1get_prop(coredomain, boot_status_prop) 2get_prop(coredomain, camera_config_prop) 3get_prop(coredomain, dalvik_config_prop) 4get_prop(coredomain, dalvik_runtime_prop) 5get_prop(coredomain, exported_pm_prop) 6get_prop(coredomain, ffs_config_prop) 7get_prop(coredomain, graphics_config_prop) 8get_prop(coredomain, hdmi_config_prop) 9get_prop(coredomain, init_service_status_private_prop) 10get_prop(coredomain, lmkd_config_prop) 11get_prop(coredomain, localization_prop) 12get_prop(coredomain, pm_prop) 13get_prop(coredomain, radio_control_prop) 14get_prop(coredomain, rollback_test_prop) 15get_prop(coredomain, setupwizard_prop) 16get_prop(coredomain, sqlite_log_prop) 17get_prop(coredomain, storagemanager_config_prop) 18get_prop(coredomain, surfaceflinger_color_prop) 19get_prop(coredomain, systemsound_config_prop) 20get_prop(coredomain, telephony_config_prop) 21get_prop(coredomain, usb_config_prop) 22get_prop(coredomain, usb_control_prop) 23get_prop(coredomain, userspace_reboot_config_prop) 24get_prop(coredomain, vold_config_prop) 25get_prop(coredomain, vts_status_prop) 26get_prop(coredomain, zygote_config_prop) 27get_prop(coredomain, zygote_wrap_prop) 28 29# TODO(b/170590987): remove this after cleaning up default_prop 30get_prop(coredomain, default_prop) 31 32full_treble_only(` 33neverallow { 34 coredomain 35 36 # for chowning 37 -init 38 39 # generic access to sysfs_type 40 -apexd 41 -ueventd 42 -vold 43} sysfs_leds:file *; 44') 45 46# On TREBLE devices, a limited set of files in /vendor are accessible to 47# only a few allowlisted coredomains to keep system/vendor separation. 48full_treble_only(` 49 # Limit access to /vendor/app 50 neverallow { 51 coredomain 52 -appdomain 53 -dex2oat 54 -dexoptanalyzer 55 -idmap 56 -init 57 -installd 58 -heapprofd 59 -postinstall_dexopt 60 -rs # spawned by appdomain, so carryover the exception above 61 -system_server 62 -traced_perf 63 } vendor_app_file:dir { open read getattr search }; 64') 65 66full_treble_only(` 67 neverallow { 68 coredomain 69 -appdomain 70 -dex2oat 71 -dexoptanalyzer 72 -idmap 73 -init 74 -installd 75 -heapprofd 76 userdebug_or_eng(`-profcollectd') 77 -postinstall_dexopt 78 -rs # spawned by appdomain, so carryover the exception above 79 userdebug_or_eng(`-simpleperf_boot') 80 -system_server 81 -traced_perf 82 -mediaserver 83 } vendor_app_file:file r_file_perms; 84') 85 86full_treble_only(` 87 # Limit access to /vendor/overlay 88 neverallow { 89 coredomain 90 -appdomain 91 -idmap 92 -init 93 -installd 94 -iorap_inode2filename 95 -iorap_prefetcherd 96 -postinstall_dexopt 97 -rs # spawned by appdomain, so carryover the exception above 98 -system_server 99 -traced_perf 100 -app_zygote 101 -webview_zygote 102 -zygote 103 -heapprofd 104 } vendor_overlay_file:dir { getattr open read search }; 105') 106 107full_treble_only(` 108 neverallow { 109 coredomain 110 -appdomain 111 -idmap 112 -init 113 -installd 114 -iorap_inode2filename 115 -iorap_prefetcherd 116 -postinstall_dexopt 117 -rs # spawned by appdomain, so carryover the exception above 118 -system_server 119 -traced_perf 120 -app_zygote 121 -webview_zygote 122 -zygote 123 -heapprofd 124 userdebug_or_eng(`-profcollectd') 125 userdebug_or_eng(`-simpleperf_boot') 126 } vendor_overlay_file:file open; 127') 128 129# Core domains are not permitted to use kernel interfaces which are not 130# explicitly labeled. 131# TODO(b/65643247): Apply these neverallow rules to all coredomain. 132full_treble_only(` 133 # /proc 134 neverallow { 135 coredomain 136 -init 137 -vold 138 } proc:file no_rw_file_perms; 139 140 # /sys 141 neverallow { 142 coredomain 143 -apexd 144 -init 145 -ueventd 146 -vold 147 } sysfs:file no_rw_file_perms; 148 149 # /dev 150 neverallow { 151 coredomain 152 -apexd 153 -fsck 154 -init 155 -ueventd 156 } device:{ blk_file file } no_rw_file_perms; 157 158 # debugfs 159 neverallow { 160 coredomain 161 no_debugfs_restriction(` 162 -dumpstate 163 -init 164 -system_server 165 ') 166 } debugfs:file no_rw_file_perms; 167 168 # tracefs 169 neverallow { 170 coredomain 171 -atrace 172 -dumpstate 173 -gpuservice 174 -init 175 -traced_perf 176 -traced_probes 177 -shell 178 -system_server 179 -traceur_app 180 userdebug_or_eng(`-profcollectd') 181 userdebug_or_eng(`-simpleperf_boot') 182 } debugfs_tracing:file no_rw_file_perms; 183 184 # inotifyfs 185 neverallow { 186 coredomain 187 -init 188 } inotify:file no_rw_file_perms; 189 190 # pstorefs 191 neverallow { 192 coredomain 193 -bootstat 194 -charger 195 -dumpstate 196 userdebug_or_eng(`-incidentd') 197 -init 198 -logd 199 -logpersist 200 -recovery_persist 201 -recovery_refresh 202 -shell 203 -system_server 204 } pstorefs:file no_rw_file_perms; 205 206 # configfs 207 neverallow { 208 coredomain 209 -init 210 -system_server 211 } configfs:file no_rw_file_perms; 212 213 # functionfs 214 neverallow { 215 coredomain 216 -adbd 217 -init 218 -mediaprovider 219 -system_server 220 } functionfs:file no_rw_file_perms; 221 222 # usbfs and binfmt_miscfs 223 neverallow { 224 coredomain 225 -init 226 }{ usbfs binfmt_miscfs }:file no_rw_file_perms; 227 228 # dmabuf heaps 229 neverallow { 230 coredomain 231 -init 232 -ueventd 233 }{ 234 dmabuf_heap_device_type 235 -dmabuf_system_heap_device 236 -dmabuf_system_secure_heap_device 237 }:chr_file no_rw_file_perms; 238') 239 240# Following /dev nodes must not be directly accessed by coredomain, but should 241# instead be wrapped by HALs. 242neverallow coredomain { 243 iio_device 244 radio_device 245}:chr_file { open read append write ioctl }; 246 247# TODO(b/120243891): HAL permission to tee_device is included into coredomain 248# on non-Treble devices. 249full_treble_only(` 250 neverallow coredomain tee_device:chr_file { open read append write ioctl }; 251') 252