1# Rules for all domains. 2 3# Allow reaping by init. 4allow domain init:process sigchld; 5 6# Intra-domain accesses. 7allow domain self:process { 8 fork 9 sigchld 10 sigkill 11 sigstop 12 signull 13 signal 14 getsched 15 setsched 16 getsession 17 getpgid 18 setpgid 19 getcap 20 setcap 21 getattr 22 setrlimit 23}; 24allow domain self:fd use; 25allow domain proc:dir r_dir_perms; 26allow domain proc_net_type:dir search; 27r_dir_file(domain, self) 28allow domain self:{ fifo_file file } rw_file_perms; 29allow domain self:unix_dgram_socket { create_socket_perms sendto }; 30allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31 32# Inherit or receive open files from others. 33allow domain init:fd use; 34 35userdebug_or_eng(` 36 allow domain su:fd use; 37 allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown }; 38 allow domain su:unix_dgram_socket sendto; 39 40 allow { domain -init } su:binder { call transfer }; 41 42 # Running something like "pm dump com.android.bluetooth" requires 43 # fifo writes 44 allow domain su:fifo_file { write getattr }; 45 46 # allow "gdbserver --attach" to work for su. 47 allow domain su:process sigchld; 48 49 # Allow writing coredumps to /cores/* 50 allow domain coredump_file:file create_file_perms; 51 allow domain coredump_file:dir ra_dir_perms; 52') 53 54with_native_coverage(` 55 # Allow writing coverage information to /data/misc/trace 56 allow domain method_trace_data_file:dir create_dir_perms; 57 allow domain method_trace_data_file:file create_file_perms; 58') 59 60# Root fs. 61allow domain tmpfs:dir { getattr search }; 62allow domain rootfs:dir search; 63allow domain rootfs:lnk_file { read getattr }; 64 65# Device accesses. 66allow domain device:dir search; 67allow domain dev_type:lnk_file r_file_perms; 68allow domain devpts:dir search; 69allow domain dmabuf_heap_device:dir r_dir_perms; 70allow domain socket_device:dir r_dir_perms; 71allow domain owntty_device:chr_file rw_file_perms; 72allow domain null_device:chr_file rw_file_perms; 73allow domain zero_device:chr_file rw_file_perms; 74 75# /dev/ashmem is being deprecated by means of constraining and eventually 76# removing all "open" permissions. We preserve the other permissions. 77allow domain ashmem_device:chr_file { getattr read ioctl lock map append write }; 78# This device is used by libcutils, which is accessible to everyone. 79allow domain ashmem_libcutils_device:chr_file rw_file_perms; 80 81# /dev/binder can be accessed by ... everyone! :) 82allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms; 83 84# Restrict binder ioctls to an allowlist. Additional ioctl commands may be 85# added to individual domains, but this sets safe defaults for all processes. 86allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls }; 87 88# /dev/binderfs needs to be accessed by everyone too! 89allow domain binderfs:dir { getattr search }; 90allow domain binderfs_logs_proc:dir search; 91allow domain binderfs_features:dir search; 92allow domain binderfs_features:file r_file_perms; 93 94allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; 95allow domain ptmx_device:chr_file rw_file_perms; 96allow domain random_device:chr_file rw_file_perms; 97allow domain proc_random:dir r_dir_perms; 98allow domain proc_random:file r_file_perms; 99allow domain properties_device:dir { search getattr }; 100allow domain properties_serial:file r_file_perms; 101allow domain property_info:file r_file_perms; 102 103# Public readable properties 104get_prop(domain, aaudio_config_prop) 105get_prop(domain, apexd_select_prop) 106get_prop(domain, arm64_memtag_prop) 107get_prop(domain, bluetooth_config_prop) 108get_prop(domain, bootloader_prop) 109get_prop(domain, build_odm_prop) 110get_prop(domain, build_prop) 111get_prop(domain, build_vendor_prop) 112get_prop(domain, debug_prop) 113get_prop(domain, exported_config_prop) 114get_prop(domain, exported_default_prop) 115get_prop(domain, exported_dumpstate_prop) 116get_prop(domain, exported_secure_prop) 117get_prop(domain, exported_system_prop) 118get_prop(domain, fingerprint_prop) 119get_prop(domain, framework_status_prop) 120get_prop(domain, gwp_asan_prop) 121get_prop(domain, hal_instrumentation_prop) 122get_prop(domain, hw_timeout_multiplier_prop) 123get_prop(domain, init_service_status_prop) 124get_prop(domain, libc_debug_prop) 125get_prop(domain, logd_prop) 126get_prop(domain, mediadrm_config_prop) 127get_prop(domain, property_service_version_prop) 128get_prop(domain, soc_prop) 129get_prop(domain, socket_hook_prop) 130get_prop(domain, surfaceflinger_prop) 131get_prop(domain, telephony_status_prop) 132get_prop(domain, vendor_socket_hook_prop) 133get_prop(domain, vndk_prop) 134get_prop(domain, vold_status_prop) 135get_prop(domain, vts_config_prop) 136 137# Binder cache properties are world-readable 138get_prop(domain, binder_cache_bluetooth_server_prop) 139get_prop(domain, binder_cache_system_server_prop) 140get_prop(domain, binder_cache_telephony_server_prop) 141 142# Let everyone read log properties, so that liblog can avoid sending unloggable 143# messages to logd. 144get_prop(domain, log_property_type) 145dontaudit domain property_type:file audit_access; 146allow domain property_contexts_file:file r_file_perms; 147 148allow domain init:key search; 149allow domain vold:key search; 150 151# logd access 152write_logd(domain) 153 154# Directory/link file access for path resolution. 155allow domain { 156 system_file 157 system_lib_file 158 system_seccomp_policy_file 159 system_security_cacerts_file 160}:dir r_dir_perms; 161allow domain system_file:lnk_file { getattr read }; 162 163# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*, 164# /(system|product|system_ext)/etc/(group|passwd), linker and its config. 165allow domain system_seccomp_policy_file:file r_file_perms; 166# cacerts are accessible from public Java API. 167allow domain system_security_cacerts_file:file r_file_perms; 168allow domain system_group_file:file r_file_perms; 169allow domain system_passwd_file:file r_file_perms; 170allow domain system_linker_exec:file { execute read open getattr map }; 171allow domain system_linker_config_file:file r_file_perms; 172allow domain system_lib_file:file { execute read open getattr map }; 173# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc. 174allow domain system_linker_exec:lnk_file { read open getattr }; 175allow domain system_lib_file:lnk_file { read open getattr }; 176 177allow domain system_event_log_tags_file:file r_file_perms; 178 179allow { appdomain coredomain } system_file:file { execute read open getattr map }; 180 181# Make sure system/vendor split doesn not affect non-treble 182# devices 183not_full_treble(` 184 allow domain system_file:file { execute read open getattr map }; 185 allow domain vendor_file_type:dir { search getattr }; 186 allow domain vendor_file_type:file { execute read open getattr map }; 187 allow domain vendor_file_type:lnk_file { getattr read }; 188') 189 190# All domains are allowed to open and read directories 191# that contain HAL implementations (e.g. passthrough 192# HALs require clients to have these permissions) 193allow domain vendor_hal_file:dir r_dir_perms; 194 195# Everyone can read and execute all same process HALs 196allow domain same_process_hal_file:dir r_dir_perms; 197allow { 198 domain 199 -coredomain # access is explicitly granted to individual coredomains 200} same_process_hal_file:file { execute read open getattr map }; 201 202# Any process can load vndk-sp libraries, which are system libraries 203# used by same process HALs 204allow domain vndk_sp_file:dir r_dir_perms; 205allow domain vndk_sp_file:file { execute read open getattr map }; 206 207# All domains get access to /vendor/etc 208allow domain vendor_configs_file:dir r_dir_perms; 209allow domain vendor_configs_file:file { read open getattr map }; 210 211full_treble_only(` 212 # Allow all domains to be able to follow /system/vendor and/or 213 # /vendor/odm symlinks. 214 allow domain vendor_file_type:lnk_file { getattr open read }; 215 216 # This is required to be able to search & read /vendor/lib64 217 # in order to lookup vendor libraries. The execute permission 218 # for coredomains is granted *only* for same process HALs 219 allow domain vendor_file:dir { getattr search }; 220 221 # Allow reading and executing out of /vendor to all vendor domains 222 allow { domain -coredomain } vendor_file_type:dir r_dir_perms; 223 allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; 224 allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; 225') 226 227# read and stat any sysfs symlinks 228allow domain sysfs:lnk_file { getattr read }; 229 230# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for 231# timezone related information. 232# This directory is considered to be a VNDK-stable 233allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms; 234allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms; 235 236# Lots of processes access current CPU information 237r_dir_file(domain, sysfs_devices_system_cpu) 238 239r_dir_file(domain, sysfs_usb); 240 241# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically 242# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled. 243allow domain sysfs_transparent_hugepage:dir search; 244allow domain sysfs_transparent_hugepage:file r_file_perms; 245 246# files under /data. 247not_full_treble(` 248 allow domain system_data_file:dir getattr; 249') 250allow { coredomain appdomain } system_data_file:dir getattr; 251# /data has the label system_data_root_file. Vendor components need the search 252# permission on system_data_root_file for path traversal to /data/vendor. 253allow domain system_data_root_file:dir { search getattr } ; 254allow domain system_data_file:dir search; 255# TODO restrict this to non-coredomain 256allow domain vendor_data_file:dir { getattr search }; 257 258# required by the dynamic linker 259allow domain proc:lnk_file { getattr read }; 260 261# /proc/cpuinfo 262allow domain proc_cpuinfo:file r_file_perms; 263 264# /dev/cpu_variant:.* 265allow domain dev_cpu_variant:file r_file_perms; 266 267# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate 268allow domain proc_perf:file r_file_perms; 269 270# toybox loads libselinux which stats /sys/fs/selinux/ 271allow domain selinuxfs:dir search; 272allow domain selinuxfs:file getattr; 273allow domain sysfs:dir search; 274allow domain selinuxfs:filesystem getattr; 275 276# Almost all processes log tracing information to 277# /sys/kernel/debug/tracing/trace_marker 278# The reason behind this is documented in b/6513400 279allow domain debugfs:dir search; 280allow domain debugfs_tracing:dir search; 281allow domain debugfs_tracing_debug:dir search; 282allow domain debugfs_trace_marker:file w_file_perms; 283 284# Linux lockdown mode offers coarse-grained definitions for access controls. 285# The "confidentiality" level detects access to tracefs or the perf subsystem. 286# This overlaps with more precise declarations in Android's policy. The 287# debugfs_trace_marker above is an example in which all processes should have 288# some access to tracefs. Therefore, allow all domains to access this level. 289# The "integrity" level is however enforced. 290allow domain self:lockdown confidentiality; 291 292# Filesystem access. 293allow domain fs_type:filesystem getattr; 294allow domain fs_type:dir getattr; 295 296# Restrict all domains to an allowlist for common socket types. Additional 297# ioctl commands may be added to individual domains, but this sets safe 298# defaults for all processes. Note that granting this allowlist to domain does 299# not grant the ioctl permission on these socket types. That must be granted 300# separately. 301allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } 302 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 303# default allowlist for unix sockets. 304allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket } 305 ioctl unpriv_unix_sock_ioctls; 306 307# Restrict PTYs to only allowed ioctls. 308# Note that granting this allowlist to domain does 309# not grant the wider ioctl permission. That must be granted 310# separately. 311allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; 312 313# All domains must clearly enumerate what ioctls they use 314# on filesystem objects (plain files, directories, symbolic links, 315# named pipes, and named sockets). We start off with a safe set. 316allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX }; 317 318# If a domain has ioctl access to tun_device, it must clearly enumerate the 319# ioctls used. Safe defaults are listed below. 320allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX }; 321 322# Allow a process to make a determination whether a file descriptor 323# for a plain file or pipe (fifo_file) is a tty. Note that granting 324# this allowlist to domain does not grant the ioctl permission to 325# these files. That must be granted separately. 326allowxperm domain { file_type fs_type }:file ioctl { TCGETS }; 327allowxperm domain domain:fifo_file ioctl { TCGETS }; 328 329# If a domain has access to perform an ioctl on a block device, allow these 330# very common, benign ioctls 331allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET }; 332 333# Support sqlite F2FS specific optimizations 334# ioctl permission on the specific file type is still required 335# TODO: consider only compiling these rules if we know the 336# /data partition is F2FS 337allowxperm domain { file_type sdcard_type }:file ioctl { 338 F2FS_IOC_ABORT_VOLATILE_WRITE 339 F2FS_IOC_COMMIT_ATOMIC_WRITE 340 F2FS_IOC_GET_FEATURES 341 F2FS_IOC_GET_PIN_FILE 342 F2FS_IOC_SET_PIN_FILE 343 F2FS_IOC_START_ATOMIC_WRITE 344}; 345 346# Workaround for policy compiler being too aggressive and removing hwservice_manager_type 347# when it's not explicitly used in allow rules 348allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; 349# Workaround for policy compiler being too aggressive and removing vndservice_manager_type 350# when it's not explicitly used in allow rules 351allow { domain -domain } vndservice_manager_type:service_manager { add find }; 352 353# Under ASAN, processes will try to read /data, as the sanitized libraries are there. 354with_asan(`allow domain system_data_file:dir getattr;') 355# Under ASAN, /system/asan.options needs to be globally accessible. 356with_asan(`allow domain system_asan_options_file:file r_file_perms;') 357 358# read APEX dir and stat any symlink pointing to APEXs. 359allow domain apex_mnt_dir:dir { getattr search }; 360allow domain apex_mnt_dir:lnk_file r_file_perms; 361 362### 363### neverallow rules 364### 365 366# All ioctls on file-like objects (except chr_file and blk_file) and 367# sockets must be restricted to an allowlist. 368neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; 369 370# b/68014825 and https://android-review.googlesource.com/516535 371# rfc6093 says that processes should not use the TCP urgent mechanism 372neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; 373 374# TIOCSTI is only ever used for exploits. Block it. 375# b/33073072, b/7530569 376# http://www.openwall.com/lists/oss-security/2016/09/26/14 377neverallowxperm * devpts:chr_file ioctl TIOCSTI; 378 379# Do not allow any domain other than init to create unlabeled files. 380neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 381 382# Limit device node creation to these allowed domains. 383neverallow { 384 domain 385 -kernel 386 -init 387 -ueventd 388 -vold 389} self:global_capability_class_set mknod; 390 391# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). 392neverallow * self:memprotect mmap_zero; 393 394# No domain needs mac_override as it is unused by SELinux. 395neverallow * self:global_capability2_class_set mac_override; 396 397# Disallow attempts to set contexts not defined in current policy 398# This helps guarantee that unknown or dangerous contents will not ever 399# be set. 400neverallow * self:global_capability2_class_set mac_admin; 401 402# Once the policy has been loaded there shall be none to modify the policy. 403# It is sealed. 404neverallow * kernel:security load_policy; 405 406# Only init prior to switching context should be able to set enforcing mode. 407# init starts in kernel domain and switches to init domain via setcon in 408# the init.rc, so the setenforce occurs while still in kernel. After 409# switching domains, there is never any need to setenforce again by init. 410neverallow * kernel:security setenforce; 411neverallow { domain -kernel } kernel:security setcheckreqprot; 412 413# No booleans in AOSP policy, so no need to ever set them. 414neverallow * kernel:security setbool; 415 416# Adjusting the AVC cache threshold. 417# Not presently allowed to anything in policy, but possibly something 418# that could be set from init.rc. 419neverallow { domain -init } kernel:security setsecparam; 420 421# Only the kernel hwrng thread should be able to read from the HW RNG. 422neverallow { 423 domain 424 -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG 425 -shell # For CTS, restricted to just getattr in shell.te 426 -ueventd # To create the /dev/hw_random file 427} hw_random_device:chr_file *; 428# b/78174219 b/64114943 429neverallow { 430 domain 431 -shell # stat of /dev, getattr only 432 -ueventd 433} keychord_device:chr_file *; 434 435# Ensure that all entrypoint executables are in exec_type or postinstall_file. 436neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; 437 438# The dynamic linker always calls access(2) on the path. Don't generate SElinux 439# denials since the linker does not actually access the path in case the path 440# does not exist or isn't accessible for the process. 441dontaudit domain postinstall_mnt_dir:dir audit_access; 442 443#Ensure that nothing in userspace can access /dev/port 444neverallow { 445 domain 446 -shell # Shell user should not have any abilities outside of getattr 447 -ueventd 448} port_device:chr_file *; 449neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; 450# Only init should be able to configure kernel usermodehelpers or 451# security-sensitive proc settings. 452neverallow { domain -init } usermodehelper:file { append write }; 453neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; 454neverallow { domain -init -vendor_init } proc_security:file { append open read write }; 455 456# Init can't do anything with binder calls. If this neverallow rule is being 457# triggered, it's probably due to a service with no SELinux domain. 458neverallow * init:binder *; 459neverallow * vendor_init:binder *; 460 461# Don't allow raw read/write/open access to block_device 462# Rather force a relabel to a more specific type 463neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; 464 465# Do not allow renaming of block files or character files 466# Ability to do so can lead to possible use in an exploit chain 467# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html 468neverallow * *:{ blk_file chr_file } rename; 469 470# Don't allow raw read/write/open access to generic devices. 471# Rather force a relabel to a more specific type. 472neverallow domain device:chr_file { open read write }; 473 474# Files from cache should never be executed 475neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; 476 477# The test files and executables MUST not be accessible to any domain 478neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms; 479neverallow domain nativetest_data_file:dir no_w_dir_perms; 480neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; 481 482neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms; 483neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms; 484neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *; 485neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms }; 486neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *; 487 488# Only the init property service should write to /data/property and /dev/__properties__ 489neverallow { domain -init } property_data_file:dir no_w_dir_perms; 490neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; 491neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; 492neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; 493neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; 494 495# Nobody should be doing writes to /system & /vendor 496# These partitions are intended to be read-only and must never be 497# modified. Doing so would violate important Android security guarantees 498# and invalidate dm-verity signatures. 499neverallow { 500 domain 501 with_asan(`-asan_extract') 502 recovery_only(`userdebug_or_eng(`-fastbootd')') 503} { 504 system_file_type 505 vendor_file_type 506 exec_type 507}:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; 508 509neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto; 510 511# Don't allow mounting on top of /system files or directories 512neverallow * exec_type:dir_file_class_set mounton; 513 514# Nothing should be writing to files in the rootfs. 515neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; 516 517# Restrict context mounts to specific types marked with 518# the contextmount_type attribute. 519neverallow * {fs_type -contextmount_type}:filesystem relabelto; 520 521# Ensure that context mount types are not writable, to ensure that 522# the write to /system restriction above is not bypassed via context= 523# mount to another type. 524neverallow * contextmount_type:dir_file_class_set 525 { create setattr relabelfrom relabelto append link rename }; 526neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink }; 527 528# Do not allow service_manager add for default service labels. 529# Instead domains should use a more specific type such as 530# system_app_service rather than the generic type. 531# New service_types are defined in {,hw,vnd}service.te and new mappings 532# from service name to service_type are defined in {,hw,vnd}service_contexts. 533neverallow * default_android_service:service_manager *; 534neverallow * default_android_vndservice:service_manager *; 535neverallow * default_android_hwservice:hwservice_manager *; 536 537# Looking up the base class/interface of all HwBinder services is a bad idea. 538# hwservicemanager currently offer such lookups only to make it so that security 539# decisions are expressed in SELinux policy. However, it's unclear whether this 540# lookup has security implications. If it doesn't, hwservicemanager should be 541# modified to not offer this lookup. 542# This rule can be removed if hwservicemanager is modified to not permit these 543# lookups. 544neverallow * hidl_base_hwservice:hwservice_manager find; 545 546# Require that domains explicitly label unknown properties, and do not allow 547# anyone but init to modify unknown properties. 548neverallow { domain -init -vendor_init } mmc_prop:property_service set; 549neverallow { domain -init -vendor_init } vndk_prop:property_service set; 550 551compatible_property_only(` 552 neverallow { domain -init } mmc_prop:property_service set; 553 neverallow { domain -init -vendor_init } exported_default_prop:property_service set; 554 neverallow { domain -init } exported_secure_prop:property_service set; 555 neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; 556 neverallow { domain -init -vendor_init } storage_config_prop:property_service set; 557 neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set; 558') 559 560compatible_property_only(` 561 neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; 562 neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; 563') 564 565neverallow { domain -init } aac_drc_prop:property_service set; 566neverallow { domain -init } build_prop:property_service set; 567 568# Do not allow reading device's serial number from system properties except form 569# a few allowed domains. 570neverallow { 571 domain 572 -adbd 573 -dumpstate 574 -fastbootd 575 -hal_camera_server 576 -hal_cas_server 577 -hal_drm_server 578 userdebug_or_eng(`-incidentd') 579 -init 580 -mediadrmserver 581 -mediaserver 582 -recovery 583 -shell 584 -system_server 585 -vendor_init 586} serialno_prop:file r_file_perms; 587 588neverallow { 589 domain 590 -init 591 -recovery 592 -system_server 593 -shell # Shell is further restricted in shell.te 594 -ueventd # Further restricted in ueventd.te 595} frp_block_device:blk_file no_rw_file_perms; 596 597# The metadata block device is set aside for device encryption and 598# verified boot metadata. It may be reset at will and should not 599# be used by other domains. 600neverallow { 601 domain 602 -init 603 -recovery 604 -vold 605 -e2fs 606 -fsck 607 -fastbootd 608} metadata_block_device:blk_file { append link rename write open read ioctl lock }; 609 610# No domain other than recovery, update_engine and fastbootd can write to system partition(s). 611neverallow { 612 domain 613 -fastbootd 614 userdebug_or_eng(`-fsck') 615 userdebug_or_eng(`-init') 616 -recovery 617 -update_engine 618} system_block_device:blk_file { write append }; 619 620# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager 621neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; 622# The service managers are only allowed to access their own device node 623neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; 624neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; 625neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; 626neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; 627neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 628neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 629 630# system services cant add vendor services 631neverallow { 632 coredomain 633} vendor_service:service_manager add; 634 635full_treble_only(` 636 # vendor services cant add system services 637 neverallow { 638 domain 639 -coredomain 640 } { 641 service_manager_type 642 -vendor_service 643 }:service_manager add; 644') 645 646full_treble_only(` 647 # Vendor apps are permited to use only stable public services. If they were to use arbitrary 648 # services which can change any time framework/core is updated, breakage is likely. 649 # 650 # Note, this same logic applies to untrusted apps, but neverallows for these are separate. 651 neverallow { 652 appdomain 653 -coredomain 654 } { 655 service_manager_type 656 657 -app_api_service 658 -vendor_service # must be @VintfStability to be used by an app 659 -ephemeral_app_api_service 660 661 -apc_service 662 -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed 663 -cameraserver_service 664 -drmserver_service 665 -credstore_service 666 -keystore_maintenance_service 667 -keystore_service 668 -legacykeystore_service 669 -mediadrmserver_service 670 -mediaextractor_service 671 -mediametrics_service 672 -mediaserver_service 673 -nfc_service 674 -radio_service 675 -virtual_touchpad_service 676 -vr_manager_service 677 userdebug_or_eng(`-hal_face_service') 678 }:service_manager find; 679') 680 681# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. 682full_treble_only(` 683 neverallow { 684 coredomain 685 -shell 686 userdebug_or_eng(`-su') 687 -ueventd # uevent is granted create for this device, but we still neverallow I/O below 688 } vndbinder_device:chr_file rw_file_perms; 689') 690full_treble_only(` 691 neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; 692') 693full_treble_only(` 694 neverallow { 695 coredomain 696 -shell 697 userdebug_or_eng(`-su') 698 } vndservice_manager_type:service_manager *; 699') 700full_treble_only(` 701 neverallow { 702 coredomain 703 -shell 704 userdebug_or_eng(`-su') 705 } vndservicemanager:binder *; 706') 707 708# On full TREBLE devices, socket communications between core components and vendor components are 709# not permitted. 710 # Most general rules first, more specific rules below. 711 712 # Core domains are not permitted to initiate communications to vendor domain sockets. 713 # We are not restricting the use of already established sockets because it is fine for a process 714 # to obtain an already established socket via some public/official/stable API and then exchange 715 # data with its peer over that socket. The wire format in this scenario is dicatated by the API 716 # and thus does not break the core-vendor separation. 717full_treble_only(` 718 neverallow_establish_socket_comms({ 719 coredomain 720 -init 721 -adbd 722 }, { 723 domain 724 -coredomain 725 -socket_between_core_and_vendor_violators 726 }); 727') 728 729 # Vendor domains are not permitted to initiate create/open sockets owned by core domains 730full_treble_only(` 731 neverallow { 732 domain 733 -coredomain 734 -appdomain # appdomain restrictions below 735 -data_between_core_and_vendor_violators # b/70393317 736 -socket_between_core_and_vendor_violators 737 -vendor_init 738 } { 739 coredomain_socket 740 core_data_file_type 741 unlabeled # used only by core domains 742 }:sock_file ~{ append getattr ioctl read write }; 743') 744full_treble_only(` 745 neverallow { 746 appdomain 747 -coredomain 748 } { 749 coredomain_socket 750 unlabeled # used only by core domains 751 core_data_file_type 752 -app_data_file 753 -privapp_data_file 754 -pdx_endpoint_socket_type # used by VR layer 755 -pdx_channel_socket_type # used by VR layer 756 }:sock_file ~{ append getattr ioctl read write }; 757') 758 759 # Core domains are not permitted to create/open sockets owned by vendor domains 760full_treble_only(` 761 neverallow { 762 coredomain 763 -init 764 -ueventd 765 -socket_between_core_and_vendor_violators 766 } { 767 file_type 768 dev_type 769 -coredomain_socket 770 -core_data_file_type 771 -app_data_file_type 772 -unlabeled 773 }:sock_file ~{ append getattr ioctl read write }; 774') 775 776# On TREBLE devices, vendor and system components are only allowed to share 777# files by passing open FDs over hwbinder. Ban all directory access and all file 778# accesses other than what can be applied to an open FD such as 779# ioctl/stat/read/write/append. This is enforced by segregating /data. 780# Vendor domains may directly access file in /data/vendor by path, but may only 781# access files outside of /data/vendor via an open FD passed over hwbinder. 782# Likewise, core domains may only directly access files outside /data/vendor by 783# path and files in /data/vendor by open FD. 784full_treble_only(` 785 # only coredomains may only access core_data_file_type, particularly not 786 # /data/vendor 787 neverallow { 788 coredomain 789 -appdomain # TODO(b/34980020) remove exemption for appdomain 790 -data_between_core_and_vendor_violators 791 -init 792 -vold_prepare_subdirs 793 } { 794 data_file_type 795 -core_data_file_type 796 -app_data_file_type 797 }:file_class_set ~{ append getattr ioctl read write map }; 798') 799full_treble_only(` 800 neverallow { 801 coredomain 802 -appdomain # TODO(b/34980020) remove exemption for appdomain 803 -data_between_core_and_vendor_violators 804 -init 805 -vold_prepare_subdirs 806 } { 807 data_file_type 808 -core_data_file_type 809 -app_data_file_type 810 # TODO(b/72998741) Remove exemption. Further restricted in a subsequent 811 # neverallow. Currently only getattr and search are allowed. 812 -vendor_data_file 813 }:dir *; 814 815') 816full_treble_only(` 817 # vendor domains may only access files in /data/vendor, never core_data_file_types 818 neverallow { 819 domain 820 -appdomain # TODO(b/34980020) remove exemption for appdomain 821 -coredomain 822 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 823 -vendor_init 824 } { 825 core_data_file_type 826 # libc includes functions like mktime and localtime which attempt to access 827 # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata. 828 # These functions are considered vndk-stable and thus must be allowed for 829 # all processes. 830 -zoneinfo_data_file 831 with_native_coverage(`-method_trace_data_file') 832 }:file_class_set ~{ append getattr ioctl read write map }; 833 neverallow { 834 vendor_init 835 -data_between_core_and_vendor_violators 836 } { 837 core_data_file_type 838 -unencrypted_data_file 839 -zoneinfo_data_file 840 with_native_coverage(`-method_trace_data_file') 841 }:file_class_set ~{ append getattr ioctl read write map }; 842 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 843 # The vendor init binary lives on the system partition so there is not a concern with stability. 844 neverallow vendor_init unencrypted_data_file:file ~r_file_perms; 845') 846full_treble_only(` 847 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 848 neverallow { 849 domain 850 -appdomain # TODO(b/34980020) remove exemption for appdomain 851 -coredomain 852 -data_between_core_and_vendor_violators 853 -vendor_init 854 } { 855 core_data_file_type 856 -system_data_file # default label for files on /data. Covered below... 857 -system_data_root_file 858 -vendor_data_file 859 -zoneinfo_data_file 860 with_native_coverage(`-method_trace_data_file') 861 }:dir *; 862 neverallow { 863 vendor_init 864 -data_between_core_and_vendor_violators 865 } { 866 core_data_file_type 867 -unencrypted_data_file 868 -system_data_file 869 -system_data_root_file 870 -vendor_data_file 871 -zoneinfo_data_file 872 with_native_coverage(`-method_trace_data_file') 873 }:dir *; 874 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 875 # The vendor init binary lives on the system partition so there is not a concern with stability. 876 neverallow vendor_init unencrypted_data_file:dir ~search; 877') 878full_treble_only(` 879 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 880 neverallow { 881 domain 882 -appdomain # TODO(b/34980020) remove exemption for appdomain 883 -coredomain 884 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 885 } { 886 system_data_file # default label for files on /data. Covered below 887 }:dir ~{ getattr search }; 888') 889 890full_treble_only(` 891 # coredomains may not access dirs in /data/vendor. 892 neverallow { 893 coredomain 894 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 895 -init 896 -vold # vold creates per-user storage for both system and vendor 897 -vold_prepare_subdirs 898 } { 899 vendor_data_file # default label for files on /data. Covered below 900 }:dir ~{ getattr search }; 901') 902 903full_treble_only(` 904 # coredomains may not access dirs in /data/vendor. 905 neverallow { 906 coredomain 907 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 908 -init 909 } { 910 vendor_data_file # default label for files on /data/vendor{,_ce,_de}. 911 }:file_class_set ~{ append getattr ioctl read write map }; 912') 913 914full_treble_only(` 915 # Non-vendor domains are not allowed to file execute shell 916 # from vendor 917 neverallow { 918 coredomain 919 -init 920 -shell 921 -ueventd 922 } vendor_shell_exec:file { execute execute_no_trans }; 923') 924 925full_treble_only(` 926 # Do not allow vendor components to execute files from system 927 # except for the ones allowed here. 928 neverallow { 929 domain 930 -coredomain 931 -appdomain 932 -vendor_executes_system_violators 933 -vendor_init 934 } { 935 system_file_type 936 -system_lib_file 937 -system_linker_exec 938 -crash_dump_exec 939 -iorap_prefetcherd_exec 940 -iorap_inode2filename_exec 941 -netutils_wrapper_exec 942 userdebug_or_eng(`-tcpdump_exec') 943 }:file { entrypoint execute execute_no_trans }; 944') 945 946full_treble_only(` 947 # Do not allow coredomain to access entrypoint for files other 948 # than system_file_type and postinstall_file 949 neverallow coredomain { 950 file_type 951 -system_file_type 952 -postinstall_file 953 }:file entrypoint; 954 # Do not allow domains other than coredomain to access entrypoint 955 # for anything but vendor_file_type and init_exec for vendor_init. 956 neverallow { domain -coredomain } { 957 file_type 958 -vendor_file_type 959 -init_exec 960 }:file entrypoint; 961') 962 963full_treble_only(` 964 # Do not allow system components to execute files from vendor 965 # except for the ones allowed here. 966 neverallow { 967 coredomain 968 -init 969 -shell 970 -system_executes_vendor_violators 971 -ueventd 972 } { 973 vendor_file_type 974 -same_process_hal_file 975 -vndk_sp_file 976 -vendor_app_file 977 -vendor_public_framework_file 978 -vendor_public_lib_file 979 }:file execute; 980') 981 982full_treble_only(` 983 neverallow { 984 coredomain 985 -shell 986 -system_executes_vendor_violators 987 } { 988 vendor_file_type 989 -same_process_hal_file 990 }:file execute_no_trans; 991') 992 993full_treble_only(` 994 # Do not allow vendor components access to /system files except for the 995 # ones allowed here. 996 neverallow { 997 domain 998 -appdomain 999 -coredomain 1000 -vendor_executes_system_violators 1001 # vendor_init needs access to init_exec for domain transition. vendor_init 1002 # neverallows are covered in public/vendor_init.te 1003 -vendor_init 1004 } { 1005 system_file_type 1006 -crash_dump_exec 1007 -file_contexts_file 1008 -iorap_inode2filename_exec 1009 -netutils_wrapper_exec 1010 -property_contexts_file 1011 -system_event_log_tags_file 1012 -system_group_file 1013 -system_lib_file 1014 with_asan(`-system_asan_options_file') 1015 -system_linker_exec 1016 -system_linker_config_file 1017 -system_passwd_file 1018 -system_seccomp_policy_file 1019 -system_security_cacerts_file 1020 -system_zoneinfo_file 1021 -task_profiles_api_file 1022 -task_profiles_file 1023 userdebug_or_eng(`-tcpdump_exec') 1024 }:file *; 1025') 1026 1027# Only system_server should be able to send commands via the zygote socket 1028neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 1029neverallow { domain -system_server } zygote_socket:sock_file write; 1030 1031neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto; 1032neverallow { domain -system_server } webview_zygote:sock_file write; 1033neverallow { domain -system_server } app_zygote:sock_file write; 1034 1035neverallow domain tombstoned_crash_socket:unix_stream_socket connectto; 1036 1037# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to 1038# the tombstoned intercept socket. 1039neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; 1040neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 1041 1042# Never allow anyone but system_server to read heapdumps in /data/system/heapdump. 1043neverallow { domain -init -system_server } heapdump_data_file:file read; 1044 1045# Android does not support System V IPCs. 1046# 1047# The reason for this is due to the fact that, by design, they lead to global 1048# kernel resource leakage. 1049# 1050# For example, there is no way to automatically release a SysV semaphore 1051# allocated in the kernel when: 1052# 1053# - a buggy or malicious process exits 1054# - a non-buggy and non-malicious process crashes or is explicitly killed. 1055# 1056# Killing processes automatically to make room for new ones is an 1057# important part of Android's application lifecycle implementation. This means 1058# that, even assuming only non-buggy and non-malicious code, it is very likely 1059# that over time, the kernel global tables used to implement SysV IPCs will fill 1060# up. 1061neverallow * *:{ shm sem msg msgq } *; 1062 1063# Do not mount on top of symlinks, fifos, or sockets. 1064# Feature parity with Chromium LSM. 1065neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 1066 1067# Nobody should be able to execute su on user builds. 1068# On userdebug/eng builds, only dumpstate, shell, and 1069# su itself execute su. 1070neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 1071 1072# Do not allow the introduction of new execmod rules. Text relocations 1073# and modification of executable pages are unsafe. 1074# The only exceptions are for NDK text relocations associated with 1075# https://code.google.com/p/android/issues/detail?id=23203 1076# which, long term, need to go away. 1077neverallow * { 1078 file_type 1079 -apk_data_file 1080 -app_data_file 1081 -asec_public_file 1082}:file execmod; 1083 1084# Do not allow making the stack or heap executable. 1085# We would also like to minimize execmem but it seems to be 1086# required by some device-specific service domains. 1087neverallow * self:process { execstack execheap }; 1088 1089# Do not allow the introduction of new execmod rules. Text relocations 1090# and modification of executable pages are unsafe. 1091neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod; 1092 1093neverallow { domain -init } proc:{ file dir } mounton; 1094 1095# Ensure that all types assigned to processes are included 1096# in the domain attribute, so that all allow and neverallow rules 1097# written on domain are applied to all processes. 1098# This is achieved by ensuring that it is impossible to transition 1099# from a domain to a non-domain type and vice versa. 1100# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 1101neverallow ~domain domain:process { transition dyntransition }; 1102 1103# 1104# Only system_app and system_server should be creating or writing 1105# their files. The proper way to share files is to setup 1106# type transitions to a more specific type or assigning a type 1107# to its parent directory via a file_contexts entry. 1108# Example type transition: 1109# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 1110# 1111neverallow { 1112 domain 1113 -system_server 1114 -system_app 1115 -init 1116 -toolbox # TODO(b/141108496) We want to remove toolbox 1117 -installd # for relabelfrom and unlink, check for this in explicit neverallow 1118 -vold_prepare_subdirs # For unlink 1119 with_asan(`-asan_extract') 1120} system_data_file:file no_w_file_perms; 1121# do not grant anything greater than r_file_perms and relabelfrom unlink 1122# to installd 1123neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 1124 1125# 1126# Only these domains should transition to shell domain. This domain is 1127# permissible for the "shell user". If you need a process to exec a shell 1128# script with differing privilege, define a domain and set up a transition. 1129# 1130neverallow { 1131 domain 1132 -adbd 1133 -init 1134 -runas 1135 -zygote 1136} shell:process { transition dyntransition }; 1137 1138# Only domains spawned from zygote, runas and simpleperf_app_runner may have 1139# the appdomain attribute. simpleperf is excluded as a domain transitioned to 1140# when running an app-scoped profiling session. 1141neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } { 1142 appdomain -shell -simpleperf userdebug_or_eng(`-su') 1143}:process { transition dyntransition }; 1144 1145# Minimize read access to shell- or app-writable symlinks. 1146# This is to prevent malicious symlink attacks. 1147neverallow { 1148 domain 1149 -appdomain 1150 -installd 1151} { app_data_file privapp_data_file }:lnk_file read; 1152 1153neverallow { 1154 domain 1155 -shell 1156 userdebug_or_eng(`-uncrypt') 1157 -installd 1158} shell_data_file:lnk_file read; 1159 1160# In addition to the symlink reading restrictions above, restrict 1161# write access to shell owned directories. The /data/local/tmp 1162# directory is untrustworthy, and non-allowed domains should 1163# not be trusting any content in those directories. 1164neverallow { 1165 domain 1166 -adbd 1167 -dumpstate 1168 -installd 1169 -init 1170 -shell 1171 -vold 1172} shell_data_file:dir no_w_dir_perms; 1173 1174neverallow { 1175 domain 1176 -adbd 1177 -appdomain 1178 -dumpstate 1179 -init 1180 -installd 1181 -iorap_inode2filename 1182 -simpleperf_app_runner 1183 -system_server # why? 1184 userdebug_or_eng(`-uncrypt') 1185} shell_data_file:dir { open search }; 1186 1187# servicemanager and vndservicemanager are the only processes which handle the 1188# service_manager list request 1189neverallow * ~{ 1190 servicemanager 1191 vndservicemanager 1192 }:service_manager list; 1193 1194# hwservicemanager is the only process which handles hw list requests 1195neverallow * ~{ 1196 hwservicemanager 1197 }:hwservice_manager list; 1198 1199# only service_manager_types can be added to service_manager 1200# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 1201 1202# Prevent assigning non property types to properties 1203# TODO - rework this: neverallow * ~property_type:property_service set; 1204 1205# Domain types should never be assigned to any files other 1206# than the /proc/pid files associated with a process. The 1207# executable file used to enter a domain should be labeled 1208# with its own _exec type, not with the domain type. 1209# Conventionally, this looks something like: 1210# $ cat mydaemon.te 1211# type mydaemon, domain; 1212# type mydaemon_exec, exec_type, file_type; 1213# init_daemon_domain(mydaemon) 1214# $ grep mydaemon file_contexts 1215# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 1216neverallow * domain:file { execute execute_no_trans entrypoint }; 1217 1218# Do not allow access to the generic debugfs label. This is too broad. 1219# Instead, if access to part of debugfs is desired, it should have a 1220# more specific label. 1221# TODO: fix dumpstate 1222neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms; 1223 1224# Do not allow executable files in debugfs. 1225neverallow domain debugfs_type:file { execute execute_no_trans }; 1226 1227# Don't allow access to the FUSE control filesystem, except to vold and init's 1228neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms; 1229 1230# Profiles contain untrusted data and profman parses that. We should only run 1231# in from installd forked processes. 1232neverallow { 1233 domain 1234 -installd 1235 -profman 1236} profman_exec:file no_x_file_perms; 1237 1238# Enforce restrictions on kernel module origin. 1239# Do not allow kernel module loading except from system, 1240# vendor, boot, and system_dlkm partitions. 1241# TODO(b/218951883): Remove usage of system and rootfs as origin 1242neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load; 1243 1244# Only allow filesystem caps to be set at build time. Runtime changes 1245# to filesystem capabilities are not permitted. 1246neverallow * self:global_capability_class_set setfcap; 1247 1248# Enforce AT_SECURE for executing crash_dump. 1249neverallow domain crash_dump:process noatsecure; 1250 1251# Do not permit non-core domains to register HwBinder services which are 1252# guaranteed to be provided by core domains only. 1253neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1254 1255# Do not permit the registeration of HwBinder services which are guaranteed to 1256# be passthrough only (i.e., run in the process of their clients instead of a 1257# separate server process). 1258neverallow * same_process_hwservice:hwservice_manager add; 1259 1260# If an already existing file is opened with O_CREAT, the kernel might generate 1261# a false report of a create denial. Silence these denials and make sure that 1262# inappropriate permissions are not granted. 1263 1264# These filesystems don't allow files or directories to be created, so the permission 1265# to do so should never be granted. 1266neverallow domain { 1267 proc_type 1268 sysfs_type 1269}:dir { add_name create link remove_name rename reparent rmdir write }; 1270 1271# cgroupfs directories can be created, but not files within them. 1272neverallow domain cgroup:file create; 1273neverallow domain cgroup_v2:file create; 1274 1275dontaudit domain proc_type:dir write; 1276dontaudit domain sysfs_type:dir write; 1277dontaudit domain cgroup:file create; 1278dontaudit domain cgroup_v2:file create; 1279 1280# These are only needed in permissive mode - in enforcing mode the 1281# directory write check fails and so these are never attempted. 1282userdebug_or_eng(` 1283 dontaudit domain proc_type:dir add_name; 1284 dontaudit domain sysfs_type:dir add_name; 1285 dontaudit domain proc_type:file create; 1286 dontaudit domain sysfs_type:file create; 1287') 1288 1289# Platform must not have access to /mnt/vendor. 1290neverallow { 1291 coredomain 1292 -init 1293 -ueventd 1294 -vold 1295 -system_writes_mnt_vendor_violators 1296} mnt_vendor_file:dir *; 1297 1298# Only apps are allowed access to vendor public libraries. 1299full_treble_only(` 1300 neverallow { 1301 coredomain 1302 -appdomain 1303 } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans }; 1304') 1305 1306# Vendor domian must not have access to /mnt/product. 1307neverallow { 1308 domain 1309 -coredomain 1310} mnt_product_file:dir *; 1311 1312# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL 1313full_treble_only(` 1314 neverallow { 1315 coredomain 1316 -shell 1317 # For access to block device information under /sys/class/block. 1318 -apexd 1319 # Read sysfs block device information. 1320 -init 1321 # Generate uevents for health info 1322 -ueventd 1323 # Recovery uses health HAL passthrough implementation. 1324 -recovery 1325 # Charger uses health HAL passthrough implementation. 1326 -charger 1327 # TODO(b/110891300): remove this exception 1328 -incidentd 1329 } sysfs_batteryinfo:file { open read }; 1330') 1331 1332neverallow { 1333 domain 1334 -hal_codec2_server 1335 -hal_omx_server 1336} hal_codec2_hwservice:hwservice_manager add; 1337 1338# Only apps targetting < Q are allowed to open /dev/ashmem directly. 1339# Apps must use ASharedMemory NDK API. Native code must use libcutils API. 1340neverallow { 1341 domain 1342 -ephemeral_app # We don't distinguish ephemeral apps based on target API. 1343 -untrusted_app_25 1344 -untrusted_app_27 1345} ashmem_device:chr_file open; 1346 1347neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *; 1348 1349# Linux lockdown "integrity" level is enforced for user builds. 1350neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity; 1351