# Rules for all domains.

# Allow reaping by init.
allow domain init:process sigchld;

# Intra-domain accesses.
allow domain self:process {
    fork
    sigchld
    sigkill
    sigstop
    signull
    signal
    getsched
    setsched
    getsession
    getpgid
    getcap
    setcap
    getattr
    setrlimit
};
# Every domain except artd subprocesses may change its own process group.
allow { domain -artd_subprocess_type } self:process setpgid;
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net_type:dir search;
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
allow domain init:fd use;

# Debug builds only: interaction with the su domain and coredump writing.
userdebug_or_eng(`
  allow domain su:fd use;
  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
  allow domain su:unix_dgram_socket sendto;

  allow { domain -init } su:binder { call transfer };

  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  allow domain su:process sigchld;

  # Allow writing coredumps to /cores/*
  allow domain coredump_file:file create_file_perms;
  allow domain coredump_file:dir ra_dir_perms;
')

with_native_coverage(`
  # Allow writing coverage information to /data/misc/trace
  allow domain method_trace_data_file:dir create_dir_perms;
  allow domain method_trace_data_file:file create_file_perms;
')

# Allow everyone to read aconfig flags
get_prop(domain, device_config_aconfig_flags_prop);

# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain dmabuf_heap_device:dir r_dir_perms;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;

# /dev/ashmem is being deprecated by means of constraining and eventually
# removing all "open" permissions. We preserve the other permissions.
allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
# This device is used by libcutils, which is accessible to everyone.
allow domain ashmem_libcutils_device:chr_file rw_file_perms;

# /dev/binder can be accessed by ... everyone! :)
# hwservicemanager and vndservicemanager are the only exceptions, here and for
# servicemanager_prop below.
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
# Checking for the existence of the hwservicemanager binary is done in the client API
# isHwServiceManagerInstalled
dontaudit domain hwservicemanager_exec:file r_file_perms;


# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };

# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;
allow domain binderfs_features:dir search;
allow domain binderfs_features:file r_file_perms;

# /dev/hwbinder: everyone except servicemanager, vndservicemanager and isolated apps.
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain proc_random:dir r_dir_perms;
allow domain proc_random:file r_file_perms;
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file r_file_perms;
allow domain property_info:file r_file_perms;

# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
# Suppress audit noise from access(2) probes on property files.
dontaudit domain property_type:file audit_access;
allow domain property_contexts_file:file r_file_perms;

# Keyring search on keys owned by init and vold.
allow domain init:key search;
allow domain vold:key search;

# logd access
write_logd(domain)

# Directory/link file access for path resolution.
allow domain {
    system_file
    system_lib_file
    system_seccomp_policy_file
    system_security_cacerts_file
}:dir r_dir_perms;
allow domain system_file:lnk_file { getattr read };

# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
allow domain system_seccomp_policy_file:file r_file_perms;
# cacerts are accessible from public Java API.
allow domain system_security_cacerts_file:file r_file_perms;
allow domain system_group_file:file r_file_perms;
allow domain system_passwd_file:file r_file_perms;
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
allow domain system_linker_exec:lnk_file { read open getattr };
allow domain system_lib_file:lnk_file { read open getattr };

allow domain system_event_log_tags_file:file r_file_perms;

# On treble devices only core and app domains may read/execute generic
# system_file; the not_full_treble block below widens this to every domain.
allow { appdomain coredomain } system_file:file { execute read open getattr map };

# Make sure system/vendor split does not affect non-treble
# devices
not_full_treble(`
  allow domain system_file:file { execute read open getattr map };
  allow domain vendor_file_type:dir { search getattr };
  allow domain vendor_file_type:file { execute read open getattr map };
  allow domain vendor_file_type:lnk_file { getattr read };
')

# All domains are allowed to open and read directories
# that contain HAL implementations (e.g. passthrough
# HALs require clients to have these permissions)
allow domain vendor_hal_file:dir r_dir_perms;

# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir r_dir_perms;
allow {
  domain
  -coredomain # access is explicitly granted to individual coredomains
} same_process_hal_file:file { execute read open getattr map };

# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
allow domain vndk_sp_file:dir r_dir_perms;
allow domain vndk_sp_file:file { execute read open getattr map };

# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
allow domain vendor_configs_file:file { read open getattr map };

full_treble_only(`
  # Allow all domains to be able to follow /system/vendor and/or
  # /vendor/odm symlinks.
  allow domain vendor_file_type:lnk_file { getattr open read };

  # This is required to be able to search & read /vendor/lib64
  # in order to lookup vendor libraries. The execute permission
  # for coredomains is granted *only* for same process HALs
  allow domain vendor_file:dir { getattr search };

  # Allow reading and executing out of /vendor to all vendor domains
  allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
  allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
  allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
')

# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };

# libc references /system/usr/share/zoneinfo for timezone related information.
# This directory is considered to be a VNDK-stable
allow domain { system_zoneinfo_file }:file r_file_perms;
allow domain { system_zoneinfo_file }:dir r_dir_perms;

# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)

r_dir_file(domain, sysfs_usb);

# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
allow domain sysfs_transparent_hugepage:dir search;
allow domain sysfs_transparent_hugepage:file r_file_perms;

# Allow search access, and sometimes getattr access, to various directories
# under /data. We are fairly lenient in allowing search access to top-level
# dirs that commonly need to be traversed to get access to the "real" files, as
# this greatly simplifies the policy and doesn't open up much attack surface.
not_full_treble(`
  allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
# Anything that accesses anything in /data needs search access to /data itself.
# This includes vendor components, as they need to access /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
# system_data_file is the default type for directories in /data. Anything
# accessing data files with a more specific type often has to traverse a
# system_data_file directory such as /data/misc to get there.
allow domain system_data_file:dir search;
# Anything that accesses files in /data/user (and /data/user_de, etc.) needs
# search access to these directories themselves. getattr access is sometimes
# needed too.
allow { coredomain appdomain } system_userdir_file:dir { search getattr };
# Anything that accesses files in /data/media needs search access to /data/media
# itself.
allow { coredomain appdomain } media_userdir_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_userdir_file:dir { getattr search };
allow domain vendor_data_file:dir { getattr search };

# required by the dynamic linker
allow domain proc:lnk_file { getattr read };

# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;

# /dev/cpu_variant:.*
allow domain dev_cpu_variant:file r_file_perms;

# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file r_file_perms;

# toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;

# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;

# Linux lockdown mode offered coarse-grained definitions for access controls. In
# previous versions of the policy, the integrity permission was neverallowed.
# It was found that this permission mainly duplicates pre-existing rules in
# the policy (see b/285443587). Additionally, some accesses were found to be
# required (b/269377822). The access vector was removed from kernel 5.16
# onwards. Grant unconditional access; these rules should be removed from the
# policy once no kernels <5.16 are supported.
allow domain self:lockdown { confidentiality integrity };

# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
  ioctl unpriv_unix_sock_ioctls;

# Restrict PTYs to only allowed ioctls.
# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

# All domains must clearly enumerate what ioctls they use
# on filesystem objects (plain files, directories, symbolic links,
# named pipes, and named sockets). We start off with a safe set.
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };

# If a domain has ioctl access to tun_device, it must clearly enumerate the
# ioctls used. Safe defaults are listed below.
allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };

# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };

# If a domain has access to perform an ioctl on a block device, allow these
# very common, benign ioctls
allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };

# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
allowxperm domain { file_type sdcard_type }:file ioctl {
  F2FS_IOC_ABORT_VOLATILE_WRITE
  F2FS_IOC_COMMIT_ATOMIC_WRITE
  F2FS_IOC_GET_FEATURES
  F2FS_IOC_GET_PIN_FILE
  F2FS_IOC_SET_PIN_FILE
  F2FS_IOC_START_ATOMIC_WRITE
};

# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules.
# { domain -domain } is the empty set, so these rules grant nothing at runtime.
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
# when it's not explicitly used in allow rules
allow { domain -domain } vndservice_manager_type:service_manager { add find };

# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
with_asan(`allow domain system_data_file:dir getattr;')
# Under ASAN, /system/asan.options needs to be globally accessible.
with_asan(`allow domain system_asan_options_file:file r_file_perms;')

# read APEX dir and stat any symlink pointing to APEXs.
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;

# Allow reading /sys/kernel/mm/pgsize_migration/enabled
allow domain sysfs_pgsize_migration:dir search;
allow domain sysfs_pgsize_migration:file r_file_perms;

# Linker is executed from the context of the process requesting the dynamic linking,
# so this prop must be "world-readable".
get_prop(domain, bionic_linker_16kb_app_compat_prop)

# Allow everyone to read media server-configurable flags, so that libstagefright can be
# configured using server-configurable flags
get_prop(domain, device_config_media_native_prop)

# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;

# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);

# See private/crash_dump.te
# dumpable_domain is the set of domains that may be attached to for dumping or
# profiling: every domain minus the exclusions listed here.
define(`dumpable_domain',`{
  domain
  -apexd
  -bpfloader
  -crash_dump
  -crosvm # TODO(b/236672526): Remove exception for crosvm
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -ueventd
  -vendor_init
  -vold
}')

# Allow heap profiling by heapprofd.
# Zygotes are excluded due to potential issues with holding open file
# descriptors or other state across forks. Other exclusions conflict with
# neverallows, and are not considered important to profile.
can_profile_heap({
  dumpable_domain
  -app_zygote
  -hal_configstore_server
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -webview_zygote
  -zygote
})

# Allow profiling using perf_event_open by traced_perf.
can_profile_perf({
  dumpable_domain
  -app_zygote
  -hal_configstore_server
  -webview_zygote
  -zygote
})

# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);

# Everyone can access the fuse list of features.
r_dir_file(domain, sysfs_fs_fuse_features);

# Path resolution access in cgroups.
# Write access to cgroup and cgroup_v2 is withheld from app domains and rs.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;

allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;

allow domain cgroup_desc_file:file r_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain vendor_cgroup_desc_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
allow domain libprocessgroup_metadata_file:dir r_dir_perms;
allow domain libprocessgroup_metadata_file:file r_file_perms;

# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);

# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)

# Read access to bq configuration values
get_prop(domain, bq_config_prop);

# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);

# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process), and MTE bootloader override to be
# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
get_prop(domain, device_config_runtime_native_boot_prop);
get_prop(domain, device_config_runtime_native_prop);

# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
  # DO NOT ADD ANY PROPERTIES HERE
  get_prop(domain, core_property_type)
  get_prop(domain, exported3_system_prop)
  get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
  # DO NOT ADD ANY PROPERTIES HERE
  get_prop({coredomain appdomain shell}, core_property_type)
  get_prop({coredomain appdomain shell}, exported3_system_prop)
  get_prop({coredomain appdomain shell}, exported_camera_prop)
  get_prop({coredomain shell}, userspace_reboot_exported_prop)
  get_prop({coredomain shell}, userspace_reboot_log_prop)
  get_prop({coredomain shell}, userspace_reboot_test_prop)
  get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')

# Public readable properties
get_prop(domain, aaudio_config_prop)
get_prop(domain, apexd_select_prop)
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
get_prop(domain, build_vendor_prop)
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, fingerprint_prop)
get_prop(domain, framework_status_prop)
get_prop(domain, gwp_asan_prop)
get_prop(domain, hal_instrumentation_prop)
get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, locale_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, timezone_prop)
# userdebug_or_eng_prop is withheld from untrusted, isolated and ephemeral apps
# and from app_zygote.
get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app -app_zygote }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
get_prop(domain, vts_config_prop)

# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
get_prop(domain, binder_cache_telephony_server_prop)

# Binderfs logs contain sensitive information about other processes.
# dumpstate and system_server are exempted on userdebug/eng builds only.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-dumpstate')
  userdebug_or_eng(`-system_server')
} binderfs_logs_transactions:file no_rw_file_perms;

# Binderfs transaction history is less sensitive than transactions, but it
# still contains global information about the system.
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms;

# Needed for loading kernel modules.
# TODO(384942085): Reduce the scope.
is_flag_disabled(RELEASE_SEPOLICY_RESTRICT_KERNEL_KEYRING_SEARCH, `
allow domain kernel:key search;
')

# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;

# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;

# Allow all processes to read the file_logger property that liblog uses to check if file_logger
# should be used.
get_prop(domain, log_file_logger_prop)

# Allow all processes to connect to PRNG seeder daemon.
unix_socket_connect(domain, prng_seeder, prng_seeder)

# Allow calls to system(3), popen(3), ...
# Grants read/execute on the shell and toybox binaries to every domain that is
# not carved out below.
allow {
  domain
  # Except domains that explicitly neverallow it.
  -kernel
  -init
  -vendor_init
  -app_zygote
  -webview_zygote
  -system_server
  -artd
  -dexopt_chroot_setup
  -audioserver
  -cameraserver
  -mediadrmserver
  -mediaextractor
  -mediametrics
  -mediaserver
  -mediatuner
  -mediatranscoding
  -ueventd
  -hal_audio_server
  -hal_camera_server
  -hal_cas_server
  -hal_codec2_server
  -hal_configstore_server
  -hal_drm_server
  -hal_omx_server
} {shell_exec toolbox_exec}:file rx_file_perms;

# Allow all processes to read aconfig flag storage files. The format is hidden behind
# code-generated APIs, but since the libraries are executed in the context of the caller,
# all processes need access to the underlying files.
is_flag_enabled(RELEASE_READ_FROM_NEW_STORAGE, `
  r_dir_file(domain, aconfig_storage_metadata_file);
')

r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);

# processes need to access storage files stored at /metadata/aconfig/boot, which requires search
# permission on the /metadata dir
allow domain metadata_file:dir search;

# overlayfs performs all file operations as the mounter, being overlay_remounter.
# It thus opens files as overlay_remounter, and then uses those files in the context of
# the caller, which is anyone accessing a file on an overlaid read-only partition
userdebug_or_eng(`allow domain overlay_remounter:fd use');

###
### neverallow rules
###

# All ioctls on file-like objects (except chr_file and blk_file) and
# sockets must be restricted to an allowlist.
# An allow rule with no matching allowxperm permits every ioctl command, so
# forbidding command 0 here forces each domain that grants ioctl on these
# classes to carry an explicit allowxperm list.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };

# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };

# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * devpts:chr_file ioctl TIOCSTI;

# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit device node creation to these allowed domains.
neverallow {
  domain
  -kernel
  -init
  -ueventd
  -vold
} self:global_capability_class_set mknod;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow * self:global_capability2_class_set mac_override;

# Disallow attempts to set contexts not defined in current policy
# This helps guarantee that unknown or dangerous contents will not ever
# be set.
neverallow * self:global_capability2_class_set mac_admin;

# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
neverallow * kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
  domain
  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
  -shell # For CTS, restricted to just getattr in shell.te
  -ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
  domain
  -shell # stat of /dev, getattr only
  -ueventd
} keychord_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;

# The dynamic linker always calls access(2) on the path. Don't generate SElinux
# denials since the linker does not actually access the path in case the path
# does not exist or isn't accessible for the process.
dontaudit domain postinstall_mnt_dir:dir audit_access;

# Ensure that nothing in userspace can access /dev/port
neverallow {
  domain
  -shell # Shell user should not have any abilities outside of getattr
  -ueventd
} port_device:chr_file *;
# The complement set below leaves only node lifecycle and labeling operations
# available to anyone; open/read/write/ioctl are forbidden for every domain.
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };

# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
neverallow * vendor_init:binder *;

# Binderfs logs contain sensitive information about other processes.
# On userdebug/eng builds the `-domain' exclusion empties the source set, so
# the first rule only constrains user builds.
neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow { domain userdebug_or_eng(`-overlay_remounter') } *:{ blk_file chr_file } rename;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };

# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;

# The test files and executables MUST not be accessible to any domain
# (kernel and shell are exempted from the write and execute rules respectively
# on userdebug/eng builds only).
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
# heapprofd may read shell test data but must never write or execute it.
neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;

# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };

# Nobody should be doing writes to /system & /vendor
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
neverallow {
  domain
  with_asan(`-asan_extract')
  recovery_only(`userdebug_or_eng(`-fastbootd')')
  userdebug_or_eng(`-kernel')
  userdebug_or_eng(`-overlay_remounter')
} {
  system_file_type
  vendor_file_type
  exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };

# relabelto is neverallowed separately; kernel is always exempt here, while
# asan_extract and overlay_remounter are exempt only under their build macros.
neverallow { domain -kernel with_asan(`-asan_extract') userdebug_or_eng(`-overlay_remounter') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;

# Don't allow mounting on top of /system files or directories
neverallow {
  domain
  userdebug_or_eng(`-overlay_remounter')
} exec_type:dir_file_class_set mounton;

# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow { domain userdebug_or_eng(`-overlay_remounter') } contextmount_type:dir_file_class_set
  { create setattr relabelfrom relabelto append link rename };
neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') userdebug_or_eng(`-overlay_remounter') } contextmount_type:dir_file_class_set { write unlink };

# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
# Default (unmapped) service labels may not be used for any service_manager
# operation at all, so an unlabeled service can neither be added nor found.
neverallow * default_android_service:service_manager *;
neverallow * default_android_vndservice:service_manager *;
neverallow * default_android_hwservice:hwservice_manager *;

# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offers such lookups only to make it so that security
# decisions are expressed in SELinux policy. However, it's unclear whether this
# lookup has security implications. If it doesn't, hwservicemanager should be
# modified to not offer this lookup.
# This rule can be removed if hwservicemanager is modified to not permit these
# lookups.
neverallow * hidl_base_hwservice:hwservice_manager find;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } vndk_prop:property_service set;

# On builds with the compatible property scheme the restrictions tighten:
# mmc_prop and exported_secure_prop become settable by init alone (vendor_init
# loses the exemption it has in the generic rule above).
compatible_property_only(`
  neverallow { domain -init } mmc_prop:property_service set;
  neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
  neverallow { domain -init } exported_secure_prop:property_service set;
  neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
  neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
  neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
')

compatible_property_only(`
  neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
  neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
')

# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
# Anything that lands on the future_pm_prop catch-all may only be set by
# init, dumpstate and vendor_init.
neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms;

# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
# old platforms shouldn't be regarded as a problem.
dontaudit domain future_pm_prop:file read;

neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
neverallow { domain -init } userdebug_or_eng_prop:property_service set;

# Do not allow reading device's serial number from system properties except from
# a few allowed domains. The serial is a persistent hardware identifier, so new
# readers should not be added to this list casually.
neverallow {
  domain
  -adbd
  -adbd_tradeinmode
  -dumpstate
  -fastbootd
  -hal_camera_server
  -hal_cas_server
  -hal_drm_server
  -hal_keymint_server
  userdebug_or_eng(`-incidentd')
  -init
  -mediadrmserver
  -mediaserver
  -recovery
  -shell
  -system_server
  -vendor_init
} serialno_prop:file r_file_perms;

# The factory reset protection block device is reachable only from init,
# recovery, system_server and ueventd.
neverallow {
  domain
  -init
  -recovery
  -system_server
  -ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file no_rw_file_perms;

# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow {
  domain
  -init
  -recovery
  -vold
  -e2fs
  -fsck
  -fastbootd
  -hal_fastboot_server
} metadata_block_device:blk_file { append link rename write open read ioctl lock };

# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
# Write access to the system block device: fastbootd, recovery and
# update_engine on every build; fsck, init and remount additionally on
# debuggable builds. Note this covers write/append only.
neverallow {
  domain
  -fastbootd
  userdebug_or_eng(`-fsck')
  userdebug_or_eng(`-init')
  -recovery
  userdebug_or_eng(`-remount')
  -update_engine
} system_block_device:blk_file { write append };

# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
# (binder, hwbinder and vndbinder are separate drivers/contexts; no manager
# may read or write the other two).
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;

full_treble_only(`
  # Vendor apps are permitted to use only stable public services. If they were to use arbitrary
  # services which can change any time framework/core is updated, breakage is likely.
  #
  # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
  neverallow {
    appdomain
    -coredomain
  } {
    service_manager_type

    -app_api_service
    -ephemeral_app_api_service

    -hal_service_type # see app_neverallows.te

    -apc_service
    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
    -cameraserver_service
    -drmserver_service
    -credstore_service
    -keystore_maintenance_service
    -keystore_service
    -legacykeystore_service
    -mediadrmserver_service
    -mediaextractor_service
    -mediametrics_service
    -mediaserver_service
    -nfc_service
    -radio_service
    -virtual_touchpad_service
    -vr_manager_service
    userdebug_or_eng(`-hal_face_service')
  }:service_manager find;
')

# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
  } vndbinder_device:chr_file rw_file_perms;
')
full_treble_only(`
  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
')
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
  } vndservice_manager_type:service_manager *;
')
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
  } vndservicemanager:binder *;
')

# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
  # Most general rules first, more specific rules below.

  # Core domains are not permitted to initiate communications to vendor domain sockets.
  # We are not restricting the use of already established sockets because it is fine for a process
  # to obtain an already established socket via some public/official/stable API and then exchange
  # data with its peer over that socket.
  # The wire format in this scenario is dictated by the API
  # and thus does not break the core-vendor separation.
full_treble_only(`
  neverallow_establish_socket_comms({
    coredomain
    -init
    -adbd
  }, {
    domain
    -coredomain
    -socket_between_core_and_vendor_violators
  });
')

  # Vendor domains are not permitted to create/open sockets owned by core domains.
  # Only operations that work on an already-open FD (append/getattr/ioctl/read/write)
  # are left available on the sock_file.
full_treble_only(`
  neverallow {
    domain
    -coredomain
    -appdomain # appdomain restrictions below
    -data_between_core_and_vendor_violators # b/70393317
    -socket_between_core_and_vendor_violators
    -vendor_init
  } {
    coredomain_socket
    core_data_file_type
    unlabeled # used only by core domains
  }:sock_file ~{ append getattr ioctl read write };
')
full_treble_only(`
  neverallow {
    appdomain
    -coredomain
  } {
    coredomain_socket
    unlabeled # used only by core domains
    core_data_file_type
    -app_data_file
    -privapp_data_file
    -pdx_endpoint_socket_type # used by VR layer
    -pdx_channel_socket_type # used by VR layer
  }:sock_file ~{ append getattr ioctl read write };
')

  # Core domains are not permitted to create/open sockets owned by vendor domains
  # (i.e. any file_type/dev_type sock_file that is not a core, app or unlabeled one).
full_treble_only(`
  neverallow {
    coredomain
    -init
    -ueventd
    -socket_between_core_and_vendor_violators
  } {
    file_type
    dev_type
    -coredomain_socket
    -core_data_file_type
    -app_data_file_type
    -unlabeled
  }:sock_file ~{ append getattr ioctl read write };
')

# On TREBLE devices, vendor and system components are only allowed to share
# files by passing open FDs over hwbinder. Ban all directory access and all file
# accesses other than what can be applied to an open FD such as
# ioctl/stat/read/write/append. This is enforced by segregating /data.
# Vendor domains may directly access files in /data/vendor by path, but may only
# access files outside of /data/vendor via an open FD passed over hwbinder.
# Likewise, core domains may only directly access files outside /data/vendor by
# path and files in /data/vendor by open FD.
full_treble_only(`
  # coredomains may only access core_data_file_type (and app data), in
  # particular not /data/vendor. Only FD-level operations remain on other
  # data_file_types.
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -data_between_core_and_vendor_violators
    -init
    -vold_prepare_subdirs
  } {
    data_file_type
    -core_data_file_type
    -app_data_file_type
  }:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
  # ... and no directory access at all to non-core, non-app data dirs.
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -data_between_core_and_vendor_violators
    -init
    -vold_prepare_subdirs
  } {
    data_file_type
    -core_data_file_type
    -app_data_file_type
    # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
    # neverallow. Currently only getattr and search are allowed.
    -vendor_data_file
  }:dir *;

')
full_treble_only(`
  # vendor domains may only access files in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -vendor_init
  } {
    core_data_file_type
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  # vendor_init gets the same restriction, minus unencrypted_data_file which
  # is narrowed to read-only below.
  neverallow {
    vendor_init
    -data_between_core_and_vendor_violators
  } {
    core_data_file_type
    -unencrypted_data_file
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
  # The vendor init binary lives on the system partition so there is not a concern with stability.
  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
')
full_treble_only(`
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators
    -vendor_init
  } {
    core_data_file_type
    -system_data_file # default label for files on /data. Covered below...
    -system_data_root_file
    -vendor_userdir_file
    -vendor_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  neverallow {
    vendor_init
    -data_between_core_and_vendor_violators
  } {
    core_data_file_type
    -unencrypted_data_file
    -system_data_file
    -system_data_root_file
    -vendor_userdir_file
    -vendor_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
  # The vendor init binary lives on the system partition so there is not a concern with stability.
  neverallow vendor_init unencrypted_data_file:dir ~search;
')
full_treble_only(`
  # vendor domains may only getattr/search system_data_file dirs (the default
  # /data label), which is what path traversal into /data/vendor requires.
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
  } {
    system_data_file # default label for files on /data. Covered below
  }:dir ~{ getattr search };
')

full_treble_only(`
  # coredomains may not access dirs in /data/vendor beyond getattr/search.
  neverallow {
    coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -init
    -vold # vold creates per-user storage for both system and vendor
    -vold_prepare_subdirs
  } {
    vendor_data_file # default label for files on /data/vendor{,_ce,_de}. Covered below
  }:dir ~{ getattr search };
')

full_treble_only(`
  # coredomains may not access files in /data/vendor other than via an open FD.
  # Note that vold/vold_prepare_subdirs are exempted from the dir rule above
  # but not from this file rule.
  neverallow {
    coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -init
  } {
    vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
  }:file_class_set ~{ append getattr ioctl read write map };
')

full_treble_only(`
  # Core (non-vendor) domains are not allowed to execute the vendor shell
  # (vendor_shell_exec); init, shell and ueventd are the only exceptions on
  # user builds.
  neverallow {
    coredomain
    -init
    -shell
    -ueventd
    userdebug_or_eng(`-overlay_remounter')
  } vendor_shell_exec:file { execute execute_no_trans };
')

full_treble_only(`
  # Do not allow vendor components to execute files from system
  # except for the ones allowed here.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_executes_system_violators
    -vendor_init
  } {
    system_file_type
    -system_lib_file
    -system_bootstrap_lib_file
    -system_linker_exec
    -crash_dump_exec
    -netutils_wrapper_exec
    userdebug_or_eng(`-tcpdump_exec')
    # Vendor components still can invoke shell commands via /system/bin/sh
    -shell_exec
    -toolbox_exec
    -virtualizationmanager_exec
    is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec')
  }:file { entrypoint execute execute_no_trans };
')

full_treble_only(`
  # Do not allow coredomain to access entrypoint for files other
  # than system_file_type and postinstall_file
  neverallow coredomain {
    file_type
    -system_file_type
    -postinstall_file
  }:file entrypoint;
  # Do not allow domains other than coredomain to access entrypoint
  # for anything but vendor_file_type and init_exec for vendor_init.
  neverallow { domain -coredomain } {
    file_type
    -vendor_file_type
    -init_exec
  }:file entrypoint;
')

full_treble_only(`
  # Do not allow system components to execute files from vendor
  # except for the ones allowed here.
  neverallow {
    coredomain
    -init
    -shell
    -system_executes_vendor_violators
    -ueventd
    userdebug_or_eng(`-overlay_remounter')
  } {
    vendor_file_type
    -same_process_hal_file
    -vndk_sp_file
    -vendor_app_file
    -vendor_public_framework_file
    -vendor_public_lib_file
  }:file execute;
')

full_treble_only(`
  # execute_no_trans (running vendor code without a domain transition) is
  # tighter still: only same-process HAL files are exempted, and init/ueventd
  # do not get the exemption they have for plain execute above.
  neverallow {
    coredomain
    -shell
    -system_executes_vendor_violators
    userdebug_or_eng(`-overlay_remounter')
  } {
    vendor_file_type
    -same_process_hal_file
  }:file execute_no_trans;
')

full_treble_only(`
  # Do not allow vendor components access to /system files except for the
  # ones allowed here.
  neverallow {
    domain
    -appdomain
    -coredomain
    -vendor_executes_system_violators
    # vendor_init needs access to init_exec for domain transition. vendor_init
    # neverallows are covered in public/vendor_init.te
    -vendor_init
  } {
    system_file_type
    -cgroup_desc_file
    -crash_dump_exec
    -file_contexts_file
    -netutils_wrapper_exec
    -property_contexts_file
    -system_event_log_tags_file
    -system_group_file
    -system_lib_file
    -system_bootstrap_lib_file
    with_asan(`-system_asan_options_file')
    -system_linker_exec
    -system_linker_config_file
    -system_passwd_file
    -system_seccomp_policy_file
    -system_security_cacerts_file
    -system_zoneinfo_file
    -task_profiles_file
    userdebug_or_eng(`-tcpdump_exec')
    # Vendor components still can invoke shell commands via /system/bin/sh
    -shell_exec
    -toolbox_exec
    -virtualizationmanager_exec
    is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec')
  }:file *;
')

# Only system_server should be able to send commands via the zygote socket
# (connectto on the socket, write on the sock_file node).
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;

neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow { domain -system_server } app_zygote:sock_file write;

# No domain may connectto the tombstoned crash socket.
neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;

# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;

# Never allow anyone but system_server (and init) to read heapdumps in /data/system/heapdump.
neverallow { domain -init -system_server } heapdump_data_file:file read;

# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
neverallow * *:{ shm sem msg msgq } *;

# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
# Mounting over a symlink, fifo or socket of any file/fs/device type is banned;
# overlay_remounter is the sole exemption, and only on debuggable builds.
neverallow {
  domain
  userdebug_or_eng(`-overlay_remounter')
} { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;

# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, overlay_remounter and
# su itself execute su.
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -overlay_remounter') } su_exec:file no_x_file_perms;

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
# This rule limits WHICH FILES may ever be execmod'ed (apk_data_file,
# app_data_file, asec_public_file); the companion rule below limits WHO may
# do it. Together they confine execmod to legacy untrusted apps on app files.
neverallow {
  domain
  userdebug_or_eng(`-overlay_remounter')
} {
  file_type
  -apk_data_file
  -app_data_file
  -asec_public_file
}:file execmod;

# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
neverallow * self:process { execstack execheap };

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# Only the legacy untrusted_app_25 / untrusted_app_27 domains (targetSdk <= 27)
# may execmod at all; see the file-type restriction above.
neverallow {
  domain
  -untrusted_app_25
  -untrusted_app_27
  userdebug_or_eng(`-overlay_remounter')
} file_type:file execmod;

# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
# Only the non-domain -> domain direction is enforced today; the reverse
# (domain -> non-domain) is still the TODO below.
# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
neverallow ~domain domain:process { transition dyntransition };

#
# Only system_app and system_server should be creating or writing
# system_data_file files (init, toolbox, installd, vold_prepare_subdirs and
# asan_extract on ASAN builds are the listed exceptions). The proper way to
# share files is to setup type transitions to a more specific type or
# assigning a type to its parent directory via a file_contexts entry.
# Example type transition:
#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
  domain
  -system_server
  -system_app
  -init
  -toolbox # TODO(b/141108496) We want to remove toolbox
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
  -vold_prepare_subdirs # For unlink
  with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };

#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
  domain
  -adbd
  -init
  -runas
  -zygote
} shell:process { transition dyntransition };

# Only domains spawned from zygote, app_zygote, webview_zygote, runas and
# simpleperf_app_runner may transition into the appdomain attribute.
#
# shell is excluded from the target set because its transitions are governed
# by the rule above. simpleperf is excluded as a domain transitioned to when
# running an app-scoped profiling session.
#
# tradeinmode is excluded; it is only run when adbd is in trade-in mode,
# transitioned from the limited adbd_tradeinmode context. It is a wrapper
# around "am" to avoid exposing the shell context when adbd is in trade-in
# mode.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
  appdomain -shell -simpleperf userdebug_or_eng(`-su') -tradeinmode
}:process { transition dyntransition };

# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks (a privileged domain following
# an attacker-controlled link into a location it would not otherwise touch).
neverallow {
  domain
  -appdomain
  -artd
  -installd
} { app_data_file privapp_data_file }:lnk_file read;

neverallow {
  domain
  -shell
  userdebug_or_eng(`-uncrypt')
  -installd
} shell_data_file:lnk_file read;

# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
    servicemanager
    vndservicemanager
  }:service_manager list;

# hwservicemanager is the only process which handles hw list requests
neverallow * ~{
    hwservicemanager
  }:hwservice_manager list;

# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };

# Prevent assigning non property types to properties
# TODO - rework this: neverallow * ~property_type:property_service set;

# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
# executable file used to enter a domain should be labeled
# with its own _exec type, not with the domain type.
# Conventionally, this looks something like:
# $ cat mydaemon.te
# type mydaemon, domain;
# type mydaemon_exec, exec_type, file_type;
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
neverallow * domain:file { execute execute_no_trans entrypoint };

# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix dumpstate
neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;

# Do not allow executable files in debugfs.
neverallow domain debugfs_type:file { execute execute_no_trans };

# Don't allow access to the FUSE control filesystem, except to vold, init and vendor_init.
neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;

# Profiles contain untrusted data and profman parses that. We should only run
# it from installd and artd forked processes.
neverallow {
  domain
  -installd
  -profman
  -artd
  userdebug_or_eng(`-overlay_remounter')
} profman_exec:file no_x_file_perms;

# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, boot (rootfs), and system_dlkm partitions.
# TODO(b/218951883): Remove usage of system and rootfs as origin
neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;

# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
neverallow * self:global_capability_class_set setfcap;

# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;

# Do not permit non-core domains to register HwBinder services which are
# guaranteed to be provided by core domains only.
neverallow ~coredomain coredomain_hwservice:hwservice_manager add;

# Do not permit the registration of HwBinder services which are guaranteed to
# be passthrough only (i.e., run in the process of their clients instead of a
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;

# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.

# These filesystems don't allow files or directories to be created, so the permission
# to do so should never be granted.
neverallow domain {
  proc_type
  sysfs_type
}:dir { add_name create link remove_name rename reparent rmdir write };

# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create;

dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
dontaudit domain cgroup_v2:file create;

# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
userdebug_or_eng(`
  dontaudit domain proc_type:dir add_name;
  dontaudit domain sysfs_type:dir add_name;
  dontaudit domain proc_type:file create;
  dontaudit domain sysfs_type:file create;
')

# Platform must not have access to /mnt/vendor.
neverallow {
  coredomain
  -init
  -ueventd
  -vold
  -system_writes_mnt_vendor_violators
} mnt_vendor_file:dir *;

# Within coredomain, only apps are allowed to execute vendor public libraries.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    userdebug_or_eng(`-overlay_remounter')
  } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
')

# Vendor domain must not have access to /mnt/product.
# Non-core (vendor) domains get no directory access at all to /mnt/product.
neverallow {
  domain
  -coredomain
} mnt_product_file:dir *;

# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL
full_treble_only(`
  neverallow {
    coredomain
    -shell
    # For access to block device information under /sys/class/block.
    -apexd
    # Read sysfs block device information.
    -init
    # Generate uevents for health info
    -ueventd
    # Recovery uses health HAL passthrough implementation.
    -recovery
    # Charger uses health HAL passthrough implementation.
    -charger
    # TODO(b/110891300): remove this exception
    -incidentd
  } sysfs_batteryinfo:file { open read };
')

# Only the codec2 and OMX HAL servers may register the codec2 HwBinder service.
neverallow {
  domain
  -hal_codec2_server
  -hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;

# Only apps targeting < Q are allowed to open /dev/ashmem directly.
# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
neverallow {
  domain
  -ephemeral_app # We don't distinguish ephemeral apps based on target API.
  -untrusted_app_25
  -untrusted_app_27
} ashmem_device:chr_file open;

# printk_formats exposes kernel format strings; only traced_probes (plus init
# and vendor_init) may touch it.
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;

# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
  domain
  userdebug_or_eng(`-domain') # exclude debuggable builds
  -fastbootd
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
  -mtectrl
  -misctrl
  -kcmdlinectrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains. On user builds that is only
# vold, dumpstate, storaged and system_server.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-simpleperf_boot')
  -storaged
  -system_server
} self:global_capability_class_set sys_ptrace;

# Limit ability to generate hardware unique device ID attestations to
# priv_app and gmscore_app. Only system_server may attest with device IDs
# or perform namespace-wide keystore maintenance (clear_ns/lock/reset/unlock).
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };

# debugfs tracing is off limits on user builds except to init/vendor_init;
# the whole rule is waived on debuggable builds.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;

# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
1641neverallow { 1642 domain 1643 -init 1644 -system_server 1645 userdebug_or_eng(`-dumpstate') 1646} dropbox_data_file:dir *; 1647neverallow { 1648 domain 1649 -init 1650 -system_server 1651 userdebug_or_eng(`-dumpstate') 1652} dropbox_data_file:file ~{ getattr read }; 1653 1654### 1655# Services should respect app sandboxes 1656neverallow { 1657 domain 1658 -appdomain 1659 -artd # compile secondary dex files 1660 -installd # creation of sandbox 1661} { 1662 privapp_data_file 1663 app_data_file 1664 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1665}:dir_file_class_set { create unlink }; 1666 1667is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1668 neverallow { 1669 domain 1670 -artd # compile secondary dex files 1671 -installd # creation of sandbox 1672 -vold_prepare_subdirs # creation of storage area directories 1673 } {storage_area_app_dir storage_area_dir }:dir { create unlink }; 1674') 1675 1676# Only the following processes should be directly accessing private app 1677# directories. 
# Any directory permission (`*`) on private app data directories is asserted
# away for every domain not listed here. The exemptions are the app domains
# themselves, the processes that spawn or manage them (zygotes, runas, rs,
# system_server, adbd) and the ART/installd tooling that compiles or
# installs into the sandbox.
neverallow {
    domain
    -adbd
    -appdomain
    -app_zygote
    -artd # compile secondary dex files
    -installd
    -profman
    -rs # spawned by appdomain, so carryover the exception above
    -runas
    -system_server
    -zygote
} {
    privapp_data_file
    app_data_file
    is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir *;

# Equivalent assertion for the storage-area directory types (flag-gated).
# vold and vold_prepare_subdirs are exempted in addition to the list above
# because they encrypt and create these directories.
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    neverallow {
        domain
        -appdomain
        -app_zygote
        -artd # compile secondary dex files
        -installd
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -vold # encryption of storage area directories
        -vold_prepare_subdirs # creation of storage area directories
        -zygote
    } { storage_area_dir storage_area_app_dir }:dir *;
')

is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    # only vold, vold_prepare_subdirs and installd can access the storage
    # area key files (and init, in case of a recursive restorecon).
    # Note that appdomain is deliberately NOT exempted here: apps never
    # touch the key material directly.
    neverallow {
        domain
        -init
        -vold
        -vold_prepare_subdirs
        -installd
    } { storage_area_key_file }:dir_file_class_set *;
')

# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
# Everything beyond read-only directory access (~r_dir_perms) on private app
# data directories is asserted away for all but apps, artd, installd and rs.
neverallow {
    domain
    -appdomain
    -artd # compile secondary dex files
    -installd
    -rs # spawned by appdomain, so carryover the exception above
} {
    privapp_data_file
    app_data_file
    is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir ~r_dir_perms;

# Same write restriction for the storage-area directory types (flag-gated).
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    neverallow {
        domain
        -appdomain
        -artd # compile secondary dex files
        -installd
        -rs # spawned by appdomain, so carryover the exception above
        -vold_prepare_subdirs # creation of storage area directories
    } { storage_area_dir storage_area_app_dir }:dir ~r_dir_perms;
')

# Opening files (any class in file_class_set) inside private app data is
# limited to apps, app_zygote, artd, installd and rs. Other domains may only
# receive such files by file descriptor, never open them by path.
neverallow {
    domain
    -appdomain
    -app_zygote
    -artd # compile secondary dex files
    -installd
    -rs # spawned by appdomain, so carryover the exception above
} {
    privapp_data_file
    app_data_file
    is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir_file_class_set { create unlink };

# NOTE(review): the { create unlink } assertion immediately above is identical
# to the one under "Services should respect app sandboxes" earlier in this
# file. Duplicate neverallow assertions are harmless, but one copy could be
# dropped to keep the policy easier to audit.
neverallow {
    domain
    -appdomain
    -artd # compile secondary dex files
    -installd # creation of sandbox
} {
    privapp_data_file
    app_data_file
    is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir_file_class_set { create unlink };

# Relabelling app data in either direction is reserved for artd and installd;
# apps must not be able to change the label of their own files.
neverallow {
    domain
    -artd # compile secondary dex files
    -installd
} {
    privapp_data_file
    app_data_file
    is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir_file_class_set { relabelfrom relabelto };

is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    neverallow {
        domain
        -artd # compile secondary dex files
        -installd
        -vold_prepare_subdirs
    } { storage_area_dir storage_area_app_dir }:dir { relabelfrom relabelto };
')

# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
# The update_provider can also stage files before apexd processes them.
#
# The two `*` assertions below bound which domains may touch staged content at
# all; the narrower assertions that follow are the ones that pin down writes:
# only init, system_server, installd and update_provider may write to the
# staging directory, apexd is additionally allowed link/unlink/rename on the
# files, and execute (no_x_file_perms) is asserted away for everyone but
# init, system_server, installd and update_provider.
neverallow {
    domain
    -init
    -system_server
    -apexd
    -installd
    -priv_app
    -virtualizationmanager
    -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL!
} staging_data_file:dir *;
neverallow {
    domain
    -init
    -system_app
    -system_server
    -apexd
    -adbd
    -kernel
    -installd
    -priv_app
    -shell
    -virtualizationmanager
    -crosvm
    -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL!
} staging_data_file:file *;
# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
neverallow { domain -init -system_server -installd -update_provider } staging_data_file:dir no_w_dir_perms;
# apexd needs the link/unlink/rename permissions
# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
neverallow { domain -init -system_server -installd -apexd -update_provider } staging_data_file:file {
    no_w_file_perms no_x_file_perms
};
# apexd's own carve-out: it keeps link/unlink/rename but nothing else that
# could alter staged content, and may not execute it.
neverallow apexd staging_data_file:file {
    append create relabelfrom setattr write # no_w_file_perms -link -unlink -rename
    no_x_file_perms
};

# No domain other than apps, bootanim and recovery may execute files from any
# filesystem type except rootfs (e.g. tmpfs-backed content).
neverallow {
    domain
    -appdomain # for oemfs
    -bootanim # for oemfs
    -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
# The target set is "every file type that is not a system, vendor, linker or
# exec-labelled type": those subtracted types are the expected homes of
# executables. Any other file type is asserted non-executable for all but the
# listed domains. The userdebug_or_eng()/with_asan() exemptions do not exist
# on user builds.
neverallow {
    domain
    -appdomain
    with_asan(`-asan_extract')
    -shell
    userdebug_or_eng(`-su')
    -system_server_startup # for memfd backed executable regions
    -app_zygote
    -webview_zygote
    -zygote
    userdebug_or_eng(`-mediaextractor')
    userdebug_or_eng(`-mediaswcodec')
    userdebug_or_eng(`-overlay_remounter')
} {
    file_type
    -system_file_type
    -system_lib_file
    -system_bootstrap_lib_file
    -system_linker_exec
    -vendor_file_type
    -exec_type
    -postinstall_file
}:file execute;

# Only init and vendor_init are allowed to write the cgroup.rc file
neverallow {
    domain
    -init
    -vendor_init
} cgroup_rc_file:file no_w_file_perms;

# Only authorized processes should be writing to files in /data/dalvik-cache
# (the dexopt/preopt tool chain, zygote, installd and init).
neverallow {
    domain
    -init # TODO: limit init to relabelfrom for files
    -zygote
    -installd
    -postinstall_dexopt
    -cppreopts
    -dex2oat
    -otapreopt_slot
    -artd
} dalvikcache_data_file:file no_w_file_perms;

# Same allowlist for the dalvik-cache directories themselves.
neverallow {
    domain
    -init
    -installd
    -postinstall_dexopt
    -cppreopts
    -dex2oat
    -zygote
    -otapreopt_slot
    -artd
} dalvikcache_data_file:dir no_w_dir_perms;

# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
# Writers of the ART APEX data files: the compilation/signing daemons plus
# apexd, init and vold_prepare_subdirs. The file and dir assertions below use
# the same allowlist and should be kept in sync.
neverallow {
    domain
    # art-related processes
    -composd
    -compos_fd_server
    -odrefresh
    -odsign
    # others
    -apexd
    -init
    -vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;

neverallow {
    domain
    # art-related processes
    -composd
    -compos_fd_server
    -odrefresh
    -odsign
    # others
    -apexd
    -init
    -vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;

# Protect most domains from executing arbitrary content from /data.
# The subtracted types are the /data locations that legitimately hold
# executable artifacts (ART output, dalvik-cache, APKs and their shared libs).
neverallow {
    domain
    -appdomain
    userdebug_or_eng(`-overlay_remounter')
} {
    data_file_type
    -apex_art_data_file
    -dalvikcache_data_file
    -system_data_file # shared libs in apks
    -apk_data_file
}:file no_x_file_perms;

# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# dac_override_allowed is an m4 macro expanding to the set of domains that may
# hold CAP_DAC_OVERRIDE; it is reused below for dac_read_search.
define(`dac_override_allowed', `{
    apexd
    artd
    dnsmasq
    dumpstate
    init
    installd
    userdebug_or_eng(`llkd')
    lmkd
    migrate_legacy_obb_data
    netd
    postinstall_dexopt
    recovery
    rss_hwm_reset
    sdcardd
    tee
    ueventd
    uncrypt
    vendor_init
    vold
    vold_prepare_subdirs
    zygote
    userdebug_or_eng(`overlay_remounter')
}')
# `~dac_override_allowed` is the complement: every domain NOT in the set.
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
# Complement of (dac_override_allowed + the profiling daemons): every other
# domain is asserted not to hold CAP_DAC_READ_SEARCH.
neverallow ~{
    dac_override_allowed
    traced_perf
    traced_probes
    heapprofd
} self:global_capability_class_set dac_read_search;

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
# recovery_only(`-fastbootd') only exists in the recovery policy variant.
neverallow {
    domain
    -apexd
    -dexopt_chroot_setup
    recovery_only(`-fastbootd')
    -init
    -kernel
    -otapreopt_chroot
    -recovery
    -update_engine
    -vold
    -zygote
    userdebug_or_eng(`-overlay_remounter')
} { fs_type
    -sdcard_type
    -fusefs_type
}:filesystem { mount remount relabelfrom relabelto };

# When debugfs restrictions are enforced, no domain may mount or relabel
# debugfs filesystems (other than debugfs_tracing_debug); init is exempted
# only on debuggable builds.
enforce_debugfs_restriction(`
    neverallow {
        domain userdebug_or_eng(`-init')
    } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')

# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
# (userdebug_or_eng(`-domain') empties the subject set on debuggable builds.)
neverallow {
    domain
    userdebug_or_eng(`-domain')
    -kernel
    -gsid
    -init
    -recovery
    -ueventd
    -uncrypt
    -tee
    -hal_bootctl_server
    -fastbootd
} self:global_capability_class_set sys_rawio;

# Limit directory operations that don't need to do app data isolation.
# Any directory permission on mirror_data_file is asserted away for all but
# fsck, init, installd and zygote.
neverallow {
    domain
    -fsck
    -init
    -installd
    -zygote
} mirror_data_file:dir *;

# This property is being removed. Remove remaining access.
# net_dns_prop: only init, system_server and vendor_init may set it; reading
# is additionally allowed for dumpstate.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;

# Only core domains are allowed to access package_manager properties
# (setting is narrower still: init and system_server only).
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

# Do not allow reading the last boot timestamp from system properties
# (except by init, system_server and dumpstate).
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

# Allow ART to set its config properties in its oneshot boot service, in
# addition to the common init and vendor_init access.
neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;

# Kprobes should only be used by adb root
# (the assertion itself exempts only init and vendor_init).
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;

# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
# Note the subject is coredomain, not domain: this and the following
# full_treble_only() assertions constrain framework-side (core) domains only.
# Core domains other than those listed may neither write, execute nor open
# vendor_file files.
full_treble_only(`
    neverallow {
        coredomain
        -appdomain
        -bootanim
        -crash_dump
        -heapprofd
        userdebug_or_eng(`-profcollectd')
        -init
        -kernel
        userdebug_or_eng(`-simpleperf_boot')
        -traced_perf
        -ueventd
        userdebug_or_eng(`-overlay_remounter')
    } vendor_file:file { no_w_file_perms no_x_file_perms open };
')

# Vendor domains are not permitted to initiate communications to core domain sockets
# First set: non-core, non-app domains (the vendor side), minus the declared
# violators. Second set: the core domains they must not connect to, minus the
# sockets that are considered public API (logd, netd, mdnsd, prng_seeder,
# tombstoned and the tracing/profiling daemons).
full_treble_only(`
    neverallow_establish_socket_comms({
        domain
        -coredomain
        -appdomain
        -socket_between_core_and_vendor_violators
    }, {
        coredomain
        -logd # Logging by writing to logd Unix domain socket is public API
        -netd # netdomain needs this
        -mdnsd # netdomain needs this
        -prng_seeder # Any process using libcrypto needs this
        userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
        -init
        -tombstoned # linker to tombstoned
        -heapprofd
        -traced
        -traced_perf
    });
')

full_treble_only(`
    # Do not allow system components access to /vendor files except for the
    # ones allowed here.
    # The target set is every vendor_file_type minus the vendor file types
    # that form the stable system/vendor interface (configs, contexts,
    # public libs/frameworks, overlays, key layouts, ...). Any access (`*`)
    # to the remaining vendor files is asserted away for core domains not
    # listed, and -system_executes_vendor_violators is the escape hatch for
    # devices that still have such access.
    neverallow {
        coredomain
        # TODO(b/37168747): clean up fwk access to /vendor
        -crash_dump
        -crosvm # loads vendor-specific disk images
        -init # starts vendor executables
        -kernel # loads /vendor/firmware
        -heapprofd
        userdebug_or_eng(`-profcollectd')
        -shell
        userdebug_or_eng(`-simpleperf_boot')
        -system_executes_vendor_violators
        -traced_perf # library/binary access for symbolization
        -ueventd # reads /vendor/ueventd.rc
        -vold # loads incremental fs driver
        userdebug_or_eng(`-overlay_remounter')
    } {
        vendor_file_type
        -same_process_hal_file
        -vendor_app_file
        -vendor_apex_file
        -vendor_apex_metadata_file
        -vendor_boot_ota_file
        -vendor_cgroup_desc_file
        -vendor_configs_file
        -vendor_microdroid_file
        -vendor_service_contexts_file
        -vendor_framework_file
        -vendor_idc_file
        -vendor_keychars_file
        -vendor_keylayout_file
        -vendor_overlay_file
        -vendor_public_framework_file
        -vendor_public_lib_file
        -vendor_task_profiles_file
        -vendor_uuid_mapping_config_file
        -vndk_sp_file
        -vendor_aconfig_storage_file
    }:file *;
')

# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;

# Only init, otapreopt_chroot and dexopt_chroot_setup should be mounting
# filesystems on locations labeled system or vendor (/product and /vendor
# respectively); overlay_remounter and zygote are additionally exempted on
# userdebug/eng builds.
# mounton covers every class in dir_file_class_set, so neither directories
# nor files labelled as system or vendor types may be used as mount points
# by domains outside this allowlist.
neverallow {
    domain
    -dexopt_chroot_setup
    -init
    -otapreopt_chroot
    userdebug_or_eng(`-overlay_remounter')
    userdebug_or_eng(`-zygote')
} {
    system_file_type
    vendor_file_type
}:dir_file_class_set mounton;

# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
neverallow {
    domain
    -init
    -vendor_init
    -dumpstate
} mm_events_config_prop:file no_rw_file_perms;

# Allow init to open /proc/kallsyms while kernel address mappings are still
# visible, and later share it with tracing daemons (traced_probes,
# traced_perf). These daemons are allowed to read from the shared fd, but also
# to separately open the file (which will always have zeroed out addresses due
# to init raising kptr_restrict) for locking to coordinate access to the shared
# fd. The performance traces contain only the referenced kernel symbols, and
# never the raw addresses (i.e. KASLR is not disclosed).
# On debuggable builds, performance tools are allowed to open and read the file
# directly because init is allowed to temporarily unrestrict systemwide address
# visibility.
# Any access (`*`) to proc_kallsyms is asserted away for every other domain.
neverallow {
    domain
    -init
    -traced_probes
    -traced_perf
    userdebug_or_eng(`-profcollectd')
    userdebug_or_eng(`-simpleperf_boot')
} proc_kallsyms:file *;

# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
# With debugfs restrictions enforced, no domain except vendor_modprobe (and,
# on debuggable builds, init, hal_dumpstate and incidentd) may read or write
# debugfs files. tracefs_type is carved out of the target set, and
# debugfs_kcov only on debuggable builds.
enforce_debugfs_restriction(`
    neverallow {
        domain
        -vendor_modprobe
        userdebug_or_eng(`
            -init
            -hal_dumpstate
            -incidentd
        ')
    } { debugfs_type
        userdebug_or_eng(`-debugfs_kcov')
        -tracefs_type
    }:file no_rw_file_perms;
')

# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;

# Restrict CAP_PERFMON.
# Checked against the domain itself (self:capability2).
neverallow {
    domain
    -init
    -vendor_modprobe
    userdebug_or_eng(`-simpleperf_boot')
    -kernel
    -uprobestats
} self:capability2 perfmon;

# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
# Only `open` is asserted here; read/write on an already-received fd is not
# covered by this assertion. The virtualization domains and uncrypt are
# exempted on debuggable builds only.
neverallow {
    domain
    -adbd
    -appdomain
    -artd
    -dumpstate
    -installd
    userdebug_or_eng(`-uncrypt')
    userdebug_or_eng(`-virtualizationmanager')
    userdebug_or_eng(`-virtualizationservice')
    userdebug_or_eng(`-crosvm')
} shell_data_file:file open;

# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
# Write access to shell-owned directories: adbd, artd, dumpstate, installd,
# init, shell and vold only. Note that appdomain is not exempted here,
# whereas it is for open/search below.
neverallow {
    domain
    -adbd
    -artd
    -dumpstate
    -installd
    -init
    -shell
    -vold
} shell_data_file:dir no_w_dir_perms;

neverallow {
    domain
    -adbd
    -appdomain
    -artd
    -dumpstate
    -init
    -installd
    -simpleperf_app_runner
    -system_server # why?
    userdebug_or_eng(`-uncrypt')
} shell_data_file:dir open;

# Same allowlist as the `open` assertion above plus, on debuggable builds,
# virtualizationmanager and crosvm.
neverallow {
    domain
    -adbd
    -appdomain
    -artd
    -dumpstate
    -init
    -installd
    -simpleperf_app_runner
    -system_server # why?
    userdebug_or_eng(`-uncrypt')
    userdebug_or_eng(`-virtualizationmanager')
    userdebug_or_eng(`-crosvm')
} shell_data_file:dir search;

# respect system_app sandboxes
neverallow {
    domain
    -appdomain
    -artd # compile secondary dex files
    -system_server # populate com.android.providers.settings/databases/settings.db.
    -installd # creation of app sandbox
    -traced_probes # resolve inodes for i/o tracing.
                   # only needs open and read, the rest is neverallow in
                   # traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
# The app domains that were exempted via -appdomain above are re-asserted
# individually here: untrusted, isolated, ephemeral, priv and sdk-sandbox apps
# must not create, delete or open system_app data either.
neverallow {
    isolated_app_all
    ephemeral_app
    priv_app
    sdk_sandbox_all
    untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };

# Only init may transition into the mtectrl and kcmdlinectrl domains.
neverallow { domain -init } mtectrl:process { dyntransition transition };
neverallow { domain -init } kcmdlinectrl:process { dyntransition transition };

# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
# (init and vold_prepare_subdirs are exempted for setup/restorecon).
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;

# Mounting over /proc entries is reserved for init and dexopt_chroot_setup
# (and zygote for the wider proc_type set).
neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;

# Only init/vendor are allowed to write sysfs_pgsize_migration;
# ueventd needs write access to all sysfs files.
neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;

# virtmanager enforces access policy for which components can connect
# to which VMs. If you have permissions to make direct connections, you
# can talk to anything.
# Applies from board API level 202504 onwards. Any domain not listed is
# asserted unable to create, bind, connect or accept vsock sockets.
starting_at_board_api(202504, `
neverallow {
    domain

    # these are expected
    is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
    -virtualizationmanager
    -virtualizationservice
    -adbd_common # maybe should move to emulator/virtual device specific policy

    # not expected, and defined outside of system/sepolicy.
    # Note: this attribute is strongly recommended to be empty if not required.
    -unconstrained_vsock_violators

    # these are permissions that should be removed, and they are here for visibility.
    -compos_fd_server # TODO: get connections from virtmanager
    -hal_keymint_system # TODO: get connections from virtmanager
    -hal_widevine_system # TODO: get connections from virtmanager
    -vmlauncher_app # TODO: get connections from virtmanager
} *:vsock_socket { connect create accept bind };
')