• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#####################################
2# domain_trans(olddomain, type, newdomain)
3# Allow a transition from olddomain to newdomain
4# upon executing a file labeled with type.
5# This only allows the transition; it does not
6# cause it to occur automatically - use domain_auto_trans
7# if that is what you want.
8#
9define(`domain_trans', `
10# Old domain may exec the file and transition to the new domain.
11allow $1 $2:file { getattr open read execute };
12allow $1 $3:process transition;
13# New domain is entered by executing the file.
14allow $3 $2:file { entrypoint open read execute getattr };
15# New domain can send SIGCHLD to its caller.
16allow $3 $1:process sigchld;
17# Enable AT_SECURE, i.e. libc secure mode.
18dontaudit $1 $3:process noatsecure;
19# XXX dontaudit candidate but requires further study.
20allow $1 $3:process { siginh rlimitinh };
21')
22
23#####################################
24# domain_auto_trans(olddomain, type, newdomain)
25# Automatically transition from olddomain to newdomain
26# upon executing a file labeled with type.
27#
28define(`domain_auto_trans', `
29# Allow the necessary permissions.
30domain_trans($1,$2,$3)
31# Make the transition occur by default.
32type_transition $1 $2:process $3;
33')
34
35#####################################
36# file_type_trans(domain, dir_type, file_type)
37# Allow domain to create a file labeled file_type in a
38# directory labeled dir_type.
39# This only allows the transition; it does not
40# cause it to occur automatically - use file_type_auto_trans
41# if that is what you want.
42#
43define(`file_type_trans', `
44# Allow the domain to add entries to the directory.
45allow $1 $2:dir ra_dir_perms;
46# Allow the domain to create the file.
47allow $1 $3:notdevfile_class_set create_file_perms;
48allow $1 $3:dir create_dir_perms;
49')
50
51#####################################
52# file_type_auto_trans(domain, dir_type, file_type)
53# Automatically label new files with file_type when
54# they are created by domain in directories labeled dir_type.
55#
56define(`file_type_auto_trans', `
57# Allow the necessary permissions.
58file_type_trans($1, $2, $3)
59# Make the transition occur by default.
60type_transition $1 $2:dir $3;
61type_transition $1 $2:notdevfile_class_set $3;
62')
63
64#####################################
65# r_dir_file(domain, type)
66# Allow the specified domain to read directories, files
67# and symbolic links of the specified type.
68define(`r_dir_file', `
69allow $1 $2:dir r_dir_perms;
70allow $1 $2:{ file lnk_file } r_file_perms;
71')
72
73#####################################
74# tmpfs_domain(domain)
75# Define and allow access to a unique type for
76# this domain when creating tmpfs / shmem / ashmem files.
77define(`tmpfs_domain', `
78type $1_tmpfs, file_type;
79type_transition $1 tmpfs:file $1_tmpfs;
80allow $1 $1_tmpfs:file { read write };
81')
82
83#####################################
84# init_daemon_domain(domain)
85# Set up a transition from init to the daemon domain
86# upon executing its binary.
87define(`init_daemon_domain', `
88domain_auto_trans(init, $1_exec, $1)
89tmpfs_domain($1)
90')
91
92#####################################
93# app_domain(domain)
94# Allow a base set of permissions required for all apps.
95define(`app_domain', `
96typeattribute $1 appdomain;
97# Label ashmem objects with our own unique type.
98tmpfs_domain($1)
99# Map with PROT_EXEC.
100allow $1 $1_tmpfs:file execute;
101')
102
103#####################################
104# net_domain(domain)
105# Allow a base set of permissions required for network access.
106define(`net_domain', `
107typeattribute $1 netdomain;
108')
109
110#####################################
111# bluetooth_domain(domain)
112# Allow a base set of permissions required for bluetooth access.
113define(`bluetooth_domain', `
114typeattribute $1 bluetoothdomain;
115')
116
117#####################################
118# unix_socket_connect(clientdomain, socket, serverdomain)
119# Allow a local socket connection from clientdomain via
120# socket to serverdomain.
121#
122# Note: If you see denial records that distill to the
123# following allow rules:
124# allow clientdomain property_socket:sock_file write;
125# allow clientdomain init:unix_stream_socket connectto;
126# allow clientdomain something_prop:property_service set;
127#
128# This sequence is indicative of attempting to set a property.
129# use set_prop(sourcedomain, targetproperty)
130#
131define(`unix_socket_connect', `
132ifelse($2, `property', `
133    ifelse($3,`init', `
134       print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
135   ')
136')
137__unix_socket_connect__($1, $2, $3)
138')
139
140define(`__unix_socket_connect__', `
141allow $1 $2_socket:sock_file write;
142allow $1 $3:unix_stream_socket connectto;
143')
144
145#####################################
146# set_prop(sourcedomain, targetproperty)
147# Allows source domain to set the
148# targetproperty.
149#
150define(`set_prop', `
151__unix_socket_connect__($1, property, init)
152allow $1 $2:property_service set;
153get_prop($1, $2)
154')
155
156#####################################
157# get_prop(sourcedomain, targetproperty)
158# Allows source domain to read the
159# targetproperty.
160#
161define(`get_prop', `
162allow $1 $2:file r_file_perms;
163')
164
165#####################################
166# unix_socket_send(clientdomain, socket, serverdomain)
167# Allow a local socket send from clientdomain via
168# socket to serverdomain.
169define(`unix_socket_send', `
170allow $1 $2_socket:sock_file write;
171allow $1 $3:unix_dgram_socket sendto;
172')
173
174#####################################
175# binder_use(domain)
176# Allow domain to use Binder IPC.
177define(`binder_use', `
178# Call the servicemanager and transfer references to it.
179allow $1 servicemanager:binder { call transfer };
180# servicemanager performs getpidcon on clients.
181allow servicemanager $1:dir search;
182allow servicemanager $1:file { read open };
183allow servicemanager $1:process getattr;
184# rw access to /dev/binder and /dev/ashmem is presently granted to
185# all domains in domain.te.
186')
187
188#####################################
189# binder_call(clientdomain, serverdomain)
190# Allow clientdomain to perform binder IPC to serverdomain.
191define(`binder_call', `
192# Call the server domain and optionally transfer references to it.
193allow $1 $2:binder { call transfer };
194# Allow the serverdomain to transfer references to the client on the reply.
195allow $2 $1:binder transfer;
196# Receive and use open files from the server.
197allow $1 $2:fd use;
198')
199
200#####################################
201# binder_service(domain)
202# Mark a domain as being a Binder service domain.
203# Used to allow binder IPC to the various system services.
204define(`binder_service', `
205typeattribute $1 binderservicedomain;
206')
207
208#####################################
209# wakelock_use(domain)
210# Allow domain to manage wake locks
211define(`wakelock_use', `
212# Access /sys/power/wake_lock and /sys/power/wake_unlock
213allow $1 sysfs_wake_lock:file rw_file_perms;
214# Accessing these files requires CAP_BLOCK_SUSPEND
215allow $1 self:capability2 block_suspend;
216')
217
218#####################################
219# selinux_check_access(domain)
220# Allow domain to check SELinux permissions via selinuxfs.
221define(`selinux_check_access', `
222allow $1 selinuxfs:file rw_file_perms;
223allow $1 kernel:security compute_av;
224allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
225')
226
227#####################################
228# selinux_check_context(domain)
229# Allow domain to check SELinux contexts via selinuxfs.
230define(`selinux_check_context', `
231allow $1 selinuxfs:file rw_file_perms;
232allow $1 kernel:security check_context;
233')
234
235#####################################
236# selinux_setenforce(domain)
237# Allow domain to set SELinux to enforcing.
238define(`selinux_setenforce', `
239allow $1 selinuxfs:file rw_file_perms;
240allow $1 kernel:security setenforce;
241')
242
243#####################################
244# selinux_setbool(domain)
245# Allow domain to set SELinux booleans.
246define(`selinux_setbool', `
247allow $1 selinuxfs:file rw_file_perms;
248allow $1 kernel:security setbool;
249')
250
251#####################################
252# security_access_policy(domain)
253# Read only access to all policy files and
254# selinuxfs
255define(`security_access_policy', `
256allow $1 security_file:dir r_dir_perms;
257allow $1 security_file:file r_file_perms;
258')
259
260#####################################
261# mmac_manage_policy(domain)
262# Ability to manage mmac policy files,
263# trigger runtime reload, change
264# mmac enforcing mode and access logcat.
265define(`mmac_manage_policy', `
266allow $1 security_file:dir create_dir_perms;
267allow $1 security_file:file create_file_perms;
268allow $1 security_file:lnk_file { create rename unlink };
269set_prop($1, security_prop)
270')
271
272#####################################
273# create_pty(domain)
274# Allow domain to create and use a pty, isolated from any other domain ptys.
275define(`create_pty', `
276# Each domain gets a unique devpts type.
277type $1_devpts, fs_type;
278# Label the pty with the unique type when created.
279type_transition $1 devpts:chr_file $1_devpts;
280# Allow use of the pty after creation.
281allow $1 $1_devpts:chr_file { open getattr read write ioctl };
282# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
283# allowed to everyone via domain.te.
284')
285
286#####################################
287# Non system_app application set
288#
289define(`non_system_app_set', `{ appdomain -system_app }')
290
291#####################################
292# Recovery only
293# SELinux rules which apply only to recovery mode
294#
295define(`recovery_only', ifelse(target_recovery, `true', $1, ))
296
297#####################################
298# Userdebug or eng builds
299# SELinux rules which apply only to userdebug or eng builds
300#
301define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
302define(`eng', ifelse(target_build_variant, `eng', $1))
303
304#####################################
305# write_logd(domain)
306# Ability to write to android log
307# daemon via sockets
308define(`write_logd', `
309unix_socket_send($1, logdw, logd)
310allow $1 pmsg_device:chr_file w_file_perms;
311')
312
313#####################################
314# read_logd(domain)
315# Ability to run logcat and read from android
316# log daemon via sockets
317define(`read_logd', `
318allow $1 logcat_exec:file rx_file_perms;
319unix_socket_connect($1, logdr, logd)
320')
321
322#####################################
323# control_logd(domain)
324# Ability to control
325# android log daemon via sockets
326define(`control_logd', `
327# Group AID_LOG checked by filesystem & logd
328# to permit control commands
329unix_socket_connect($1, logd, logd)
330')
331
332#####################################
333# use_keystore(domain)
334# Ability to use keystore.
335# Keystore is requires the following permissions
336# to call getpidcon.
337define(`use_keystore', `
338  allow keystore $1:dir search;
339  allow keystore $1:file { read open };
340  allow keystore $1:process getattr;
341  allow $1 keystore_service:service_manager find;
342  binder_call($1, keystore)
343')
344
345###########################################
346# use_drmservice(domain)
347# Ability to use DrmService which requires
348# DrmService to call getpidcon.
349define(`use_drmservice', `
350  allow drmserver $1:dir search;
351  allow drmserver $1:file { read open };
352  allow drmserver $1:process getattr;
353')
354
355##########################################
356# print a message with a trailing newline
357# print(`args')
358define(`print', `errprint(`m4: '__file__: __line__`: $*
359')')
360