• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#####################################
2# domain_trans(olddomain, type, newdomain)
3# Allow a transition from olddomain to newdomain
4# upon executing a file labeled with type.
5# This only allows the transition; it does not
6# cause it to occur automatically - use domain_auto_trans
7# if that is what you want.
8#
9define(`domain_trans', `
10# Old domain may exec the file and transition to the new domain.
11allow $1 $2:file { getattr open read execute };
12allow $1 $3:process transition;
13# New domain is entered by executing the file.
14allow $3 $2:file { entrypoint read execute };
15# New domain can send SIGCHLD to its caller.
16allow $3 $1:process sigchld;
17# Enable AT_SECURE, i.e. libc secure mode.
18dontaudit $1 $3:process noatsecure;
19# XXX dontaudit candidate but requires further study.
20allow $1 $3:process { siginh rlimitinh };
21')
22
23#####################################
24# domain_auto_trans(olddomain, type, newdomain)
25# Automatically transition from olddomain to newdomain
26# upon executing a file labeled with type.
27#
28define(`domain_auto_trans', `
29# Allow the necessary permissions.
30domain_trans($1,$2,$3)
31# Make the transition occur by default.
32type_transition $1 $2:process $3;
33')
34
35#####################################
36# file_type_trans(domain, dir_type, file_type)
37# Allow domain to create a file labeled file_type in a
38# directory labeled dir_type.
39# This only allows the transition; it does not
40# cause it to occur automatically - use file_type_auto_trans
41# if that is what you want.
42#
43define(`file_type_trans', `
44# Allow the domain to add entries to the directory.
45allow $1 $2:dir ra_dir_perms;
46# Allow the domain to create the file.
47allow $1 $3:notdevfile_class_set create_file_perms;
48allow $1 $3:dir create_dir_perms;
49')
50
51#####################################
52# file_type_auto_trans(domain, dir_type, file_type)
53# Automatically label new files with file_type when
54# they are created by domain in directories labeled dir_type.
55#
56define(`file_type_auto_trans', `
57# Allow the necessary permissions.
58file_type_trans($1, $2, $3)
59# Make the transition occur by default.
60type_transition $1 $2:dir $3;
61type_transition $1 $2:notdevfile_class_set $3;
62')
63
64#####################################
65# r_dir_file(domain, type)
66# Allow the specified domain to read directories, files
67# and symbolic links of the specified type.
68define(`r_dir_file', `
69allow $1 $2:dir r_dir_perms;
70allow $1 $2:{ file lnk_file } r_file_perms;
71')
72
73#####################################
74# unconfined_domain(domain)
75# Allow the specified domain to do anything.
76#
77define(`unconfined_domain', `
78typeattribute $1 mlstrustedsubject;
79typeattribute $1 unconfineddomain;
80')
81
82#####################################
83# tmpfs_domain(domain)
84# Define and allow access to a unique type for
85# this domain when creating tmpfs / shmem / ashmem files.
86define(`tmpfs_domain', `
87type $1_tmpfs, file_type;
88type_transition $1 tmpfs:file $1_tmpfs;
89# Map with PROT_EXEC.
90allow $1 $1_tmpfs:file { read execute execmod };
91')
92
93#####################################
94# init_daemon_domain(domain)
95# Set up a transition from init to the daemon domain
96# upon executing its binary.
97define(`init_daemon_domain', `
98domain_auto_trans(init, $1_exec, $1)
99tmpfs_domain($1)
100')
101
102#####################################
103# app_domain(domain)
104# Allow a base set of permissions required for all apps.
105define(`app_domain', `
106typeattribute $1 appdomain;
107# Label ashmem objects with our own unique type.
108tmpfs_domain($1)
109')
110
111#####################################
112# platform_app_domain(domain)
113# Allow permissions specific to platform apps.
114define(`platform_app_domain', `
115typeattribute $1 platformappdomain;
116typeattribute $1 mlstrustedsubject;
117')
118
119#####################################
120# net_domain(domain)
121# Allow a base set of permissions required for network access.
122define(`net_domain', `
123typeattribute $1 netdomain;
124')
125
126#####################################
127# bluetooth_domain(domain)
128# Allow a base set of permissions required for bluetooth access.
129define(`bluetooth_domain', `
130typeattribute $1 bluetoothdomain;
131')
132
133#####################################
134# unix_socket_connect(clientdomain, socket, serverdomain)
135# Allow a local socket connection from clientdomain via
136# socket to serverdomain.
137define(`unix_socket_connect', `
138allow $1 $2_socket:sock_file write;
139allow $1 $3:unix_stream_socket connectto;
140')
141
142#####################################
143# unix_socket_send(clientdomain, socket, serverdomain)
144# Allow a local socket send from clientdomain via
145# socket to serverdomain.
146define(`unix_socket_send', `
147allow $1 $2_socket:sock_file write;
148allow $1 $3:unix_dgram_socket sendto;
149')
150
151#####################################
152# binder_use(domain)
153# Allow domain to use Binder IPC.
154define(`binder_use', `
155# Call the servicemanager and transfer references to it.
156allow $1 servicemanager:binder { call transfer };
157# Map /dev/ashmem with PROT_EXEC.
158allow $1 ashmem_device:chr_file execute;
159# rw access to /dev/binder and /dev/ashmem is presently granted to
160# all domains in domain.te.
161')
162
163#####################################
164# binder_call(clientdomain, serverdomain)
165# Allow clientdomain to perform binder IPC to serverdomain.
166define(`binder_call', `
167# Call the server domain and optionally transfer references to it.
168allow $1 $2:binder { call transfer };
169# Allow the serverdomain to transfer references to the client on the reply.
170allow $2 $1:binder transfer;
171# Receive and use open files from the server.
172allow $1 $2:fd use;
173')
174
175#####################################
176# binder_service(domain)
177# Mark a domain as being a Binder service domain.
178# Used to allow binder IPC to the various system services.
179define(`binder_service', `
180typeattribute $1 binderservicedomain;
181')
182
183#####################################
184# selinux_check_access(domain)
185# Allow domain to check SELinux permissions via selinuxfs.
186define(`selinux_check_access', `
187allow $1 selinuxfs:dir r_dir_perms;
188allow $1 selinuxfs:file rw_file_perms;
189allow $1 kernel:security compute_av;
190allow $1 self:netlink_selinux_socket *;
191')
192
193#####################################
194# selinux_check_context(domain)
195# Allow domain to check SELinux contexts via selinuxfs.
196define(`selinux_check_context', `
197allow $1 selinuxfs:dir r_dir_perms;
198allow $1 selinuxfs:file rw_file_perms;
199allow $1 kernel:security check_context;
200')
201
202#####################################
203# selinux_getenforce(domain)
204# Allow domain to check whether SELinux is enforcing.
205define(`selinux_getenforce', `
206allow $1 selinuxfs:dir r_dir_perms;
207allow $1 selinuxfs:file r_file_perms;
208')
209
210#####################################
211# selinux_setenforce(domain)
212# Allow domain to set SELinux to enforcing.
213define(`selinux_setenforce', `
214allow $1 selinuxfs:dir r_dir_perms;
215allow $1 selinuxfs:file rw_file_perms;
216allow $1 kernel:security setenforce;
217')
218
219#####################################
220# selinux_setbool(domain)
221# Allow domain to set SELinux booleans.
222define(`selinux_setbool', `
223allow $1 selinuxfs:dir r_dir_perms;
224allow $1 selinuxfs:file rw_file_perms;
225allow $1 kernel:security setbool;
226')
227
228#####################################
229# security_access_policy(domain)
230# Read only access to all policy files and
231# selinuxfs
232define(`security_access_policy', `
233allow $1 security_file:dir r_dir_perms;
234allow $1 security_file:file r_file_perms;
235allow $1 security_file:lnk_file read;
236allow $1 selinuxfs:dir r_dir_perms;
237allow $1 selinuxfs:file r_file_perms;
238allow $1 rootfs:dir r_dir_perms;
239allow $1 rootfs:file r_file_perms;
240')
241
242#####################################
243# selinux_manage_policy(domain)
244# Ability to manage policy files,
245# trigger runtime reload, change
246# enforcing mode, manipulate booleans
247# and access kernel logs.
248define(`selinux_manage_policy', `
249selinux_setenforce($1)
250selinux_setbool($1)
251security_access_policy($1)
252unix_socket_connect($1, property, init)
253allow $1 security_file:dir create_dir_perms;
254allow $1 security_file:file create_file_perms;
255allow $1 security_prop:property_service set;
256')
257
258#####################################
259# mmac_manage_policy(domain)
260# Ability to manage mmac policy files,
261# trigger runtime reload, change
262# mmac enforcing mode and access logcat.
263define(`mmac_manage_policy', `
264unix_socket_connect($1, property, init)
265allow $1 security_file:dir create_dir_perms;
266allow $1 security_file:file create_file_perms;
267allow $1 security_prop:property_service set;
268')
269
270#####################################
271# access_logcat(domain)
272# Ability to read from logcat logs
273# and execute the logcat command
274define(`access_logcat', `
275allow $1 log_device:chr_file read;
276allow $1 system_file:file x_file_perms;
277')
278
279#####################################
280# access_kmsg(domain)
281# Ability to read from kernel logs
282# and execute the klogctl syscall
283# in a non destructive manner. See
284# man 2 klogctl
285define(`access_kmsg', `
286allow $1 kernel:system syslog_read;
287')
288
289#####################################
290# write_klog(domain)
291# Ability to write to kernel log via
292# klog_write()
293# See system/core/libcutil/klog.c
294define(`write_klog', `
295type_transition $1 device:chr_file klog_device "__kmsg__";
296allow $1 klog_device:chr_file { create open write unlink };
297allow $1 device:dir { add_name remove_name };
298')
299