1# Rules for all domains. 2 3# Allow reaping by init. 4allow domain init:process sigchld; 5 6# Intra-domain accesses. 7allow domain self:process { 8 fork 9 sigchld 10 sigkill 11 sigstop 12 signull 13 signal 14 getsched 15 setsched 16 getsession 17 getpgid 18 getcap 19 setcap 20 getattr 21 setrlimit 22}; 23allow { domain -artd_subprocess_type } self:process setpgid; 24allow domain self:fd use; 25allow domain proc:dir r_dir_perms; 26allow domain proc_net_type:dir search; 27r_dir_file(domain, self) 28allow domain self:{ fifo_file file } rw_file_perms; 29allow domain self:unix_dgram_socket { create_socket_perms sendto }; 30allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31 32# Inherit or receive open files from others. 33allow domain init:fd use; 34 35userdebug_or_eng(` 36 allow domain su:fd use; 37 allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown }; 38 allow domain su:unix_dgram_socket sendto; 39 40 allow { domain -init } su:binder { call transfer }; 41 42 # Running something like "pm dump com.android.bluetooth" requires 43 # fifo writes 44 allow domain su:fifo_file { write getattr }; 45 46 # allow "gdbserver --attach" to work for su. 47 allow domain su:process sigchld; 48 49 # Allow writing coredumps to /cores/* 50 allow domain coredump_file:file create_file_perms; 51 allow domain coredump_file:dir ra_dir_perms; 52') 53 54with_native_coverage(` 55 # Allow writing coverage information to /data/misc/trace 56 allow domain method_trace_data_file:dir create_dir_perms; 57 allow domain method_trace_data_file:file create_file_perms; 58') 59 60# Allow everyone to read aconfig flags 61get_prop(domain, device_config_aconfig_flags_prop); 62 63# Root fs. 64allow domain tmpfs:dir { getattr search }; 65allow domain rootfs:dir search; 66allow domain rootfs:lnk_file { read getattr }; 67 68# Device accesses. 69allow domain device:dir search; 70allow domain dev_type:lnk_file r_file_perms; 71allow domain devpts:dir search; 72allow domain dmabuf_heap_device:dir r_dir_perms; 73allow domain socket_device:dir r_dir_perms; 74allow domain owntty_device:chr_file rw_file_perms; 75allow domain null_device:chr_file rw_file_perms; 76allow domain zero_device:chr_file rw_file_perms; 77 78# /dev/ashmem is being deprecated by means of constraining and eventually 79# removing all "open" permissions. We preserve the other permissions. 80allow domain ashmem_device:chr_file { getattr read ioctl lock map append write }; 81# This device is used by libcutils, which is accessible to everyone. 82allow domain ashmem_libcutils_device:chr_file rw_file_perms; 83 84# /dev/binder can be accessed by ... everyone! :) 85allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms; 86get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop) 87# Checking for the existance of the hwservicemanager binary is done in the client API 88# isHwServiceManagerInstalled 89dontaudit domain hwservicemanager_exec:file r_file_perms; 90 91 92# Restrict binder ioctls to an allowlist. Additional ioctl commands may be 93# added to individual domains, but this sets safe defaults for all processes. 94allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls }; 95 96# /dev/binderfs needs to be accessed by everyone too! 97allow domain binderfs:dir { getattr search }; 98allow domain binderfs_logs_proc:dir search; 99allow domain binderfs_features:dir search; 100allow domain binderfs_features:file r_file_perms; 101 102allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; 103allow domain ptmx_device:chr_file rw_file_perms; 104allow domain random_device:chr_file rw_file_perms; 105allow domain proc_random:dir r_dir_perms; 106allow domain proc_random:file r_file_perms; 107allow domain properties_device:dir { search getattr }; 108allow domain properties_serial:file r_file_perms; 109allow domain property_info:file r_file_perms; 110 111# Let everyone read log properties, so that liblog can avoid sending unloggable 112# messages to logd. 113get_prop(domain, log_property_type) 114dontaudit domain property_type:file audit_access; 115allow domain property_contexts_file:file r_file_perms; 116 117allow domain init:key search; 118allow domain vold:key search; 119 120# logd access 121write_logd(domain) 122 123# Directory/link file access for path resolution. 124allow domain { 125 system_file 126 system_lib_file 127 system_seccomp_policy_file 128 system_security_cacerts_file 129}:dir r_dir_perms; 130allow domain system_file:lnk_file { getattr read }; 131 132# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*, 133# /(system|product|system_ext)/etc/(group|passwd), linker and its config. 134allow domain system_seccomp_policy_file:file r_file_perms; 135# cacerts are accessible from public Java API. 136allow domain system_security_cacerts_file:file r_file_perms; 137allow domain system_group_file:file r_file_perms; 138allow domain system_passwd_file:file r_file_perms; 139allow domain system_linker_exec:file { execute read open getattr map }; 140allow domain system_linker_config_file:file r_file_perms; 141allow domain system_lib_file:file { execute read open getattr map }; 142# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc. 143allow domain system_linker_exec:lnk_file { read open getattr }; 144allow domain system_lib_file:lnk_file { read open getattr }; 145 146allow domain system_event_log_tags_file:file r_file_perms; 147 148allow { appdomain coredomain } system_file:file { execute read open getattr map }; 149 150# Make sure system/vendor split doesn not affect non-treble 151# devices 152not_full_treble(` 153 allow domain system_file:file { execute read open getattr map }; 154 allow domain vendor_file_type:dir { search getattr }; 155 allow domain vendor_file_type:file { execute read open getattr map }; 156 allow domain vendor_file_type:lnk_file { getattr read }; 157') 158 159# All domains are allowed to open and read directories 160# that contain HAL implementations (e.g. passthrough 161# HALs require clients to have these permissions) 162allow domain vendor_hal_file:dir r_dir_perms; 163 164# Everyone can read and execute all same process HALs 165allow domain same_process_hal_file:dir r_dir_perms; 166allow { 167 domain 168 -coredomain # access is explicitly granted to individual coredomains 169} same_process_hal_file:file { execute read open getattr map }; 170 171# Any process can load vndk-sp libraries, which are system libraries 172# used by same process HALs 173allow domain vndk_sp_file:dir r_dir_perms; 174allow domain vndk_sp_file:file { execute read open getattr map }; 175 176# All domains get access to /vendor/etc 177allow domain vendor_configs_file:dir r_dir_perms; 178allow domain vendor_configs_file:file { read open getattr map }; 179 180full_treble_only(` 181 # Allow all domains to be able to follow /system/vendor and/or 182 # /vendor/odm symlinks. 183 allow domain vendor_file_type:lnk_file { getattr open read }; 184 185 # This is required to be able to search & read /vendor/lib64 186 # in order to lookup vendor libraries. The execute permission 187 # for coredomains is granted *only* for same process HALs 188 allow domain vendor_file:dir { getattr search }; 189 190 # Allow reading and executing out of /vendor to all vendor domains 191 allow { domain -coredomain } vendor_file_type:dir r_dir_perms; 192 allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; 193 allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; 194') 195 196# read and stat any sysfs symlinks 197allow domain sysfs:lnk_file { getattr read }; 198 199# libc references /system/usr/share/zoneinfo for timezone related information. 200# This directory is considered to be a VNDK-stable 201allow domain { system_zoneinfo_file }:file r_file_perms; 202allow domain { system_zoneinfo_file }:dir r_dir_perms; 203 204# Lots of processes access current CPU information 205r_dir_file(domain, sysfs_devices_system_cpu) 206 207r_dir_file(domain, sysfs_usb); 208 209# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically 210# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled. 211allow domain sysfs_transparent_hugepage:dir search; 212allow domain sysfs_transparent_hugepage:file r_file_perms; 213 214# Allow search access, and sometimes getattr access, to various directories 215# under /data. We are fairly lenient in allowing search access to top-level 216# dirs that commonly need to be traversed to get access to the "real" files, as 217# this greatly simplifies the policy and doesn't open up much attack surface. 218not_full_treble(` 219 allow domain system_data_file:dir getattr; 220') 221allow { coredomain appdomain } system_data_file:dir getattr; 222# Anything that accesses anything in /data needs search access to /data itself. 223# This includes vendor components, as they need to access /data/vendor. 224allow domain system_data_root_file:dir { search getattr } ; 225# system_data_file is the default type for directories in /data. Anything 226# accessing data files with a more specific type often has to traverse a 227# system_data_file directory such as /data/misc to get there. 228allow domain system_data_file:dir search; 229# Anything that accesses files in /data/user (and /data/user_de, etc.) needs 230# search access to these directories themselves. getattr access is sometimes 231# needed too. 232allow { coredomain appdomain } system_userdir_file:dir { search getattr }; 233# Anything that accesses files in /data/media needs search access to /data/media 234# itself. 235allow { coredomain appdomain } media_userdir_file:dir search; 236# TODO restrict this to non-coredomain 237allow domain vendor_userdir_file:dir { getattr search }; 238allow domain vendor_data_file:dir { getattr search }; 239 240# required by the dynamic linker 241allow domain proc:lnk_file { getattr read }; 242 243# /proc/cpuinfo 244allow domain proc_cpuinfo:file r_file_perms; 245 246# /dev/cpu_variant:.* 247allow domain dev_cpu_variant:file r_file_perms; 248 249# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate 250allow domain proc_perf:file r_file_perms; 251 252# toybox loads libselinux which stats /sys/fs/selinux/ 253allow domain selinuxfs:dir search; 254allow domain selinuxfs:file getattr; 255allow domain sysfs:dir search; 256allow domain selinuxfs:filesystem getattr; 257 258# Almost all processes log tracing information to 259# /sys/kernel/debug/tracing/trace_marker 260# The reason behind this is documented in b/6513400 261allow domain debugfs:dir search; 262allow domain debugfs_tracing:dir search; 263allow domain debugfs_tracing_debug:dir search; 264allow domain debugfs_trace_marker:file w_file_perms; 265 266# Linux lockdown mode offered coarse-grained definitions for access controls. In 267# previous versions of the policy, the integrity permission was neverallowed. 268# It was found that this permission mainly duplicates pre-existing rules in 269# the policy (see b/285443587). Additionally, some access were found to be 270# required (b/269377822). The access vector was removed from kernel 5.16 271# onwards. Grant unconditional access, these rules should be removed from the 272# policy once no kernel <5.16 are supported. 273allow domain self:lockdown { confidentiality integrity }; 274 275# Filesystem access. 276allow domain fs_type:filesystem getattr; 277allow domain fs_type:dir getattr; 278 279# Restrict all domains to an allowlist for common socket types. Additional 280# ioctl commands may be added to individual domains, but this sets safe 281# defaults for all processes. Note that granting this allowlist to domain does 282# not grant the ioctl permission on these socket types. That must be granted 283# separately. 284allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } 285 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 286# default allowlist for unix sockets. 287allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket } 288 ioctl unpriv_unix_sock_ioctls; 289 290# Restrict PTYs to only allowed ioctls. 291# Note that granting this allowlist to domain does 292# not grant the wider ioctl permission. That must be granted 293# separately. 294allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; 295 296# All domains must clearly enumerate what ioctls they use 297# on filesystem objects (plain files, directories, symbolic links, 298# named pipes, and named sockets). We start off with a safe set. 299allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX }; 300 301# If a domain has ioctl access to tun_device, it must clearly enumerate the 302# ioctls used. Safe defaults are listed below. 303allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX }; 304 305# Allow a process to make a determination whether a file descriptor 306# for a plain file or pipe (fifo_file) is a tty. Note that granting 307# this allowlist to domain does not grant the ioctl permission to 308# these files. That must be granted separately. 309allowxperm domain { file_type fs_type }:file ioctl { TCGETS }; 310allowxperm domain domain:fifo_file ioctl { TCGETS }; 311 312# If a domain has access to perform an ioctl on a block device, allow these 313# very common, benign ioctls 314allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET }; 315 316# Support sqlite F2FS specific optimizations 317# ioctl permission on the specific file type is still required 318# TODO: consider only compiling these rules if we know the 319# /data partition is F2FS 320allowxperm domain { file_type sdcard_type }:file ioctl { 321 F2FS_IOC_ABORT_VOLATILE_WRITE 322 F2FS_IOC_COMMIT_ATOMIC_WRITE 323 F2FS_IOC_GET_FEATURES 324 F2FS_IOC_GET_PIN_FILE 325 F2FS_IOC_SET_PIN_FILE 326 F2FS_IOC_START_ATOMIC_WRITE 327}; 328 329# Workaround for policy compiler being too aggressive and removing hwservice_manager_type 330# when it's not explicitly used in allow rules 331allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; 332# Workaround for policy compiler being too aggressive and removing vndservice_manager_type 333# when it's not explicitly used in allow rules 334allow { domain -domain } vndservice_manager_type:service_manager { add find }; 335 336# Under ASAN, processes will try to read /data, as the sanitized libraries are there. 337with_asan(`allow domain system_data_file:dir getattr;') 338# Under ASAN, /system/asan.options needs to be globally accessible. 339with_asan(`allow domain system_asan_options_file:file r_file_perms;') 340 341# read APEX dir and stat any symlink pointing to APEXs. 342allow domain apex_mnt_dir:dir { getattr search }; 343allow domain apex_mnt_dir:lnk_file r_file_perms; 344 345# Allow reading /sys/kernel/mm/pgsize_migration/enabled 346allow domain sysfs_pgsize_migration:dir search; 347allow domain sysfs_pgsize_migration:file r_file_perms; 348 349# Linker is executed from the context of the process requesting the dynamic linking, 350# so this prop must be "world-readable". 351get_prop(domain, bionic_linker_16kb_app_compat_prop) 352 353# Allow everyone to read media server-configurable flags, so that libstagefright can be 354# configured using server-configurable flags 355get_prop(domain, device_config_media_native_prop) 356 357# Transition to crash_dump when /system/bin/crash_dump* is executed. 358# This occurs when the process crashes. 359# We do not apply this to the su domain to avoid interfering with 360# tests (b/114136122) 361domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump); 362allow domain crash_dump:process sigchld; 363 364# Allow every process to check the heapprofd.enable properties to determine 365# whether to load the heap profiling library. This does not necessarily enable 366# heap profiling, as initialization will fail if it does not have the 367# necessary SELinux permissions. 368get_prop(domain, heapprofd_prop); 369 370# See private/crash_dump.te 371define(`dumpable_domain',`{ 372 domain 373 -apexd 374 -bpfloader 375 -crash_dump 376 -crosvm # TODO(b/236672526): Remove exception for crosvm 377 -init 378 -kernel 379 -keystore 380 -llkd 381 -logd 382 -ueventd 383 -vendor_init 384 -vold 385}') 386 387# Allow heap profiling by heapprofd. 388# Zygotes are excluded due to potential issues with holding open file 389# descriptors or other state across forks. Other exclusions conflict with 390# neverallows, and are not considered important to profile. 391can_profile_heap({ 392 dumpable_domain 393 -app_zygote 394 -hal_configstore_server 395 -logpersist 396 -recovery 397 -recovery_persist 398 -recovery_refresh 399 -webview_zygote 400 -zygote 401}) 402 403# Allow profiling using perf_event_open by traced_perf. 404can_profile_perf({ 405 dumpable_domain 406 -app_zygote 407 -hal_configstore_server 408 -webview_zygote 409 -zygote 410}) 411 412# Everyone can access the IncFS list of features. 413r_dir_file(domain, sysfs_fs_incfs_features); 414 415# Everyone can access the fuse list of features. 416r_dir_file(domain, sysfs_fs_fuse_features); 417 418# Path resolution access in cgroups. 419allow domain cgroup:dir search; 420allow { domain -appdomain -rs } cgroup:dir w_dir_perms; 421allow { domain -appdomain -rs } cgroup:file w_file_perms; 422 423allow domain cgroup_v2:dir search; 424allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms; 425allow { domain -appdomain -rs } cgroup_v2:file w_file_perms; 426 427allow domain cgroup_desc_file:file r_file_perms; 428allow domain cgroup_rc_file:dir search; 429allow domain cgroup_rc_file:file r_file_perms; 430allow domain task_profiles_file:file r_file_perms; 431allow domain vendor_cgroup_desc_file:file r_file_perms; 432allow domain vendor_task_profiles_file:file r_file_perms; 433allow domain libprocessgroup_metadata_file:dir r_dir_perms; 434allow domain libprocessgroup_metadata_file:file r_file_perms; 435 436# Allow all domains to read sys.use_memfd to determine 437# if memfd support can be used if device supports it 438get_prop(domain, use_memfd_prop); 439 440# Read access to sdkextensions props 441get_prop(domain, module_sdkextensions_prop) 442 443# Read access to bq configuration values 444get_prop(domain, bq_config_prop); 445 446# Allow all domains to check whether MTE is set to permissive mode. 447get_prop(domain, permissive_mte_prop); 448 449# Allow ART to be configurable via device_config properties 450# (ART "runs" inside the app process), and MTE bootloader override to be 451# observed by everything 452get_prop(domain, device_config_memory_safety_native_boot_prop); 453get_prop(domain, device_config_memory_safety_native_prop); 454get_prop(domain, device_config_runtime_native_boot_prop); 455get_prop(domain, device_config_runtime_native_prop); 456 457# For now, everyone can access core property files 458# Device specific properties are not granted by default 459not_compatible_property(` 460 # DO NOT ADD ANY PROPERTIES HERE 461 get_prop(domain, core_property_type) 462 get_prop(domain, exported3_system_prop) 463 get_prop(domain, vendor_default_prop) 464') 465compatible_property_only(` 466 # DO NOT ADD ANY PROPERTIES HERE 467 get_prop({coredomain appdomain shell}, core_property_type) 468 get_prop({coredomain appdomain shell}, exported3_system_prop) 469 get_prop({coredomain appdomain shell}, exported_camera_prop) 470 get_prop({coredomain shell}, userspace_reboot_exported_prop) 471 get_prop({coredomain shell}, userspace_reboot_log_prop) 472 get_prop({coredomain shell}, userspace_reboot_test_prop) 473 get_prop({domain -coredomain -appdomain}, vendor_default_prop) 474') 475 476# Public readable properties 477get_prop(domain, aaudio_config_prop) 478get_prop(domain, apexd_select_prop) 479get_prop(domain, arm64_memtag_prop) 480get_prop(domain, bluetooth_config_prop) 481get_prop(domain, bootloader_prop) 482get_prop(domain, build_odm_prop) 483get_prop(domain, build_prop) 484get_prop(domain, build_vendor_prop) 485get_prop(domain, debug_prop) 486get_prop(domain, exported_config_prop) 487get_prop(domain, exported_default_prop) 488get_prop(domain, exported_dumpstate_prop) 489get_prop(domain, exported_secure_prop) 490get_prop(domain, exported_system_prop) 491get_prop(domain, fingerprint_prop) 492get_prop(domain, framework_status_prop) 493get_prop(domain, gwp_asan_prop) 494get_prop(domain, hal_instrumentation_prop) 495get_prop(domain, hw_timeout_multiplier_prop) 496get_prop(domain, init_service_status_prop) 497get_prop(domain, libc_debug_prop) 498get_prop(domain, locale_prop) 499get_prop(domain, logd_prop) 500get_prop(domain, mediadrm_config_prop) 501get_prop(domain, property_service_version_prop) 502get_prop(domain, soc_prop) 503get_prop(domain, socket_hook_prop) 504get_prop(domain, surfaceflinger_prop) 505get_prop(domain, telephony_status_prop) 506get_prop(domain, timezone_prop) 507get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app -app_zygote }, userdebug_or_eng_prop) 508get_prop(domain, vendor_socket_hook_prop) 509get_prop(domain, vndk_prop) 510get_prop(domain, vold_status_prop) 511get_prop(domain, vts_config_prop) 512 513# Binder cache properties are world-readable 514get_prop(domain, binder_cache_bluetooth_server_prop) 515get_prop(domain, binder_cache_system_server_prop) 516get_prop(domain, binder_cache_telephony_server_prop) 517 518# Binderfs logs contain sensitive information about other processes. 519neverallow { 520 domain 521 -init 522 -vendor_init 523 userdebug_or_eng(`-dumpstate') 524 userdebug_or_eng(`-system_server') 525} binderfs_logs_transactions:file no_rw_file_perms; 526 527# Binderfs transaction history is less sensitive than transactions, but it 528# still contains global information about the system. 529neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms; 530 531# Needed for loading kernel modules. 532# TODO(384942085): Reduce the scope. 533allow domain kernel:key search; 534 535# Allow access to linkerconfig file 536allow domain linkerconfig_file:dir search; 537allow domain linkerconfig_file:file r_file_perms; 538 539# Allow all processes to check for the existence of the boringssl_self_test_marker files. 540allow domain boringssl_self_test_marker:dir search; 541 542# Allow all processes to read the file_logger property that liblog uses to check if file_logger 543# should be used. 544get_prop(domain, log_file_logger_prop) 545 546# Allow all processes to connect to PRNG seeder daemon. 547unix_socket_connect(domain, prng_seeder, prng_seeder) 548 549# Allow calls to system(3), popen(3), ... 550allow { 551 domain 552 # Except domains that explicitly neverallow it. 553 -kernel 554 -init 555 -vendor_init 556 -app_zygote 557 -webview_zygote 558 -system_server 559 -artd 560 -dexopt_chroot_setup 561 -audioserver 562 -cameraserver 563 -mediadrmserver 564 -mediaextractor 565 -mediametrics 566 -mediaserver 567 -mediatuner 568 -mediatranscoding 569 -ueventd 570 -hal_audio_server 571 -hal_camera_server 572 -hal_cas_server 573 -hal_codec2_server 574 -hal_configstore_server 575 -hal_drm_server 576 -hal_omx_server 577} {shell_exec toolbox_exec}:file rx_file_perms; 578 579# Allow all processes to read aconfig flag storage files. The format is hidden behind 580# code-generated APIs, but since the libraries are executed in the context of the caller, 581# all processes need access to the underlying files. 582is_flag_enabled(RELEASE_READ_FROM_NEW_STORAGE, ` 583 r_dir_file(domain, aconfig_storage_metadata_file); 584') 585 586r_dir_file({ coredomain appdomain }, system_aconfig_storage_file); 587 588# processes needs to access storage file stored at /metadata/aconfig/boot, require search 589# permission on /metadata dir 590allow domain metadata_file:dir search; 591 592# overlayfs performs all file operations as the mounter, being overlay_remounter. 593# It thus opens files as overlay_remounter, and then uses those files in the context of 594# the caller, which is anyone accessing a file on a overlaid read-only partition 595userdebug_or_eng(`allow domain overlay_remounter:fd use'); 596 597### 598### neverallow rules 599### 600 601# All ioctls on file-like objects (except chr_file and blk_file) and 602# sockets must be restricted to an allowlist. 603neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; 604 605# b/68014825 and https://android-review.googlesource.com/516535 606# rfc6093 says that processes should not use the TCP urgent mechanism 607neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; 608 609# TIOCSTI is only ever used for exploits. Block it. 610# b/33073072, b/7530569 611# http://www.openwall.com/lists/oss-security/2016/09/26/14 612neverallowxperm * devpts:chr_file ioctl TIOCSTI; 613 614# Do not allow any domain other than init to create unlabeled files. 615neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 616 617# Limit device node creation to these allowed domains. 618neverallow { 619 domain 620 -kernel 621 -init 622 -ueventd 623 -vold 624} self:global_capability_class_set mknod; 625 626# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). 627neverallow * self:memprotect mmap_zero; 628 629# No domain needs mac_override as it is unused by SELinux. 630neverallow * self:global_capability2_class_set mac_override; 631 632# Disallow attempts to set contexts not defined in current policy 633# This helps guarantee that unknown or dangerous contents will not ever 634# be set. 635neverallow * self:global_capability2_class_set mac_admin; 636 637# Once the policy has been loaded there shall be none to modify the policy. 638# It is sealed. 639neverallow * kernel:security load_policy; 640 641# Only init prior to switching context should be able to set enforcing mode. 642# init starts in kernel domain and switches to init domain via setcon in 643# the init.rc, so the setenforce occurs while still in kernel. After 644# switching domains, there is never any need to setenforce again by init. 645neverallow * kernel:security setenforce; 646neverallow { domain -kernel } kernel:security setcheckreqprot; 647 648# No booleans in AOSP policy, so no need to ever set them. 649neverallow * kernel:security setbool; 650 651# Adjusting the AVC cache threshold. 652# Not presently allowed to anything in policy, but possibly something 653# that could be set from init.rc. 654neverallow { domain -init } kernel:security setsecparam; 655 656# Only the kernel hwrng thread should be able to read from the HW RNG. 657neverallow { 658 domain 659 -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG 660 -shell # For CTS, restricted to just getattr in shell.te 661 -ueventd # To create the /dev/hw_random file 662} hw_random_device:chr_file *; 663# b/78174219 b/64114943 664neverallow { 665 domain 666 -shell # stat of /dev, getattr only 667 -ueventd 668} keychord_device:chr_file *; 669 670# Ensure that all entrypoint executables are in exec_type or postinstall_file. 671neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; 672 673# The dynamic linker always calls access(2) on the path. Don't generate SElinux 674# denials since the linker does not actually access the path in case the path 675# does not exist or isn't accessible for the process. 676dontaudit domain postinstall_mnt_dir:dir audit_access; 677 678#Ensure that nothing in userspace can access /dev/port 679neverallow { 680 domain 681 -shell # Shell user should not have any abilities outside of getattr 682 -ueventd 683} port_device:chr_file *; 684neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; 685# Only init should be able to configure kernel usermodehelpers or 686# security-sensitive proc settings. 687neverallow { domain -init } usermodehelper:file { append write }; 688neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; 689neverallow { domain -init -vendor_init } proc_security:file { append open read write }; 690 691# Init can't do anything with binder calls. If this neverallow rule is being 692# triggered, it's probably due to a service with no SELinux domain. 693neverallow * init:binder *; 694neverallow * vendor_init:binder *; 695 696# Binderfs logs contain sensitive information about other processes. 697neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms; 698neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms; 699 700# Don't allow raw read/write/open access to block_device 701# Rather force a relabel to a more specific type 702neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; 703 704# Do not allow renaming of block files or character files 705# Ability to do so can lead to possible use in an exploit chain 706# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html 707neverallow { domain userdebug_or_eng(`-overlay_remounter') } *:{ blk_file chr_file } rename; 708 709# Don't allow raw read/write/open access to generic devices. 710# Rather force a relabel to a more specific type. 711neverallow domain device:chr_file { open read write }; 712 713# Files from cache should never be executed 714neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; 715 716# The test files and executables MUST not be accessible to any domain 717neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms; 718neverallow domain nativetest_data_file:dir no_w_dir_perms; 719neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; 720 721neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms; 722neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms; 723neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *; 724neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms }; 725neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *; 726 727# Only the init property service should write to /data/property and /dev/__properties__ 728neverallow { domain -init } property_data_file:dir no_w_dir_perms; 729neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; 730neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; 731neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; 732neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; 733 734# Nobody should be doing writes to /system & /vendor 735# These partitions are intended to be read-only and must never be 736# modified. Doing so would violate important Android security guarantees 737# and invalidate dm-verity signatures. 738neverallow { 739 domain 740 with_asan(`-asan_extract') 741 recovery_only(`userdebug_or_eng(`-fastbootd')') 742 userdebug_or_eng(`-kernel') 743 userdebug_or_eng(`-overlay_remounter') 744} { 745 system_file_type 746 vendor_file_type 747 exec_type 748}:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; 749 750neverallow { domain -kernel with_asan(`-asan_extract') userdebug_or_eng(`-overlay_remounter') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto; 751 752# Don't allow mounting on top of /system files or directories 753neverallow { 754 domain 755 userdebug_or_eng(`-overlay_remounter') 756} exec_type:dir_file_class_set mounton; 757 758# Nothing should be writing to files in the rootfs. 759neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; 760 761# Restrict context mounts to specific types marked with 762# the contextmount_type attribute. 763neverallow * {fs_type -contextmount_type}:filesystem relabelto; 764 765# Ensure that context mount types are not writable, to ensure that 766# the write to /system restriction above is not bypassed via context= 767# mount to another type. 768neverallow { domain userdebug_or_eng(`-overlay_remounter') } contextmount_type:dir_file_class_set 769 { create setattr relabelfrom relabelto append link rename }; 770neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') userdebug_or_eng(`-overlay_remounter') } contextmount_type:dir_file_class_set { write unlink }; 771 772# Do not allow service_manager add for default service labels. 773# Instead domains should use a more specific type such as 774# system_app_service rather than the generic type. 775# New service_types are defined in {,hw,vnd}service.te and new mappings 776# from service name to service_type are defined in {,hw,vnd}service_contexts. 777neverallow * default_android_service:service_manager *; 778neverallow * default_android_vndservice:service_manager *; 779neverallow * default_android_hwservice:hwservice_manager *; 780 781# Looking up the base class/interface of all HwBinder services is a bad idea. 782# hwservicemanager currently offer such lookups only to make it so that security 783# decisions are expressed in SELinux policy. However, it's unclear whether this 784# lookup has security implications. If it doesn't, hwservicemanager should be 785# modified to not offer this lookup. 786# This rule can be removed if hwservicemanager is modified to not permit these 787# lookups. 788neverallow * hidl_base_hwservice:hwservice_manager find; 789 790# Require that domains explicitly label unknown properties, and do not allow 791# anyone but init to modify unknown properties. 792neverallow { domain -init -vendor_init } mmc_prop:property_service set; 793neverallow { domain -init -vendor_init } vndk_prop:property_service set; 794 795compatible_property_only(` 796 neverallow { domain -init } mmc_prop:property_service set; 797 neverallow { domain -init -vendor_init } exported_default_prop:property_service set; 798 neverallow { domain -init } exported_secure_prop:property_service set; 799 neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; 800 neverallow { domain -init -vendor_init } storage_config_prop:property_service set; 801 neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set; 802') 803 804compatible_property_only(` 805 neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; 806 neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; 807') 808 809# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop. 810neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set; 811neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms; 812 813# ART may introduce new sysprops. SELinux denials due to reading new sysprops on 814# old platforms shouldn't be regarded as a problem. 815dontaudit domain future_pm_prop:file read; 816 817neverallow { domain -init } aac_drc_prop:property_service set; 818neverallow { domain -init } build_prop:property_service set; 819neverallow { domain -init } userdebug_or_eng_prop:property_service set; 820 821# Do not allow reading device's serial number from system properties except form 822# a few allowed domains. 823neverallow { 824 domain 825 -adbd 826 -adbd_tradeinmode 827 -dumpstate 828 -fastbootd 829 -hal_camera_server 830 -hal_cas_server 831 -hal_drm_server 832 -hal_keymint_server 833 userdebug_or_eng(`-incidentd') 834 -init 835 -mediadrmserver 836 -mediaserver 837 -recovery 838 -shell 839 -system_server 840 -vendor_init 841} serialno_prop:file r_file_perms; 842 843neverallow { 844 domain 845 -init 846 -recovery 847 -system_server 848 -ueventd # Further restricted in ueventd.te 849} frp_block_device:blk_file no_rw_file_perms; 850 851# The metadata block device is set aside for device encryption and 852# verified boot metadata. It may be reset at will and should not 853# be used by other domains. 854neverallow { 855 domain 856 -init 857 -recovery 858 -vold 859 -e2fs 860 -fsck 861 -fastbootd 862 -hal_fastboot_server 863} metadata_block_device:blk_file { append link rename write open read ioctl lock }; 864 865# No domain other than recovery, update_engine and fastbootd can write to system partition(s). 866neverallow { 867 domain 868 -fastbootd 869 userdebug_or_eng(`-fsck') 870 userdebug_or_eng(`-init') 871 -recovery 872 userdebug_or_eng(`-remount') 873 -update_engine 874} system_block_device:blk_file { write append }; 875 876# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager 877neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; 878# The service managers are only allowed to access their own device node 879neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; 880neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; 881neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; 882neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; 883neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 884neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 885 886full_treble_only(` 887 # Vendor apps are permited to use only stable public services. If they were to use arbitrary 888 # services which can change any time framework/core is updated, breakage is likely. 889 # 890 # Note, this same logic applies to untrusted apps, but neverallows for these are separate. 891 neverallow { 892 appdomain 893 -coredomain 894 } { 895 service_manager_type 896 897 -app_api_service 898 -ephemeral_app_api_service 899 900 -hal_service_type # see app_neverallows.te 901 902 -apc_service 903 -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed 904 -cameraserver_service 905 -drmserver_service 906 -credstore_service 907 -keystore_maintenance_service 908 -keystore_service 909 -legacykeystore_service 910 -mediadrmserver_service 911 -mediaextractor_service 912 -mediametrics_service 913 -mediaserver_service 914 -nfc_service 915 -radio_service 916 -virtual_touchpad_service 917 -vr_manager_service 918 userdebug_or_eng(`-hal_face_service') 919 }:service_manager find; 920') 921 922# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. 923full_treble_only(` 924 neverallow { 925 coredomain 926 -shell 927 userdebug_or_eng(`-su') 928 -ueventd # uevent is granted create for this device, but we still neverallow I/O below 929 } vndbinder_device:chr_file rw_file_perms; 930') 931full_treble_only(` 932 neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; 933') 934full_treble_only(` 935 neverallow { 936 coredomain 937 -shell 938 userdebug_or_eng(`-su') 939 } vndservice_manager_type:service_manager *; 940') 941full_treble_only(` 942 neverallow { 943 coredomain 944 -shell 945 userdebug_or_eng(`-su') 946 } vndservicemanager:binder *; 947') 948 949# On full TREBLE devices, socket communications between core components and vendor components are 950# not permitted. 951 # Most general rules first, more specific rules below. 952 953 # Core domains are not permitted to initiate communications to vendor domain sockets. 954 # We are not restricting the use of already established sockets because it is fine for a process 955 # to obtain an already established socket via some public/official/stable API and then exchange 956 # data with its peer over that socket. The wire format in this scenario is dicatated by the API 957 # and thus does not break the core-vendor separation. 958full_treble_only(` 959 neverallow_establish_socket_comms({ 960 coredomain 961 -init 962 -adbd 963 }, { 964 domain 965 -coredomain 966 -socket_between_core_and_vendor_violators 967 }); 968') 969 970 # Vendor domains are not permitted to initiate create/open sockets owned by core domains 971full_treble_only(` 972 neverallow { 973 domain 974 -coredomain 975 -appdomain # appdomain restrictions below 976 -data_between_core_and_vendor_violators # b/70393317 977 -socket_between_core_and_vendor_violators 978 -vendor_init 979 } { 980 coredomain_socket 981 core_data_file_type 982 unlabeled # used only by core domains 983 }:sock_file ~{ append getattr ioctl read write }; 984') 985full_treble_only(` 986 neverallow { 987 appdomain 988 -coredomain 989 } { 990 coredomain_socket 991 unlabeled # used only by core domains 992 core_data_file_type 993 -app_data_file 994 -privapp_data_file 995 -pdx_endpoint_socket_type # used by VR layer 996 -pdx_channel_socket_type # used by VR layer 997 }:sock_file ~{ append getattr ioctl read write }; 998') 999 1000 # Core domains are not permitted to create/open sockets owned by vendor domains 1001full_treble_only(` 1002 neverallow { 1003 coredomain 1004 -init 1005 -ueventd 1006 -socket_between_core_and_vendor_violators 1007 } { 1008 file_type 1009 dev_type 1010 -coredomain_socket 1011 -core_data_file_type 1012 -app_data_file_type 1013 -unlabeled 1014 }:sock_file ~{ append getattr ioctl read write }; 1015') 1016 1017# On TREBLE devices, vendor and system components are only allowed to share 1018# files by passing open FDs over hwbinder. Ban all directory access and all file 1019# accesses other than what can be applied to an open FD such as 1020# ioctl/stat/read/write/append. This is enforced by segregating /data. 1021# Vendor domains may directly access file in /data/vendor by path, but may only 1022# access files outside of /data/vendor via an open FD passed over hwbinder. 1023# Likewise, core domains may only directly access files outside /data/vendor by 1024# path and files in /data/vendor by open FD. 1025full_treble_only(` 1026 # only coredomains may only access core_data_file_type, particularly not 1027 # /data/vendor 1028 neverallow { 1029 coredomain 1030 -appdomain # TODO(b/34980020) remove exemption for appdomain 1031 -data_between_core_and_vendor_violators 1032 -init 1033 -vold_prepare_subdirs 1034 } { 1035 data_file_type 1036 -core_data_file_type 1037 -app_data_file_type 1038 }:file_class_set ~{ append getattr ioctl read write map }; 1039') 1040full_treble_only(` 1041 neverallow { 1042 coredomain 1043 -appdomain # TODO(b/34980020) remove exemption for appdomain 1044 -data_between_core_and_vendor_violators 1045 -init 1046 -vold_prepare_subdirs 1047 } { 1048 data_file_type 1049 -core_data_file_type 1050 -app_data_file_type 1051 # TODO(b/72998741) Remove exemption. Further restricted in a subsequent 1052 # neverallow. Currently only getattr and search are allowed. 1053 -vendor_data_file 1054 }:dir *; 1055 1056') 1057full_treble_only(` 1058 # vendor domains may only access files in /data/vendor, never core_data_file_types 1059 neverallow { 1060 domain 1061 -appdomain # TODO(b/34980020) remove exemption for appdomain 1062 -coredomain 1063 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 1064 -vendor_init 1065 } { 1066 core_data_file_type 1067 with_native_coverage(`-method_trace_data_file') 1068 }:file_class_set ~{ append getattr ioctl read write map }; 1069 neverallow { 1070 vendor_init 1071 -data_between_core_and_vendor_violators 1072 } { 1073 core_data_file_type 1074 -unencrypted_data_file 1075 with_native_coverage(`-method_trace_data_file') 1076 }:file_class_set ~{ append getattr ioctl read write map }; 1077 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 1078 # The vendor init binary lives on the system partition so there is not a concern with stability. 1079 neverallow vendor_init unencrypted_data_file:file ~r_file_perms; 1080') 1081full_treble_only(` 1082 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 1083 neverallow { 1084 domain 1085 -appdomain # TODO(b/34980020) remove exemption for appdomain 1086 -coredomain 1087 -data_between_core_and_vendor_violators 1088 -vendor_init 1089 } { 1090 core_data_file_type 1091 -system_data_file # default label for files on /data. Covered below... 1092 -system_data_root_file 1093 -vendor_userdir_file 1094 -vendor_data_file 1095 with_native_coverage(`-method_trace_data_file') 1096 }:dir *; 1097 neverallow { 1098 vendor_init 1099 -data_between_core_and_vendor_violators 1100 } { 1101 core_data_file_type 1102 -unencrypted_data_file 1103 -system_data_file 1104 -system_data_root_file 1105 -vendor_userdir_file 1106 -vendor_data_file 1107 with_native_coverage(`-method_trace_data_file') 1108 }:dir *; 1109 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 1110 # The vendor init binary lives on the system partition so there is not a concern with stability. 1111 neverallow vendor_init unencrypted_data_file:dir ~search; 1112') 1113full_treble_only(` 1114 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 1115 neverallow { 1116 domain 1117 -appdomain # TODO(b/34980020) remove exemption for appdomain 1118 -coredomain 1119 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 1120 } { 1121 system_data_file # default label for files on /data. Covered below 1122 }:dir ~{ getattr search }; 1123') 1124 1125full_treble_only(` 1126 # coredomains may not access dirs in /data/vendor. 1127 neverallow { 1128 coredomain 1129 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 1130 -init 1131 -vold # vold creates per-user storage for both system and vendor 1132 -vold_prepare_subdirs 1133 } { 1134 vendor_data_file # default label for files on /data. Covered below 1135 }:dir ~{ getattr search }; 1136') 1137 1138full_treble_only(` 1139 # coredomains may not access dirs in /data/vendor. 1140 neverallow { 1141 coredomain 1142 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 1143 -init 1144 } { 1145 vendor_data_file # default label for files on /data/vendor{,_ce,_de}. 1146 }:file_class_set ~{ append getattr ioctl read write map }; 1147') 1148 1149full_treble_only(` 1150 # Non-vendor domains are not allowed to file execute shell 1151 # from vendor 1152 neverallow { 1153 coredomain 1154 -init 1155 -shell 1156 -ueventd 1157 userdebug_or_eng(`-overlay_remounter') 1158 } vendor_shell_exec:file { execute execute_no_trans }; 1159') 1160 1161full_treble_only(` 1162 # Do not allow vendor components to execute files from system 1163 # except for the ones allowed here. 1164 neverallow { 1165 domain 1166 -coredomain 1167 -appdomain 1168 -vendor_executes_system_violators 1169 -vendor_init 1170 } { 1171 system_file_type 1172 -system_lib_file 1173 -system_bootstrap_lib_file 1174 -system_linker_exec 1175 -crash_dump_exec 1176 -netutils_wrapper_exec 1177 userdebug_or_eng(`-tcpdump_exec') 1178 # Vendor components still can invoke shell commands via /system/bin/sh 1179 -shell_exec 1180 -toolbox_exec 1181 -virtualizationmanager_exec 1182 is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec') 1183 }:file { entrypoint execute execute_no_trans }; 1184') 1185 1186full_treble_only(` 1187 # Do not allow coredomain to access entrypoint for files other 1188 # than system_file_type and postinstall_file 1189 neverallow coredomain { 1190 file_type 1191 -system_file_type 1192 -postinstall_file 1193 }:file entrypoint; 1194 # Do not allow domains other than coredomain to access entrypoint 1195 # for anything but vendor_file_type and init_exec for vendor_init. 1196 neverallow { domain -coredomain } { 1197 file_type 1198 -vendor_file_type 1199 -init_exec 1200 }:file entrypoint; 1201') 1202 1203full_treble_only(` 1204 # Do not allow system components to execute files from vendor 1205 # except for the ones allowed here. 1206 neverallow { 1207 coredomain 1208 -init 1209 -shell 1210 -system_executes_vendor_violators 1211 -ueventd 1212 userdebug_or_eng(`-overlay_remounter') 1213 } { 1214 vendor_file_type 1215 -same_process_hal_file 1216 -vndk_sp_file 1217 -vendor_app_file 1218 -vendor_public_framework_file 1219 -vendor_public_lib_file 1220 }:file execute; 1221') 1222 1223full_treble_only(` 1224 neverallow { 1225 coredomain 1226 -shell 1227 -system_executes_vendor_violators 1228 userdebug_or_eng(`-overlay_remounter') 1229 } { 1230 vendor_file_type 1231 -same_process_hal_file 1232 }:file execute_no_trans; 1233') 1234 1235full_treble_only(` 1236 # Do not allow vendor components access to /system files except for the 1237 # ones allowed here. 1238 neverallow { 1239 domain 1240 -appdomain 1241 -coredomain 1242 -vendor_executes_system_violators 1243 # vendor_init needs access to init_exec for domain transition. vendor_init 1244 # neverallows are covered in public/vendor_init.te 1245 -vendor_init 1246 } { 1247 system_file_type 1248 -cgroup_desc_file 1249 -crash_dump_exec 1250 -file_contexts_file 1251 -netutils_wrapper_exec 1252 -property_contexts_file 1253 -system_event_log_tags_file 1254 -system_group_file 1255 -system_lib_file 1256 -system_bootstrap_lib_file 1257 with_asan(`-system_asan_options_file') 1258 -system_linker_exec 1259 -system_linker_config_file 1260 -system_passwd_file 1261 -system_seccomp_policy_file 1262 -system_security_cacerts_file 1263 -system_zoneinfo_file 1264 -task_profiles_file 1265 userdebug_or_eng(`-tcpdump_exec') 1266 # Vendor components still can invoke shell commands via /system/bin/sh 1267 -shell_exec 1268 -toolbox_exec 1269 -virtualizationmanager_exec 1270 is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec') 1271 }:file *; 1272') 1273 1274# Only system_server should be able to send commands via the zygote socket 1275neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 1276neverallow { domain -system_server } zygote_socket:sock_file write; 1277 1278neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto; 1279neverallow { domain -system_server } webview_zygote:sock_file write; 1280neverallow { domain -system_server } app_zygote:sock_file write; 1281 1282neverallow domain tombstoned_crash_socket:unix_stream_socket connectto; 1283 1284# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to 1285# the tombstoned intercept socket. 1286neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; 1287neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 1288 1289# Never allow anyone but system_server to read heapdumps in /data/system/heapdump. 1290neverallow { domain -init -system_server } heapdump_data_file:file read; 1291 1292# Android does not support System V IPCs. 1293# 1294# The reason for this is due to the fact that, by design, they lead to global 1295# kernel resource leakage. 1296# 1297# For example, there is no way to automatically release a SysV semaphore 1298# allocated in the kernel when: 1299# 1300# - a buggy or malicious process exits 1301# - a non-buggy and non-malicious process crashes or is explicitly killed. 1302# 1303# Killing processes automatically to make room for new ones is an 1304# important part of Android's application lifecycle implementation. This means 1305# that, even assuming only non-buggy and non-malicious code, it is very likely 1306# that over time, the kernel global tables used to implement SysV IPCs will fill 1307# up. 1308neverallow * *:{ shm sem msg msgq } *; 1309 1310# Do not mount on top of symlinks, fifos, or sockets. 1311# Feature parity with Chromium LSM. 1312neverallow { 1313 domain 1314 userdebug_or_eng(`-overlay_remounter') 1315} { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 1316 1317# Nobody should be able to execute su on user builds. 1318# On userdebug/eng builds, only dumpstate, shell, and 1319# su itself execute su. 1320neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -overlay_remounter') } su_exec:file no_x_file_perms; 1321 1322# Do not allow the introduction of new execmod rules. Text relocations 1323# and modification of executable pages are unsafe. 1324# The only exceptions are for NDK text relocations associated with 1325# https://code.google.com/p/android/issues/detail?id=23203 1326# which, long term, need to go away. 1327neverallow { 1328 domain 1329 userdebug_or_eng(`-overlay_remounter') 1330} { 1331 file_type 1332 -apk_data_file 1333 -app_data_file 1334 -asec_public_file 1335}:file execmod; 1336 1337# Do not allow making the stack or heap executable. 1338# We would also like to minimize execmem but it seems to be 1339# required by some device-specific service domains. 1340neverallow * self:process { execstack execheap }; 1341 1342# Do not allow the introduction of new execmod rules. Text relocations 1343# and modification of executable pages are unsafe. 1344neverallow { 1345 domain 1346 -untrusted_app_25 1347 -untrusted_app_27 1348 userdebug_or_eng(`-overlay_remounter') 1349} file_type:file execmod; 1350 1351# Ensure that all types assigned to processes are included 1352# in the domain attribute, so that all allow and neverallow rules 1353# written on domain are applied to all processes. 1354# This is achieved by ensuring that it is impossible to transition 1355# from a domain to a non-domain type and vice versa. 1356# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 1357neverallow ~domain domain:process { transition dyntransition }; 1358 1359# 1360# Only system_app and system_server should be creating or writing 1361# their files. The proper way to share files is to setup 1362# type transitions to a more specific type or assigning a type 1363# to its parent directory via a file_contexts entry. 1364# Example type transition: 1365# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 1366# 1367neverallow { 1368 domain 1369 -system_server 1370 -system_app 1371 -init 1372 -toolbox # TODO(b/141108496) We want to remove toolbox 1373 -installd # for relabelfrom and unlink, check for this in explicit neverallow 1374 -vold_prepare_subdirs # For unlink 1375 with_asan(`-asan_extract') 1376} system_data_file:file no_w_file_perms; 1377# do not grant anything greater than r_file_perms and relabelfrom unlink 1378# to installd 1379neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 1380 1381# 1382# Only these domains should transition to shell domain. This domain is 1383# permissible for the "shell user". If you need a process to exec a shell 1384# script with differing privilege, define a domain and set up a transition. 1385# 1386neverallow { 1387 domain 1388 -adbd 1389 -init 1390 -runas 1391 -zygote 1392} shell:process { transition dyntransition }; 1393 1394# Only domains spawned from zygote, runas and simpleperf_app_runner may have 1395# the appdomain attribute. 1396# 1397# simpleperf is excluded as a domain transitioned to when running an app-scoped 1398# profiling session. 1399# 1400# tradeinmode is excluded; it is only run when adbd is in trade-in mode, 1401# transitioned from the limited adbd_tradeinmode context. It is a wrapper 1402# around "am" to avoid exposing the shell context when adbd is in trade-in 1403# mode. 1404neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } { 1405 appdomain -shell -simpleperf userdebug_or_eng(`-su') -tradeinmode 1406}:process { transition dyntransition }; 1407 1408# Minimize read access to shell- or app-writable symlinks. 1409# This is to prevent malicious symlink attacks. 1410neverallow { 1411 domain 1412 -appdomain 1413 -artd 1414 -installd 1415} { app_data_file privapp_data_file }:lnk_file read; 1416 1417neverallow { 1418 domain 1419 -shell 1420 userdebug_or_eng(`-uncrypt') 1421 -installd 1422} shell_data_file:lnk_file read; 1423 1424# servicemanager and vndservicemanager are the only processes which handle the 1425# service_manager list request 1426neverallow * ~{ 1427 servicemanager 1428 vndservicemanager 1429 }:service_manager list; 1430 1431# hwservicemanager is the only process which handles hw list requests 1432neverallow * ~{ 1433 hwservicemanager 1434 }:hwservice_manager list; 1435 1436# only service_manager_types can be added to service_manager 1437# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 1438 1439# Prevent assigning non property types to properties 1440# TODO - rework this: neverallow * ~property_type:property_service set; 1441 1442# Domain types should never be assigned to any files other 1443# than the /proc/pid files associated with a process. The 1444# executable file used to enter a domain should be labeled 1445# with its own _exec type, not with the domain type. 1446# Conventionally, this looks something like: 1447# $ cat mydaemon.te 1448# type mydaemon, domain; 1449# type mydaemon_exec, exec_type, file_type; 1450# init_daemon_domain(mydaemon) 1451# $ grep mydaemon file_contexts 1452# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 1453neverallow * domain:file { execute execute_no_trans entrypoint }; 1454 1455# Do not allow access to the generic debugfs label. This is too broad. 1456# Instead, if access to part of debugfs is desired, it should have a 1457# more specific label. 1458# TODO: fix dumpstate 1459neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms; 1460 1461# Do not allow executable files in debugfs. 1462neverallow domain debugfs_type:file { execute execute_no_trans }; 1463 1464# Don't allow access to the FUSE control filesystem, except to vold and init's 1465neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms; 1466 1467# Profiles contain untrusted data and profman parses that. We should only run 1468# it from installd and artd forked processes. 1469neverallow { 1470 domain 1471 -installd 1472 -profman 1473 -artd 1474 userdebug_or_eng(`-overlay_remounter') 1475} profman_exec:file no_x_file_perms; 1476 1477# Enforce restrictions on kernel module origin. 1478# Do not allow kernel module loading except from system, 1479# vendor, boot, and system_dlkm partitions. 1480# TODO(b/218951883): Remove usage of system and rootfs as origin 1481neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load; 1482 1483# Only allow filesystem caps to be set at build time. Runtime changes 1484# to filesystem capabilities are not permitted. 1485neverallow * self:global_capability_class_set setfcap; 1486 1487# Enforce AT_SECURE for executing crash_dump. 1488neverallow domain crash_dump:process noatsecure; 1489 1490# Do not permit non-core domains to register HwBinder services which are 1491# guaranteed to be provided by core domains only. 1492neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1493 1494# Do not permit the registeration of HwBinder services which are guaranteed to 1495# be passthrough only (i.e., run in the process of their clients instead of a 1496# separate server process). 1497neverallow * same_process_hwservice:hwservice_manager add; 1498 1499# If an already existing file is opened with O_CREAT, the kernel might generate 1500# a false report of a create denial. Silence these denials and make sure that 1501# inappropriate permissions are not granted. 1502 1503# These filesystems don't allow files or directories to be created, so the permission 1504# to do so should never be granted. 1505neverallow domain { 1506 proc_type 1507 sysfs_type 1508}:dir { add_name create link remove_name rename reparent rmdir write }; 1509 1510# cgroupfs directories can be created, but not files within them. 1511neverallow domain cgroup:file create; 1512neverallow domain cgroup_v2:file create; 1513 1514dontaudit domain proc_type:dir write; 1515dontaudit domain sysfs_type:dir write; 1516dontaudit domain cgroup:file create; 1517dontaudit domain cgroup_v2:file create; 1518 1519# These are only needed in permissive mode - in enforcing mode the 1520# directory write check fails and so these are never attempted. 1521userdebug_or_eng(` 1522 dontaudit domain proc_type:dir add_name; 1523 dontaudit domain sysfs_type:dir add_name; 1524 dontaudit domain proc_type:file create; 1525 dontaudit domain sysfs_type:file create; 1526') 1527 1528# Platform must not have access to /mnt/vendor. 1529neverallow { 1530 coredomain 1531 -init 1532 -ueventd 1533 -vold 1534 -system_writes_mnt_vendor_violators 1535} mnt_vendor_file:dir *; 1536 1537# Only apps are allowed access to vendor public libraries. 1538full_treble_only(` 1539 neverallow { 1540 coredomain 1541 -appdomain 1542 userdebug_or_eng(`-overlay_remounter') 1543 } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans }; 1544') 1545 1546# Vendor domian must not have access to /mnt/product. 1547neverallow { 1548 domain 1549 -coredomain 1550} mnt_product_file:dir *; 1551 1552# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL 1553full_treble_only(` 1554 neverallow { 1555 coredomain 1556 -shell 1557 # For access to block device information under /sys/class/block. 1558 -apexd 1559 # Read sysfs block device information. 1560 -init 1561 # Generate uevents for health info 1562 -ueventd 1563 # Recovery uses health HAL passthrough implementation. 1564 -recovery 1565 # Charger uses health HAL passthrough implementation. 1566 -charger 1567 # TODO(b/110891300): remove this exception 1568 -incidentd 1569 } sysfs_batteryinfo:file { open read }; 1570') 1571 1572neverallow { 1573 domain 1574 -hal_codec2_server 1575 -hal_omx_server 1576} hal_codec2_hwservice:hwservice_manager add; 1577 1578# Only apps targetting < Q are allowed to open /dev/ashmem directly. 1579# Apps must use ASharedMemory NDK API. Native code must use libcutils API. 1580neverallow { 1581 domain 1582 -ephemeral_app # We don't distinguish ephemeral apps based on target API. 1583 -untrusted_app_25 1584 -untrusted_app_27 1585} ashmem_device:chr_file open; 1586 1587neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *; 1588 1589# No domains other than a select few can access the misc_block_device. This 1590# block device is reserved for OTA use. 1591# Do not assert this rule on userdebug/eng builds, due to some devices using 1592# this partition for testing purposes. 1593neverallow { 1594 domain 1595 userdebug_or_eng(`-domain') # exclude debuggable builds 1596 -fastbootd 1597 -hal_bootctl_server 1598 -init 1599 -uncrypt 1600 -update_engine 1601 -vendor_init 1602 -vendor_misc_writer 1603 -vold 1604 -recovery 1605 -ueventd 1606 -mtectrl 1607 -misctrl 1608 -kcmdlinectrl 1609} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; 1610 1611# Limit ability to ptrace or read sensitive /proc/pid files of processes 1612# with other UIDs to these allowlisted domains. 1613neverallow { 1614 domain 1615 -vold 1616 userdebug_or_eng(`-llkd') 1617 -dumpstate 1618 userdebug_or_eng(`-incidentd') 1619 userdebug_or_eng(`-profcollectd') 1620 userdebug_or_eng(`-simpleperf_boot') 1621 -storaged 1622 -system_server 1623} self:global_capability_class_set sys_ptrace; 1624 1625# Limit ability to generate hardware unique device ID attestations to priv_apps 1626neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id; 1627neverallow { domain -system_server } *:keystore2_key use_dev_id; 1628neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock }; 1629 1630neverallow { 1631 domain 1632 -init 1633 -vendor_init 1634 userdebug_or_eng(`-domain') 1635} debugfs_tracing_debug:file no_rw_file_perms; 1636 1637# System_server owns dropbox data, and init creates/restorecons the directory 1638# Disallow direct access by other processes. 1639neverallow { 1640 domain 1641 -init 1642 -system_server 1643 userdebug_or_eng(`-dumpstate') 1644} dropbox_data_file:dir *; 1645neverallow { 1646 domain 1647 -init 1648 -system_server 1649 userdebug_or_eng(`-dumpstate') 1650} dropbox_data_file:file ~{ getattr read }; 1651 1652### 1653# Services should respect app sandboxes 1654neverallow { 1655 domain 1656 -appdomain 1657 -artd # compile secondary dex files 1658 -installd # creation of sandbox 1659} { 1660 privapp_data_file 1661 app_data_file 1662 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1663}:dir_file_class_set { create unlink }; 1664 1665is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1666 neverallow { 1667 domain 1668 -artd # compile secondary dex files 1669 -installd # creation of sandbox 1670 -vold_prepare_subdirs # creation of storage area directories 1671 } {storage_area_app_dir storage_area_dir }:dir { create unlink }; 1672') 1673 1674# Only the following processes should be directly accessing private app 1675# directories. 1676neverallow { 1677 domain 1678 -adbd 1679 -appdomain 1680 -app_zygote 1681 -artd # compile secondary dex files 1682 -installd 1683 -profman 1684 -rs # spawned by appdomain, so carryover the exception above 1685 -runas 1686 -system_server 1687 -zygote 1688} { 1689 privapp_data_file 1690 app_data_file 1691 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1692}:dir *; 1693 1694is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1695 neverallow { 1696 domain 1697 -appdomain 1698 -app_zygote 1699 -artd # compile secondary dex files 1700 -installd 1701 -rs # spawned by appdomain, so carryover the exception above 1702 -system_server 1703 -vold # encryption of storage area directories 1704 -vold_prepare_subdirs # creation of storage area directories 1705 -zygote 1706 } { storage_area_dir storage_area_app_dir }:dir *; 1707') 1708 1709is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1710 # only vold and installd can access the storage area key files 1711 # (and init, in case of a recursive restorecon) 1712 neverallow { 1713 domain 1714 -init 1715 -vold 1716 -vold_prepare_subdirs 1717 -installd 1718 } { storage_area_key_file }:dir_file_class_set *; 1719') 1720 1721# Only apps should be modifying app data. installd is exempted for 1722# restorecon and package install/uninstall. 1723neverallow { 1724 domain 1725 -appdomain 1726 -artd # compile secondary dex files 1727 -installd 1728 -rs # spawned by appdomain, so carryover the exception above 1729} { 1730 privapp_data_file 1731 app_data_file 1732 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1733}:dir ~r_dir_perms; 1734 1735is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1736 neverallow { 1737 domain 1738 -appdomain 1739 -artd # compile secondary dex files 1740 -installd 1741 -rs # spawned by appdomain, so carryover the exception above 1742 -vold_prepare_subdirs # creation of storage area directories 1743 } { storage_area_dir storage_area_app_dir }:dir ~r_dir_perms; 1744') 1745 1746neverallow { 1747 domain 1748 -appdomain 1749 -app_zygote 1750 -artd # compile secondary dex files 1751 -installd 1752 -rs # spawned by appdomain, so carryover the exception above 1753} { 1754 privapp_data_file 1755 app_data_file 1756 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1757}:file_class_set open; 1758 1759neverallow { 1760 domain 1761 -appdomain 1762 -artd # compile secondary dex files 1763 -installd # creation of sandbox 1764} { 1765 privapp_data_file 1766 app_data_file 1767 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1768}:dir_file_class_set { create unlink }; 1769 1770neverallow { 1771 domain 1772 -artd # compile secondary dex files 1773 -installd 1774} { 1775 privapp_data_file 1776 app_data_file 1777 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1778}:dir_file_class_set { relabelfrom relabelto }; 1779 1780is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1781 neverallow { 1782 domain 1783 -artd # compile secondary dex files 1784 -installd 1785 -vold_prepare_subdirs 1786 } { storage_area_dir storage_area_app_dir }:dir { relabelfrom relabelto }; 1787') 1788 1789# The staging directory contains APEX and APK files. It is important to ensure 1790# that these files cannot be accessed by other domains to ensure that the files 1791# do not change between system_server staging the files and apexd processing 1792# the files. 1793# The update_provider can also stage files before apexd processes them. 1794neverallow { 1795 domain 1796 -init 1797 -system_server 1798 -apexd 1799 -installd 1800 -priv_app 1801 -virtualizationmanager 1802 -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL! 1803} staging_data_file:dir *; 1804neverallow { 1805 domain 1806 -init 1807 -system_app 1808 -system_server 1809 -apexd 1810 -adbd 1811 -kernel 1812 -installd 1813 -priv_app 1814 -shell 1815 -virtualizationmanager 1816 -crosvm 1817 -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL! 1818} staging_data_file:file *; 1819# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL! 1820neverallow { domain -init -system_server -installd -update_provider } staging_data_file:dir no_w_dir_perms; 1821# apexd needs the link/unlink/rename permissions 1822# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL! 1823neverallow { domain -init -system_server -installd -apexd -update_provider } staging_data_file:file { 1824 no_w_file_perms no_x_file_perms 1825}; 1826neverallow apexd staging_data_file:file { 1827 append create relabelfrom setattr write # no_w_file_perms -link -unlink -rename 1828 no_x_file_perms 1829}; 1830 1831neverallow { 1832 domain 1833 -appdomain # for oemfs 1834 -bootanim # for oemfs 1835 -recovery # for /tmp/update_binary in tmpfs 1836} { fs_type -rootfs }:file execute; 1837 1838# 1839# Assert that, to the extent possible, we're not loading executable content from 1840# outside the rootfs or /system partition except for a few allowlisted domains. 1841# Executable files loaded from /data is a persistence vector 1842# we want to avoid. See 1843# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. 1844# 1845neverallow { 1846 domain 1847 -appdomain 1848 with_asan(`-asan_extract') 1849 -shell 1850 userdebug_or_eng(`-su') 1851 -system_server_startup # for memfd backed executable regions 1852 -app_zygote 1853 -webview_zygote 1854 -zygote 1855 userdebug_or_eng(`-mediaextractor') 1856 userdebug_or_eng(`-mediaswcodec') 1857 userdebug_or_eng(`-overlay_remounter') 1858} { 1859 file_type 1860 -system_file_type 1861 -system_lib_file 1862 -system_bootstrap_lib_file 1863 -system_linker_exec 1864 -vendor_file_type 1865 -exec_type 1866 -postinstall_file 1867}:file execute; 1868 1869# Only init is allowed to write cgroup.rc file 1870neverallow { 1871 domain 1872 -init 1873 -vendor_init 1874} cgroup_rc_file:file no_w_file_perms; 1875 1876# Only authorized processes should be writing to files in /data/dalvik-cache 1877neverallow { 1878 domain 1879 -init # TODO: limit init to relabelfrom for files 1880 -zygote 1881 -installd 1882 -postinstall_dexopt 1883 -cppreopts 1884 -dex2oat 1885 -otapreopt_slot 1886 -artd 1887} dalvikcache_data_file:file no_w_file_perms; 1888 1889neverallow { 1890 domain 1891 -init 1892 -installd 1893 -postinstall_dexopt 1894 -cppreopts 1895 -dex2oat 1896 -zygote 1897 -otapreopt_slot 1898 -artd 1899} dalvikcache_data_file:dir no_w_dir_perms; 1900 1901# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it 1902# contains boot class path and system server AOT artifacts following an ART APEX Mainline update. 1903neverallow { 1904 domain 1905 # art-related processes 1906 -composd 1907 -compos_fd_server 1908 -odrefresh 1909 -odsign 1910 # others 1911 -apexd 1912 -init 1913 -vold_prepare_subdirs 1914} apex_art_data_file:file no_w_file_perms; 1915 1916neverallow { 1917 domain 1918 # art-related processes 1919 -composd 1920 -compos_fd_server 1921 -odrefresh 1922 -odsign 1923 # others 1924 -apexd 1925 -init 1926 -vold_prepare_subdirs 1927} apex_art_data_file:dir no_w_dir_perms; 1928 1929# Protect most domains from executing arbitrary content from /data. 1930neverallow { 1931 domain 1932 -appdomain 1933 userdebug_or_eng(`-overlay_remounter') 1934} { 1935 data_file_type 1936 -apex_art_data_file 1937 -dalvikcache_data_file 1938 -system_data_file # shared libs in apks 1939 -apk_data_file 1940}:file no_x_file_perms; 1941 1942# Minimize dac_override and dac_read_search. 1943# Instead of granting them it is usually better to add the domain to 1944# a Unix group or change the permissions of a file. 1945define(`dac_override_allowed', `{ 1946 apexd 1947 artd 1948 dnsmasq 1949 dumpstate 1950 init 1951 installd 1952 userdebug_or_eng(`llkd') 1953 lmkd 1954 migrate_legacy_obb_data 1955 netd 1956 postinstall_dexopt 1957 recovery 1958 rss_hwm_reset 1959 sdcardd 1960 tee 1961 ueventd 1962 uncrypt 1963 vendor_init 1964 vold 1965 vold_prepare_subdirs 1966 zygote 1967 userdebug_or_eng(`overlay_remounter') 1968}') 1969neverallow ~dac_override_allowed self:global_capability_class_set dac_override; 1970# Since the kernel checks dac_read_search before dac_override, domains that 1971# have dac_override should also have dac_read_search to eliminate spurious 1972# denials. Some domains have dac_read_search without having dac_override, so 1973# this list should be a superset of the one above. 1974neverallow ~{ 1975 dac_override_allowed 1976 traced_perf 1977 traced_probes 1978 heapprofd 1979} self:global_capability_class_set dac_read_search; 1980 1981# Limit what domains can mount filesystems or change their mount flags. 1982# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger 1983# set of domains need this capability, including device-specific domains. 1984neverallow { 1985 domain 1986 -apexd 1987 -dexopt_chroot_setup 1988 recovery_only(`-fastbootd') 1989 -init 1990 -kernel 1991 -otapreopt_chroot 1992 -recovery 1993 -update_engine 1994 -vold 1995 -zygote 1996 userdebug_or_eng(`-overlay_remounter') 1997} { fs_type 1998 -sdcard_type 1999 -fusefs_type 2000}:filesystem { mount remount relabelfrom relabelto }; 2001 2002enforce_debugfs_restriction(` 2003 neverallow { 2004 domain userdebug_or_eng(`-init') 2005 } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto }; 2006') 2007 2008# Limit raw I/O to these allowlisted domains. Do not apply to debug builds. 2009neverallow { 2010 domain 2011 userdebug_or_eng(`-domain') 2012 -kernel 2013 -gsid 2014 -init 2015 -recovery 2016 -ueventd 2017 -uncrypt 2018 -tee 2019 -hal_bootctl_server 2020 -fastbootd 2021} self:global_capability_class_set sys_rawio; 2022 2023# Limit directory operations that doesn't need to do app data isolation. 2024neverallow { 2025 domain 2026 -fsck 2027 -init 2028 -installd 2029 -zygote 2030} mirror_data_file:dir *; 2031 2032# This property is being removed. Remove remaining access. 2033neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set; 2034neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read; 2035 2036# Only core domains are allowed to access package_manager properties 2037neverallow { domain -init -system_server } pm_prop:property_service set; 2038neverallow { domain -coredomain } pm_prop:file no_rw_file_perms; 2039 2040# Do not allow reading the last boot timestamp from system properties 2041neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms; 2042 2043# Allow ART to set its config properties in its oneshot boot service, in 2044# addition to the common init and vendor_init access. 2045neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set; 2046 2047# Kprobes should only be used by adb root 2048neverallow { domain -init -vendor_init } debugfs_kprobes:file *; 2049 2050# On TREBLE devices, most coredomains should not access vendor_files. 2051# TODO(b/71553434): Remove exceptions here. 2052full_treble_only(` 2053 neverallow { 2054 coredomain 2055 -appdomain 2056 -bootanim 2057 -crash_dump 2058 -heapprofd 2059 userdebug_or_eng(`-profcollectd') 2060 -init 2061 -kernel 2062 userdebug_or_eng(`-simpleperf_boot') 2063 -traced_perf 2064 -ueventd 2065 userdebug_or_eng(`-overlay_remounter') 2066 } vendor_file:file { no_w_file_perms no_x_file_perms open }; 2067') 2068 2069# Vendor domains are not permitted to initiate communications to core domain sockets 2070full_treble_only(` 2071 neverallow_establish_socket_comms({ 2072 domain 2073 -coredomain 2074 -appdomain 2075 -socket_between_core_and_vendor_violators 2076 }, { 2077 coredomain 2078 -logd # Logging by writing to logd Unix domain socket is public API 2079 -netd # netdomain needs this 2080 -mdnsd # netdomain needs this 2081 -prng_seeder # Any process using libcrypto needs this 2082 userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds 2083 -init 2084 -tombstoned # linker to tombstoned 2085 -heapprofd 2086 -traced 2087 -traced_perf 2088 }); 2089') 2090 2091full_treble_only(` 2092 # Do not allow system components access to /vendor files except for the 2093 # ones allowed here. 2094 neverallow { 2095 coredomain 2096 # TODO(b/37168747): clean up fwk access to /vendor 2097 -crash_dump 2098 -crosvm # loads vendor-specific disk images 2099 -init # starts vendor executables 2100 -kernel # loads /vendor/firmware 2101 -heapprofd 2102 userdebug_or_eng(`-profcollectd') 2103 -shell 2104 userdebug_or_eng(`-simpleperf_boot') 2105 -system_executes_vendor_violators 2106 -traced_perf # library/binary access for symbolization 2107 -ueventd # reads /vendor/ueventd.rc 2108 -vold # loads incremental fs driver 2109 userdebug_or_eng(`-overlay_remounter') 2110 } { 2111 vendor_file_type 2112 -same_process_hal_file 2113 -vendor_app_file 2114 -vendor_apex_file 2115 -vendor_apex_metadata_file 2116 -vendor_boot_ota_file 2117 -vendor_cgroup_desc_file 2118 -vendor_configs_file 2119 -vendor_microdroid_file 2120 -vendor_service_contexts_file 2121 -vendor_framework_file 2122 -vendor_idc_file 2123 -vendor_keychars_file 2124 -vendor_keylayout_file 2125 -vendor_overlay_file 2126 -vendor_public_framework_file 2127 -vendor_public_lib_file 2128 -vendor_task_profiles_file 2129 -vendor_uuid_mapping_config_file 2130 -vndk_sp_file 2131 -vendor_aconfig_storage_file 2132 }:file *; 2133') 2134 2135# mlsvendorcompat is only for compatibility support for older vendor 2136# images, and should not be granted to any domain in current policy. 2137# (Every domain is allowed self:fork, so this will trigger if the 2138# intsersection of domain & mlsvendorcompat is not empty.) 2139neverallow domain mlsvendorcompat:process fork; 2140 2141# Only init and otapreopt_chroot should be mounting filesystems on locations 2142# labeled system or vendor (/product and /vendor respectively). 2143neverallow { 2144 domain 2145 -dexopt_chroot_setup 2146 -init 2147 -otapreopt_chroot 2148 userdebug_or_eng(`-overlay_remounter') 2149} { 2150 system_file_type 2151 vendor_file_type 2152}:dir_file_class_set mounton; 2153 2154# Only allow init and vendor_init to read/write mm_events properties 2155# NOTE: dumpstate is allowed to read any system property 2156neverallow { 2157 domain 2158 -init 2159 -vendor_init 2160 -dumpstate 2161} mm_events_config_prop:file no_rw_file_perms; 2162 2163# Allow init to open /proc/kallsyms while kernel address mappings are still 2164# visible, and later share it with tracing daemons (traced_probes, 2165# traced_perf). These daemons are allowed to read from the shared fd, but also 2166# to separately open the file (which will always have zeroed out addresses due 2167# to init raising kptr_restrict) for locking to coordinate access to the shared 2168# fd. The performance traces contain only the referenced kernel symbols, and 2169# never the raw addresses (i.e. KASLR is not disclosed). 2170# On debuggable builds, performance tools are allowed to open and read the file 2171# directly because init is allowed to temporarily unrestrict systemwide address 2172# visibility. 2173neverallow { 2174 domain 2175 -init 2176 -traced_probes 2177 -traced_perf 2178 userdebug_or_eng(`-profcollectd') 2179 userdebug_or_eng(`-simpleperf_boot') 2180} proc_kallsyms:file *; 2181 2182# debugfs_kcov type is not included in this neverallow statement since the KCOV 2183# tool uses it for kernel fuzzing. 2184# vendor_modprobe is also exempted since the kernel modules it loads may create 2185# debugfs files in its context. 2186enforce_debugfs_restriction(` 2187 neverallow { 2188 domain 2189 -vendor_modprobe 2190 userdebug_or_eng(` 2191 -init 2192 -hal_dumpstate 2193 -incidentd 2194 ') 2195 } { debugfs_type 2196 userdebug_or_eng(`-debugfs_kcov') 2197 -tracefs_type 2198 }:file no_rw_file_perms; 2199') 2200 2201# Restrict write access to etm sysfs interface. 2202neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms; 2203 2204# Restrict CAP_PERFMON. 2205neverallow { 2206 domain 2207 -init 2208 -vendor_modprobe 2209 userdebug_or_eng(`-simpleperf_boot') 2210 -kernel 2211 -uprobestats 2212} self:capability2 perfmon; 2213 2214# Restrict direct access to shell owned files. The /data/local/tmp directory is 2215# untrustworthy, and non-allowed domains should not be trusting any content in 2216# those directories. We allow shell files to be passed around by file 2217# descriptor, but not directly opened. 2218# artd doesn't need to access /data/local/tmp, but it needs to access 2219# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary 2220# dex files. 2221neverallow { 2222 domain 2223 -adbd 2224 -appdomain 2225 -artd 2226 -dumpstate 2227 -installd 2228 userdebug_or_eng(`-uncrypt') 2229 userdebug_or_eng(`-virtualizationmanager') 2230 userdebug_or_eng(`-virtualizationservice') 2231 userdebug_or_eng(`-crosvm') 2232} shell_data_file:file open; 2233 2234# In addition to the symlink reading restrictions above, restrict 2235# write access to shell owned directories. The /data/local/tmp 2236# directory is untrustworthy, and non-allowed domains should 2237# not be trusting any content in those directories. 2238# artd doesn't need to access /data/local/tmp, but it needs to access 2239# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary 2240# dex files. 2241neverallow { 2242 domain 2243 -adbd 2244 -artd 2245 -dumpstate 2246 -installd 2247 -init 2248 -shell 2249 -vold 2250} shell_data_file:dir no_w_dir_perms; 2251 2252neverallow { 2253 domain 2254 -adbd 2255 -appdomain 2256 -artd 2257 -dumpstate 2258 -init 2259 -installd 2260 -simpleperf_app_runner 2261 -system_server # why? 2262 userdebug_or_eng(`-uncrypt') 2263} shell_data_file:dir open; 2264 2265neverallow { 2266 domain 2267 -adbd 2268 -appdomain 2269 -artd 2270 -dumpstate 2271 -init 2272 -installd 2273 -simpleperf_app_runner 2274 -system_server # why? 2275 userdebug_or_eng(`-uncrypt') 2276 userdebug_or_eng(`-virtualizationmanager') 2277 userdebug_or_eng(`-crosvm') 2278} shell_data_file:dir search; 2279 2280# respect system_app sandboxes 2281neverallow { 2282 domain 2283 -appdomain 2284 -artd # compile secondary dex files 2285 -system_server #populate com.android.providers.settings/databases/settings.db. 2286 -installd # creation of app sandbox 2287 -traced_probes # resolve inodes for i/o tracing. 2288 # only needs open and read, the rest is neverallow in 2289 # traced_probes.te. 2290} system_app_data_file:dir_file_class_set { create unlink open }; 2291neverallow { 2292 isolated_app_all 2293 ephemeral_app 2294 priv_app 2295 sdk_sandbox_all 2296 untrusted_app_all 2297} system_app_data_file:dir_file_class_set { create unlink open }; 2298 2299neverallow { domain -init } mtectrl:process { dyntransition transition }; 2300neverallow { domain -init } kcmdlinectrl:process { dyntransition transition }; 2301 2302# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin 2303neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *; 2304 2305neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton; 2306neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton; 2307 2308# Only init/vendor are allowed to write sysfs_pgsize_migration; 2309# ueventd needs write access to all sysfs files. 2310neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms; 2311 2312# virtmanager enforces access policy for which components can connect 2313# to which VMs. If you have permissions to make direct connections, you 2314# can talk to anything. 2315starting_at_board_api(202504, ` 2316neverallow { 2317 domain 2318 2319 # these are expected 2320 -early_virtmgr 2321 -virtualizationmanager 2322 -virtualizationservice 2323 -adbd_common # maybe should move to emulator/virtual device specific policy 2324 2325 # not expected, and defined outside of system/sepolicy. 2326 # Note: this attribute is strongly recommended to be empty if not required. 2327 -unconstrained_vsock_violators 2328 2329 # these are permissions that should be removed, and they are here for visibility. 2330 -compos_fd_server # TODO: get connections from virtmanager 2331 -hal_keymint_system # TODO: get connections from virtmanager 2332 -vmlauncher_app # TODO: get connections from virtmanager 2333} *:vsock_socket { connect create accept bind }; 2334') 2335