# Read-only system-property access granted to every coredomain process.
# Each get_prop() line grants read access to one property type; no set_prop()
# appears in this list, so none of these lines lets a coredomain process
# write the property.
get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, dalvik_config_prop_type)
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, graphics_config_writable_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
get_prop(coredomain, zygote_config_prop)
get_prop(coredomain, zygote_wrap_prop)

# TODO(b/170590987): remove this after cleaning up default_prop
# NOTE(review): default_prop is presumably the catch-all label for properties
# that have no more specific type, so this line is broader than the entries
# above; narrowing it is what the TODO tracks.
get_prop(coredomain, default_prop)
34
# sysfs_leds: only the carved-out domains may hold any file permission on it
# (the * stands for every permission in the file class). A neverallow is
# checked when the policy is compiled: an allow rule elsewhere that overlaps
# it fails the build rather than being denied at runtime. Wrapped in
# full_treble_only(), so presumably asserted only on full-Treble builds.
full_treble_only(`
neverallow {
    coredomain

    # for chowning
    -init

    # generic access to sysfs_type
    -apexd
    -ueventd
    -vold
} sysfs_leds:file *;
')
48
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
    # Limit access to /vendor/app
    # Each domain with a leading - is removed from the neverallow and may be
    # granted the listed dir permissions. The userdebug_or_eng() entry is
    # presumably present only on non-user builds, so on user builds
    # overlay_remounter stays covered by the rule.
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -idmap
        -init
        -installd
        -heapprofd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
        userdebug_or_eng(`-overlay_remounter')
    } vendor_app_file:dir { open read getattr search };
')
69
full_treble_only(`
    # Limit read access (r_file_perms) to files under /vendor/app.
    # NOTE(review): -profman and -mediaserver are carved out here but not from
    # the vendor_app_file:dir rule above, so they may only be granted reads of
    # these files without dir search (for example via an fd handed to them);
    # confirm that asymmetry is intended. The userdebug_or_eng() carve-outs
    # are presumably absent on user builds.
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -idmap
        -init
        -installd
        -heapprofd
        userdebug_or_eng(`-profcollectd')
        -postinstall_dexopt
        -profman
        -rs # spawned by appdomain, so carryover the exception above
        userdebug_or_eng(`-simpleperf_boot')
        -system_server
        -traced_perf
        -mediaserver
        userdebug_or_eng(`-overlay_remounter')
    } vendor_app_file:file r_file_perms;
')
91
full_treble_only(`
    # Limit access to /vendor/overlay
    # Same allowlist as the /vendor/app dir rule, plus the three zygote
    # domains (app_zygote, webview_zygote, zygote). Everything else in
    # coredomain must not be granted these dir permissions.
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
        -app_zygote
        -webview_zygote
        -zygote
        -heapprofd
        userdebug_or_eng(`-overlay_remounter')
    } vendor_overlay_file:dir { getattr open read search };
')
113
full_treble_only(`
    # Limit open on files under /vendor/overlay. Same domains as the
    # vendor_overlay_file:dir rule above plus the userdebug_or_eng() profiling
    # carve-outs (profcollectd, simpleperf_boot), which are presumably absent
    # on user builds. Only open is asserted here; other file permissions are
    # not covered by this rule.
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
        -app_zygote
        -webview_zygote
        -zygote
        -heapprofd
        userdebug_or_eng(`-profcollectd')
        userdebug_or_eng(`-simpleperf_boot')
        userdebug_or_eng(`-overlay_remounter')
    } vendor_overlay_file:file open;
')
136
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
# Each rule below names only the generic type of a kernel filesystem (proc,
# sysfs, device, ...); a node that carries a more specific label is outside
# the rule. no_rw_file_perms is the permission set each rule asserts.
full_treble_only(`
  # /proc
  neverallow {
    coredomain
    -init
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  # The vfio_handler carve-out is wrapped in is_flag_enabled(), so it is
  # presumably present only when RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT is set.
  neverallow {
    coredomain
    -apexd
    -init
    -ueventd
    is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `-vfio_handler')
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  # Covers both block and regular files carrying the generic device label.
  neverallow {
    coredomain
    -apexd
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  # The carve-outs are wrapped in no_debugfs_restriction(), so presumably
  # when debugfs access is restricted no coredomain process is exempt.
  neverallow {
    coredomain
    no_debugfs_restriction(`
      -dumpstate
      -init
      -system_server
    ')
  } debugfs:file no_rw_file_perms;

  # tracefs
  # The userdebug_or_eng() profiling carve-outs are presumably absent on
  # user builds.
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -gpuservice
    -init
    -lmkd
    -traced_perf
    -traced_probes
    -shell
    -system_server
    -traceur_app
    -prefetch
    userdebug_or_eng(`-profcollectd')
    userdebug_or_eng(`-simpleperf_boot')
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -adbd_tradeinmode
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;

  # dmabuf heaps
  # The target set is dmabuf_heap_device_type minus the two system heap
  # nodes, so dmabuf_system_heap_device and dmabuf_system_secure_heap_device
  # are outside this rule and remain subject only to allow rules elsewhere.
  neverallow {
    coredomain
    -init
    -ueventd
  }{
    dmabuf_heap_device_type
    -dmabuf_system_heap_device
    -dmabuf_system_secure_heap_device
  }:chr_file no_rw_file_perms;
')
251
# The following /dev nodes must not be directly accessed by coredomain, but
# should instead be wrapped by HALs.
# Not wrapped in full_treble_only(), so this holds on every build. Only the
# listed permissions are asserted; getattr, for example, is not among them.
neverallow coredomain {
  iio_device
  radio_device
}:chr_file { open read append write ioctl };
258
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
# Same permission set as the iio_device/radio_device rule above, but asserted
# only on full-Treble builds for the reason in the TODO.
full_treble_only(`
  neverallow coredomain tee_device:chr_file { open read append write ioctl };
')
264