1# Rules for all domains. 2 3# Allow reaping by init. 4allow domain init:process sigchld; 5 6# Intra-domain accesses. 7allow domain self:process { 8 fork 9 sigchld 10 sigkill 11 sigstop 12 signull 13 signal 14 getsched 15 setsched 16 getsession 17 getpgid 18 setpgid 19 getcap 20 setcap 21 getattr 22 setrlimit 23}; 24allow domain self:fd use; 25allow domain proc:dir r_dir_perms; 26allow domain proc_net_type:dir search; 27r_dir_file(domain, self) 28allow domain self:{ fifo_file file } rw_file_perms; 29allow domain self:unix_dgram_socket { create_socket_perms sendto }; 30allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31 32# Inherit or receive open files from others. 33allow domain init:fd use; 34 35userdebug_or_eng(` 36 allow domain su:fd use; 37 allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown }; 38 allow domain su:unix_dgram_socket sendto; 39 40 allow { domain -init } su:binder { call transfer }; 41 42 # Running something like "pm dump com.android.bluetooth" requires 43 # fifo writes 44 allow domain su:fifo_file { write getattr }; 45 46 # allow "gdbserver --attach" to work for su. 47 allow domain su:process sigchld; 48 49 # Allow writing coredumps to /cores/* 50 allow domain coredump_file:file create_file_perms; 51 allow domain coredump_file:dir ra_dir_perms; 52') 53 54with_native_coverage(` 55 # Allow writing coverage information to /data/misc/trace 56 allow domain method_trace_data_file:dir create_dir_perms; 57 allow domain method_trace_data_file:file create_file_perms; 58') 59 60# Root fs. 61allow domain tmpfs:dir { getattr search }; 62allow domain rootfs:dir search; 63allow domain rootfs:lnk_file { read getattr }; 64 65# Device accesses. 66allow domain device:dir search; 67allow domain dev_type:lnk_file r_file_perms; 68allow domain devpts:dir search; 69allow domain dmabuf_heap_device:dir r_dir_perms; 70allow domain socket_device:dir r_dir_perms; 71allow domain owntty_device:chr_file rw_file_perms; 72allow domain null_device:chr_file rw_file_perms; 73allow domain zero_device:chr_file rw_file_perms; 74 75# /dev/ashmem is being deprecated by means of constraining and eventually 76# removing all "open" permissions. We preserve the other permissions. 77allow domain ashmem_device:chr_file { getattr read ioctl lock map append write }; 78# This device is used by libcutils, which is accessible to everyone. 79allow domain ashmem_libcutils_device:chr_file rw_file_perms; 80 81# /dev/binder can be accessed by ... everyone! :) 82allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms; 83get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop) 84 85# Restrict binder ioctls to an allowlist. Additional ioctl commands may be 86# added to individual domains, but this sets safe defaults for all processes. 87allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls }; 88 89# /dev/binderfs needs to be accessed by everyone too! 90allow domain binderfs:dir { getattr search }; 91allow domain binderfs_logs_proc:dir search; 92allow domain binderfs_features:dir search; 93allow domain binderfs_features:file r_file_perms; 94 95allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; 96allow domain ptmx_device:chr_file rw_file_perms; 97allow domain random_device:chr_file rw_file_perms; 98allow domain proc_random:dir r_dir_perms; 99allow domain proc_random:file r_file_perms; 100allow domain properties_device:dir { search getattr }; 101allow domain properties_serial:file r_file_perms; 102allow domain property_info:file r_file_perms; 103 104# Let everyone read log properties, so that liblog can avoid sending unloggable 105# messages to logd. 106get_prop(domain, log_property_type) 107dontaudit domain property_type:file audit_access; 108allow domain property_contexts_file:file r_file_perms; 109 110allow domain init:key search; 111allow domain vold:key search; 112 113# logd access 114write_logd(domain) 115 116# Directory/link file access for path resolution. 117allow domain { 118 system_file 119 system_lib_file 120 system_seccomp_policy_file 121 system_security_cacerts_file 122}:dir r_dir_perms; 123allow domain system_file:lnk_file { getattr read }; 124 125# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*, 126# /(system|product|system_ext)/etc/(group|passwd), linker and its config. 127allow domain system_seccomp_policy_file:file r_file_perms; 128# cacerts are accessible from public Java API. 129allow domain system_security_cacerts_file:file r_file_perms; 130allow domain system_group_file:file r_file_perms; 131allow domain system_passwd_file:file r_file_perms; 132allow domain system_linker_exec:file { execute read open getattr map }; 133allow domain system_linker_config_file:file r_file_perms; 134allow domain system_lib_file:file { execute read open getattr map }; 135# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc. 136allow domain system_linker_exec:lnk_file { read open getattr }; 137allow domain system_lib_file:lnk_file { read open getattr }; 138 139allow domain system_event_log_tags_file:file r_file_perms; 140 141allow { appdomain coredomain } system_file:file { execute read open getattr map }; 142 143# Make sure system/vendor split doesn not affect non-treble 144# devices 145not_full_treble(` 146 allow domain system_file:file { execute read open getattr map }; 147 allow domain vendor_file_type:dir { search getattr }; 148 allow domain vendor_file_type:file { execute read open getattr map }; 149 allow domain vendor_file_type:lnk_file { getattr read }; 150') 151 152# All domains are allowed to open and read directories 153# that contain HAL implementations (e.g. passthrough 154# HALs require clients to have these permissions) 155allow domain vendor_hal_file:dir r_dir_perms; 156 157# Everyone can read and execute all same process HALs 158allow domain same_process_hal_file:dir r_dir_perms; 159allow { 160 domain 161 -coredomain # access is explicitly granted to individual coredomains 162} same_process_hal_file:file { execute read open getattr map }; 163 164# Any process can load vndk-sp libraries, which are system libraries 165# used by same process HALs 166allow domain vndk_sp_file:dir r_dir_perms; 167allow domain vndk_sp_file:file { execute read open getattr map }; 168 169# All domains get access to /vendor/etc 170allow domain vendor_configs_file:dir r_dir_perms; 171allow domain vendor_configs_file:file { read open getattr map }; 172 173full_treble_only(` 174 # Allow all domains to be able to follow /system/vendor and/or 175 # /vendor/odm symlinks. 176 allow domain vendor_file_type:lnk_file { getattr open read }; 177 178 # This is required to be able to search & read /vendor/lib64 179 # in order to lookup vendor libraries. The execute permission 180 # for coredomains is granted *only* for same process HALs 181 allow domain vendor_file:dir { getattr search }; 182 183 # Allow reading and executing out of /vendor to all vendor domains 184 allow { domain -coredomain } vendor_file_type:dir r_dir_perms; 185 allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; 186 allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; 187') 188 189# read and stat any sysfs symlinks 190allow domain sysfs:lnk_file { getattr read }; 191 192# libc references /system/usr/share/zoneinfo for timezone related information. 193# This directory is considered to be a VNDK-stable 194allow domain { system_zoneinfo_file }:file r_file_perms; 195allow domain { system_zoneinfo_file }:dir r_dir_perms; 196 197# Lots of processes access current CPU information 198r_dir_file(domain, sysfs_devices_system_cpu) 199 200r_dir_file(domain, sysfs_usb); 201 202# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically 203# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled. 204allow domain sysfs_transparent_hugepage:dir search; 205allow domain sysfs_transparent_hugepage:file r_file_perms; 206 207# Allow search access, and sometimes getattr access, to various directories 208# under /data. We are fairly lenient in allowing search access to top-level 209# dirs that commonly need to be traversed to get access to the "real" files, as 210# this greatly simplifies the policy and doesn't open up much attack surface. 211not_full_treble(` 212 allow domain system_data_file:dir getattr; 213') 214allow { coredomain appdomain } system_data_file:dir getattr; 215# Anything that accesses anything in /data needs search access to /data itself. 216# This includes vendor components, as they need to access /data/vendor. 217allow domain system_data_root_file:dir { search getattr } ; 218# system_data_file is the default type for directories in /data. Anything 219# accessing data files with a more specific type often has to traverse a 220# system_data_file directory such as /data/misc to get there. 221allow domain system_data_file:dir search; 222# Anything that accesses files in /data/user (and /data/user_de, etc.) needs 223# search access to these directories themselves. getattr access is sometimes 224# needed too. 225allow { coredomain appdomain } system_userdir_file:dir { search getattr }; 226# Anything that accesses files in /data/media needs search access to /data/media 227# itself. 228allow { coredomain appdomain } media_userdir_file:dir search; 229# TODO restrict this to non-coredomain 230allow domain vendor_userdir_file:dir { getattr search }; 231allow domain vendor_data_file:dir { getattr search }; 232 233# required by the dynamic linker 234allow domain proc:lnk_file { getattr read }; 235 236# /proc/cpuinfo 237allow domain proc_cpuinfo:file r_file_perms; 238 239# /dev/cpu_variant:.* 240allow domain dev_cpu_variant:file r_file_perms; 241 242# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate 243allow domain proc_perf:file r_file_perms; 244 245# toybox loads libselinux which stats /sys/fs/selinux/ 246allow domain selinuxfs:dir search; 247allow domain selinuxfs:file getattr; 248allow domain sysfs:dir search; 249allow domain selinuxfs:filesystem getattr; 250 251# Almost all processes log tracing information to 252# /sys/kernel/debug/tracing/trace_marker 253# The reason behind this is documented in b/6513400 254allow domain debugfs:dir search; 255allow domain debugfs_tracing:dir search; 256allow domain debugfs_tracing_debug:dir search; 257allow domain debugfs_trace_marker:file w_file_perms; 258 259# Linux lockdown mode offers coarse-grained definitions for access controls. 260# The "confidentiality" level detects access to tracefs or the perf subsystem. 261# This overlaps with more precise declarations in Android's policy. The 262# debugfs_trace_marker above is an example in which all processes should have 263# some access to tracefs. Therefore, allow all domains to access this level. 264# The "integrity" level is however enforced. 265allow domain self:lockdown confidentiality; 266 267# Filesystem access. 268allow domain fs_type:filesystem getattr; 269allow domain fs_type:dir getattr; 270 271# Restrict all domains to an allowlist for common socket types. Additional 272# ioctl commands may be added to individual domains, but this sets safe 273# defaults for all processes. Note that granting this allowlist to domain does 274# not grant the ioctl permission on these socket types. That must be granted 275# separately. 276allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } 277 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 278# default allowlist for unix sockets. 279allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket } 280 ioctl unpriv_unix_sock_ioctls; 281 282# Restrict PTYs to only allowed ioctls. 283# Note that granting this allowlist to domain does 284# not grant the wider ioctl permission. That must be granted 285# separately. 286allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; 287 288# All domains must clearly enumerate what ioctls they use 289# on filesystem objects (plain files, directories, symbolic links, 290# named pipes, and named sockets). We start off with a safe set. 291allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX }; 292 293# If a domain has ioctl access to tun_device, it must clearly enumerate the 294# ioctls used. Safe defaults are listed below. 295allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX }; 296 297# Allow a process to make a determination whether a file descriptor 298# for a plain file or pipe (fifo_file) is a tty. Note that granting 299# this allowlist to domain does not grant the ioctl permission to 300# these files. That must be granted separately. 301allowxperm domain { file_type fs_type }:file ioctl { TCGETS }; 302allowxperm domain domain:fifo_file ioctl { TCGETS }; 303 304# If a domain has access to perform an ioctl on a block device, allow these 305# very common, benign ioctls 306allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET }; 307 308# Support sqlite F2FS specific optimizations 309# ioctl permission on the specific file type is still required 310# TODO: consider only compiling these rules if we know the 311# /data partition is F2FS 312allowxperm domain { file_type sdcard_type }:file ioctl { 313 F2FS_IOC_ABORT_VOLATILE_WRITE 314 F2FS_IOC_COMMIT_ATOMIC_WRITE 315 F2FS_IOC_GET_FEATURES 316 F2FS_IOC_GET_PIN_FILE 317 F2FS_IOC_SET_PIN_FILE 318 F2FS_IOC_START_ATOMIC_WRITE 319}; 320 321# Workaround for policy compiler being too aggressive and removing hwservice_manager_type 322# when it's not explicitly used in allow rules 323allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; 324# Workaround for policy compiler being too aggressive and removing vndservice_manager_type 325# when it's not explicitly used in allow rules 326allow { domain -domain } vndservice_manager_type:service_manager { add find }; 327 328# Under ASAN, processes will try to read /data, as the sanitized libraries are there. 329with_asan(`allow domain system_data_file:dir getattr;') 330# Under ASAN, /system/asan.options needs to be globally accessible. 331with_asan(`allow domain system_asan_options_file:file r_file_perms;') 332 333# read APEX dir and stat any symlink pointing to APEXs. 334allow domain apex_mnt_dir:dir { getattr search }; 335allow domain apex_mnt_dir:lnk_file r_file_perms; 336 337### 338### neverallow rules 339### 340 341# All ioctls on file-like objects (except chr_file and blk_file) and 342# sockets must be restricted to an allowlist. 343neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; 344 345# b/68014825 and https://android-review.googlesource.com/516535 346# rfc6093 says that processes should not use the TCP urgent mechanism 347neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; 348 349# TIOCSTI is only ever used for exploits. Block it. 350# b/33073072, b/7530569 351# http://www.openwall.com/lists/oss-security/2016/09/26/14 352neverallowxperm * devpts:chr_file ioctl TIOCSTI; 353 354# Do not allow any domain other than init to create unlabeled files. 355neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 356 357# Limit device node creation to these allowed domains. 358neverallow { 359 domain 360 -kernel 361 -init 362 -ueventd 363 -vold 364} self:global_capability_class_set mknod; 365 366# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). 367neverallow * self:memprotect mmap_zero; 368 369# No domain needs mac_override as it is unused by SELinux. 370neverallow * self:global_capability2_class_set mac_override; 371 372# Disallow attempts to set contexts not defined in current policy 373# This helps guarantee that unknown or dangerous contents will not ever 374# be set. 375neverallow * self:global_capability2_class_set mac_admin; 376 377# Once the policy has been loaded there shall be none to modify the policy. 378# It is sealed. 379neverallow * kernel:security load_policy; 380 381# Only init prior to switching context should be able to set enforcing mode. 382# init starts in kernel domain and switches to init domain via setcon in 383# the init.rc, so the setenforce occurs while still in kernel. After 384# switching domains, there is never any need to setenforce again by init. 385neverallow * kernel:security setenforce; 386neverallow { domain -kernel } kernel:security setcheckreqprot; 387 388# No booleans in AOSP policy, so no need to ever set them. 389neverallow * kernel:security setbool; 390 391# Adjusting the AVC cache threshold. 392# Not presently allowed to anything in policy, but possibly something 393# that could be set from init.rc. 394neverallow { domain -init } kernel:security setsecparam; 395 396# Only the kernel hwrng thread should be able to read from the HW RNG. 397neverallow { 398 domain 399 -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG 400 -shell # For CTS, restricted to just getattr in shell.te 401 -ueventd # To create the /dev/hw_random file 402} hw_random_device:chr_file *; 403# b/78174219 b/64114943 404neverallow { 405 domain 406 -shell # stat of /dev, getattr only 407 -ueventd 408} keychord_device:chr_file *; 409 410# Ensure that all entrypoint executables are in exec_type or postinstall_file. 411neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; 412 413# The dynamic linker always calls access(2) on the path. Don't generate SElinux 414# denials since the linker does not actually access the path in case the path 415# does not exist or isn't accessible for the process. 416dontaudit domain postinstall_mnt_dir:dir audit_access; 417 418#Ensure that nothing in userspace can access /dev/port 419neverallow { 420 domain 421 -shell # Shell user should not have any abilities outside of getattr 422 -ueventd 423} port_device:chr_file *; 424neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; 425# Only init should be able to configure kernel usermodehelpers or 426# security-sensitive proc settings. 427neverallow { domain -init } usermodehelper:file { append write }; 428neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; 429neverallow { domain -init -vendor_init } proc_security:file { append open read write }; 430 431# Init can't do anything with binder calls. If this neverallow rule is being 432# triggered, it's probably due to a service with no SELinux domain. 433neverallow * init:binder *; 434neverallow * vendor_init:binder *; 435 436# Don't allow raw read/write/open access to block_device 437# Rather force a relabel to a more specific type 438neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; 439 440# Do not allow renaming of block files or character files 441# Ability to do so can lead to possible use in an exploit chain 442# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html 443neverallow * *:{ blk_file chr_file } rename; 444 445# Don't allow raw read/write/open access to generic devices. 446# Rather force a relabel to a more specific type. 447neverallow domain device:chr_file { open read write }; 448 449# Files from cache should never be executed 450neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; 451 452# The test files and executables MUST not be accessible to any domain 453neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms; 454neverallow domain nativetest_data_file:dir no_w_dir_perms; 455neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; 456 457neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms; 458neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms; 459neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *; 460neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms }; 461neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *; 462 463# Only the init property service should write to /data/property and /dev/__properties__ 464neverallow { domain -init } property_data_file:dir no_w_dir_perms; 465neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; 466neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; 467neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; 468neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; 469 470# Nobody should be doing writes to /system & /vendor 471# These partitions are intended to be read-only and must never be 472# modified. Doing so would violate important Android security guarantees 473# and invalidate dm-verity signatures. 474neverallow { 475 domain 476 with_asan(`-asan_extract') 477 recovery_only(`userdebug_or_eng(`-fastbootd')') 478} { 479 system_file_type 480 vendor_file_type 481 exec_type 482}:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; 483 484neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto; 485 486# Don't allow mounting on top of /system files or directories 487neverallow * exec_type:dir_file_class_set mounton; 488 489# Nothing should be writing to files in the rootfs. 490neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; 491 492# Restrict context mounts to specific types marked with 493# the contextmount_type attribute. 494neverallow * {fs_type -contextmount_type}:filesystem relabelto; 495 496# Ensure that context mount types are not writable, to ensure that 497# the write to /system restriction above is not bypassed via context= 498# mount to another type. 499neverallow * contextmount_type:dir_file_class_set 500 { create setattr relabelfrom relabelto append link rename }; 501neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink }; 502 503# Do not allow service_manager add for default service labels. 504# Instead domains should use a more specific type such as 505# system_app_service rather than the generic type. 506# New service_types are defined in {,hw,vnd}service.te and new mappings 507# from service name to service_type are defined in {,hw,vnd}service_contexts. 508neverallow * default_android_service:service_manager *; 509neverallow * default_android_vndservice:service_manager *; 510neverallow * default_android_hwservice:hwservice_manager *; 511 512# Looking up the base class/interface of all HwBinder services is a bad idea. 513# hwservicemanager currently offer such lookups only to make it so that security 514# decisions are expressed in SELinux policy. However, it's unclear whether this 515# lookup has security implications. If it doesn't, hwservicemanager should be 516# modified to not offer this lookup. 517# This rule can be removed if hwservicemanager is modified to not permit these 518# lookups. 519neverallow * hidl_base_hwservice:hwservice_manager find; 520 521# Require that domains explicitly label unknown properties, and do not allow 522# anyone but init to modify unknown properties. 523neverallow { domain -init -vendor_init } mmc_prop:property_service set; 524neverallow { domain -init -vendor_init } vndk_prop:property_service set; 525 526compatible_property_only(` 527 neverallow { domain -init } mmc_prop:property_service set; 528 neverallow { domain -init -vendor_init } exported_default_prop:property_service set; 529 neverallow { domain -init } exported_secure_prop:property_service set; 530 neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; 531 neverallow { domain -init -vendor_init } storage_config_prop:property_service set; 532 neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set; 533') 534 535compatible_property_only(` 536 neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; 537 neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; 538') 539 540# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop. 541neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set; 542neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms; 543 544# ART may introduce new sysprops. SELinux denials due to reading new sysprops on 545# old platforms shouldn't be regarded as a problem. 546dontaudit domain future_pm_prop:file read; 547 548neverallow { domain -init } aac_drc_prop:property_service set; 549neverallow { domain -init } build_prop:property_service set; 550neverallow { domain -init } userdebug_or_eng_prop:property_service set; 551 552# Do not allow reading device's serial number from system properties except form 553# a few allowed domains. 554neverallow { 555 domain 556 -adbd 557 -dumpstate 558 -fastbootd 559 -hal_camera_server 560 -hal_cas_server 561 -hal_drm_server 562 -hal_keymint_server 563 userdebug_or_eng(`-incidentd') 564 -init 565 -mediadrmserver 566 -mediaserver 567 -recovery 568 -shell 569 -system_server 570 -vendor_init 571} serialno_prop:file r_file_perms; 572 573neverallow { 574 domain 575 -init 576 -recovery 577 -system_server 578 -shell # Shell is further restricted in shell.te 579 -ueventd # Further restricted in ueventd.te 580} frp_block_device:blk_file no_rw_file_perms; 581 582# The metadata block device is set aside for device encryption and 583# verified boot metadata. It may be reset at will and should not 584# be used by other domains. 585neverallow { 586 domain 587 -init 588 -recovery 589 -vold 590 -e2fs 591 -fsck 592 -fastbootd 593 -hal_fastboot_server 594} metadata_block_device:blk_file { append link rename write open read ioctl lock }; 595 596# No domain other than recovery, update_engine and fastbootd can write to system partition(s). 597neverallow { 598 domain 599 -fastbootd 600 userdebug_or_eng(`-fsck') 601 userdebug_or_eng(`-init') 602 -recovery 603 -update_engine 604} system_block_device:blk_file { write append }; 605 606# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager 607neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; 608# The service managers are only allowed to access their own device node 609neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; 610neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; 611neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; 612neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; 613neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 614neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 615 616full_treble_only(` 617 # Vendor apps are permited to use only stable public services. If they were to use arbitrary 618 # services which can change any time framework/core is updated, breakage is likely. 619 # 620 # Note, this same logic applies to untrusted apps, but neverallows for these are separate. 621 neverallow { 622 appdomain 623 -coredomain 624 } { 625 service_manager_type 626 627 -app_api_service 628 -ephemeral_app_api_service 629 630 -hal_service_type # see app_neverallows.te 631 632 -apc_service 633 -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed 634 -cameraserver_service 635 -drmserver_service 636 -credstore_service 637 -keystore_maintenance_service 638 -keystore_service 639 -legacykeystore_service 640 -mediadrmserver_service 641 -mediaextractor_service 642 -mediametrics_service 643 -mediaserver_service 644 -nfc_service 645 -radio_service 646 -virtual_touchpad_service 647 -vr_manager_service 648 userdebug_or_eng(`-hal_face_service') 649 }:service_manager find; 650') 651 652# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. 653full_treble_only(` 654 neverallow { 655 coredomain 656 -shell 657 userdebug_or_eng(`-su') 658 -ueventd # uevent is granted create for this device, but we still neverallow I/O below 659 } vndbinder_device:chr_file rw_file_perms; 660') 661full_treble_only(` 662 neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; 663') 664full_treble_only(` 665 neverallow { 666 coredomain 667 -shell 668 userdebug_or_eng(`-su') 669 } vndservice_manager_type:service_manager *; 670') 671full_treble_only(` 672 neverallow { 673 coredomain 674 -shell 675 userdebug_or_eng(`-su') 676 } vndservicemanager:binder *; 677') 678 679# On full TREBLE devices, socket communications between core components and vendor components are 680# not permitted. 681 # Most general rules first, more specific rules below. 682 683 # Core domains are not permitted to initiate communications to vendor domain sockets. 684 # We are not restricting the use of already established sockets because it is fine for a process 685 # to obtain an already established socket via some public/official/stable API and then exchange 686 # data with its peer over that socket. The wire format in this scenario is dicatated by the API 687 # and thus does not break the core-vendor separation. 688full_treble_only(` 689 neverallow_establish_socket_comms({ 690 coredomain 691 -init 692 -adbd 693 }, { 694 domain 695 -coredomain 696 -socket_between_core_and_vendor_violators 697 }); 698') 699 700 # Vendor domains are not permitted to initiate create/open sockets owned by core domains 701full_treble_only(` 702 neverallow { 703 domain 704 -coredomain 705 -appdomain # appdomain restrictions below 706 -data_between_core_and_vendor_violators # b/70393317 707 -socket_between_core_and_vendor_violators 708 -vendor_init 709 } { 710 coredomain_socket 711 core_data_file_type 712 unlabeled # used only by core domains 713 }:sock_file ~{ append getattr ioctl read write }; 714') 715full_treble_only(` 716 neverallow { 717 appdomain 718 -coredomain 719 } { 720 coredomain_socket 721 unlabeled # used only by core domains 722 core_data_file_type 723 -app_data_file 724 -privapp_data_file 725 -pdx_endpoint_socket_type # used by VR layer 726 -pdx_channel_socket_type # used by VR layer 727 }:sock_file ~{ append getattr ioctl read write }; 728') 729 730 # Core domains are not permitted to create/open sockets owned by vendor domains 731full_treble_only(` 732 neverallow { 733 coredomain 734 -init 735 -ueventd 736 -socket_between_core_and_vendor_violators 737 } { 738 file_type 739 dev_type 740 -coredomain_socket 741 -core_data_file_type 742 -app_data_file_type 743 -unlabeled 744 }:sock_file ~{ append getattr ioctl read write }; 745') 746 747# On TREBLE devices, vendor and system components are only allowed to share 748# files by passing open FDs over hwbinder. Ban all directory access and all file 749# accesses other than what can be applied to an open FD such as 750# ioctl/stat/read/write/append. This is enforced by segregating /data. 751# Vendor domains may directly access file in /data/vendor by path, but may only 752# access files outside of /data/vendor via an open FD passed over hwbinder. 753# Likewise, core domains may only directly access files outside /data/vendor by 754# path and files in /data/vendor by open FD. 755full_treble_only(` 756 # only coredomains may only access core_data_file_type, particularly not 757 # /data/vendor 758 neverallow { 759 coredomain 760 -appdomain # TODO(b/34980020) remove exemption for appdomain 761 -data_between_core_and_vendor_violators 762 -init 763 -vold_prepare_subdirs 764 } { 765 data_file_type 766 -core_data_file_type 767 -app_data_file_type 768 }:file_class_set ~{ append getattr ioctl read write map }; 769') 770full_treble_only(` 771 neverallow { 772 coredomain 773 -appdomain # TODO(b/34980020) remove exemption for appdomain 774 -data_between_core_and_vendor_violators 775 -init 776 -vold_prepare_subdirs 777 } { 778 data_file_type 779 -core_data_file_type 780 -app_data_file_type 781 # TODO(b/72998741) Remove exemption. Further restricted in a subsequent 782 # neverallow. Currently only getattr and search are allowed. 783 -vendor_data_file 784 }:dir *; 785 786') 787full_treble_only(` 788 # vendor domains may only access files in /data/vendor, never core_data_file_types 789 neverallow { 790 domain 791 -appdomain # TODO(b/34980020) remove exemption for appdomain 792 -coredomain 793 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 794 -vendor_init 795 } { 796 core_data_file_type 797 with_native_coverage(`-method_trace_data_file') 798 }:file_class_set ~{ append getattr ioctl read write map }; 799 neverallow { 800 vendor_init 801 -data_between_core_and_vendor_violators 802 } { 803 core_data_file_type 804 -unencrypted_data_file 805 with_native_coverage(`-method_trace_data_file') 806 }:file_class_set ~{ append getattr ioctl read write map }; 807 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 808 # The vendor init binary lives on the system partition so there is not a concern with stability. 809 neverallow vendor_init unencrypted_data_file:file ~r_file_perms; 810') 811full_treble_only(` 812 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 813 neverallow { 814 domain 815 -appdomain # TODO(b/34980020) remove exemption for appdomain 816 -coredomain 817 -data_between_core_and_vendor_violators 818 -vendor_init 819 } { 820 core_data_file_type 821 -system_data_file # default label for files on /data. Covered below... 822 -system_data_root_file 823 -vendor_userdir_file 824 -vendor_data_file 825 with_native_coverage(`-method_trace_data_file') 826 }:dir *; 827 neverallow { 828 vendor_init 829 -data_between_core_and_vendor_violators 830 } { 831 core_data_file_type 832 -unencrypted_data_file 833 -system_data_file 834 -system_data_root_file 835 -vendor_userdir_file 836 -vendor_data_file 837 with_native_coverage(`-method_trace_data_file') 838 }:dir *; 839 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 840 # The vendor init binary lives on the system partition so there is not a concern with stability. 841 neverallow vendor_init unencrypted_data_file:dir ~search; 842') 843full_treble_only(` 844 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 845 neverallow { 846 domain 847 -appdomain # TODO(b/34980020) remove exemption for appdomain 848 -coredomain 849 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 850 } { 851 system_data_file # default label for files on /data. Covered below 852 }:dir ~{ getattr search }; 853') 854 855full_treble_only(` 856 # coredomains may not access dirs in /data/vendor. 857 neverallow { 858 coredomain 859 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 860 -init 861 -vold # vold creates per-user storage for both system and vendor 862 -vold_prepare_subdirs 863 } { 864 vendor_data_file # default label for files on /data. Covered below 865 }:dir ~{ getattr search }; 866') 867 868full_treble_only(` 869 # coredomains may not access dirs in /data/vendor. 870 neverallow { 871 coredomain 872 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 873 -init 874 } { 875 vendor_data_file # default label for files on /data/vendor{,_ce,_de}. 876 }:file_class_set ~{ append getattr ioctl read write map }; 877') 878 879full_treble_only(` 880 # Non-vendor domains are not allowed to file execute shell 881 # from vendor 882 neverallow { 883 coredomain 884 -init 885 -shell 886 -ueventd 887 } vendor_shell_exec:file { execute execute_no_trans }; 888') 889 890full_treble_only(` 891 # Do not allow vendor components to execute files from system 892 # except for the ones allowed here. 893 neverallow { 894 domain 895 -coredomain 896 -appdomain 897 -vendor_executes_system_violators 898 -vendor_init 899 } { 900 system_file_type 901 -system_lib_file 902 -system_linker_exec 903 -crash_dump_exec 904 -netutils_wrapper_exec 905 userdebug_or_eng(`-tcpdump_exec') 906 }:file { entrypoint execute execute_no_trans }; 907') 908 909full_treble_only(` 910 # Do not allow coredomain to access entrypoint for files other 911 # than system_file_type and postinstall_file 912 neverallow coredomain { 913 file_type 914 -system_file_type 915 -postinstall_file 916 }:file entrypoint; 917 # Do not allow domains other than coredomain to access entrypoint 918 # for anything but vendor_file_type and init_exec for vendor_init. 919 neverallow { domain -coredomain } { 920 file_type 921 -vendor_file_type 922 -init_exec 923 }:file entrypoint; 924') 925 926full_treble_only(` 927 # Do not allow system components to execute files from vendor 928 # except for the ones allowed here. 929 neverallow { 930 coredomain 931 -init 932 -shell 933 -system_executes_vendor_violators 934 -ueventd 935 } { 936 vendor_file_type 937 -same_process_hal_file 938 -vndk_sp_file 939 -vendor_app_file 940 -vendor_public_framework_file 941 -vendor_public_lib_file 942 }:file execute; 943') 944 945full_treble_only(` 946 neverallow { 947 coredomain 948 -shell 949 -system_executes_vendor_violators 950 } { 951 vendor_file_type 952 -same_process_hal_file 953 }:file execute_no_trans; 954') 955 956full_treble_only(` 957 # Do not allow vendor components access to /system files except for the 958 # ones allowed here. 959 neverallow { 960 domain 961 -appdomain 962 -coredomain 963 -vendor_executes_system_violators 964 # vendor_init needs access to init_exec for domain transition. vendor_init 965 # neverallows are covered in public/vendor_init.te 966 -vendor_init 967 } { 968 system_file_type 969 -crash_dump_exec 970 -file_contexts_file 971 -netutils_wrapper_exec 972 -property_contexts_file 973 -system_event_log_tags_file 974 -system_group_file 975 -system_lib_file 976 with_asan(`-system_asan_options_file') 977 -system_linker_exec 978 -system_linker_config_file 979 -system_passwd_file 980 -system_seccomp_policy_file 981 -system_security_cacerts_file 982 -system_zoneinfo_file 983 -task_profiles_api_file 984 -task_profiles_file 985 userdebug_or_eng(`-tcpdump_exec') 986 }:file *; 987') 988 989# Only system_server should be able to send commands via the zygote socket 990neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 991neverallow { domain -system_server } zygote_socket:sock_file write; 992 993neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto; 994neverallow { domain -system_server } webview_zygote:sock_file write; 995neverallow { domain -system_server } app_zygote:sock_file write; 996 997neverallow domain tombstoned_crash_socket:unix_stream_socket connectto; 998 999# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to 1000# the tombstoned intercept socket. 1001neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; 1002neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 1003 1004# Never allow anyone but system_server to read heapdumps in /data/system/heapdump. 1005neverallow { domain -init -system_server } heapdump_data_file:file read; 1006 1007# Android does not support System V IPCs. 1008# 1009# The reason for this is due to the fact that, by design, they lead to global 1010# kernel resource leakage. 1011# 1012# For example, there is no way to automatically release a SysV semaphore 1013# allocated in the kernel when: 1014# 1015# - a buggy or malicious process exits 1016# - a non-buggy and non-malicious process crashes or is explicitly killed. 1017# 1018# Killing processes automatically to make room for new ones is an 1019# important part of Android's application lifecycle implementation. This means 1020# that, even assuming only non-buggy and non-malicious code, it is very likely 1021# that over time, the kernel global tables used to implement SysV IPCs will fill 1022# up. 1023neverallow * *:{ shm sem msg msgq } *; 1024 1025# Do not mount on top of symlinks, fifos, or sockets. 1026# Feature parity with Chromium LSM. 1027neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 1028 1029# Nobody should be able to execute su on user builds. 1030# On userdebug/eng builds, only dumpstate, shell, and 1031# su itself execute su. 1032neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 1033 1034# Do not allow the introduction of new execmod rules. Text relocations 1035# and modification of executable pages are unsafe. 1036# The only exceptions are for NDK text relocations associated with 1037# https://code.google.com/p/android/issues/detail?id=23203 1038# which, long term, need to go away. 1039neverallow * { 1040 file_type 1041 -apk_data_file 1042 -app_data_file 1043 -asec_public_file 1044}:file execmod; 1045 1046# Do not allow making the stack or heap executable. 1047# We would also like to minimize execmem but it seems to be 1048# required by some device-specific service domains. 1049neverallow * self:process { execstack execheap }; 1050 1051# Do not allow the introduction of new execmod rules. Text relocations 1052# and modification of executable pages are unsafe. 1053neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod; 1054 1055neverallow { domain -init } proc:{ file dir } mounton; 1056 1057# Ensure that all types assigned to processes are included 1058# in the domain attribute, so that all allow and neverallow rules 1059# written on domain are applied to all processes. 1060# This is achieved by ensuring that it is impossible to transition 1061# from a domain to a non-domain type and vice versa. 1062# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 1063neverallow ~domain domain:process { transition dyntransition }; 1064 1065# 1066# Only system_app and system_server should be creating or writing 1067# their files. The proper way to share files is to setup 1068# type transitions to a more specific type or assigning a type 1069# to its parent directory via a file_contexts entry. 1070# Example type transition: 1071# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 1072# 1073neverallow { 1074 domain 1075 -system_server 1076 -system_app 1077 -init 1078 -toolbox # TODO(b/141108496) We want to remove toolbox 1079 -installd # for relabelfrom and unlink, check for this in explicit neverallow 1080 -vold_prepare_subdirs # For unlink 1081 with_asan(`-asan_extract') 1082} system_data_file:file no_w_file_perms; 1083# do not grant anything greater than r_file_perms and relabelfrom unlink 1084# to installd 1085neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 1086 1087# 1088# Only these domains should transition to shell domain. This domain is 1089# permissible for the "shell user". If you need a process to exec a shell 1090# script with differing privilege, define a domain and set up a transition. 1091# 1092neverallow { 1093 domain 1094 -adbd 1095 -init 1096 -runas 1097 -zygote 1098} shell:process { transition dyntransition }; 1099 1100# Only domains spawned from zygote, runas and simpleperf_app_runner may have 1101# the appdomain attribute. simpleperf is excluded as a domain transitioned to 1102# when running an app-scoped profiling session. 1103neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } { 1104 appdomain -shell -simpleperf userdebug_or_eng(`-su') 1105}:process { transition dyntransition }; 1106 1107# Minimize read access to shell- or app-writable symlinks. 1108# This is to prevent malicious symlink attacks. 1109neverallow { 1110 domain 1111 -appdomain 1112 -artd 1113 -installd 1114} { app_data_file privapp_data_file }:lnk_file read; 1115 1116neverallow { 1117 domain 1118 -shell 1119 userdebug_or_eng(`-uncrypt') 1120 -installd 1121} shell_data_file:lnk_file read; 1122 1123# servicemanager and vndservicemanager are the only processes which handle the 1124# service_manager list request 1125neverallow * ~{ 1126 servicemanager 1127 vndservicemanager 1128 }:service_manager list; 1129 1130# hwservicemanager is the only process which handles hw list requests 1131neverallow * ~{ 1132 hwservicemanager 1133 }:hwservice_manager list; 1134 1135# only service_manager_types can be added to service_manager 1136# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 1137 1138# Prevent assigning non property types to properties 1139# TODO - rework this: neverallow * ~property_type:property_service set; 1140 1141# Domain types should never be assigned to any files other 1142# than the /proc/pid files associated with a process. The 1143# executable file used to enter a domain should be labeled 1144# with its own _exec type, not with the domain type. 1145# Conventionally, this looks something like: 1146# $ cat mydaemon.te 1147# type mydaemon, domain; 1148# type mydaemon_exec, exec_type, file_type; 1149# init_daemon_domain(mydaemon) 1150# $ grep mydaemon file_contexts 1151# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 1152neverallow * domain:file { execute execute_no_trans entrypoint }; 1153 1154# Do not allow access to the generic debugfs label. This is too broad. 1155# Instead, if access to part of debugfs is desired, it should have a 1156# more specific label. 1157# TODO: fix dumpstate 1158neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms; 1159 1160# Do not allow executable files in debugfs. 1161neverallow domain debugfs_type:file { execute execute_no_trans }; 1162 1163# Don't allow access to the FUSE control filesystem, except to vold and init's 1164neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms; 1165 1166# Profiles contain untrusted data and profman parses that. We should only run 1167# it from installd and artd forked processes. 1168neverallow { 1169 domain 1170 -installd 1171 -profman 1172 -artd 1173} profman_exec:file no_x_file_perms; 1174 1175# Enforce restrictions on kernel module origin. 1176# Do not allow kernel module loading except from system, 1177# vendor, boot, and system_dlkm partitions. 1178# TODO(b/218951883): Remove usage of system and rootfs as origin 1179neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load; 1180 1181# Only allow filesystem caps to be set at build time. Runtime changes 1182# to filesystem capabilities are not permitted. 1183neverallow * self:global_capability_class_set setfcap; 1184 1185# Enforce AT_SECURE for executing crash_dump. 1186neverallow domain crash_dump:process noatsecure; 1187 1188# Do not permit non-core domains to register HwBinder services which are 1189# guaranteed to be provided by core domains only. 1190neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1191 1192# Do not permit the registeration of HwBinder services which are guaranteed to 1193# be passthrough only (i.e., run in the process of their clients instead of a 1194# separate server process). 1195neverallow * same_process_hwservice:hwservice_manager add; 1196 1197# If an already existing file is opened with O_CREAT, the kernel might generate 1198# a false report of a create denial. Silence these denials and make sure that 1199# inappropriate permissions are not granted. 1200 1201# These filesystems don't allow files or directories to be created, so the permission 1202# to do so should never be granted. 1203neverallow domain { 1204 proc_type 1205 sysfs_type 1206}:dir { add_name create link remove_name rename reparent rmdir write }; 1207 1208# cgroupfs directories can be created, but not files within them. 1209neverallow domain cgroup:file create; 1210neverallow domain cgroup_v2:file create; 1211 1212dontaudit domain proc_type:dir write; 1213dontaudit domain sysfs_type:dir write; 1214dontaudit domain cgroup:file create; 1215dontaudit domain cgroup_v2:file create; 1216 1217# These are only needed in permissive mode - in enforcing mode the 1218# directory write check fails and so these are never attempted. 1219userdebug_or_eng(` 1220 dontaudit domain proc_type:dir add_name; 1221 dontaudit domain sysfs_type:dir add_name; 1222 dontaudit domain proc_type:file create; 1223 dontaudit domain sysfs_type:file create; 1224') 1225 1226# Platform must not have access to /mnt/vendor. 1227neverallow { 1228 coredomain 1229 -init 1230 -ueventd 1231 -vold 1232 -system_writes_mnt_vendor_violators 1233} mnt_vendor_file:dir *; 1234 1235# Only apps are allowed access to vendor public libraries. 1236full_treble_only(` 1237 neverallow { 1238 coredomain 1239 -appdomain 1240 } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans }; 1241') 1242 1243# Vendor domian must not have access to /mnt/product. 1244neverallow { 1245 domain 1246 -coredomain 1247} mnt_product_file:dir *; 1248 1249# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL 1250full_treble_only(` 1251 neverallow { 1252 coredomain 1253 -shell 1254 # For access to block device information under /sys/class/block. 1255 -apexd 1256 # Read sysfs block device information. 1257 -init 1258 # Generate uevents for health info 1259 -ueventd 1260 # Recovery uses health HAL passthrough implementation. 1261 -recovery 1262 # Charger uses health HAL passthrough implementation. 1263 -charger 1264 # TODO(b/110891300): remove this exception 1265 -incidentd 1266 } sysfs_batteryinfo:file { open read }; 1267') 1268 1269neverallow { 1270 domain 1271 -hal_codec2_server 1272 -hal_omx_server 1273} hal_codec2_hwservice:hwservice_manager add; 1274 1275# Only apps targetting < Q are allowed to open /dev/ashmem directly. 1276# Apps must use ASharedMemory NDK API. Native code must use libcutils API. 1277neverallow { 1278 domain 1279 -ephemeral_app # We don't distinguish ephemeral apps based on target API. 1280 -untrusted_app_25 1281 -untrusted_app_27 1282} ashmem_device:chr_file open; 1283 1284neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *; 1285 1286# Linux lockdown "integrity" level is enforced for user builds. 1287neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity; 1288 1289# Allow everyone to read media server-configurable flags, so that libstagefright can be 1290# configured using server-configurable flags 1291get_prop(domain, device_config_media_native_prop) 1292