_perms; 80 81# /dev/binder can be accessed by ... everyone! :) 82allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms; 83 84# Restrict binder ioctls to an allowlist. Additional ioctl commands may be 85# added to individual domains, but this sets safe defaults for all processes. 86allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls }; 87 88# /dev/binderfs needs to be accessed by everyone too! 89allow domain binderfs:dir { getattr search }; 90allow domain binderfs_logs_proc:dir search; 91allow domain binderfs_features:dir search; 92allow domain binderfs_features:file r_file_perms; 93 94allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; 95allow domain ptmx_device:chr_file rw_file_perms; 96allow domain random_device:chr_file rw_file_perms; 97allow domain proc_random:dir r_dir_perms; 98allow domain proc_random:file r_file_perms; 99allow domain properties_device:dir { search getattr }; 100allow domain properties_serial:file r_file_perms; 101allow domain property_info:file r_file_perms; 102 103# Public readable properties 104get_prop(domain, aaudio_config_prop) 105get_prop(domain, apexd_select_prop) 106get_prop(domain, arm64_memtag_prop) 107get_prop(domain, bluetooth_config_prop) 108get_prop(domain, bootloader_prop) 109get_prop(domain, build_odm_prop) 110get_prop(domain, build_prop) 111get_prop(domain, build_vendor_prop) 112get_prop(domain, debug_prop) 113get_prop(domain, exported_config_prop) 114get_prop(domain, exported_default_prop) 115get_prop(domain, exported_dumpstate_prop) 116get_prop(domain, exported_secure_prop) 117get_prop(domain, exported_system_prop) 118get_prop(domain, fingerprint_prop) 119get_prop(domain, framework_status_prop) 120get_prop(domain, gwp_asan_prop) 121get_prop(domain, hal_instrumentation_prop) 122get_prop(domain, hw_timeout_multiplier_prop) 123get_prop(domain, init_service_status_prop) 124get_prop(domain, libc_debug_prop) 125get_prop(domain, logd_prop) 126get_prop(domain, mediadrm_config_prop) 127get_prop(domain, property_service_version_prop) 128get_prop(domain, soc_prop) 129get_prop(domain, socket_hook_prop) 130get_prop(domain, surfaceflinger_prop) 131get_prop(domain, telephony_status_prop) 132get_prop({domain -untrusted_app_all userdebug_or_eng(`-isolated_app -ephemeral_app') }, userdebug_or_eng_prop) 133get_prop(domain, vendor_socket_hook_prop) 134get_prop(domain, vndk_prop) 135get_prop(domain, vold_status_prop) 136get_prop(domain, vts_config_prop) 137 138# Binder cache properties are world-readable 139get_prop(domain, binder_cache_bluetooth_server_prop) 140get_prop(domain, binder_cache_system_server_prop) 141get_prop(domain, binder_cache_telephony_server_prop) 142 143# Let everyone read log properties, so that liblog can avoid sending unloggable 144# messages to logd. 145get_prop(domain, log_property_type) 146dontaudit domain property_type:file audit_access; 147allow domain property_contexts_file:file r_file_perms; 148 149allow domain init:key search; 150allow domain vold:key search; 151 152# logd access 153write_logd(domain) 154 155# Directory/link file access for path resolution. 156allow domain { 157 system_file 158 system_lib_file 159 system_seccomp_policy_file 160 system_security_cacerts_file 161}:dir r_dir_perms; 162allow domain system_file:lnk_file { getattr read }; 163 164# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*, 165# /(system|product|system_ext)/etc/(group|passwd), linker and its config. 166allow domain system_seccomp_policy_file:file r_file_perms; 167# cacerts are accessible from public Java API. 168allow domain system_security_cacerts_file:file r_file_perms; 169allow domain system_group_file:file r_file_perms; 170allow domain system_passwd_file:file r_file_perms; 171allow domain system_linker_exec:file { execute read open getattr map }; 172allow domain system_linker_config_file:file r_file_perms; 173allow domain system_lib_file:file { execute read open getattr map }; 174# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc. 175allow domain system_linker_exec:lnk_file { read open getattr }; 176allow domain system_lib_file:lnk_file { read open getattr }; 177 178allow domain system_event_log_tags_file:file r_file_perms; 179 180allow { appdomain coredomain } system_file:file { execute read open getattr map }; 181 182# Make sure system/vendor split doesn not affect non-treble 183# devices 184not_full_treble(` 185 allow domain system_file:file { execute read open getattr map }; 186 allow domain vendor_file_type:dir { search getattr }; 187 allow domain vendor_file_type:file { execute read open getattr map }; 188 allow domain vendor_file_type:lnk_file { getattr read }; 189') 190 191# All domains are allowed to open and read directories 192# that contain HAL implementations (e.g. passthrough 193# HALs require clients to have these permissions) 194allow domain vendor_hal_file:dir r_dir_perms; 195 196# Everyone can read and execute all same process HALs 197allow domain same_process_hal_file:dir r_dir_perms; 198allow { 199 domain 200 -coredomain # access is explicitly granted to individual coredomains 201} same_process_hal_file:file { execute read open getattr map }; 202 203# Any process can load vndk-sp libraries, which are system libraries 204# used by same process HALs 205allow domain vndk_sp_file:dir r_dir_perms; 206allow domain vndk_sp_file:file { execute read open getattr map }; 207 208# All domains get access to /vendor/etc 209allow domain vendor_configs_file:dir r_dir_perms; 210allow domain vendor_configs_file:file { read open getattr map }; 211 212full_treble_only(` 213 # Allow all domains to be able to follow /system/vendor and/or 214 # /vendor/odm symlinks. 215 allow domain vendor_file_type:lnk_file { getattr open read }; 216 217 # This is required to be able to search & read /vendor/lib64 218 # in order to lookup vendor libraries. The execute permission 219 # for coredomains is granted *only* for same process HALs 220 allow domain vendor_file:dir { getattr search }; 221 222 # Allow reading and executing out of /vendor to all vendor domains 223 allow { domain -coredomain } vendor_file_type:dir r_dir_perms; 224 allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; 225 allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; 226') 227 228# read and stat any sysfs symlinks 229allow domain sysfs:lnk_file { getattr read }; 230 231# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for 232# timezone related information. 233# This directory is considered to be a VNDK-stable 234allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms; 235allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms; 236 237# Lots of processes access current CPU information 238r_dir_file(domain, sysfs_devices_system_cpu) 239 240r_dir_file(domain, sysfs_usb); 241 242# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically 243# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled. 244allow domain sysfs_transparent_hugepage:dir search; 245allow domain sysfs_transparent_hugepage:file r_file_perms; 246 247# files under /data. 248not_full_treble(` 249 allow domain system_data_file:dir getattr; 250') 251allow { coredomain appdomain } system_data_file:dir getattr; 252# /data has the label system_data_root_file. Vendor components need the search 253# permission on system_data_root_file for path traversal to /data/vendor. 254allow domain system_data_root_file:dir { search getattr } ; 255allow domain system_data_file:dir search; 256# TODO restrict this to non-coredomain 257allow domain vendor_data_file:dir { getattr search }; 258 259# required by the dynamic linker 260allow domain proc:lnk_file { getattr read }; 261 262# /proc/cpuinfo 263allow domain proc_cpuinfo:file r_file_perms; 264 265# /dev/cpu_variant:.* 266allow domain dev_cpu_variant:file r_file_perms; 267 268# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate 269allow domain proc_perf:file r_file_perms; 270 271# toybox loads libselinux which stats /sys/fs/selinux/ 272allow domain selinuxfs:dir search; 273allow domain selinuxfs:file getattr; 274allow domain sysfs:dir search; 275allow domain selinuxfs:filesystem getattr; 276 277# Almost all processes log tracing information to 278# /sys/kernel/debug/tracing/trace_marker 279# The reason behind this is documented in b/6513400 280allow domain debugfs:dir search; 281allow domain debugfs_tracing:dir search; 282allow domain debugfs_tracing_debug:dir search; 283allow domain debugfs_trace_marker:file w_file_perms; 284 285# Linux lockdown mode offers coarse-grained definitions for access controls. 286# The "confidentiality" level detects access to tracefs or the perf subsystem. 287# This overlaps with more precise declarations in Android's policy. The 288# debugfs_trace_marker above is an example in which all processes should have 289# some access to tracefs. Therefore, allow all domains to access this level. 290# The "integrity" level is however enforced. 291allow domain self:lockdown confidentiality; 292 293# Filesystem access. 294allow domain fs_type:filesystem getattr; 295allow domain fs_type:dir getattr; 296 297# Restrict all domains to an allowlist for common socket types. Additional 298# ioctl commands may be added to individual domains, but this sets safe 299# defaults for all processes. Note that granting this allowlist to domain does 300# not grant the ioctl permission on these socket types. That must be granted 301# separately. 302allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } 303 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 304# default allowlist for unix sockets. 305allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket } 306 ioctl unpriv_unix_sock_ioctls; 307 308# Restrict PTYs to only allowed ioctls. 309# Note that granting this allowlist to domain does 310# not grant the wider ioctl permission. That must be granted 311# separately. 312allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; 313 314# All domains must clearly enumerate what ioctls they use 315# on filesystem objects (plain files, directories, symbolic links, 316# named pipes, and named sockets). We start off with a safe set. 317allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX }; 318 319# If a domain has ioctl access to tun_device, it must clearly enumerate the 320# ioctls used. Safe defaults are listed below. 321allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX }; 322 323# Allow a process to make a determination whether a file descriptor 324# for a plain file or pipe (fifo_file) is a tty. Note that granting 325# this allowlist to domain does not grant the ioctl permission to 326# these files. That must be granted separately. 327allowxperm domain { file_type fs_type }:file ioctl { TCGETS }; 328allowxperm domain domain:fifo_file ioctl { TCGETS }; 329 330# If a domain has access to perform an ioctl on a block device, allow these 331# very common, benign ioctls 332allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET }; 333 334# Support sqlite F2FS specific optimizations 335# ioctl permission on the specific file type is still required 336# TODO: consider only compiling these rules if we know the 337# /data partition is F2FS 338allowxperm domain { file_type sdcard_type }:file ioctl { 339 F2FS_IOC_ABORT_VOLATILE_WRITE 340 F2FS_IOC_COMMIT_ATOMIC_WRITE 341 F2FS_IOC_GET_FEATURES 342 F2FS_IOC_GET_PIN_FILE 343 F2FS_IOC_SET_PIN_FILE 344 F2FS_IOC_START_ATOMIC_WRITE 345}; 346 347# Workaround for policy compiler being too aggressive and removing hwservice_manager_type 348# when it's not explicitly used in allow rules 349allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; 350# Workaround for policy compiler being too aggressive and removing vndservice_manager_type 351# when it's not explicitly used in allow rules 352allow { domain -domain } vndservice_manager_type:service_manager { add find }; 353 354# Under ASAN, processes will try to read /data, as the sanitized libraries are there. 355with_asan(`allow domain system_data_file:dir getattr;') 356# Under ASAN, /system/asan.options needs to be globally accessible. 357with_asan(`allow domain system_asan_options_file:file r_file_perms;') 358 359# read APEX dir and stat any symlink pointing to APEXs. 360allow domain apex_mnt_dir:dir { getattr search }; 361allow domain apex_mnt_dir:lnk_file r_file_perms; 362 363### 364### neverallow rules 365### 366 367# All ioctls on file-like objects (except chr_file and blk_file) and 368# sockets must be restricted to an allowlist. 369neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; 370 371# b/68014825 and https://android-review.googlesource.com/516535 372# rfc6093 says that processes should not use the TCP urgent mechanism 373neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; 374 375# TIOCSTI is only ever used for exploits. Block it. 376# b/33073072, b/7530569 377# http://www.openwall.com/lists/oss-security/2016/09/26/14 378neverallowxperm * devpts:chr_file ioctl TIOCSTI; 379 380# Do not allow any domain other than init to create unlabeled files. 381neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 382 383# Limit device node creation to these allowed domains. 384neverallow { 385 domain 386 -kernel 387 -init 388 -ueventd 389 -vold 390} self:global_capability_class_set mknod; 391 392# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). 393neverallow * self:memprotect mmap_zero; 394 395# No domain needs mac_override as it is unused by SELinux. 396neverallow * self:global_capability2_class_set mac_override; 397 398# Disallow attempts to set contexts not defined in current policy 399# This helps guarantee that unknown or dangerous contents will not ever 400# be set. 401neverallow * self:global_capability2_class_set mac_admin; 402 403# Once the policy has been loaded there shall be none to modify the policy. 404# It is sealed. 405neverallow * kernel:security load_policy; 406 407# Only init prior to switching context should be able to set enforcing mode. 408# init starts in kernel domain and switches to init domain via setcon in 409# the init.rc, so the setenforce occurs while still in kernel. After 410# switching domains, there is never any need to setenforce again by init. 411neverallow * kernel:security setenforce; 412neverallow { domain -kernel } kernel:security setcheckreqprot; 413 414# No booleans in AOSP policy, so no need to ever set them. 415neverallow * kernel:security setbool; 416 417# Adjusting the AVC cache threshold. 418# Not presently allowed to anything in policy, but possibly something 419# that could be set from init.rc. 420neverallow { domain -init } kernel:security setsecparam; 421 422# Only the kernel hwrng thread should be able to read from the HW RNG. 423neverallow { 424 domain 425 -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG 426 -shell # For CTS, restricted to just getattr in shell.te 427 -ueventd # To create the /dev/hw_random file 428} hw_random_device:chr_file *; 429# b/78174219 b/64114943 430neverallow { 431 domain 432 -shell # stat of /dev, getattr only 433 -ueventd 434} keychord_device:chr_file *; 435 436# Ensure that all entrypoint executables are in exec_type or postinstall_file. 437neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; 438 439# The dynamic linker always calls access(2) on the path. Don't generate SElinux 440# denials since the linker does not actually access the path in case the path 441# does not exist or isn't accessible for the process. 442dontaudit domain postinstall_mnt_dir:dir audit_access; 443 444#Ensure that nothing in userspace can access /dev/port 445neverallow { 446 domain 447 -shell # Shell user should not have any abilities outside of getattr 448 -ueventd 449} port_device:chr_file *; 450neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; 451# Only init should be able to configure kernel usermodehelpers or 452# security-sensitive proc settings. 453neverallow { domain -init } usermodehelper:file { append write }; 454neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; 455neverallow { domain -init -vendor_init } proc_security:file { append open read write }; 456 457# Init can't do anything with binder calls. If this neverallow rule is being 458# triggered, it's probably due to a service with no SELinux domain. 459neverallow * init:binder *; 460neverallow * vendor_init:binder *; 461 462# Don't allow raw read/write/open access to block_device 463# Rather force a relabel to a more specific type 464neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; 465 466# Do not allow renaming of block files or character files 467# Ability to do so can lead to possible use in an exploit chain 468# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html 469neverallow * *:{ blk_file chr_file } rename; 470 471# Don't allow raw read/write/open access to generic devices. 472# Rather force a relabel to a more specific type. 473neverallow domain device:chr_file { open read write }; 474 475# Files from cache should never be executed 476neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; 477 478# The test files and executables MUST not be accessible to any domain 479neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms; 480neverallow domain nativetest_data_file:dir no_w_dir_perms; 481neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; 482 483neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms; 484neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms; 485neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *; 486neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms }; 487neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *; 488 489# Only the init property service should write to /data/property and /dev/__properties__ 490neverallow { domain -init } property_data_file:dir no_w_dir_perms; 491neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; 492neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; 493neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; 494neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; 495 496# Nobody should be doing writes to /system & /vendor 497# These partitions are intended to be read-only and must never be 498# modified. Doing so would violate important Android security guarantees 499# and invalidate dm-verity signatures. 500neverallow { 501 domain 502 with_asan(`-asan_extract') 503 recovery_only(`userdebug_or_eng(`-fastbootd')') 504} { 505 system_file_type 506 vendor_file_type 507 exec_type 508}:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; 509 510neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto; 511 512# Don't allow mounting on top of /system files or directories 513neverallow * exec_type:dir_file_class_set mounton; 514 515# Nothing should be writing to files in the rootfs. 516neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; 517 518# Restrict context mounts to specific types marked with 519# the contextmount_type attribute. 520neverallow * {fs_type -contextmount_type}:filesystem relabelto; 521 522# Ensure that context mount types are not writable, to ensure that 523# the write to /system restriction above is not bypassed via context= 524# mount to another type. 525neverallow * contextmount_type:dir_file_class_set 526 { create setattr relabelfrom relabelto append link rename }; 527neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink }; 528 529# Do not allow service_manager add for default service labels. 530# Instead domains should use a more specific type such as 531# system_app_service rather than the generic type. 532# New service_types are defined in {,hw,vnd}service.te and new mappings 533# from service name to service_type are defined in {,hw,vnd}service_contexts. 534neverallow * default_android_service:service_manager *; 535neverallow * default_android_vndservice:service_manager *; 536neverallow * default_android_hwservice:hwservice_manager *; 537 538# Looking up the base class/interface of all HwBinder services is a bad idea. 539# hwservicemanager currently offer such lookups only to make it so that security 540# decisions are expressed in SELinux policy. However, it's unclear whether this 541# lookup has security implications. If it doesn't, hwservicemanager should be 542# modified to not offer this lookup. 543# This rule can be removed if hwservicemanager is modified to not permit these 544# lookups. 545neverallow * hidl_base_hwservice:hwservice_manager find; 546 547# Require that domains explicitly label unknown properties, and do not allow 548# anyone but init to modify unknown properties. 549neverallow { domain -init -vendor_init } mmc_prop:property_service set; 550neverallow { domain -init -vendor_init } vndk_prop:property_service set; 551 552compatible_property_only(` 553 neverallow { domain -init } mmc_prop:property_service set; 554 neverallow { domain -init -vendor_init } exported_default_prop:property_service set; 555 neverallow { domain -init } exported_secure_prop:property_service set; 556 neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; 557 neverallow { domain -init -vendor_init } storage_config_prop:property_service set; 558 neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set; 559') 560 561compatible_property_only(` 562 neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; 563 neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; 564') 565 566neverallow { domain -init } aac_drc_prop:property_service set; 567neverallow { domain -init } build_prop:property_service set; 568neverallow { domain -init } userdebug_or_eng_prop:property_service set; 569 570# Do not allow reading device's serial number from system properties except form 571# a few allowed domains. 572neverallow { 573 domain 574 -adbd 575 -dumpstate 576 -fastbootd 577 -hal_camera_server 578 -hal_cas_server 579 -hal_drm_server 580 userdebug_or_eng(`-incidentd') 581 -init 582 -mediadrmserver 583 -mediaserver 584 -recovery 585 -shell 586 -system_server 587 -vendor_init 588} serialno_prop:file r_file_perms; 589 590neverallow { 591 domain 592 -init 593 -recovery 594 -system_server 595 -shell # Shell is further restricted in shell.te 596 -ueventd # Further restricted in ueventd.te 597} frp_block_device:blk_file no_rw_file_perms; 598 599# The metadata block device is set aside for device encryption and 600# verified boot metadata. It may be reset at will and should not 601# be used by other domains. 602neverallow { 603 domain 604 -init 605 -recovery 606 -vold 607 -e2fs 608 -fsck 609 -fastbootd 610} metadata_block_device:blk_file { append link rename write open read ioctl lock }; 611 612# No domain other than recovery, update_engine and fastbootd can write to system partition(s). 613neverallow { 614 domain 615 -fastbootd 616 userdebug_or_eng(`-fsck') 617 userdebug_or_eng(`-init') 618 -recovery 619 -update_engine 620} system_block_device:blk_file { write append }; 621 622# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager 623neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; 624# The service managers are only allowed to access their own device node 625neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; 626neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; 627neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; 628neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; 629neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 630neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 631 632# system services cant add vendor services 633neverallow { 634 coredomain 635} vendor_service:service_manager add; 636 637full_treble_only(` 638 # vendor services cant add system services 639 neverallow { 640 domain 641 -coredomain 642 } { 643 service_manager_type 644 -vendor_service 645 }:service_manager add; 646') 647 648full_treble_only(` 649 # Vendor apps are permited to use only stable public services. If they were to use arbitrary 650 # services which can change any time framework/core is updated, breakage is likely. 651 # 652 # Note, this same logic applies to untrusted apps, but neverallows for these are separate. 653 neverallow { 654 appdomain 655 -coredomain 656 } { 657 service_manager_type 658 659 -app_api_service 660 -vendor_service # must be @VintfStability to be used by an app 661 -ephemeral_app_api_service 662 663 -apc_service 664 -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed 665 -cameraserver_service 666 -drmserver_service 667 -credstore_service 668 -keystore_maintenance_service 669 -keystore_service 670 -legacykeystore_service 671 -mediadrmserver_service 672 -mediaextractor_service 673 -mediametrics_service 674 -mediaserver_service 675 -nfc_service 676 -radio_service 677 -virtual_touchpad_service 678 -vr_manager_service 679 userdebug_or_eng(`-hal_face_service') 680 }:service_manager find; 681') 682 683# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. 684full_treble_only(` 685 neverallow { 686 coredomain 687 -shell 688 userdebug_or_eng(`-su') 689 -ueventd # uevent is granted create for this device, but we still neverallow I/O below 690 } vndbinder_device:chr_file rw_file_perms; 691') 692full_treble_only(` 693 neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; 694') 695full_treble_only(` 696 neverallow { 697 coredomain 698 -shell 699 userdebug_or_eng(`-su') 700 } vndservice_manager_type:service_manager *; 701') 702full_treble_only(` 703 neverallow { 704 coredomain 705 -shell 706 userdebug_or_eng(`-su') 707 } vndservicemanager:binder *; 708') 709 710# On full TREBLE devices, socket communications between core components and vendor components are 711# not permitted. 712 # Most general rules first, more specific rules below. 713 714 # Core domains are not permitted to initiate communications to vendor domain sockets. 715 # We are not restricting the use of already established sockets because it is fine for a process 716 # to obtain an already established socket via some public/official/stable API and then exchange 717 # data with its peer over that socket. The wire format in this scenario is dicatated by the API 718 # and thus does not break the core-vendor separation. 719full_treble_only(` 720 neverallow_establish_socket_comms({ 721 coredomain 722 -init 723 -adbd 724 }, { 725 domain 726 -coredomain 727 -socket_between_core_and_vendor_violators 728 }); 729') 730 731 # Vendor domains are not permitted to initiate create/open sockets owned by core domains 732full_treble_only(` 733 neverallow { 734 domain 735 -coredomain 736 -appdomain # appdomain restrictions below 737 -data_between_core_and_vendor_violators # b/70393317 738 -socket_between_core_and_vendor_violators 739 -vendor_init 740 } { 741 coredomain_socket 742 core_data_file_type 743 unlabeled # used only by core domains 744 }:sock_file ~{ append getattr ioctl read write }; 745') 746full_treble_only(` 747 neverallow { 748 appdomain 749 -coredomain 750 } { 751 coredomain_socket 752 unlabeled # used only by core domains 753 core_data_file_type 754 -app_data_file 755 -privapp_data_file 756 -pdx_endpoint_socket_type # used by VR layer 757 -pdx_channel_socket_type # used by VR layer 758 }:sock_file ~{ append getattr ioctl read write }; 759') 760 761 # Core domains are not permitted to create/open sockets owned by vendor domains 762full_treble_only(` 763 neverallow { 764 coredomain 765 -init 766 -ueventd 767 -socket_between_core_and_vendor_violators 768 } { 769 file_type 770 dev_type 771 -coredomain_socket 772 -core_data_file_type 773 -app_data_file_type 774 -unlabeled 775 }:sock_file ~{ append getattr ioctl read write }; 776') 777 778# On TREBLE devices, vendor and system components are only allowed to share 779# files by passing open FDs over hwbinder. Ban all directory access and all file 780# accesses other than what can be applied to an open FD such as 781# ioctl/stat/read/write/append. This is enforced by segregating /data. 782# Vendor domains may directly access file in /data/vendor by path, but may only 783# access files outside of /data/vendor via an open FD passed over hwbinder. 784# Likewise, core domains may only directly access files outside /data/vendor by 785# path and files in /data/vendor by open FD. 786full_treble_only(` 787 # only coredomains may only access core_data_file_type, particularly not 788 # /data/vendor 789 neverallow { 790 coredomain 791 -appdomain # TODO(b/34980020) remove exemption for appdomain 792 -data_between_core_and_vendor_violators 793 -init 794 -vold_prepare_subdirs 795 } { 796 data_file_type 797 -core_data_file_type 798 -app_data_file_type 799 }:file_class_set ~{ append getattr ioctl read write map }; 800') 801full_treble_only(` 802 neverallow { 803 coredomain 804 -appdomain # TODO(b/34980020) remove exemption for appdomain 805 -data_between_core_and_vendor_violators 806 -init 807 -vold_prepare_subdirs 808 } { 809 data_file_type 810 -core_data_file_type 811 -app_data_file_type 812 # TODO(b/72998741) Remove exemption. Further restricted in a subsequent 813 # neverallow. Currently only getattr and search are allowed. 814 -vendor_data_file 815 }:dir *; 816 817') 818full_treble_only(` 819 # vendor domains may only access files in /data/vendor, never core_data_file_types 820 neverallow { 821 domain 822 -appdomain # TODO(b/34980020) remove exemption for appdomain 823 -coredomain 824 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 825 -vendor_init 826 } { 827 core_data_file_type 828 # libc includes functions like mktime and localtime which attempt to access 829 # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata. 830 # These functions are considered vndk-stable and thus must be allowed for 831 # all processes. 832 -zoneinfo_data_file 833 with_native_coverage(`-method_trace_data_file') 834 }:file_class_set ~{ append getattr ioctl read write map }; 835 neverallow { 836 vendor_init 837 -data_between_core_and_vendor_violators 838 } { 839 core_data_file_type 840 -unencrypted_data_file 841 -zoneinfo_data_file 842 with_native_coverage(`-method_trace_data_file') 843 }:file_class_set ~{ append getattr ioctl read write map }; 844 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 845 # The vendor init binary lives on the system partition so there is not a concern with stability. 846 neverallow vendor_init unencrypted_data_file:file ~r_file_perms; 847') 848full_treble_only(` 849 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 850 neverallow { 851 domain 852 -appdomain # TODO(b/34980020) remove exemption for appdomain 853 -coredomain 854 -data_between_core_and_vendor_violators 855 -vendor_init 856 } { 857 core_data_file_type 858 -system_data_file # default label for files on /data. Covered below... 859 -system_data_root_file 860 -vendor_data_file 861 -zoneinfo_data_file 862 with_native_coverage(`-method_trace_data_file') 863 }:dir *; 864 neverallow { 865 vendor_init 866 -data_between_core_and_vendor_violators 867 } { 868 core_data_file_type 869 -unencrypted_data_file 870 -system_data_file 871 -system_data_root_file 872 -vendor_data_file 873 -zoneinfo_data_file 874 with_native_coverage(`-method_trace_data_file') 875 }:dir *; 876 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 877 # The vendor init binary lives on the system partition so there is not a concern with stability. 878 neverallow vendor_init unencrypted_data_file:dir ~search; 879') 880full_treble_only(` 881 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 882 neverallow { 883 domain 884 -appdomain # TODO(b/34980020) remove exemption for appdomain 885 -coredomain 886 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 887 } { 888 system_data_file # default label for files on /data. Covered below 889 }:dir ~{ getattr search }; 890') 891 892full_treble_only(` 893 # coredomains may not access dirs in /data/vendor. 894 neverallow { 895 coredomain 896 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 897 -init 898 -vold # vold creates per-user storage for both system and vendor 899 -vold_prepare_subdirs 900 } { 901 vendor_data_file # default label for files on /data. Covered below 902 }:dir ~{ getattr search }; 903') 904 905full_treble_only(` 906 # coredomains may not access dirs in /data/vendor. 907 neverallow { 908 coredomain 909 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 910 -init 911 } { 912 vendor_data_file # default label for files on /data/vendor{,_ce,_de}. 913 }:file_class_set ~{ append getattr ioctl read write map }; 914') 915 916full_treble_only(` 917 # Non-vendor domains are not allowed to file execute shell 918 # from vendor 919 neverallow { 920 coredomain 921 -init 922 -shell 923 -ueventd 924 } vendor_shell_exec:file { execute execute_no_trans }; 925') 926 927full_treble_only(` 928 # Do not allow vendor components to execute files from system 929 # except for the ones allowed here. 930 neverallow { 931 domain 932 -coredomain 933 -appdomain 934 -vendor_executes_system_violators 935 -vendor_init 936 } { 937 system_file_type 938 -system_lib_file 939 -system_linker_exec 940 -crash_dump_exec 941 -iorap_prefetcherd_exec 942 -iorap_inode2filename_exec 943 -netutils_wrapper_exec 944 userdebug_or_eng(`-tcpdump_exec') 945 }:file { entrypoint execute execute_no_trans }; 946') 947 948full_treble_only(` 949 # Do not allow coredomain to access entrypoint for files other 950 # than system_file_type and postinstall_file 951 neverallow coredomain { 952 file_type 953 -system_file_type 954 -postinstall_file 955 }:file entrypoint; 956 # Do not allow domains other than coredomain to access entrypoint 957 # for anything but vendor_file_type and init_exec for vendor_init. 958 neverallow { domain -coredomain } { 959 file_type 960 -vendor_file_type 961 -init_exec 962 }:file entrypoint; 963') 964 965full_treble_only(` 966 # Do not allow system components to execute files from vendor 967 # except for the ones allowed here. 968 neverallow { 969 coredomain 970 -init 971 -shell 972 -system_executes_vendor_violators 973 -ueventd 974 } { 975 vendor_file_type 976 -same_process_hal_file 977 -vndk_sp_file 978 -vendor_app_file 979 -vendor_public_framework_file 980 -vendor_public_lib_file 981 }:file execute; 982') 983 984full_treble_only(` 985 neverallow { 986 coredomain 987 -shell 988 -system_executes_vendor_violators 989 } { 990 vendor_file_type 991 -same_process_hal_file 992 }:file execute_no_trans; 993') 994 995full_treble_only(` 996 # Do not allow vendor components access to /system files except for the 997 # ones allowed here. 998 neverallow { 999 domain 1000 -appdomain 1001 -coredomain 1002 -vendor_executes_system_violators 1003 # vendor_init needs access to init_exec for domain transition. vendor_init 1004 # neverallows are covered in public/vendor_init.te 1005 -vendor_init 1006 } { 1007 system_file_type 1008 -crash_dump_exec 1009 -file_contexts_file 1010 -iorap_inode2filename_exec 1011 -netutils_wrapper_exec 1012 -property_contexts_file 1013 -system_event_log_tags_file 1014 -system_group_file 1015 -system_lib_file 1016 with_asan(`-system_asan_options_file') 1017 -system_linker_exec 1018 -system_linker_config_file 1019 -system_passwd_file 1020 -system_seccomp_policy_file 1021 -system_security_cacerts_file 1022 -system_zoneinfo_file 1023 -task_profiles_api_file 1024 -task_profiles_file 1025 userdebug_or_eng(`-tcpdump_exec') 1026 }:file *; 1027') 1028 1029# Only system_server should be able to send commands via the zygote socket 1030neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 1031neverallow { domain -system_server } zygote_socket:sock_file write; 1032 1033neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto; 1034neverallow { domain -system_server } webview_zygote:sock_file write; 1035neverallow { domain -system_server } app_zygote:sock_file write; 1036 1037neverallow domain tombstoned_crash_socket:unix_stream_socket connectto; 1038 1039# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to 1040# the tombstoned intercept socket. 1041neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; 1042neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 1043 1044# Never allow anyone but system_server to read heapdumps in /data/system/heapdump. 1045neverallow { domain -init -system_server } heapdump_data_file:file read; 1046 1047# Android does not support System V IPCs. 1048# 1049# The reason for this is due to the fact that, by design, they lead to global 1050# kernel resource leakage. 1051# 1052# For example, there is no way to automatically release a SysV semaphore 1053# allocated in the kernel when: 1054# 1055# - a buggy or malicious process exits 1056# - a non-buggy and non-malicious process crashes or is explicitly killed. 1057# 1058# Killing processes automatically to make room for new ones is an 1059# important part of Android's application lifecycle implementation. This means 1060# that, even assuming only non-buggy and non-malicious code, it is very likely 1061# that over time, the kernel global tables used to implement SysV IPCs will fill 1062# up. 1063neverallow * *:{ shm sem msg msgq } *; 1064 1065# Do not mount on top of symlinks, fifos, or sockets. 1066# Feature parity with Chromium LSM. 1067neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 1068 1069# Nobody should be able to execute su on user builds. 1070# On userdebug/eng builds, only dumpstate, shell, and 1071# su itself execute su. 1072neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 1073 1074# Do not allow the introduction of new execmod rules. Text relocations 1075# and modification of executable pages are unsafe. 1076# The only exceptions are for NDK text relocations associated with 1077# https://code.google.com/p/android/issues/detail?id=23203 1078# which, long term, need to go away. 1079neverallow * { 1080 file_type 1081 -apk_data_file 1082 -app_data_file 1083 -asec_public_file 1084}:file execmod; 1085 1086# Do not allow making the stack or heap executable. 1087# We would also like to minimize execmem but it seems to be 1088# required by some device-specific service domains. 1089neverallow * self:process { execstack execheap }; 1090 1091# Do not allow the introduction of new execmod rules. Text relocations 1092# and modification of executable pages are unsafe. 1093neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod; 1094 1095neverallow { domain -init } proc:{ file dir } mounton; 1096 1097# Ensure that all types assigned to processes are included 1098# in the domain attribute, so that all allow and neverallow rules 1099# written on domain are applied to all processes. 1100# This is achieved by ensuring that it is impossible to transition 1101# from a domain to a non-domain type and vice versa. 1102# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 1103neverallow ~domain domain:process { transition dyntransition }; 1104 1105# 1106# Only system_app and system_server should be creating or writing 1107# their files. The proper way to share files is to setup 1108# type transitions to a more specific type or assigning a type 1109# to its parent directory via a file_contexts entry. 1110# Example type transition: 1111# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 1112# 1113neverallow { 1114 domain 1115 -system_server 1116 -system_app 1117 -init 1118 -toolbox # TODO(b/141108496) We want to remove toolbox 1119 -installd # for relabelfrom and unlink, check for this in explicit neverallow 1120 -vold_prepare_subdirs # For unlink 1121 with_asan(`-asan_extract') 1122} system_data_file:file no_w_file_perms; 1123# do not grant anything greater than r_file_perms and relabelfrom unlink 1124# to installd 1125neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 1126 1127# 1128# Only these domains should transition to shell domain. This domain is 1129# permissible for the "shell user". If you need a process to exec a shell 1130# script with differing privilege, define a domain and set up a transition. 1131# 1132neverallow { 1133 domain 1134 -adbd 1135 -init 1136 -runas 1137 -zygote 1138} shell:process { transition dyntransition }; 1139 1140# Only domains spawned from zygote, runas and simpleperf_app_runner may have 1141# the appdomain attribute. simpleperf is excluded as a domain transitioned to 1142# when running an app-scoped profiling session. 1143neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } { 1144 appdomain -shell -simpleperf userdebug_or_eng(`-su') 1145}:process { transition dyntransition }; 1146 1147# Minimize read access to shell- or app-writable symlinks. 1148# This is to prevent malicious symlink attacks. 1149neverallow { 1150 domain 1151 -appdomain 1152 -installd 1153} { app_data_file privapp_data_file }:lnk_file read; 1154 1155neverallow { 1156 domain 1157 -shell 1158 userdebug_or_eng(`-uncrypt') 1159 -installd 1160} shell_data_file:lnk_file read; 1161 1162# In addition to the symlink reading restrictions above, restrict 1163# write access to shell owned directories. The /data/local/tmp 1164# directory is untrustworthy, and non-allowed domains should 1165# not be trusting any content in those directories. 1166neverallow { 1167 domain 1168 -adbd 1169 -dumpstate 1170 -installd 1171 -init 1172 -shell 1173 -vold 1174} shell_data_file:dir no_w_dir_perms; 1175 1176neverallow { 1177 domain 1178 -adbd 1179 -appdomain 1180 -dumpstate 1181 -init 1182 -installd 1183 -iorap_inode2filename 1184 -simpleperf_app_runner 1185 -system_server # why? 1186 userdebug_or_eng(`-uncrypt') 1187} shell_data_file:dir { open search }; 1188 1189# servicemanager and vndservicemanager are the only processes which handle the 1190# service_manager list request 1191neverallow * ~{ 1192 servicemanager 1193 vndservicemanager 1194 }:service_manager list; 1195 1196# hwservicemanager is the only process which handles hw list requests 1197neverallow * ~{ 1198 hwservicemanager 1199 }:hwservice_manager list; 1200 1201# only service_manager_types can be added to service_manager 1202# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 1203 1204# Prevent assigning non property types to properties 1205# TODO - rework this: neverallow * ~property_type:property_service set; 1206 1207# Domain types should never be assigned to any files other 1208# than the /proc/pid files associated with a process. The 1209# executable file used to enter a domain should be labeled 1210# with its own _exec type, not with the domain type. 1211# Conventionally, this looks something like: 1212# $ cat mydaemon.te 1213# type mydaemon, domain; 1214# type mydaemon_exec, exec_type, file_type; 1215# init_daemon_domain(mydaemon) 1216# $ grep mydaemon file_contexts 1217# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 1218neverallow * domain:file { execute execute_no_trans entrypoint }; 1219 1220# Do not allow access to the generic debugfs label. This is too broad. 1221# Instead, if access to part of debugfs is desired, it should have a 1222# more specific label. 1223# TODO: fix dumpstate 1224neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms; 1225 1226# Do not allow executable files in debugfs. 1227neverallow domain debugfs_type:file { execute execute_no_trans }; 1228 1229# Don't allow access to the FUSE control filesystem, except to vold and init's 1230neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms; 1231 1232# Profiles contain untrusted data and profman parses that. We should only run 1233# in from installd forked processes. 1234neverallow { 1235 domain 1236 -installd 1237 -profman 1238} profman_exec:file no_x_file_perms; 1239 1240# Enforce restrictions on kernel module origin. 1241# Do not allow kernel module loading except from system, 1242# vendor, boot, and system_dlkm partitions. 1243# TODO(b/218951883): Remove usage of system and rootfs as origin 1244neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load; 1245 1246# Only allow filesystem caps to be set at build time. Runtime changes 1247# to filesystem capabilities are not permitted. 1248neverallow * self:global_capability_class_set setfcap; 1249 1250# Enforce AT_SECURE for executing crash_dump. 1251neverallow domain crash_dump:process noatsecure; 1252 1253# Do not permit non-core domains to register HwBinder services which are 1254# guaranteed to be provided by core domains only. 1255neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1256 1257# Do not permit the registeration of HwBinder services which are guaranteed to 1258# be passthrough only (i.e., run in the process of their clients instead of a 1259# separate server process). 1260neverallow * same_process_hwservice:hwservice_manager add; 1261 1262# If an already existing file is opened with O_CREAT, the kernel might generate 1263# a false report of a create denial. Silence these denials and make sure that 1264# inappropriate permissions are not granted. 1265 1266# These filesystems don't allow files or directories to be created, so the permission 1267# to do so should never be granted. 1268neverallow domain { 1269 proc_type 1270 sysfs_type 1271}:dir { add_name create link remove_name rename reparent rmdir write }; 1272 1273# cgroupfs directories can be created, but not files within them. 1274neverallow domain cgroup:file create; 1275neverallow domain cgroup_v2:file create; 1276 1277dontaudit domain proc_type:dir write; 1278dontaudit domain sysfs_type:dir write; 1279dontaudit domain cgroup:file create; 1280dontaudit domain cgroup_v2:file create; 1281 1282# These are only needed in permissive mode - in enforcing mode the 1283# directory write check fails and so these are never attempted. 1284userdebug_or_eng(` 1285 dontaudit domain proc_type:dir add_name; 1286 dontaudit domain sysfs_type:dir add_name; 1287 dontaudit domain proc_type:file create; 1288 dontaudit domain sysfs_type:file create; 1289') 1290 1291# Platform must not have access to /mnt/vendor. 1292neverallow { 1293 coredomain 1294 -init 1295 -ueventd 1296 -vold 1297 -system_writes_mnt_vendor_violators 1298} mnt_vendor_file:dir *; 1299 1300# Only apps are allowed access to vendor public libraries. 1301full_treble_only(` 1302 neverallow { 1303 coredomain 1304 -appdomain 1305 } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans }; 1306') 1307 1308# Vendor domian must not have access to /mnt/product. 1309neverallow { 1310 domain 1311 -coredomain 1312} mnt_product_file:dir *; 1313 1314# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL 1315full_treble_only(` 1316 neverallow { 1317 coredomain 1318 -shell 1319 # For access to block device information under /sys/class/block. 1320 -apexd 1321 # Read sysfs block device information. 1322 -init 1323 # Generate uevents for health info 1324 -ueventd 1325 # Recovery uses health HAL passthrough implementation. 1326 -recovery 1327 # Charger uses health HAL passthrough implementation. 1328 -charger 1329 # TODO(b/110891300): remove this exception 1330 -incidentd 1331 } sysfs_batteryinfo:file { open read }; 1332') 1333 1334neverallow { 1335 domain 1336 -hal_codec2_server 1337 -hal_omx_server 1338} hal_codec2_hwservice:hwservice_manager add; 1339 1340# Only apps targetting < Q are allowed to open /dev/ashmem directly. 1341# Apps must use ASharedMemory NDK API. Native code must use libcutils API. 1342neverallow { 1343 domain 1344 -ephemeral_app # We don't distinguish ephemeral apps based on target API. 1345 -untrusted_app_25 1346 -untrusted_app_27 1347} ashmem_device:chr_file open; 1348 1349neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *; 1350 1351# Linux lockdown "integrity" level is enforced for user builds. 1352neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity; 1353