1# Rules for all domains.
2
3# Allow reaping by init.
4allow domain init:process sigchld;
5
6# Intra-domain accesses.
7allow domain self:process {
8    fork
9    sigchld
10    sigkill
11    sigstop
12    signull
13    signal
14    getsched
15    setsched
16    getsession
17    getpgid
18    setpgid
19    getcap
20    setcap
21    getattr
22    setrlimit
23};
24allow domain self:fd use;
25allow domain proc:dir r_dir_perms;
26allow domain proc_net_type:dir search;
27r_dir_file(domain, self)
28allow domain self:{ fifo_file file } rw_file_perms;
29allow domain self:unix_dgram_socket { create_socket_perms sendto };
30allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
31
32# Inherit or receive open files from others.
33allow domain init:fd use;
34
35userdebug_or_eng(`
36  allow domain su:fd use;
37  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
38  allow domain su:unix_dgram_socket sendto;
39
40  allow { domain -init } su:binder { call transfer };
41
42  # Running something like "pm dump com.android.bluetooth" requires
43  # fifo writes
44  allow domain su:fifo_file { write getattr };
45
46  # allow "gdbserver --attach" to work for su.
47  allow domain su:process sigchld;
48
49  # Allow writing coredumps to /cores/*
50  allow domain coredump_file:file create_file_perms;
51  allow domain coredump_file:dir ra_dir_perms;
52')
53
54with_native_coverage(`
55  # Allow writing coverage information to /data/misc/trace
56  allow domain method_trace_data_file:dir create_dir_perms;
57  allow domain method_trace_data_file:file create_file_perms;
58')
59
60# Allow everyone to read aconfig flags
61get_prop(domain, device_config_aconfig_flags_prop);
62
63# Root fs.
64allow domain tmpfs:dir { getattr search };
65allow domain rootfs:dir search;
66allow domain rootfs:lnk_file { read getattr };
67
68# Device accesses.
69allow domain device:dir search;
70allow domain dev_type:lnk_file r_file_perms;
71allow domain devpts:dir search;
72allow domain dmabuf_heap_device:dir r_dir_perms;
73allow domain socket_device:dir r_dir_perms;
74allow domain owntty_device:chr_file rw_file_perms;
75allow domain null_device:chr_file rw_file_perms;
76allow domain zero_device:chr_file rw_file_perms;
77
78# /dev/ashmem is being deprecated by means of constraining and eventually
79# removing all "open" permissions. We preserve the other permissions.
80allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
81# This device is used by libcutils, which is accessible to everyone.
82allow domain ashmem_libcutils_device:chr_file rw_file_perms;
83
84# /dev/binder can be accessed by ... everyone! :)
85allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
86get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
87
88# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
89# added to individual domains, but this sets safe defaults for all processes.
90allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
91
92# /dev/binderfs needs to be accessed by everyone too!
93allow domain binderfs:dir { getattr search };
94allow domain binderfs_logs_proc:dir search;
95allow domain binderfs_features:dir search;
96allow domain binderfs_features:file r_file_perms;
97
98allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
99allow domain ptmx_device:chr_file rw_file_perms;
100allow domain random_device:chr_file rw_file_perms;
101allow domain proc_random:dir r_dir_perms;
102allow domain proc_random:file r_file_perms;
103allow domain properties_device:dir { search getattr };
104allow domain properties_serial:file r_file_perms;
105allow domain property_info:file r_file_perms;
106
107# Let everyone read log properties, so that liblog can avoid sending unloggable
108# messages to logd.
109get_prop(domain, log_property_type)
110dontaudit domain property_type:file audit_access;
111allow domain property_contexts_file:file r_file_perms;
112
113allow domain init:key search;
114allow domain vold:key search;
115
116# logd access
117write_logd(domain)
118
119# Directory/link file access for path resolution.
120allow domain {
121    system_file
122    system_lib_file
123    system_seccomp_policy_file
124    system_security_cacerts_file
125}:dir r_dir_perms;
126allow domain system_file:lnk_file { getattr read };
127
128# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
129# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
130allow domain system_seccomp_policy_file:file r_file_perms;
131# cacerts are accessible from public Java API.
132allow domain system_security_cacerts_file:file r_file_perms;
133allow domain system_group_file:file r_file_perms;
134allow domain system_passwd_file:file r_file_perms;
135allow domain system_linker_exec:file { execute read open getattr map };
136allow domain system_linker_config_file:file r_file_perms;
137allow domain system_lib_file:file { execute read open getattr map };
138# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
139allow domain system_linker_exec:lnk_file { read open getattr };
140allow domain system_lib_file:lnk_file { read open getattr };
141
142allow domain system_event_log_tags_file:file r_file_perms;
143
144allow { appdomain coredomain } system_file:file { execute read open getattr map };
145
146# Make sure system/vendor split doesn not affect non-treble
147# devices
148not_full_treble(`
149    allow domain system_file:file { execute read open getattr map };
150    allow domain vendor_file_type:dir { search getattr };
151    allow domain vendor_file_type:file { execute read open getattr map };
152    allow domain vendor_file_type:lnk_file { getattr read };
153')
154
155# All domains are allowed to open and read directories
156# that contain HAL implementations (e.g. passthrough
157# HALs require clients to have these permissions)
158allow domain vendor_hal_file:dir r_dir_perms;
159
160# Everyone can read and execute all same process HALs
161allow domain same_process_hal_file:dir r_dir_perms;
162allow {
163    domain
164    -coredomain # access is explicitly granted to individual coredomains
165} same_process_hal_file:file { execute read open getattr map };
166
167# Any process can load vndk-sp libraries, which are system libraries
168# used by same process HALs
169allow domain vndk_sp_file:dir r_dir_perms;
170allow domain vndk_sp_file:file { execute read open getattr map };
171
172# All domains get access to /vendor/etc
173allow domain vendor_configs_file:dir r_dir_perms;
174allow domain vendor_configs_file:file { read open getattr map };
175
176full_treble_only(`
177    # Allow all domains to be able to follow /system/vendor and/or
178    # /vendor/odm symlinks.
179    allow domain vendor_file_type:lnk_file { getattr open read };
180
181    # This is required to be able to search & read /vendor/lib64
182    # in order to lookup vendor libraries. The execute permission
183    # for coredomains is granted *only* for same process HALs
184    allow domain vendor_file:dir { getattr search };
185
186    # Allow reading and executing out of /vendor to all vendor domains
187    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
188    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
189    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
190')
191
192# read and stat any sysfs symlinks
193allow domain sysfs:lnk_file { getattr read };
194
195# libc references /system/usr/share/zoneinfo for timezone related information.
196# This directory is considered to be a VNDK-stable
197allow domain { system_zoneinfo_file }:file r_file_perms;
198allow domain { system_zoneinfo_file }:dir r_dir_perms;
199
200# Lots of processes access current CPU information
201r_dir_file(domain, sysfs_devices_system_cpu)
202
203r_dir_file(domain, sysfs_usb);
204
205# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
206# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
207allow domain sysfs_transparent_hugepage:dir search;
208allow domain sysfs_transparent_hugepage:file r_file_perms;
209
210# Allow search access, and sometimes getattr access, to various directories
211# under /data.  We are fairly lenient in allowing search access to top-level
212# dirs that commonly need to be traversed to get access to the "real" files, as
213# this greatly simplifies the policy and doesn't open up much attack surface.
214not_full_treble(`
215  allow domain system_data_file:dir getattr;
216')
217allow { coredomain appdomain } system_data_file:dir getattr;
218# Anything that accesses anything in /data needs search access to /data itself.
219# This includes vendor components, as they need to access /data/vendor.
220allow domain system_data_root_file:dir { search getattr } ;
221# system_data_file is the default type for directories in /data.  Anything
222# accessing data files with a more specific type often has to traverse a
223# system_data_file directory such as /data/misc to get there.
224allow domain system_data_file:dir search;
225# Anything that accesses files in /data/user (and /data/user_de, etc.) needs
226# search access to these directories themselves.  getattr access is sometimes
227# needed too.
228allow { coredomain appdomain } system_userdir_file:dir { search getattr };
229# Anything that accesses files in /data/media needs search access to /data/media
230# itself.
231allow { coredomain appdomain } media_userdir_file:dir search;
232# TODO restrict this to non-coredomain
233allow domain vendor_userdir_file:dir { getattr search };
234allow domain vendor_data_file:dir { getattr search };
235
236# required by the dynamic linker
237allow domain proc:lnk_file { getattr read };
238
239# /proc/cpuinfo
240allow domain proc_cpuinfo:file r_file_perms;
241
242# /dev/cpu_variant:.*
243allow domain dev_cpu_variant:file r_file_perms;
244
245# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
246allow domain proc_perf:file r_file_perms;
247
248# toybox loads libselinux which stats /sys/fs/selinux/
249allow domain selinuxfs:dir search;
250allow domain selinuxfs:file getattr;
251allow domain sysfs:dir search;
252allow domain selinuxfs:filesystem getattr;
253
254# Almost all processes log tracing information to
255# /sys/kernel/debug/tracing/trace_marker
256# The reason behind this is documented in b/6513400
257allow domain debugfs:dir search;
258allow domain debugfs_tracing:dir search;
259allow domain debugfs_tracing_debug:dir search;
260allow domain debugfs_trace_marker:file w_file_perms;
261
262# Linux lockdown mode offered coarse-grained definitions for access controls. In
263# previous versions of the policy, the integrity permission was neverallowed.
264# It was found that this permission mainly duplicates pre-existing rules in
265# the policy (see b/285443587). Additionally, some access were found to be
266# required (b/269377822). The access vector was removed from kernel 5.16
267# onwards. Grant unconditional access, these rules should be removed from the
268# policy once no kernel <5.16 are supported.
269allow domain self:lockdown { confidentiality integrity };
270
271# Filesystem access.
272allow domain fs_type:filesystem getattr;
273allow domain fs_type:dir getattr;
274
275# Restrict all domains to an allowlist for common socket types. Additional
276# ioctl commands may be added to individual domains, but this sets safe
277# defaults for all processes. Note that granting this allowlist to domain does
278# not grant the ioctl permission on these socket types. That must be granted
279# separately.
280allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
281  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
282# default allowlist for unix sockets.
283allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
284  ioctl unpriv_unix_sock_ioctls;
285
286# Restrict PTYs to only allowed ioctls.
287# Note that granting this allowlist to domain does
288# not grant the wider ioctl permission. That must be granted
289# separately.
290allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
291
292# All domains must clearly enumerate what ioctls they use
293# on filesystem objects (plain files, directories, symbolic links,
294# named pipes, and named sockets). We start off with a safe set.
295allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
296
297# If a domain has ioctl access to tun_device, it must clearly enumerate the
298# ioctls used. Safe defaults are listed below.
299allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
300
301# Allow a process to make a determination whether a file descriptor
302# for a plain file or pipe (fifo_file) is a tty. Note that granting
303# this allowlist to domain does not grant the ioctl permission to
304# these files. That must be granted separately.
305allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
306allowxperm domain domain:fifo_file ioctl { TCGETS };
307
308# If a domain has access to perform an ioctl on a block device, allow these
309# very common, benign ioctls
310allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
311
312# Support sqlite F2FS specific optimizations
313# ioctl permission on the specific file type is still required
314# TODO: consider only compiling these rules if we know the
315# /data partition is F2FS
316allowxperm domain { file_type sdcard_type }:file ioctl {
317  F2FS_IOC_ABORT_VOLATILE_WRITE
318  F2FS_IOC_COMMIT_ATOMIC_WRITE
319  F2FS_IOC_GET_FEATURES
320  F2FS_IOC_GET_PIN_FILE
321  F2FS_IOC_SET_PIN_FILE
322  F2FS_IOC_START_ATOMIC_WRITE
323};
324
325# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
326# when it's not explicitly used in allow rules
327allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
328# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
329# when it's not explicitly used in allow rules
330allow { domain -domain } vndservice_manager_type:service_manager { add find };
331
332# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
333with_asan(`allow domain system_data_file:dir getattr;')
334# Under ASAN, /system/asan.options needs to be globally accessible.
335with_asan(`allow domain system_asan_options_file:file r_file_perms;')
336
337# read APEX dir and stat any symlink pointing to APEXs.
338allow domain apex_mnt_dir:dir { getattr search };
339allow domain apex_mnt_dir:lnk_file r_file_perms;
340
341# Allow everyone to read media server-configurable flags, so that libstagefright can be
342# configured using server-configurable flags
343get_prop(domain, device_config_media_native_prop)
344
345# Allow everyone to read from flag value boot snapshot files and general pb files
346# The boot copy of the flag value files serves flag read traffic for all processes, thus
347# needs to be readable by everybody. Also, the metadata directory will contain pb file
348# that records where flag storage files are, so also needs to be readable by everbody.
349allow domain { aconfig_storage_metadata_file }:file r_file_perms;
350
351###
352### neverallow rules
353###
354
355# All ioctls on file-like objects (except chr_file and blk_file) and
356# sockets must be restricted to an allowlist.
357neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
358
359# b/68014825 and https://android-review.googlesource.com/516535
360# rfc6093 says that processes should not use the TCP urgent mechanism
361neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
362
363# TIOCSTI is only ever used for exploits. Block it.
364# b/33073072, b/7530569
365# http://www.openwall.com/lists/oss-security/2016/09/26/14
366neverallowxperm * devpts:chr_file ioctl TIOCSTI;
367
368# Do not allow any domain other than init to create unlabeled files.
369neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
370
371# Limit device node creation to these allowed domains.
372neverallow {
373  domain
374  -kernel
375  -init
376  -ueventd
377  -vold
378} self:global_capability_class_set mknod;
379
380# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
381neverallow * self:memprotect mmap_zero;
382
383# No domain needs mac_override as it is unused by SELinux.
384neverallow * self:global_capability2_class_set mac_override;
385
386# Disallow attempts to set contexts not defined in current policy
387# This helps guarantee that unknown or dangerous contents will not ever
388# be set.
389neverallow * self:global_capability2_class_set mac_admin;
390
391# Once the policy has been loaded there shall be none to modify the policy.
392# It is sealed.
393neverallow * kernel:security load_policy;
394
395# Only init prior to switching context should be able to set enforcing mode.
396# init starts in kernel domain and switches to init domain via setcon in
397# the init.rc, so the setenforce occurs while still in kernel. After
398# switching domains, there is never any need to setenforce again by init.
399neverallow * kernel:security setenforce;
400neverallow { domain -kernel } kernel:security setcheckreqprot;
401
402# No booleans in AOSP policy, so no need to ever set them.
403neverallow * kernel:security setbool;
404
405# Adjusting the AVC cache threshold.
406# Not presently allowed to anything in policy, but possibly something
407# that could be set from init.rc.
408neverallow { domain -init } kernel:security setsecparam;
409
410# Only the kernel hwrng thread should be able to read from the HW RNG.
411neverallow {
412  domain
413  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
414  -shell # For CTS, restricted to just getattr in shell.te
415  -ueventd # To create the /dev/hw_random file
416} hw_random_device:chr_file *;
417# b/78174219 b/64114943
418neverallow {
419  domain
420  -shell # stat of /dev, getattr only
421  -ueventd
422} keychord_device:chr_file *;
423
424# Ensure that all entrypoint executables are in exec_type or postinstall_file.
425neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
426
427# The dynamic linker always calls access(2) on the path. Don't generate SElinux
428# denials since the linker does not actually access the path in case the path
429# does not exist or isn't accessible for the process.
430dontaudit domain postinstall_mnt_dir:dir audit_access;
431
432#Ensure that nothing in userspace can access /dev/port
433neverallow {
434  domain
435  -shell # Shell user should not have any abilities outside of getattr
436  -ueventd
437} port_device:chr_file *;
438neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
439# Only init should be able to configure kernel usermodehelpers or
440# security-sensitive proc settings.
441neverallow { domain -init } usermodehelper:file { append write };
442neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
443neverallow { domain -init -vendor_init } proc_security:file { append open read write };
444
445# Init can't do anything with binder calls. If this neverallow rule is being
446# triggered, it's probably due to a service with no SELinux domain.
447neverallow * init:binder *;
448neverallow * vendor_init:binder *;
449
450# Binderfs logs contain sensitive information about other processes.
451neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
452neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
453
454# Don't allow raw read/write/open access to block_device
455# Rather force a relabel to a more specific type
456neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
457
458# Do not allow renaming of block files or character files
459# Ability to do so can lead to possible use in an exploit chain
460# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
461neverallow * *:{ blk_file chr_file } rename;
462
463# Don't allow raw read/write/open access to generic devices.
464# Rather force a relabel to a more specific type.
465neverallow domain device:chr_file { open read write };
466
467# Files from cache should never be executed
468neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
469
470# The test files and executables MUST not be accessible to any domain
471neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
472neverallow domain nativetest_data_file:dir no_w_dir_perms;
473neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
474
475neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
476neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
477neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
478neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
479neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
480
481# Only the init property service should write to /data/property and /dev/__properties__
482neverallow { domain -init } property_data_file:dir no_w_dir_perms;
483neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
484neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
485neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
486neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
487
488# Nobody should be doing writes to /system & /vendor
489# These partitions are intended to be read-only and must never be
490# modified. Doing so would violate important Android security guarantees
491# and invalidate dm-verity signatures.
492neverallow {
493    domain
494    with_asan(`-asan_extract')
495    recovery_only(`userdebug_or_eng(`-fastbootd')')
496} {
497    system_file_type
498    vendor_file_type
499    exec_type
500}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
501
502neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
503
504# Don't allow mounting on top of /system files or directories
505neverallow * exec_type:dir_file_class_set mounton;
506
507# Nothing should be writing to files in the rootfs.
508neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
509
510# Restrict context mounts to specific types marked with
511# the contextmount_type attribute.
512neverallow * {fs_type -contextmount_type}:filesystem relabelto;
513
514# Ensure that context mount types are not writable, to ensure that
515# the write to /system restriction above is not bypassed via context=
516# mount to another type.
517neverallow * contextmount_type:dir_file_class_set
518    { create setattr relabelfrom relabelto append link rename };
519neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
520
521# Do not allow service_manager add for default service labels.
522# Instead domains should use a more specific type such as
523# system_app_service rather than the generic type.
524# New service_types are defined in {,hw,vnd}service.te and new mappings
525# from service name to service_type are defined in {,hw,vnd}service_contexts.
526neverallow * default_android_service:service_manager *;
527neverallow * default_android_vndservice:service_manager *;
528neverallow * default_android_hwservice:hwservice_manager *;
529
530# Looking up the base class/interface of all HwBinder services is a bad idea.
531# hwservicemanager currently offer such lookups only to make it so that security
532# decisions are expressed in SELinux policy. However, it's unclear whether this
533# lookup has security implications. If it doesn't, hwservicemanager should be
534# modified to not offer this lookup.
535# This rule can be removed if hwservicemanager is modified to not permit these
536# lookups.
537neverallow * hidl_base_hwservice:hwservice_manager find;
538
539# Require that domains explicitly label unknown properties, and do not allow
540# anyone but init to modify unknown properties.
541neverallow { domain -init -vendor_init } mmc_prop:property_service set;
542neverallow { domain -init -vendor_init } vndk_prop:property_service set;
543
544compatible_property_only(`
545    neverallow { domain -init } mmc_prop:property_service set;
546    neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
547    neverallow { domain -init } exported_secure_prop:property_service set;
548    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
549    neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
550    neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
551')
552
553compatible_property_only(`
554    neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
555    neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
556')
557
558# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
559neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
560neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms;
561
562# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
563# old platforms shouldn't be regarded as a problem.
564dontaudit domain future_pm_prop:file read;
565
566neverallow { domain -init } aac_drc_prop:property_service set;
567neverallow { domain -init } build_prop:property_service set;
568neverallow { domain -init } userdebug_or_eng_prop:property_service set;
569
570# Do not allow reading device's serial number from system properties except form
571# a few allowed domains.
572neverallow {
573  domain
574  -adbd
575  -dumpstate
576  -fastbootd
577  -hal_camera_server
578  -hal_cas_server
579  -hal_drm_server
580  -hal_keymint_server
581  userdebug_or_eng(`-incidentd')
582  -init
583  -mediadrmserver
584  -mediaserver
585  -recovery
586  -shell
587  -system_server
588  -vendor_init
589} serialno_prop:file r_file_perms;
590
591neverallow {
592  domain
593  -init
594  -recovery
595  -system_server
596  -ueventd # Further restricted in ueventd.te
597} frp_block_device:blk_file no_rw_file_perms;
598
599# The metadata block device is set aside for device encryption and
600# verified boot metadata. It may be reset at will and should not
601# be used by other domains.
602neverallow {
603  domain
604  -init
605  -recovery
606  -vold
607  -e2fs
608  -fsck
609  -fastbootd
610  -hal_fastboot_server
611} metadata_block_device:blk_file { append link rename write open read ioctl lock };
612
613# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
614neverallow {
615  domain
616  -fastbootd
617  userdebug_or_eng(`-fsck')
618  userdebug_or_eng(`-init')
619  -recovery
620  -update_engine
621} system_block_device:blk_file { write append };
622
623# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
624neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
625# The service managers are only allowed to access their own device node
626neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
627neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
628neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
629neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
630neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
631neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
632
633full_treble_only(`
634  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
635  # services which can change any time framework/core is updated, breakage is likely.
636  #
637  # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
638  neverallow {
639    appdomain
640    -coredomain
641  } {
642    service_manager_type
643
644    -app_api_service
645    -ephemeral_app_api_service
646
647    -hal_service_type # see app_neverallows.te
648
649    -apc_service
650    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
651    -cameraserver_service
652    -drmserver_service
653    -credstore_service
654    -keystore_maintenance_service
655    -keystore_service
656    -legacykeystore_service
657    -mediadrmserver_service
658    -mediaextractor_service
659    -mediametrics_service
660    -mediaserver_service
661    -nfc_service
662    -radio_service
663    -virtual_touchpad_service
664    -vr_manager_service
665    userdebug_or_eng(`-hal_face_service')
666  }:service_manager find;
667')
668
669# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
670full_treble_only(`
671  neverallow {
672    coredomain
673    -shell
674    userdebug_or_eng(`-su')
675    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
676  } vndbinder_device:chr_file rw_file_perms;
677')
678full_treble_only(`
679  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
680')
681full_treble_only(`
682  neverallow {
683    coredomain
684    -shell
685    userdebug_or_eng(`-su')
686  } vndservice_manager_type:service_manager *;
687')
688full_treble_only(`
689  neverallow {
690    coredomain
691    -shell
692    userdebug_or_eng(`-su')
693  } vndservicemanager:binder *;
694')
695
696# On full TREBLE devices, socket communications between core components and vendor components are
697# not permitted.
698  # Most general rules first, more specific rules below.
699
700  # Core domains are not permitted to initiate communications to vendor domain sockets.
701  # We are not restricting the use of already established sockets because it is fine for a process
702  # to obtain an already established socket via some public/official/stable API and then exchange
703  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
704  # and thus does not break the core-vendor separation.
705full_treble_only(`
706  neverallow_establish_socket_comms({
707    coredomain
708    -init
709    -adbd
710  }, {
711    domain
712    -coredomain
713    -socket_between_core_and_vendor_violators
714  });
715')
716
717  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
718full_treble_only(`
719  neverallow {
720    domain
721    -coredomain
722    -appdomain # appdomain restrictions below
723    -data_between_core_and_vendor_violators # b/70393317
724    -socket_between_core_and_vendor_violators
725    -vendor_init
726  } {
727    coredomain_socket
728    core_data_file_type
729    unlabeled # used only by core domains
730  }:sock_file ~{ append getattr ioctl read write };
731')
full_treble_only(`
  # Same restriction for vendor apps (appdomain outside coredomain), with
  # app-private data and the VR pdx socket types carved out of the targets.
  neverallow {
    appdomain
    -coredomain
  } {
    coredomain_socket
    unlabeled # used only by core domains
    core_data_file_type
    -app_data_file
    -privapp_data_file
    -pdx_endpoint_socket_type # used by VR layer
    -pdx_channel_socket_type # used by VR layer
  }:sock_file ~{ append getattr ioctl read write };
')
746
  # Core domains are not permitted to create/open sockets owned by vendor domains
full_treble_only(`
  # Vendor-owned here means every file_type/dev_type sock_file that is not a
  # core socket, core data, app data or unlabeled type. init, ueventd and the
  # declared violators are exempt; only already-open-FD operations remain.
  neverallow {
    coredomain
    -init
    -ueventd
    -socket_between_core_and_vendor_violators
  } {
    file_type
    dev_type
    -coredomain_socket
    -core_data_file_type
    -app_data_file_type
    -unlabeled
  }:sock_file ~{ append getattr ioctl read write };
')
763
# On TREBLE devices, vendor and system components are only allowed to share
# files by passing open FDs over hwbinder. Ban all directory access and all file
# accesses other than what can be applied to an open FD such as
# ioctl/stat/read/write/append. This is enforced by segregating /data.
# Vendor domains may directly access files in /data/vendor by path, but may only
# access files outside of /data/vendor via an open FD passed over hwbinder.
# Likewise, core domains may only directly access files outside /data/vendor by
# path and files in /data/vendor by open FD.
full_treble_only(`
  # coredomains may only open files of core_data_file_type or
  # app_data_file_type by path; in particular never /data/vendor. Any other
  # data_file_type may only be used through an already-open FD
  # (append/getattr/ioctl/read/write/map).
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -data_between_core_and_vendor_violators
    -init
    -vold_prepare_subdirs
  } {
    data_file_type
    -core_data_file_type
    -app_data_file_type
  }:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
  # Directory variant: coredomains get no dir permission at all on non-core,
  # non-app data types. vendor_data_file is carved out here and restricted
  # to getattr/search by a later neverallow.
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -data_between_core_and_vendor_violators
    -init
    -vold_prepare_subdirs
    } {
      data_file_type
      -core_data_file_type
      -app_data_file_type
      # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
      # neverallow. Currently only getattr and search are allowed.
      -vendor_data_file
    }:dir *;

')
full_treble_only(`
  # vendor domains may only access files in /data/vendor, never core_data_file_types
  # (beyond what an already-open FD allows). Native-coverage builds carve out
  # method_trace_data_file so vendor processes can write coverage data.
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -vendor_init
  } {
    core_data_file_type
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  # vendor_init gets the same restriction, except for unencrypted_data_file.
  neverallow {
    vendor_init
    -data_between_core_and_vendor_violators
  } {
    core_data_file_type
    -unencrypted_data_file
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
  # The vendor init binary lives on the system partition so there is not a concern with stability.
  # Even there it is limited to read-only file permissions.
  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
')
full_treble_only(`
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types.
  # The carve-outs (system_data_file, system_data_root_file, vendor_userdir_file,
  # vendor_data_file) are handled by the more specific rules that follow.
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators
    -vendor_init
  } {
    core_data_file_type
    -system_data_file # default label for files on /data. Covered below...
    -system_data_root_file
    -vendor_userdir_file
    -vendor_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  # vendor_init: same as above, with unencrypted_data_file additionally carved out.
  neverallow {
    vendor_init
    -data_between_core_and_vendor_violators
  } {
    core_data_file_type
    -unencrypted_data_file
    -system_data_file
    -system_data_root_file
    -vendor_userdir_file
    -vendor_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
  # The vendor init binary lives on the system partition so there is not a concern with stability.
  # On the directory itself only search is permissible.
  neverallow vendor_init unencrypted_data_file:dir ~search;
')
full_treble_only(`
  # system_data_file is the default label under /data. Vendor domains may
  # only getattr/search such directories (presumably just enough to
  # path-walk through /data); nothing else.
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    } {
      system_data_file # default label for files on /data. Covered below
    }:dir ~{ getattr search };
')
871
full_treble_only(`
  # coredomains may not access dirs in /data/vendor beyond getattr/search.
  # init, vold and vold_prepare_subdirs are exempt (vold creates per-user
  # storage for both system and vendor).
  neverallow {
    coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -init
    -vold # vold creates per-user storage for both system and vendor
    -vold_prepare_subdirs
    } {
      vendor_data_file # label for /data/vendor{,_ce,_de}; file access is restricted in the next rule
    }:dir ~{ getattr search };
')
884
full_treble_only(`
  # coredomains may not open files in /data/vendor by path; only the
  # operations valid on an already-open FD remain permissible.
  neverallow {
    coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -init
    } {
      vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
    }:file_class_set ~{ append getattr ioctl read write map };
')
895
full_treble_only(`
    # Core domains are not allowed to execute the vendor shell binary
    # (vendor_shell_exec); only init, shell and ueventd are exempt.
    neverallow {
        coredomain
        -init
        -shell
        -ueventd
    } vendor_shell_exec:file { execute execute_no_trans };
')
906
full_treble_only(`
    # Do not allow vendor components to execute files from system
    # except for the ones allowed here. Vendor apps, vendor_init and the
    # declared vendor_executes_system_violators are exempt from the rule.
    neverallow {
        domain
        -coredomain
        -appdomain
        -vendor_executes_system_violators
        -vendor_init
    } {
        system_file_type
        -system_lib_file
        -system_linker_exec
        -crash_dump_exec
        -netutils_wrapper_exec
        userdebug_or_eng(`-tcpdump_exec')
        # Vendor components still can invoke shell commands via /system/bin/sh
        -shell_exec
        -toolbox_exec
    }:file { entrypoint execute execute_no_trans };
')
928
full_treble_only(`
    # Do not allow coredomain to access entrypoint for files other
    # than system_file_type and postinstall_file
    neverallow coredomain {
        file_type
        -system_file_type
        -postinstall_file
    }:file entrypoint;
    # Do not allow domains other than coredomain to access entrypoint
    # for anything but vendor_file_type and init_exec for vendor_init.
    # Together these pin core entry points to system files and vendor
    # entry points to vendor files.
    neverallow { domain -coredomain } {
        file_type
        -vendor_file_type
        -init_exec
    }:file entrypoint;
')
945
full_treble_only(`
    # Do not allow system components to execute files from vendor
    # except for the ones allowed here (same-process HALs, VNDK-SP,
    # vendor apps and the vendor public framework/lib files).
    neverallow {
      coredomain
      -init
      -shell
      -system_executes_vendor_violators
      -ueventd
    } {
      vendor_file_type
      -same_process_hal_file
      -vndk_sp_file
      -vendor_app_file
      -vendor_public_framework_file
      -vendor_public_lib_file
    }:file execute;
')
964
full_treble_only(`
    # execute_no_trans (run without a domain transition) is tighter than
    # execute above: only same_process_hal_file is carved out, and only
    # shell and the declared violators are exempt.
    neverallow {
      coredomain
      -shell
      -system_executes_vendor_violators
    } {
      vendor_file_type
      -same_process_hal_file
    }:file execute_no_trans;
')
975
full_treble_only(`
  # Do not allow vendor components access to /system files except for the
  # ones allowed here. This bans every file permission (*), not just execute;
  # the carve-outs are the shared libraries, the linker and a fixed set of
  # configuration files listed below.
  neverallow {
    domain
    -appdomain
    -coredomain
    -vendor_executes_system_violators
    # vendor_init needs access to init_exec for domain transition. vendor_init
    # neverallows are covered in public/vendor_init.te
    -vendor_init
  } {
    system_file_type
    -crash_dump_exec
    -file_contexts_file
    -netutils_wrapper_exec
    -property_contexts_file
    -system_event_log_tags_file
    -system_group_file
    -system_lib_file
    with_asan(`-system_asan_options_file')
    -system_linker_exec
    -system_linker_config_file
    -system_passwd_file
    -system_seccomp_policy_file
    -system_security_cacerts_file
    -system_zoneinfo_file
    -task_profiles_api_file
    -task_profiles_file
    userdebug_or_eng(`-tcpdump_exec')
    # Vendor components still can invoke shell commands via /system/bin/sh
    -shell_exec
    -toolbox_exec
  }:file *;
')
1011
# Only system_server should be able to send commands via the zygote socket
# (zygote itself is additionally exempt from the connectto check).
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;

# Same for the webview and app zygote sockets: only system_server may write
# the socket files; webview_zygote and app_zygote may also connect to the
# webview zygote.
neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow { domain -system_server } app_zygote:sock_file write;
1019
# No domain at all may be granted connectto on the tombstoned crash socket.
neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;

# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
1026
# Never allow anyone but init and system_server to read heapdumps in /data/system/heapdump.
neverallow { domain -init -system_server } heapdump_data_file:file read;
1029
# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
# Every permission on every SysV IPC class is banned for every source and target type.
neverallow * *:{ shm sem msg msgq } *;
1047
# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
1051
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
1056
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
# (A second execmod rule further down limits even these file types to the
# untrusted_app_25 / untrusted_app_27 domains.)
neverallow * {
  file_type
  -apk_data_file
  -app_data_file
  -asec_public_file
}:file execmod;
1068
# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
neverallow * self:process { execstack execheap };
1073
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# Combined with the file-type execmod rule above, execmod is only possible
# for untrusted_app_25 / untrusted_app_27, and only on apk_data_file,
# app_data_file and asec_public_file.
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
1077
# Only init may mount on top of the generic proc label; zygote may
# additionally mount on other proc_type files and directories.
neverallow { domain -init } proc:{ file dir } mounton;
neverallow { domain -init -zygote } proc_type:{ file dir } mounton;
1080
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
# (Only the non-domain -> domain direction is currently asserted.)
neverallow ~domain domain:process { transition dyntransition };
1088
#
# Only system_app and system_server should be creating or writing
# their files. The proper way to share files is to setup
# type transitions to a more specific type or assigning a type
# to its parent directory via a file_contexts entry.
# Example type transition:
#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
  domain
  -system_server
  -system_app
  -init
  -toolbox # TODO(b/141108496) We want to remove toolbox
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
  -vold_prepare_subdirs # For unlink
  with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
1110
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
  domain
  -adbd
  -init
  -runas
  -zygote
} shell:process { transition dyntransition };
1123
# Only zygote, app_zygote, webview_zygote, runas and simpleperf_app_runner
# may transition into a domain carrying the appdomain attribute. shell, su
# (userdebug/eng) and simpleperf are excluded from the target set; simpleperf
# is a domain transitioned to when running an app-scoped profiling session.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
  appdomain -shell -simpleperf userdebug_or_eng(`-su')
}:process { transition dyntransition };
1130
# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
# Only apps themselves, artd and installd may read app-data symlinks.
neverallow {
  domain
  -appdomain
  -artd
  -installd
} { app_data_file privapp_data_file }:lnk_file read;

# Only shell, installd and (on userdebug/eng) uncrypt may read shell-data symlinks.
neverallow {
  domain
  -shell
  userdebug_or_eng(`-uncrypt')
  -installd
} shell_data_file:lnk_file read;
1146
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
    servicemanager
    vndservicemanager
    }:service_manager list;

# hwservicemanager is the only process which handles hw list requests
neverallow * ~{
    hwservicemanager
    }:hwservice_manager list;
1158
1159# only service_manager_types can be added to service_manager
1160# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
1161
1162# Prevent assigning non property types to properties
1163# TODO - rework this: neverallow * ~property_type:property_service set;
1164
# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
# executable file used to enter a domain should be labeled
# with its own _exec type, not with the domain type.
# Conventionally, this looks something like:
# $ cat mydaemon.te
# type mydaemon, domain;
# type mydaemon_exec, exec_type, file_type;
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
neverallow * domain:file { execute execute_no_trans entrypoint };
1177
# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix dumpstate
neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;

# Do not allow executable files in debugfs.
neverallow domain debugfs_type:file { execute execute_no_trans };
1186
# Do not allow access to the FUSE control filesystem, except for vold, init and vendor_init.
neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
1189
# Profiles contain untrusted data and profman parses that. We should only run
# it from installd and artd forked processes.
neverallow {
  domain
  -installd
  -profman
  -artd
} profman_exec:file no_x_file_perms;
1198
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, boot, and system_dlkm partitions.
# TODO(b/218951883): Remove usage of system and rootfs as origin
neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
1204
# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
neverallow * self:global_capability_class_set setfcap;
1208
# Enforce AT_SECURE for executing crash_dump: no domain may hold noatsecure
# on crash_dump, which would let it suppress secure-exec handling when
# transitioning into crash_dump.
neverallow domain crash_dump:process noatsecure;
1211
# Do not permit non-core domains to register HwBinder services which are
# guaranteed to be provided by core domains only.
neverallow ~coredomain coredomain_hwservice:hwservice_manager add;

# Do not permit the registration of HwBinder services which are guaranteed to
# be passthrough only (i.e., run in the process of their clients instead of a
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;
1220
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.

# These filesystems don't allow files or directories to be created, so the permission
# to do so should never be granted.
neverallow domain {
  proc_type
  sysfs_type
}:dir { add_name create link remove_name rename reparent rmdir write };

# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create;

# Suppress the spurious denials described above; the neverallows above
# guarantee these can never actually be granted.
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
dontaudit domain cgroup_v2:file create;

# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
userdebug_or_eng(`
  dontaudit domain proc_type:dir add_name;
  dontaudit domain sysfs_type:dir add_name;
  dontaudit domain proc_type:file create;
  dontaudit domain sysfs_type:file create;
')
1249
# Platform must not have access to /mnt/vendor (no dir permission at all);
# init, ueventd, vold and the declared violators are exempt.
neverallow {
  coredomain
  -init
  -ueventd
  -vold
  -system_writes_mnt_vendor_violators
} mnt_vendor_file:dir *;
1258
# Only apps are allowed to execute vendor public libraries; other core
# domains may not.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
  } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
')
1266
# Vendor domains must not have any access to /mnt/product.
neverallow {
  domain
  -coredomain
} mnt_product_file:dir *;
1272
# Platform must not read sysfs_batteryinfo directly; it should go through the
# health HAL instead. Each exemption below is annotated with its reason.
full_treble_only(`
  neverallow {
    coredomain
    -shell
    # For access to block device information under /sys/class/block.
    -apexd
    # Read sysfs block device information.
    -init
    # Generate uevents for health info
    -ueventd
    # Recovery uses health HAL passthrough implementation.
    -recovery
    # Charger uses health HAL passthrough implementation.
    -charger
    # TODO(b/110891300): remove this exception
    -incidentd
  } sysfs_batteryinfo:file { open read };
')
1292
# Only the codec2 and OMX HAL servers may register the codec2 hwservice.
neverallow {
  domain
  -hal_codec2_server
  -hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
1298
# Only apps targeting < Q are allowed to open /dev/ashmem directly.
# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
neverallow {
  domain
  -ephemeral_app # We don't distinguish ephemeral apps based on target API.
  -untrusted_app_25
  -untrusted_app_27
} ashmem_device:chr_file open;
1307
# Only traced_probes, init and vendor_init may be granted any file permission
# on the tracing printk_formats debugfs file.
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
1309