# Rules for all domains.
#
# Every rule in this file is written on the `domain` attribute, i.e. it is
# granted to (or asserted over) every process type in the policy. An allow
# rule added here widens the baseline of every process at once, so each
# grant should be the minimum that all processes genuinely need. The
# neverallow rules further down are compile-time assertions: the policy
# build fails if any domain's allow rules contradict one of them.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };
allow domain tmpfs:lnk_file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;

# Intra-domain accesses.
# Note that setcap / setrlimit / setsched are self-only here; they still
# go through the kernel's usual capability checks.
allow domain self:process {
    fork
    sigchld
    sigkill
    sigstop
    signull
    signal
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    getattr
    setrlimit
};
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
# unpriv_unix_sock_ioctls is a macro defined elsewhere; by its name it is
# the allowlist of unprivileged ioctls permitted on unix sockets between
# any two domains -- verify its definition before widening it.
allow domain domain:{ unix_dgram_socket unix_stream_socket } unpriv_unix_sock_ioctls;

# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };

# Everything inside userdebug_or_eng(` ... ') is only compiled into
# userdebug/eng builds; user builds get none of these grants.
userdebug_or_eng(`
  # Same as adbd rules above, except allow su to do the same thing
  allow domain su:unix_stream_socket connectto;
  allow domain su:fd use;
  allow domain su:unix_stream_socket { getattr getopt read write shutdown };

  # binder_call is a macro defined elsewhere; presumably it grants the
  # binder permissions needed for calls between the two arguments.
  # init is excluded, consistent with the `neverallow domain init:binder *`
  # assertion later in this file.
  binder_call({ domain -init }, su)

  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  allow domain su:process sigchld;

  # Allow writing coredumps to /cores/*
  # (debug builds only; coredumps can contain process memory, so this
  # must stay inside the userdebug_or_eng block)
  allow domain coredump_file:file create_file_perms;
  allow domain coredump_file:dir ra_dir_perms;
')

###
### Talk to debuggerd.
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:file r_file_perms;
allow domain rootfs:lnk_file r_file_perms;

# Device accesses.
# Only named device types get read/write here; generic device:chr_file
# open/read/write is denied to everything but init and ueventd by a
# neverallow below, which forces new device nodes to be given their own type.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;
allow domain init:key search;
allow domain vold:key search;

# logd access
# write_logd is a macro defined elsewhere; by its name it grants what a
# process needs to write to the logd sockets.
write_logd(domain)

# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file r_file_perms;

# Run toolbox.
# Kernel and init never run anything without changing domains.
allow { domain -kernel -init } toolbox_exec:file rx_file_perms;

# Read files already opened under /data.
# system_data_file: search/getattr on directories and getattr/read on
# files only. Writes to this type are denied to almost every domain by a
# neverallow at the end of this file.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file r_file_perms;

# Read apk files under /data/app.
allow domain apk_data_file:dir { getattr search };
allow domain apk_data_file:file r_file_perms;
allow domain apk_data_file:lnk_file r_file_perms;

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file r_file_perms;

# Read timezone related information
# (r_dir_file is a macro defined elsewhere; by its name, read access to
# directories and files of the given type)
r_dir_file(domain, zoneinfo_data_file)

# For /acct/uid/*/tasks.
# NOTE(review): this gives every domain write access to cgroup files and
# directories, not just its own /acct entry -- confirm this is the
# intended breadth.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

# Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;

# Read access to pseudo filesystems.
# NOTE(review): proc_net read for every domain exposes kernel network
# state (routes, sockets, etc.) to all processes; consider whether each
# consumer could instead be granted it individually.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
r_dir_file(domain, proc_net)
allow domain proc_cpuinfo:file r_file_perms;

# debugfs access
# NOTE(review): w_file_perms on debugfs files for *every* domain is a very
# broad grant into kernel debug interfaces; it is worth checking which
# domains actually need to write there and scoping it to them.
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file w_file_perms;

# Get SELinux enforcing status.
# Read-only: setenforce/load_policy/setbool on selinuxfs are asserted
# below via kernel:security neverallows.
allow domain selinuxfs:dir r_dir_perms;
allow domain selinuxfs:file r_file_perms;

# /data/security files
# Only getattr on files (not read); write/relabel are restricted below.
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
allow domain security_file:lnk_file r_file_perms;

# World readable asec image contents
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;

###
### neverallow rules
###
### Each neverallow is checked when the policy is compiled: if any allow
### rule anywhere in the policy grants a listed (source, target, class,
### permission) combination, the build fails. The `-type` entries inside
### `{ domain ... }` are the explicit exemptions; keep them minimal and
### justified.
###

# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
# procrank and perfprofd are only exempted on userdebug/eng builds.
neverallow {
    domain
    -debuggerd
    -vold
    -dumpstate
    -system_server
    userdebug_or_eng(`-procrank')
    userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;

# Limit device node creation to these whitelisted domains.
neverallow {
    domain
    -kernel
    -init
    -ueventd
    -vold
} self:capability mknod;

# Limit raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow domain self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;

# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;

# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;

# Only init and the system_server can set selinux.reload_policy 1
# to trigger a policy reload.
neverallow { domain -init -system_server } security_prop:property_service set;

# Only init and system_server can write to /data/security, where runtime
# policy updates live.
# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
# Only init and system_server can create/setattr directories with this type.
# init is for init.rc mkdir /data/security.
# system_server is for creating subdirectories under /data/security.
neverallow { domain -init -system_server } security_file:dir { create setattr };
# Only system_server can create subdirectories and files under /data/security.
# (Note: these three rules exempt system_server only -- init can create
# and setattr the directory above, but cannot write into it.)
neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
# (No domain at all may setenforce; only the kernel domain may
# setcheckreqprot.)
neverallow domain kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow domain kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
# Two layers: the first denies *all* kmem_device permissions to every
# domain except kernel/ueventd/init; the second denies even those three
# everything outside { create relabelto unlink setattr } (the ~{...} is
# the complement), i.e. they may manage the node but never open/read/write it.
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };

# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;

# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow domain init:binder *;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
neverallow { domain -init -ueventd } device:chr_file { open read write };

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
#
# First rule: no execute of files whose type is neither system_file nor an
# exec_type, except for the listed domains (su only on userdebug/eng).
# Second rule: no execute of files on any filesystem type other than
# rootfs, except appdomain and recovery.
#
neverallow {
    domain
    -appdomain
    -dumpstate
    -shell
    userdebug_or_eng(`-su')
    -system_server
    -zygote
} { file_type -system_file -exec_type }:file execute;
neverallow {
    domain
    -appdomain # for oemfs
    -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file no_w_file_perms;

# Only recovery should be doing writes to /system
# (relabelto is additionally permitted to the kernel domain)
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
    { create write setattr relabelfrom append unlink link rename };
neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;

# Don't allow mounting on top of /system files or directories
neverallow domain { system_file exec_type }:dir_file_class_set mounton;

# Nothing should be writing to files in the rootfs.
neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow domain {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow { domain -recovery } contextmount_type:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Do not allow service_manager add for default_android_service.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in service.te and new mappings
# from service name to service_type are defined in service_contexts.
neverallow domain default_android_service:service_manager add;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init } default_prop:property_service set;

# Only init, recovery and system_server may read/write the raw
# frp_block_device (by its name, the factory-reset-protection partition).
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;

# No domain other than recovery can write to system.
neverallow { domain -recovery } system_block_device:blk_file write;

# No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;

# Only servicemanager should be able to register with binder as the context manager
# (target `*`: no other domain may become context manager on any binder)
neverallow { domain -servicemanager } *:binder set_context_mgr;

# Only authorized processes should be writing to files in /data/dalvik-cache
# (excluding /data/dalvik-cache/profiles, which is labeled differently)
neverallow {
    domain
    -init # TODO: limit init to relabelfrom for files
    -zygote
    -installd
    -dex2oat
} dalvikcache_data_file:file no_w_file_perms;

neverallow {
    domain
    -init
    -installd
    -dex2oat
    -zygote
} dalvikcache_data_file:dir no_w_dir_perms;

# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;

# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
neverallow domain domain:{ shm sem msg msgq } *;

# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;

# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
# (On user builds the macro expands to nothing, so the source set is
# simply `domain` and no process may execute su_exec.)
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
neverallow domain {
    file_type
    -system_file # needs to die. b/20013628
    -system_data_file
    -apk_data_file
    -app_data_file
    -asec_public_file
}:file execmod;

# TODO: prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
# neverallow { domain -appdomain } file_type:file execmod;

# Only init may mount on top of files or directories labeled proc.
neverallow { domain -init } proc:{ file dir } mounton;

# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
# (`~domain` is every type not carrying the domain attribute.)
neverallow domain ~domain:process { transition dyntransition };
neverallow ~domain domain:process { transition dyntransition };

#
# Only system_app and system_server should be creating or writing
# their files. The proper way to share files is to setup
# type transitions to a more specific type or assigning a type
# to its parent directory via a file_contexts entry.
# Example type transition:
# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
    domain
    -system_server
    -system_app
    -init
    -installd # for relabelfrom and unlink, check for this in explicit neverallow
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };

#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
    domain
    -adbd
    -init
    -runas
    -zygote
} shell:process { transition dyntransition };

# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
neverallow {
    domain
    -appdomain
    -installd
    -uncrypt # TODO: see if we can remove
} app_data_file:lnk_file read;

# Same protection for symlinks in shell-writable data;
# uncrypt is only exempted on userdebug/eng builds.
neverallow {
    domain
    -shell
    userdebug_or_eng(`-uncrypt')
    -installd
} shell_data_file:lnk_file read;