1##################################### 2# domain_trans(olddomain, type, newdomain) 3# Allow a transition from olddomain to newdomain 4# upon executing a file labeled with type. 5# This only allows the transition; it does not 6# cause it to occur automatically - use domain_auto_trans 7# if that is what you want. 8# 9define(`domain_trans', ` 10# Old domain may exec the file and transition to the new domain. 11allow $1 $2:file { getattr open read execute }; 12allow $1 $3:process transition; 13# New domain is entered by executing the file. 14allow $3 $2:file { entrypoint read execute }; 15# New domain can send SIGCHLD to its caller. 16allow $3 $1:process sigchld; 17# Enable AT_SECURE, i.e. libc secure mode. 18dontaudit $1 $3:process noatsecure; 19# XXX dontaudit candidate but requires further study. 20allow $1 $3:process { siginh rlimitinh }; 21') 22 23##################################### 24# domain_auto_trans(olddomain, type, newdomain) 25# Automatically transition from olddomain to newdomain 26# upon executing a file labeled with type. 27# 28define(`domain_auto_trans', ` 29# Allow the necessary permissions. 30domain_trans($1,$2,$3) 31# Make the transition occur by default. 32type_transition $1 $2:process $3; 33') 34 35##################################### 36# file_type_trans(domain, dir_type, file_type) 37# Allow domain to create a file labeled file_type in a 38# directory labeled dir_type. 39# This only allows the transition; it does not 40# cause it to occur automatically - use file_type_auto_trans 41# if that is what you want. 42# 43define(`file_type_trans', ` 44# Allow the domain to add entries to the directory. 45allow $1 $2:dir ra_dir_perms; 46# Allow the domain to create the file. 47allow $1 $3:notdevfile_class_set create_file_perms; 48allow $1 $3:dir create_dir_perms; 49') 50 51##################################### 52# file_type_auto_trans(domain, dir_type, file_type) 53# Automatically label new files with file_type when 54# they are created by domain in directories labeled dir_type. 55# 56define(`file_type_auto_trans', ` 57# Allow the necessary permissions. 58file_type_trans($1, $2, $3) 59# Make the transition occur by default. 60type_transition $1 $2:dir $3; 61type_transition $1 $2:notdevfile_class_set $3; 62') 63 64##################################### 65# r_dir_file(domain, type) 66# Allow the specified domain to read directories, files 67# and symbolic links of the specified type. 68define(`r_dir_file', ` 69allow $1 $2:dir r_dir_perms; 70allow $1 $2:{ file lnk_file } r_file_perms; 71') 72 73##################################### 74# unconfined_domain(domain) 75# Allow the specified domain to do anything. 76# 77define(`unconfined_domain', ` 78typeattribute $1 mlstrustedsubject; 79typeattribute $1 unconfineddomain; 80') 81 82##################################### 83# tmpfs_domain(domain) 84# Define and allow access to a unique type for 85# this domain when creating tmpfs / shmem / ashmem files. 86define(`tmpfs_domain', ` 87type $1_tmpfs, file_type; 88type_transition $1 tmpfs:file $1_tmpfs; 89# Map with PROT_EXEC. 90allow $1 $1_tmpfs:file { read execute execmod }; 91') 92 93##################################### 94# init_daemon_domain(domain) 95# Set up a transition from init to the daemon domain 96# upon executing its binary. 97define(`init_daemon_domain', ` 98domain_auto_trans(init, $1_exec, $1) 99tmpfs_domain($1) 100') 101 102##################################### 103# app_domain(domain) 104# Allow a base set of permissions required for all apps. 105define(`app_domain', ` 106typeattribute $1 appdomain; 107# Label ashmem objects with our own unique type. 108tmpfs_domain($1) 109') 110 111##################################### 112# relabelto_domain(domain) 113# Allows this domain to use the relabelto permission 114define(`relabelto_domain', ` 115typeattribute $1 relabeltodomain; 116') 117 118##################################### 119# platform_app_domain(domain) 120# Allow permissions specific to platform apps. 121define(`platform_app_domain', ` 122typeattribute $1 platformappdomain; 123typeattribute $1 mlstrustedsubject; 124') 125 126##################################### 127# net_domain(domain) 128# Allow a base set of permissions required for network access. 129define(`net_domain', ` 130typeattribute $1 netdomain; 131') 132 133##################################### 134# bluetooth_domain(domain) 135# Allow a base set of permissions required for bluetooth access. 136define(`bluetooth_domain', ` 137typeattribute $1 bluetoothdomain; 138') 139 140##################################### 141# unix_socket_connect(clientdomain, socket, serverdomain) 142# Allow a local socket connection from clientdomain via 143# socket to serverdomain. 144define(`unix_socket_connect', ` 145allow $1 $2_socket:sock_file write; 146allow $1 $3:unix_stream_socket connectto; 147') 148 149##################################### 150# unix_socket_send(clientdomain, socket, serverdomain) 151# Allow a local socket send from clientdomain via 152# socket to serverdomain. 153define(`unix_socket_send', ` 154allow $1 $2_socket:sock_file write; 155allow $1 $3:unix_dgram_socket sendto; 156') 157 158##################################### 159# binder_use(domain) 160# Allow domain to use Binder IPC. 161define(`binder_use', ` 162# Call the servicemanager and transfer references to it. 163allow $1 servicemanager:binder { call transfer }; 164# Map /dev/ashmem with PROT_EXEC. 165allow $1 ashmem_device:chr_file execute; 166# rw access to /dev/binder and /dev/ashmem is presently granted to 167# all domains in domain.te. 168') 169 170##################################### 171# binder_call(clientdomain, serverdomain) 172# Allow clientdomain to perform binder IPC to serverdomain. 173define(`binder_call', ` 174# Call the server domain and optionally transfer references to it. 175allow $1 $2:binder { call transfer }; 176# Allow the serverdomain to transfer references to the client on the reply. 177allow $2 $1:binder transfer; 178# Receive and use open files from the server. 179allow $1 $2:fd use; 180') 181 182##################################### 183# binder_service(domain) 184# Mark a domain as being a Binder service domain. 185# Used to allow binder IPC to the various system services. 186define(`binder_service', ` 187typeattribute $1 binderservicedomain; 188') 189 190##################################### 191# selinux_check_access(domain) 192# Allow domain to check SELinux permissions via selinuxfs. 193define(`selinux_check_access', ` 194allow $1 selinuxfs:dir r_dir_perms; 195allow $1 selinuxfs:file rw_file_perms; 196allow $1 kernel:security compute_av; 197allow $1 self:netlink_selinux_socket *; 198') 199 200##################################### 201# selinux_check_context(domain) 202# Allow domain to check SELinux contexts via selinuxfs. 203define(`selinux_check_context', ` 204allow $1 selinuxfs:dir r_dir_perms; 205allow $1 selinuxfs:file rw_file_perms; 206allow $1 kernel:security check_context; 207') 208 209##################################### 210# selinux_getenforce(domain) 211# Allow domain to check whether SELinux is enforcing. 212define(`selinux_getenforce', ` 213allow $1 selinuxfs:dir r_dir_perms; 214allow $1 selinuxfs:file r_file_perms; 215') 216 217##################################### 218# selinux_setenforce(domain) 219# Allow domain to set SELinux to enforcing. 220define(`selinux_setenforce', ` 221allow $1 selinuxfs:dir r_dir_perms; 222allow $1 selinuxfs:file rw_file_perms; 223allow $1 kernel:security setenforce; 224') 225 226##################################### 227# selinux_setbool(domain) 228# Allow domain to set SELinux booleans. 229define(`selinux_setbool', ` 230allow $1 selinuxfs:dir r_dir_perms; 231allow $1 selinuxfs:file rw_file_perms; 232allow $1 kernel:security setbool; 233') 234 235##################################### 236# security_access_policy(domain) 237# Read only access to all policy files and 238# selinuxfs 239define(`security_access_policy', ` 240allow $1 security_file:dir r_dir_perms; 241allow $1 security_file:file r_file_perms; 242allow $1 security_file:lnk_file read; 243allow $1 selinuxfs:dir r_dir_perms; 244allow $1 selinuxfs:file r_file_perms; 245allow $1 rootfs:dir r_dir_perms; 246allow $1 rootfs:file r_file_perms; 247') 248 249##################################### 250# selinux_manage_policy(domain) 251# Ability to manage policy files, 252# trigger runtime reload, change 253# enforcing mode, manipulate booleans 254# and access kernel logs. 255define(`selinux_manage_policy', ` 256selinux_setenforce($1) 257selinux_setbool($1) 258security_access_policy($1) 259unix_socket_connect($1, property, init) 260allow $1 security_file:dir create_dir_perms; 261allow $1 security_file:file create_file_perms; 262allow $1 security_prop:property_service set; 263') 264 265##################################### 266# mmac_manage_policy(domain) 267# Ability to manage mmac policy files, 268# trigger runtime reload, change 269# mmac enforcing mode and access logcat. 270define(`mmac_manage_policy', ` 271unix_socket_connect($1, property, init) 272allow $1 security_file:dir create_dir_perms; 273allow $1 security_file:file create_file_perms; 274allow $1 security_prop:property_service set; 275') 276 277##################################### 278# access_logcat(domain) 279# Ability to read from logcat logs 280# and execute the logcat command 281define(`access_logcat', ` 282allow $1 log_device:chr_file read; 283allow $1 system_file:file x_file_perms; 284') 285 286##################################### 287# access_kmsg(domain) 288# Ability to read from kernel logs 289# and execute the klogctl syscall 290# in a non destructive manner. See 291# man 2 klogctl 292define(`access_kmsg', ` 293allow $1 kernel:system syslog_read; 294') 295 296##################################### 297# write_klog(domain) 298# Ability to write to kernel log via 299# klog_write() 300# See system/core/libcutil/klog.c 301define(`write_klog', ` 302type_transition $1 device:chr_file klog_device "__kmsg__"; 303allow $1 klog_device:chr_file { create open write unlink }; 304allow $1 device:dir { add_name remove_name }; 305') 306 307##################################### 308# Non system_app application set 309# 310define(`non_system_app_set', `{ appdomain -system_app }') 311