# System properties that every coredomain may read (get_prop grants read
# access to the property type). Each line is an independent grant and the
# resulting policy does not depend on their order; they are grouped by the
# subsystem that owns the property.

# Boot, update and status reporting
get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vts_status_prop)

# ART, zygote and package manager
get_prop(coredomain, dalvik_config_prop_type)
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, zygote_config_prop)
get_prop(coredomain, zygote_wrap_prop)

# Hardware and HAL configuration
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, ffs_config_prop)
get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, graphics_config_writable_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, telephony_config_prop)
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)

# Storage and memory management
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, vold_config_prop)

# Device setup and user-facing configuration
get_prop(coredomain, localization_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, systemsound_config_prop)

# TODO(b/170590987): remove this after cleaning up default_prop
# NOTE(review): until that cleanup lands, every property that still carries
# the default_prop label is readable by all of coredomain, which sidesteps the
# per-property grants above. Anything sensitive must not stay on default_prop.
get_prop(coredomain, default_prop)

# LED sysfs files. neverallow is checked at policy build time: the build fails
# if any coredomain type outside this exception list is granted access to
# sysfs_leds files.
full_treble_only(`
neverallow {
  coredomain
  -init     # for chowning
  -apexd    # generic access to sysfs_type
  -ueventd
  -vold
} sysfs_leds:file *;
')

# On TREBLE devices only a small allowlist of coredomains may reach a limited
# set of files under /vendor, preserving the system/vendor separation.
full_treble_only(`
  # /vendor/app directories: listing and lookup are restricted to the
  # domains that install, compile or run vendor apps. Exceptions are listed
  # alphabetically; set membership does not depend on order.
  neverallow {
    coredomain
    -appdomain
    -artd
    -dex2oat
    -dexoptanalyzer
    -heapprofd
    -idmap
    -init
    -installd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
  } vendor_app_file:dir { search getattr open read };
')

full_treble_only(`
  # /vendor/app files: read access. The profiling and media domains are
  # excepted here but not for the directory rule above.
  neverallow {
    coredomain
    -appdomain
    -artd
    -dex2oat
    -dexoptanalyzer
    -heapprofd
    -idmap
    -init
    -installd
    -mediaserver
    -postinstall_dexopt
    userdebug_or_eng(`-profcollectd')
    -profman
    -rs # spawned by appdomain, so carryover the exception above
    userdebug_or_eng(`-simpleperf_boot')
    -system_server
    -traced_perf
  } vendor_app_file:file r_file_perms;
')

full_treble_only(`
  # /vendor/overlay directories: the zygotes are excepted in addition to the
  # app and dexopt domains, since overlays are loaded at process start.
  neverallow {
    coredomain
    -app_zygote
    -appdomain
    -artd
    -dex2oat
    -dexoptanalyzer
    -heapprofd
    -idmap
    -init
    -installd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -webview_zygote
    -zygote
  } vendor_overlay_file:dir { search read getattr open };
')

full_treble_only(`
  # /vendor/overlay files: open is restricted; the debug-only profiling
  # domains are excepted on userdebug/eng builds.
  neverallow {
    coredomain
    -app_zygote
    -appdomain
    -artd
    -dex2oat
    -dexoptanalyzer
    -heapprofd
    -idmap
    -init
    -installd
    -postinstall_dexopt
    userdebug_or_eng(`-profcollectd')
    -rs # spawned by appdomain, so carryover the exception above
    userdebug_or_eng(`-simpleperf_boot')
    -system_server
    -traced_perf
    -webview_zygote
    -zygote
  } vendor_overlay_file:file open;
')

# Coredomain must not use kernel interfaces that have not been given an
# explicit label; the rules below enforce this per filesystem.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
  # Generic /proc files (proc type, i.e. not given a more specific label)
  neverallow {
    coredomain
    -init
    -vold
  } proc:file no_rw_file_perms;

  # Generic /sys files (sysfs type)
  neverallow {
    coredomain
    -apexd
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # Generic /dev nodes (device type): block and regular files
  neverallow {
    coredomain
    -apexd
    -fsck
    -init
    -ueventd
  } device:{ file blk_file } no_rw_file_perms;

  # debugfs: the exceptions only exist on builds where debugfs is not
  # restricted (see no_debugfs_restriction)
  neverallow {
    coredomain
    no_debugfs_restriction(`
      -dumpstate
      -init
      -system_server
    ')
  } debugfs:file no_rw_file_perms;

  # tracefs: tracing and profiling domains only; the two debug-only
  # profilers are excepted on userdebug/eng builds
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -gpuservice
    -init
    userdebug_or_eng(`-profcollectd')
    -shell
    userdebug_or_eng(`-simpleperf_boot')
    -system_server
    -traced_perf
    -traced_probes
    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs: boot-reason and log persistence consumers
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  } { binfmt_miscfs usbfs }:file no_rw_file_perms;

  # dmabuf heaps: only the system and system-secure heaps are reachable
  # from coredomain; every other heap device is off limits
  neverallow {
    coredomain
    -init
    -ueventd
  } {
    dmabuf_heap_device_type
    -dmabuf_system_heap_device
    -dmabuf_system_secure_heap_device
  }:chr_file no_rw_file_perms;
')

# The /dev nodes below must never be opened directly by coredomain; access
# goes through the corresponding HAL instead.
# Applies on every device, Treble or not: no exceptions inside coredomain.
neverallow coredomain {
  radio_device
  iio_device
}:chr_file { ioctl write append read open };

# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices, so this rule is only asserted on full Treble builds.
full_treble_only(`
  neverallow coredomain tee_device:chr_file { ioctl write append read open };
')