xref: /system/sepolicy/prebuilts/api/202504/public/te_macros

#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute map };
allow $1 $3:process transition;
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow $1 $3:process { siginh rlimitinh };
')

#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')

#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file.
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
')

#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')

#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')

#####################################
# tmpfs_domain(domain)
# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
define(`tmpfs_domain', `
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write getattr map };
')

# pdx macros for IPC. pdx is a high-level name which contains transport-specific
# rules from underlying transport (e.g. UDS-based implementation).

#####################################
# pdx_service_attributes(service)
# Defines type attribute used to identify various service-related types.
define(`pdx_service_attributes', `
attribute pdx_$1_endpoint_dir_type;
attribute pdx_$1_endpoint_socket_type;
attribute pdx_$1_channel_socket_type;
attribute pdx_$1_server_type;
')

#####################################
# pdx_service_socket_types(service, endpoint_dir_t)
# Define types for endpoint and channel sockets.
define(`pdx_service_socket_types', `
typeattribute $2 pdx_$1_endpoint_dir_type;
type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
userdebug_or_eng(`
dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
')
')

#####################################
# pdx_server(server_domain, service)
define(`pdx_server', `
# Mark the server domain as a PDX server.
typeattribute $1 pdx_$2_server_type;
# Allow the init process to create the initial endpoint socket.
allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
# Allow the server domain to use the endpoint socket and accept connections on it.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don"t need "bind" or "connect").
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
allow $1 self:process setsockcreate;
# Allow the server domain to create a client channel socket.
allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
# Prevent other processes from claiming to be a server for the same service.
neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
')

#####################################
# pdx_connect(client, service)
define(`pdx_connect', `
# Allow client to open the service endpoint file.
allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
# Allow the client to connect to endpoint socket.
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
')

#####################################
# pdx_use(client, service)
define(`pdx_use', `
# Allow the client to use the PDX channel socket.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don"t need "bind" or "connect").
allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
# Client needs to use an channel event fd from the server.
allow $1 pdx_$2_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
allow pdx_$2_server_type $1:fd use;
')

#####################################
# pdx_client(client, service)
define(`pdx_client', `
pdx_connect($1, $2)
pdx_use($1, $2)
')

#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
')

####################################
# userfaultfd_use(domain)
# Allow domain to create/use userfaultfd.
define(`userfaultfd_use', `
# Set up a type_transition to "userfaultfd" named anonymous inode object.
type $1_userfaultfd;
type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
# Allow domain to create/use userfaultfd anon_inode.
allow $1 $1_userfaultfd:anon_inode { create ioctl read };
# Suppress errors generate during bugreport
dontaudit su $1_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
')

####################################
# virtualizationservice_use(domain)
# Allow domain to create and communicate with a virtual machine using
# virtualizationservice and virtualizationmanager.
define(`virtualizationservice_use', `
# Transition to virtualizationmanager when the client executes it.
domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
# Allow virtualizationmanager to communicate over UDS with the client.
allow { virtualizationmanager crosvm } $1:unix_stream_socket { ioctl getattr read write };
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
allow { virtualizationmanager crosvm } $1:fd use;
# Let the client use file descriptors created by virtualizationmanager.
allow $1 virtualizationmanager:fd use;
# Allow piping console log to the client
allow { virtualizationmanager crosvm } $1:fifo_file { ioctl getattr read write };
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
# that it created. Notice that we do not grant permission to create a vsock;
# the client can only connect to VMs that it owns.
allow $1 virtualizationmanager:vsock_socket { getattr getopt read write };
# Allow client to inspect hypervisor capabilities
get_prop($1, hypervisor_prop)
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
allow $1 virtualizationservice_data_file:file { getattr read };
# Allow virtualizationmanager to read the path of the client using /proc/{PID}/exe
allow virtualizationmanager $1:dir search;
allow virtualizationmanager $1:file read;
allow virtualizationmanager $1:lnk_file read;
')

####################################
# early_virtmgr_use(domain)
# Allow domain to create and communicate with an early virtual machine using
# early_virtmgr.
define(`early_virtmgr_use', `
# Transition to early_virtmgr when the client executes it.
domain_auto_trans($1, early_virtmgr_exec, early_virtmgr)
# Allow early_virtmgr to communicate over UDS with the client.
allow { early_virtmgr crosvm } $1:unix_stream_socket { ioctl getattr read write };
# Let the client pass file descriptors to early_virtmgr and on to crosvm.
allow { early_virtmgr crosvm } $1:fd use;
allow { early_virtmgr crosvm } $1_tmpfs:file rw_file_perms;
# Let the client use file descriptors created by early_virtmgr.
allow $1 early_virtmgr:fd use;
# Allow piping console log to the client
allow { early_virtmgr crosvm } $1:fifo_file { ioctl getattr read write };
# Allow client to read/write vsock created by early_virtmgr to communicate with the VM
# that it created. Notice that we do not grant permission to create a vsock;
# the client can only connect to VMs that it owns.
allow $1 early_virtmgr:vsock_socket { getattr getopt read write };
# Allow client to inspect hypervisor capabilities
get_prop($1, hypervisor_prop)
# Allow early_virtmgr to read the path of the client using /proc/{PID}/exe
allow early_virtmgr $1:dir search;
allow early_virtmgr $1:file read;
allow early_virtmgr $1:lnk_file read;
')

#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
userfaultfd_use($1)
allow $1 appdomain_tmpfs:file { execute getattr map read write };
neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components to
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
# traces. runas_app is excluded, as it operates only on debuggable apps.
# simpleperf is excluded, as it operates only on debuggable or profileable
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
# live lock conditions.
neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
')

#####################################
# untrusted_app_domain(domain)
# Allow a base set of permissions required for all untrusted apps.
define(`untrusted_app_domain', `
typeattribute $1 untrusted_app_all;
')

#####################################
# isolated_app_domain(domain)
# Allow a base set of permissions required for all isolated apps.
define(`isolated_app_domain', `
typeattribute $1 isolated_app_all;
')

#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
define(`net_domain', `
typeattribute $1 netdomain;
')

#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
define(`bluetooth_domain', `
typeattribute $1 bluetoothdomain;
')

#####################################
# hal_attribute(hal_name)
# Add an attribute for hal implementations along with necessary
# restrictions.
define(`hal_attribute', `
attribute hal_$1;
expandattribute hal_$1 true;
attribute hal_$1_client;
expandattribute hal_$1_client true;
attribute hal_$1_server;
expandattribute hal_$1_server false;

neverallow { hal_$1_server -halserverdomain } domain:process fork;
# hal_*_client and halclientdomain attributes are always expanded for
# performance reasons. Neverallow rules targeting expanded attributes can not be
# verified by CTS since these attributes are already expanded by that time.
build_test_only(`
neverallow { hal_$1_server -hal_$1 } domain:process fork;
neverallow { hal_$1_client -halclientdomain } domain:process fork;
')
')

#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
#
# For example, default implementation of Foo HAL:
#   type hal_foo_default, domain;
#   hal_server_domain(hal_foo_default, hal_foo)
#
define(`hal_server_domain', `
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')

#####################################
# hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a HAL of the specified type.
#
# For example, make some_domain a client of Foo HAL:
#   hal_client_domain(some_domain, hal_foo)
#
define(`hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;

# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
not_full_treble(`
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute map };
')
')

#####################################
# passthrough_hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a passthrough HAL of the specified type.
#
# For example, make some_domain a client of passthrough Foo HAL:
#   passthrough_hal_client_domain(some_domain, hal_foo)
#
define(`passthrough_hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute map };
')

#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# use set_prop(sourcedomain, targetproperty)
#
define(`unix_socket_connect', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')

#####################################
# set_prop(sourcedomain, targetproperty)
# Allows source domain to set the
# targetproperty.
#
define(`set_prop', `
unix_socket_connect($1, property, init)
allow $1 $2:property_service set;
get_prop($1, $2)
')

#####################################
# get_prop(sourcedomain, targetproperty)
# Allows source domain to read the
# targetproperty.
#
define(`get_prop', `
allow $1 $2:file { getattr open read map };
')

#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
define(`unix_socket_send', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_dgram_socket sendto;
')

#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager $1:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')

#####################################
# hwbinder_use(domain)
# Allow domain to use HwBinder IPC.
define(`hwbinder_use', `
# Call the hwservicemanager and transfer references to it.
allow $1 hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager $1:binder { call transfer };
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')

#####################################
# vndbinder_use(domain)
# Allow domain to use Binder IPC.
define(`vndbinder_use', `
# Talk to the vndbinder device node
allow $1 vndbinder_device:chr_file rw_file_perms;
# Call the vndservicemanager and transfer references to it.
allow $1 vndservicemanager:binder { call transfer };
')

#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
allow $1 $2:fd use;
')

#####################################
# binder_service(domain)
# Deprecated. Consider granting the exact permissions required by your service.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')

#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
# deprecated.
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:global_capability2_class_set block_suspend;
# system_suspend permissions
binder_call($1, system_suspend_server)
allow $1 system_suspend_hwservice:hwservice_manager find;
# halclientdomain permissions
hwbinder_use($1)
get_prop($1, hwservicemanager_prop)
allow $1 hidl_manager_hwservice:hwservice_manager find;
# AIDL suspend hal permissions
allow $1 hal_system_suspend_service:service_manager find;
binder_use($1)
')

#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security compute_av;
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
')

#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
define(`selinux_check_context', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security check_context;
')

#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
# Each domain gets a unique devpts type.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')

#####################################
# Non system_app application set
#
define(`non_system_app_set', `{ appdomain -system_app }')

#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
#
define(`recovery_only', ifelse(target_recovery, `true', $1, ))

#####################################
# Not recovery
# SELinux rules which apply only to non-recovery (normal) mode
#
define(`not_recovery', ifelse(target_recovery, `true', , $1))

#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
define(`full_treble_only', ifelse(target_full_treble, `true', $1,
ifelse(target_full_treble, `cts',
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
$1
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
, )))

#####################################
# Not full TREBLE
# SELinux rules which apply only to devices which are not full TREBLE devices
#
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))

#####################################
# enforce_debugfs_restriction
# SELinux rules which apply to devices that enable debugfs restrictions.
# The keyword "cts" is used to insert markers to only CTS test the neverallows
# added by the macro for S-launch devices and newer.
define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
ifelse(target_enforce_debugfs_restriction, `cts',
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
$1
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
, )))

#####################################
# no_debugfs_restriction
# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))

#####################################
# Compatible property only
# SELinux rules which apply only to devices with compatible property
#
define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
ifelse(target_compatible_property, `cts',
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
$1
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
, )))

#####################################
# Not compatible property
# SELinux rules which apply only to devices without compatible property
#
define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))

#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))

#####################################
# asan builds
# SELinux rules which apply only to asan builds
#
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))

#####################################
# native coverage builds
# SELinux rules which apply only to builds with native coverage
#
define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))

#####################################
# Build-time-only test
# SELinux rules which are verified during build, but not as part of *TS testing.
#
define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))

####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
define(`crash_dump_fallback', `
userdebug_or_eng(`
  allow $1 su:fifo_file append;
')
allow $1 anr_data_file:file append;
allow $1 dumpstate:fd use;
allow $1 incidentd:fd use;
# TODO: Figure out why write is needed.
allow $1 dumpstate:fifo_file { append write };
allow $1 incidentd:fifo_file { append write };
allow $1 system_server:fifo_file { append write };
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
allow $1 tombstoned_crash_socket:sock_file write;
allow $1 tombstone_data_file:file append;
')

#####################################
# WITH_DEXPREOPT builds
# SELinux rules which apply only when pre-opting.
#
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))

#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
define(`write_logd', `
unix_socket_send($1, logdw, logd)
allow $1 pmsg_device:chr_file w_file_perms;
')

#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
define(`read_logd', `
allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')

#####################################
# read_runtime_log_tags(domain)
# ability to directly map the runtime event log tags
define(`read_runtime_log_tags', `
allow $1 runtime_event_log_tags_file:file r_file_perms;
')

#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')

#####################################
# use_keystore(domain)
# Ability to use keystore.
define(`use_keystore', `
  allow $1 apc_service:service_manager find;
  allow $1 keystore_service:service_manager find;
  allow $1 legacykeystore_service:service_manager find;
  binder_call($1, keystore)
  binder_call(keystore, $1)
')

#####################################
# use_credstore(domain)
# Ability to use credstore.
define(`use_credstore', `
  allow $1 credstore_service:service_manager find;
  binder_call($1, credstore)
  binder_call(credstore, $1)
')

###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_service', `
  allow $1 $2:service_manager { add find };
  neverallow { domain -$1 } $2:service_manager add;

  # On debug builds with root, allow binder services to use binder over TCP.
  # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
  userdebug_or_eng(`
    allow $1 su:tcp_socket { accept getopt read write };
  ')
')

###########################################
# add_hwservice(domain, service)
# Ability for domain to add a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_hwservice', `
  allow $1 $2:hwservice_manager { add find };
  allow $1 hidl_base_hwservice:hwservice_manager add;
  neverallow { domain -$1 } $2:hwservice_manager add;
')

###########################################
# hal_attribute_hwservice(attribute, service)
# Ability for domain to get a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
# Used to pair hal_foo_client with hal_foo_hwservice
define(`hal_attribute_hwservice', `
  allow $1_client $2:hwservice_manager find;
  add_hwservice($1_server, $2)

  build_test_only(`
    # if you are hitting this neverallow, try using:
    #     hal_client_domain(<your domain>, hal_<foo>)
    # instead
    neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
  ')
')

###########################################
# hal_attribute_service(attribute, service)
# Ability for domain to get a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
# Used to pair hal_foo_client with hal_foo_service
define(`hal_attribute_service', `
  allow $1_client $2:service_manager find;
  add_service($1_server, $2)

  build_test_only(`
    # if you are hitting this neverallow, try using:
    #     hal_client_domain(<your domain>, hal_<foo>)
    # instead
    neverallow {
        domain
        -$1_client
        -$1_server
        # some services are allowed to find all services
        -atrace
        -shell
        -system_app
        -traceur_app
    } $2:service_manager find;
  ')
')

###################################
# can_profile_heap(domain)
# Allow processes within the domain to have their heap profiled by central
# heapprofd.
define(`can_profile_heap', `
  # Allow central daemon to send signal for client initialization.
  allow heapprofd $1:process signal;
  # Allow connecting to the daemon.
  unix_socket_connect($1, heapprofd, heapprofd)
  # Allow daemon to use the passed fds.
  allow heapprofd $1:fd use;
  # Allow to read and write to heapprofd shmem.
  # The client needs to read the read and write pointers in order to write.
  allow $1 heapprofd_tmpfs:file { read write getattr map };
  # Use shared memory received over the unix socket.
  allow $1 heapprofd:fd use;

  # To read and write from the received file descriptors.
  # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
  # process they relate to.
  # We need to write to /proc/$PID/page_idle to find idle allocations.
  # The client only opens /proc/self/page_idle with RDWR, everything else
  # with RDONLY.
  # heapprofd cannot open /proc/$PID/mem itself, as it does not have
  # sys_ptrace.
  allow heapprofd $1:file rw_file_perms;
  # Allow searching the /proc/[pid] directory for cmdline.
  allow heapprofd $1:dir r_dir_perms;
')

###################################
# never_profile_heap(domain)
# Opt out of heap profiling by heapprofd.
define(`never_profile_heap', `
  neverallow heapprofd $1:file read;
  neverallow heapprofd $1:process signal;
')

###################################
# can_profile_perf(domain)
# Allow processes within the domain to be profiled, and have their stacks
# sampled, by traced_perf.
define(`can_profile_perf', `
  # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
  # reads /proc/[pid]/cmdline.
  allow traced_perf $1:file r_file_perms;
  allow traced_perf $1:dir r_dir_perms;

  # Allow central daemon to send signal to request /proc/[pid]/maps and
  # /proc/[pid]/mem fds from this process.
  allow traced_perf $1:process signal;

  # Allow connecting to the daemon.
  unix_socket_connect($1, traced_perf, traced_perf)
  # Allow daemon to use the passed fds.
  allow traced_perf $1:fd use;
')

###################################
# never_profile_perf(domain)
# Opt out of profiling by traced_perf.
define(`never_profile_perf', `
  neverallow traced_perf $1:file read;
  neverallow traced_perf $1:process signal;
')

###################################
# perfetto_producer(domain)
# Allow processes within the domain to write data to Perfetto.
# When applying this macro, you might need to also allow traced to use the
# producer tmpfs domain, if the producer will be the one creating the shared
# memory.
define(`perfetto_producer', `
  allow $1 traced:fd use;
  allow $1 traced_tmpfs:file { read write getattr map };
  unix_socket_connect($1, traced_producer, traced)

  # Also allow the service to use the producer file descriptors. This is
  # necessary when the producer is creating the shared memory, as it will be
  # passed to the service as a file descriptor (obtained from memfd_create).
  allow traced $1:fd use;
')

###########################################
# dump_hal(hal_type)
# Ability to dump the hal debug info
#
define(`dump_hal', `
  hal_client_domain(dumpstate, $1);
  allow $1_server dumpstate:fifo_file write;
  allow $1_server dumpstate:fd use;
')

#####################################
# treble_sysprop_neverallow(rules)
# SELinux neverallow rules which enforces the accessibility of each property
# outside the owner.
#
# For devices launching with R or later, exported properties must be explicitly marked as
# "restricted" or "public", depending on the accessibility outside the owner.
# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these rules only for devices launching with R or later.
#
# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
#
define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
ifelse(target_treble_sysprop_neverallow, `cts',
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
$1
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
, )))

#####################################
# enforce_sysprop_owner(rules)
# SELinux neverallow rules which enforces the owner of each property.
#
# For devices launching with S or later, all properties must be explicitly marked as one of:
# system_property_type, vendor_property_type, or product_property_type.
# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these ules only for devices launching with S or later.
#
define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
ifelse(target_enforce_sysprop_owner, `cts',
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
$1
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
, )))

###########################################
# define_prop(name, owner, scope)
# Define a property with given owner and scope
#
define(`define_prop', `
  type $1, property_type, $2_property_type, $2_$3_property_type;
')

###########################################
# system_internal_prop(name)
# Define a /system-owned property used only in /system
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`system_internal_prop', `
  define_prop($1, system, internal)
  treble_sysprop_neverallow(`
    neverallow { domain -coredomain } $1:file no_rw_file_perms;
  ')
')

###########################################
# system_restricted_prop(name)
# Define a /system-owned property which can't be written outside /system
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`system_restricted_prop', `
  define_prop($1, system, restricted)
  treble_sysprop_neverallow(`
    neverallow { domain -coredomain } $1:property_service set;
  ')
')

###########################################
# system_public_prop(name)
# Define a /system-owned property with no restrictions
#
define(`system_public_prop', `define_prop($1, system, public)')

###########################################
# system_vendor_config_prop(name)
# Define a /system-owned property which can only be written by vendor_init
# This is a macro for vendor-specific configuration properties which is meant
# to be set once from vendor_init.
#
define(`system_vendor_config_prop', `
  system_public_prop($1)
  set_prop(vendor_init, $1)
  neverallow { domain -init -vendor_init } $1:property_service set;
')

###########################################
# product_internal_prop(name)
# Define a /product-owned property used only in /product
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`product_internal_prop', `
  define_prop($1, product, internal)
  treble_sysprop_neverallow(`
    neverallow { domain -coredomain } $1:file no_rw_file_perms;
  ')
')

###########################################
# product_restricted_prop(name)
# Define a /product-owned property which can't be written outside /product
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`product_restricted_prop', `
  define_prop($1, product, restricted)
  treble_sysprop_neverallow(`
    neverallow { domain -coredomain } $1:property_service set;
  ')
')

###########################################
# product_public_prop(name)
# Define a /product-owned property with no restrictions
#
define(`product_public_prop', `define_prop($1, product, public)')

###########################################
# vendor_internal_prop(name)
# Define a /vendor-owned property used only in /vendor
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`vendor_internal_prop', `
  define_prop($1, vendor, internal)
  treble_sysprop_neverallow(`
# init and dumpstate are in coredomain, but should be able to read all props.
    neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
  ')
')

###########################################
# vendor_restricted_prop(name)
# Define a /vendor-owned property which can't be written outside /vendor
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`vendor_restricted_prop', `
  define_prop($1, vendor, restricted)
  treble_sysprop_neverallow(`
# init is in coredomain, but should be able to write all props.
    neverallow { coredomain -init } $1:property_service set;
  ')
')

###########################################
# vendor_public_prop(name)
# Define a /vendor-owned property with no restrictions
#
define(`vendor_public_prop', `define_prop($1, vendor, public)')

#####################################
# read_fstab(domain)
# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
#
define(`read_fstab', `
  allow $1 { metadata_file gsi_metadata_file_type }:dir search;
  allow $1 gsi_public_metadata_file:file r_file_perms;
  allow $1 { proc_bootconfig proc_cmdline }:file r_file_perms;
')

######################################
# use_bootstrap_libs(domain)
# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
define(`use_bootstrap_libs', `
  allow $1 system_bootstrap_lib_file:dir r_dir_perms;
  allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
')

######################################
# use_apex_info(domain)
# Allow access to apex information
define(`use_apex_info', `
  allow $1 apex_mnt_dir:dir r_dir_perms;
  allow $1 apex_info_file:file r_file_perms;
  r_dir_file($1, vendor_apex_metadata_file)
')

####################################
# io_uring_use(domain)
# Allow domain to create/use io_uring.
define(`io_uring_use', `
# Set up a type_transition to "io_uring" named anonymous inode object.
type $1_iouring;
type_transition $1 $1:anon_inode $1_iouring "[io_uring]";
# Allow domain to create/use io_uring anon_inode.
allow $1 $1_iouring:anon_inode { create map read write };
allow $1 self:io_uring sqpoll;
# Other domains may not use iouring anon_inodes created by this domain.
neverallow { domain -$1 } $1_iouring:anon_inode *;
# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
dontaudit $1 self:global_capability_class_set ipc_lock;
')