# Rules for all domains.
#
# Everything in this file is attached to the `domain` attribute, i.e. it is
# inherited by every confined process on the device.  An allow rule here widens
# the least-privilege baseline for all domains at once, so each entry should be
# the narrowest permission set that satisfies the stated need, and per-domain
# needs belong in the per-domain .te files rather than here.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;

# binder adjusts the nice value during IPC.
allow domain self:capability sys_nice;

# Intra-domain accesses.
# NOTE(review): `~{ ... }` is a complement -- this grants every `process`
# permission except the three listed (so, among others, execmem and
# setcurrent) to all domains.  A positive list of the permissions actually
# required would be easier to audit than a blanket complement.
allow domain self:process ~{ execstack execheap ptrace };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
# `*` grants the full permission set on the domain's own unix sockets.
allow domain self:{ unix_dgram_socket unix_stream_socket } *;

# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system:fd use;

# Connect to adbd and use a socket transferred from it.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr read write shutdown };

###
### Talk to debuggerd.
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;
# b/9858255 - debuggerd sockets are not getting properly labeled.
# TODO: Remove this temporary workaround.
# NOTE(review): until the labeling is fixed, this lets every domain connect to
# any unix stream socket still labeled as init's, not only debuggerd's; the
# removal above should be tracked so the workaround does not become permanent.
allow domain init:unix_stream_socket connectto;

# Root fs.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:file r_file_perms;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file read;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file r_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
# NOTE(review): powervr_device and nv_device are vendor GPU nodes; granting
# rw to every domain rather than to the graphics domains that use them
# widens the kernel-driver attack surface -- confirm whether all domains
# really need these.
allow domain powervr_device:chr_file rw_file_perms;
allow domain log_device:dir search;
allow domain log_device:chr_file rw_file_perms;
allow domain nv_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file r_file_perms;
allow domain random_device:chr_file r_file_perms;
allow domain properties_device:file r_file_perms;

# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
# `execute` is granted separately from r_file_perms: every domain may execute
# files labeled system_file (subject to the per-domain transition/entrypoint
# rules defined elsewhere).
allow domain system_file:file execute;
allow domain system_file:lnk_file read;

# Read files already opened under /data.
# Deliberately { getattr read } rather than r_file_perms: without `open`,
# only descriptors handed over by another domain can be read.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file read;

# Read apk files under /data/app.
allow domain apk_data_file:dir search;
allow domain apk_data_file:file r_file_perms;

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
# Same pattern as system_data_file above: no `open`, so only inherited fds.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file read;

# For /acct/uid/*/tasks.
# NOTE(review): `write` on cgroup dirs and w_file_perms on cgroup files is
# granted to all domains for the /acct accounting hierarchy; it also covers
# any other cgroup-labeled file, so keep an eye on what else carries that
# label.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

# Allow access to ion memory allocation device.
allow domain ion_device:chr_file rw_file_perms;

# For /sys/qemu_trace files in the emulator.
# `in_qemu` is a policy boolean defaulting to false; the conditional block is
# only active when the boolean is flipped on at runtime (emulator builds).
# The sysfs_writable rule below is unconditional.
bool in_qemu false;
if (in_qemu) {
    allow domain sysfs:file rw_file_perms;
}
allow domain sysfs_writable:file rw_file_perms;

# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)

# debugfs access
# NOTE(review): w_file_perms on debugfs for every domain is broad -- debugfs
# exposes kernel debugging knobs, and presumably only a few domains need to
# write there; worth narrowing to the domains that do.
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file w_file_perms;

# security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;

######## Backwards compatibility - Unlabeled files ############

# Revert to DAC rules when looking at unlabeled files. Over time, the number
# of unlabeled files should decrease.
# TODO: delete these rules in the future.
#
# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
# capability, it's essentially useless. This is needed to allow an app with
# relabelto to relabel unlabeled files.
#
# NOTE(review): rwx_file_perms includes execute, so while these rules are in
# place any domain can create, write and run files in an unlabeled location;
# shrinking the set of unlabeled files (the TODO above) is what closes this.
allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
allow domain unlabeled:dir { create_dir_perms relabelfrom };
allow domain unlabeled:lnk_file { create_file_perms };
# Only domains carrying the relabeltodomain attribute may relabel anything;
# this neverallow makes the policy fail to build if another domain is granted
# relabelto.
neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;

###
### neverallow rules
###

# Only init should be able to load SELinux policies
neverallow { domain -init } kernel:security load_policy;