1# Rules for all domains. 2 3# Allow reaping by init. 4allow domain init:process sigchld; 5 6# Intra-domain accesses. 7allow domain self:process { 8 fork 9 sigchld 10 sigkill 11 sigstop 12 signull 13 signal 14 getsched 15 setsched 16 getsession 17 getpgid 18 setpgid 19 getcap 20 setcap 21 getattr 22 setrlimit 23}; 24allow domain self:fd use; 25allow domain proc:dir r_dir_perms; 26allow domain proc_net:dir search; 27r_dir_file(domain, self) 28allow domain self:{ fifo_file file } rw_file_perms; 29allow domain self:unix_dgram_socket { create_socket_perms sendto }; 30allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31 32# Inherit or receive open files from others. 33allow domain init:fd use; 34 35userdebug_or_eng(` 36 # Same as adbd rules above, except allow su to do the same thing 37 allow domain su:unix_stream_socket connectto; 38 allow domain su:fd use; 39 allow domain su:unix_stream_socket { getattr getopt read write shutdown }; 40 41 allow { domain -init } su:binder { call transfer }; 42 allow { domain -init } su:fd use; 43 44 # Running something like "pm dump com.android.bluetooth" requires 45 # fifo writes 46 allow domain su:fifo_file { write getattr }; 47 48 # allow "gdbserver --attach" to work for su. 49 allow domain su:process sigchld; 50 51 # Allow writing coredumps to /cores/* 52 allow domain coredump_file:file create_file_perms; 53 allow domain coredump_file:dir ra_dir_perms; 54') 55 56# Root fs. 57allow domain rootfs:dir search; 58allow domain rootfs:lnk_file { read getattr }; 59 60# Device accesses. 61allow domain device:dir search; 62allow domain dev_type:lnk_file r_file_perms; 63allow domain devpts:dir search; 64allow domain socket_device:dir r_dir_perms; 65allow domain owntty_device:chr_file rw_file_perms; 66allow domain null_device:chr_file rw_file_perms; 67allow domain zero_device:chr_file rw_file_perms; 68allow domain ashmem_device:chr_file rw_file_perms; 69# /dev/binder can be accessed by non-vendor domains and by apps 70allow { 71 coredomain 72 appdomain 73 binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 74 -hwservicemanager 75} binder_device:chr_file rw_file_perms; 76# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder 77not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;') 78allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; 79allow domain ptmx_device:chr_file rw_file_perms; 80allow domain alarm_device:chr_file r_file_perms; 81allow domain random_device:chr_file rw_file_perms; 82allow domain properties_device:dir { search getattr }; 83allow domain properties_serial:file r_file_perms; 84 85# For now, everyone can access core property files 86# Device specific properties are not granted by default 87get_prop(domain, core_property_type) 88# Let everyone read log properties, so that liblog can avoid sending unloggable 89# messages to logd. 90get_prop(domain, log_property_type) 91dontaudit domain property_type:file audit_access; 92allow domain property_contexts_file:file r_file_perms; 93 94allow domain init:key search; 95allow domain vold:key search; 96 97# logd access 98write_logd(domain) 99 100# System file accesses. 101allow domain system_file:dir { search getattr }; 102allow domain system_file:file { execute read open getattr map }; 103allow domain system_file:lnk_file { getattr read }; 104 105# Make sure system/vendor split doesn not affect non-treble 106# devices 107not_full_treble(` 108 allow domain vendor_file_type:dir { search getattr }; 109 allow domain vendor_file_type:file { execute read open getattr map }; 110 allow domain vendor_file_type:lnk_file { getattr read }; 111') 112 113# All domains are allowed to open and read directories 114# that contain HAL implementations (e.g. passthrough 115# HALs require clients to have these permissions) 116allow domain vendor_hal_file:dir r_dir_perms; 117 118# Everyone can read and execute all same process HALs 119allow domain same_process_hal_file:dir r_dir_perms; 120allow domain same_process_hal_file:file { execute read open getattr map }; 121 122# Any process can load vndk-sp libraries, which are system libraries 123# used by same process HALs 124allow domain vndk_sp_file:dir r_dir_perms; 125allow domain vndk_sp_file:file { execute read open getattr map }; 126 127# All domains get access to /vendor/etc 128allow domain vendor_configs_file:dir r_dir_perms; 129allow domain vendor_configs_file:file { read open getattr }; 130 131full_treble_only(` 132 # Allow all domains to be able to follow /system/vendor symlink 133 allow domain vendor_file:lnk_file { getattr open read }; 134 135 # This is required to be able to search & read /vendor/lib64 136 # in order to lookup vendor libraries. The execute permission 137 # for coredomains is granted *only* for same process HALs 138 allow domain vendor_file:dir { getattr search }; 139 140 # Allow reading and executing out of /vendor to all vendor domains 141 allow { domain -coredomain } vendor_file_type:dir r_dir_perms; 142 allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; 143 allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; 144') 145 146# read and stat any sysfs symlinks 147allow domain sysfs:lnk_file { getattr read }; 148 149# libc references /data/misc/zoneinfo for timezone related information 150# This directory is considered to be a VNDK-stable 151r_dir_file(domain, zoneinfo_data_file) 152 153# Lots of processes access current CPU information 154r_dir_file(domain, sysfs_devices_system_cpu) 155 156r_dir_file(domain, sysfs_usb); 157 158# files under /data. 159not_full_treble(`allow domain system_data_file:dir getattr;') 160allow { coredomain appdomain } system_data_file:dir getattr; 161# /data has the label system_data_file. Vendor components need the search 162# permission on system_data_file for path traversal to /data/vendor. 163allow domain system_data_file:dir search; 164 165# required by the dynamic linker 166allow domain proc:lnk_file { getattr read }; 167 168# /proc/cpuinfo 169allow domain proc_cpuinfo:file r_file_perms; 170 171# jemalloc needs to read /proc/sys/vm/overcommit_memory 172allow domain proc_overcommit_memory:file r_file_perms; 173 174# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate 175allow domain proc_perf:file r_file_perms; 176 177# toybox loads libselinux which stats /sys/fs/selinux/ 178allow domain selinuxfs:dir search; 179allow domain selinuxfs:file getattr; 180allow domain sysfs:dir search; 181allow domain selinuxfs:filesystem getattr; 182 183# For /acct/uid/*/tasks. 184allow domain cgroup:dir { search write }; 185allow domain cgroup:file w_file_perms; 186 187# Almost all processes log tracing information to 188# /sys/kernel/debug/tracing/trace_marker 189# The reason behind this is documented in b/6513400 190allow domain debugfs:dir search; 191allow domain debugfs_tracing:dir search; 192allow domain debugfs_trace_marker:file w_file_perms; 193 194# Filesystem access. 195allow domain fs_type:filesystem getattr; 196allow domain fs_type:dir getattr; 197 198# Restrict all domains to a whitelist for common socket types. Additional 199# ioctl commands may be added to individual domains, but this sets safe 200# defaults for all processes. Note that granting this whitelist to domain does 201# not grant the ioctl permission on these socket types. That must be granted 202# separately. 203allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } 204 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 205# default whitelist for unix sockets. 206allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } 207 ioctl unpriv_unix_sock_ioctls; 208 209# Restrict PTYs to only whitelisted ioctls. 210# Note that granting this whitelist to domain does 211# not grant the wider ioctl permission. That must be granted 212# separately. 213allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; 214 215# Workaround for policy compiler being too aggressive and removing hwservice_manager_type 216# when it's not explicitly used in allow rules 217allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; 218# Workaround for policy compiler being too aggressive and removing vndservice_manager_type 219# when it's not explicitly used in allow rules 220allow { domain -domain } vndservice_manager_type:service_manager { add find }; 221 222# Under ASAN, processes will try to read /data, as the sanitized libraries are there. 223with_asan(`allow domain system_data_file:dir getattr;') 224 225### 226### neverallow rules 227### 228 229# All socket ioctls must be restricted to a whitelist. 230neverallowxperm domain domain:socket_class_set ioctl { 0 }; 231 232# TIOCSTI is only ever used for exploits. Block it. 233# b/33073072, b/7530569 234# http://www.openwall.com/lists/oss-security/2016/09/26/14 235neverallowxperm * devpts:chr_file ioctl TIOCSTI; 236 237# Do not allow any domain other than init or recovery to create unlabeled files. 238neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 239 240# Limit device node creation to these whitelisted domains. 241neverallow { 242 domain 243 -kernel 244 -init 245 -ueventd 246 -vold 247} self:capability mknod; 248 249# Limit raw I/O to these whitelisted domains. Do not apply to debug builds. 250neverallow { 251 domain 252 userdebug_or_eng(`-domain') 253 -kernel 254 -init 255 -recovery 256 -ueventd 257 -healthd 258 -uncrypt 259 -tee 260} self:capability sys_rawio; 261 262# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). 263neverallow * self:memprotect mmap_zero; 264 265# No domain needs mac_override as it is unused by SELinux. 266neverallow * self:capability2 mac_override; 267 268# Only recovery needs mac_admin to set contexts not defined in current policy. 269neverallow { domain -recovery } self:capability2 mac_admin; 270 271# Once the policy has been loaded there shall be none to modify the policy. 272# It is sealed. 273neverallow * kernel:security load_policy; 274 275# Only init prior to switching context should be able to set enforcing mode. 276# init starts in kernel domain and switches to init domain via setcon in 277# the init.rc, so the setenforce occurs while still in kernel. After 278# switching domains, there is never any need to setenforce again by init. 279neverallow * kernel:security setenforce; 280neverallow { domain -kernel } kernel:security setcheckreqprot; 281 282# No booleans in AOSP policy, so no need to ever set them. 283neverallow * kernel:security setbool; 284 285# Adjusting the AVC cache threshold. 286# Not presently allowed to anything in policy, but possibly something 287# that could be set from init.rc. 288neverallow { domain -init } kernel:security setsecparam; 289 290# Only init, ueventd, shell and system_server should be able to access HW RNG 291neverallow { 292 domain 293 -init 294 -shell # For CTS and is restricted to getattr in shell.te 295 -system_server 296 -ueventd 297} hw_random_device:chr_file *; 298 299# Ensure that all entrypoint executables are in exec_type or postinstall_file. 300neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; 301 302# Ensure that nothing in userspace can access /dev/mem or /dev/kmem 303neverallow { 304 domain 305 -shell # For CTS and is restricted to getattr in shell.te 306 -ueventd # Further restricted in ueventd.te 307} kmem_device:chr_file *; 308neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr }; 309 310#Ensure that nothing in userspace can access /dev/port 311neverallow { 312 domain 313 -shell # Shell user should not have any abilities outside of getattr 314 -ueventd 315} port_device:chr_file *; 316neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; 317# Only init should be able to configure kernel usermodehelpers or 318# security-sensitive proc settings. 319neverallow { domain -init } usermodehelper:file { append write }; 320neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; 321neverallow { domain -init } proc_security:file { append open read write }; 322 323# No domain should be allowed to ptrace init. 324neverallow * init:process ptrace; 325 326# Init can't do anything with binder calls. If this neverallow rule is being 327# triggered, it's probably due to a service with no SELinux domain. 328neverallow * init:binder *; 329 330# Don't allow raw read/write/open access to block_device 331# Rather force a relabel to a more specific type 332neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; 333 334# Do not allow renaming of block files or character files 335# Ability to do so can lead to possible use in an exploit chain 336# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html 337neverallow * *:{ blk_file chr_file } rename; 338 339# Don't allow raw read/write/open access to generic devices. 340# Rather force a relabel to a more specific type. 341neverallow domain device:chr_file { open read write }; 342 343# Limit what domains can mount filesystems or change their mount flags. 344# sdcard_type / vfat is exempt as a larger set of domains need 345# this capability, including device-specific domains. 346neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; 347 348# 349# Assert that, to the extent possible, we're not loading executable content from 350# outside the rootfs or /system partition except for a few whitelisted domains. 351# 352neverallow { 353 domain 354 -appdomain 355 with_asan(`-asan_extract') 356 -dumpstate 357 -shell 358 userdebug_or_eng(`-su') 359 -webview_zygote 360 -zygote 361} { 362 file_type 363 -system_file 364 -vendor_file_type 365 -exec_type 366 -postinstall_file 367}:file execute; 368 369neverallow { 370 domain 371 -appdomain # for oemfs 372 -recovery # for /tmp/update_binary in tmpfs 373} { fs_type -rootfs }:file execute; 374# Files from cache should never be executed 375neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; 376 377# Protect most domains from executing arbitrary content from /data. 378neverallow { 379 domain 380 -appdomain 381} { 382 data_file_type 383 -dalvikcache_data_file 384 -system_data_file # shared libs in apks 385 -apk_data_file 386}:file no_x_file_perms; 387 388neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; 389 390# Only the init property service should write to /data/property and /dev/__properties__ 391neverallow { domain -init } property_data_file:dir no_w_dir_perms; 392neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; 393neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; 394neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; 395neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; 396 397# Only recovery should be doing writes to /system & /vendor 398neverallow { 399 domain 400 -recovery 401 with_asan(`-asan_extract') 402} { 403 system_file 404 vendor_file_type 405 exec_type 406}:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; 407 408neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto; 409 410# Don't allow mounting on top of /system files or directories 411neverallow * exec_type:dir_file_class_set mounton; 412neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton; 413 414# Nothing should be writing to files in the rootfs. 415neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; 416 417# Restrict context mounts to specific types marked with 418# the contextmount_type attribute. 419neverallow * {fs_type -contextmount_type}:filesystem relabelto; 420 421# Ensure that context mount types are not writable, to ensure that 422# the write to /system restriction above is not bypassed via context= 423# mount to another type. 424neverallow { domain -recovery } contextmount_type:dir_file_class_set 425 { create write setattr relabelfrom relabelto append unlink link rename }; 426 427# Do not allow service_manager add for default service labels. 428# Instead domains should use a more specific type such as 429# system_app_service rather than the generic type. 430# New service_types are defined in {,hw,vnd}service.te and new mappings 431# from service name to service_type are defined in {,hw,vnd}service_contexts. 432neverallow * default_android_service:service_manager add; 433neverallow * default_android_vndservice:service_manager { add find }; 434neverallow * default_android_hwservice:hwservice_manager { add find }; 435 436# Looking up the base class/interface of all HwBinder services is a bad idea. 437# hwservicemanager currently offer such lookups only to make it so that security 438# decisions are expressed in SELinux policy. However, it's unclear whether this 439# lookup has security implications. If it doesn't, hwservicemanager should be 440# modified to not offer this lookup. 441# This rule can be removed if hwservicemanager is modified to not permit these 442# lookups. 443neverallow * hidl_base_hwservice:hwservice_manager find; 444 445# Require that domains explicitly label unknown properties, and do not allow 446# anyone but init to modify unknown properties. 447neverallow { domain -init } default_prop:property_service set; 448neverallow { domain -init } mmc_prop:property_service set; 449 450# Do not allow reading device's serial number from system properties except form 451# a few whitelisted domains. 452neverallow { 453 domain 454 -adbd 455 -dumpstate 456 -hal_drm 457 -hal_cas 458 -init 459 -mediadrmserver 460 -recovery 461 -shell 462 -system_server 463} serialno_prop:file r_file_perms; 464 465# Do not allow reading the last boot timestamp from system properties 466neverallow { domain -init -system_server } firstboot_prop:file r_file_perms; 467 468neverallow { 469 domain 470 -init 471 -recovery 472 -system_server 473 -shell # Shell is further restricted in shell.te 474 -ueventd # Further restricted in ueventd.te 475} frp_block_device:blk_file no_rw_file_perms; 476 477# The metadata block device is set aside for device encryption and 478# verified boot metadata. It may be reset at will and should not 479# be used by other domains. 480neverallow { domain -init -recovery -vold } metadata_block_device:blk_file 481 { append link rename write open read ioctl lock }; 482 483# No domain other than recovery and update_engine can write to system partition(s). 484neverallow { domain -recovery -update_engine } system_block_device:blk_file write; 485 486# No domains other than install_recovery or recovery can write to recovery. 487neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write; 488 489# No domains other than a select few can access the misc_block_device. This 490# block device is reserved for OTA use. 491# Do not assert this rule on userdebug/eng builds, due to some devices using 492# this partition for testing purposes. 493neverallow { 494 domain 495 userdebug_or_eng(`-domain') # exclude debuggable builds 496 -hal_bootctl 497 -init 498 -uncrypt 499 -update_engine 500 -vold 501 -recovery 502 -ueventd 503} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; 504 505# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager 506neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; 507# The service managers are only allowed to access their own device node 508neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; 509neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; 510neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; 511neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; 512neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 513neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 514 515# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core 516# domain apps need this because Android framework offers many of its services to apps as Binder 517# services. 518full_treble_only(` 519 neverallow { 520 domain 521 -coredomain 522 -appdomain 523 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 524 } binder_device:chr_file rw_file_perms; 525 neverallow { 526 domain 527 -coredomain 528 -appdomain # restrictions for vendor apps are declared lower down 529 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 530 } service_manager_type:service_manager find; 531 # Vendor apps are permited to use only stable public services. If they were to use arbitrary 532 # services which can change any time framework/core is updated, breakage is likely. 533 neverallow { 534 appdomain 535 -coredomain 536 } { 537 service_manager_type 538 -app_api_service 539 -ephemeral_app_api_service 540 -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed 541 -cameraserver_service 542 -drmserver_service 543 -keystore_service 544 -mediadrmserver_service 545 -mediaextractor_service 546 -mediametrics_service 547 -mediaserver_service 548 -nfc_service 549 -radio_service 550 -surfaceflinger_service 551 -virtual_touchpad_service 552 -vr_hwc_service 553 -vr_manager_service 554 }:service_manager find; 555 neverallow { 556 domain 557 -coredomain 558 -appdomain 559 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 560 } servicemanager:binder { call transfer }; 561') 562 563# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. 564full_treble_only(` 565 neverallow { 566 coredomain 567 -shell 568 userdebug_or_eng(`-su') 569 -ueventd # uevent is granted create for this device, but we still neverallow I/O below 570 } vndbinder_device:chr_file rw_file_perms; 571 neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; 572 neverallow { 573 coredomain 574 -shell 575 userdebug_or_eng(`-su') 576 } vndservice_manager_type:service_manager *; 577 neverallow { 578 coredomain 579 -shell 580 userdebug_or_eng(`-su') 581 } vndservicemanager:binder *; 582') 583 584# On full TREBLE devices, socket communications between core components and vendor components are 585# not permitted. 586full_treble_only(` 587 # Most general rules first, more specific rules below. 588 589 # Core domains are not permitted to initiate communications to vendor domain sockets. 590 # We are not restricting the use of already established sockets because it is fine for a process 591 # to obtain an already established socket via some public/official/stable API and then exchange 592 # data with its peer over that socket. The wire format in this scenario is dicatated by the API 593 # and thus does not break the core-vendor separation. 594 neverallow_establish_socket_comms({ 595 coredomain 596 -init 597 -adbd 598 }, { 599 domain 600 -coredomain 601 -socket_between_core_and_vendor_violators 602 }); 603 # Vendor domains are not permitted to initiate communications to core domain sockets 604 neverallow_establish_socket_comms({ 605 domain 606 -coredomain 607 -appdomain 608 -socket_between_core_and_vendor_violators 609 }, { 610 coredomain 611 -logd # Logging by writing to logd Unix domain socket is public API 612 -netd # netdomain needs this 613 -mdnsd # netdomain needs this 614 userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds 615 -init 616 -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services 617 -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services 618 }); 619 620 # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets 621 neverallow_establish_socket_comms({ 622 domain 623 -coredomain 624 -netdomain 625 -socket_between_core_and_vendor_violators 626 }, netd); 627 628 # Vendor domains are not permitted to initiate create/open sockets owned by core domains 629 neverallow { 630 domain 631 -coredomain 632 -appdomain # appdomain restrictions below 633 -socket_between_core_and_vendor_violators 634 } { 635 coredomain_socket 636 core_data_file_type 637 unlabeled # used only by core domains 638 }:sock_file ~{ append getattr ioctl read write }; 639 neverallow { 640 appdomain 641 -coredomain 642 } { 643 coredomain_socket 644 unlabeled # used only by core domains 645 core_data_file_type 646 -app_data_file 647 -pdx_endpoint_socket_type # used by VR layer 648 -pdx_channel_socket_type # used by VR layer 649 }:sock_file ~{ append getattr ioctl read write }; 650 651 # Core domains are not permitted to create/open sockets owned by vendor domains 652 neverallow { 653 coredomain 654 -init 655 -ueventd 656 -socket_between_core_and_vendor_violators 657 } { 658 file_type 659 dev_type 660 -coredomain_socket 661 -core_data_file_type 662 -unlabeled 663 }:sock_file ~{ append getattr ioctl read write }; 664') 665 666# On TREBLE devices, a limited set of files in /vendor are accessible to 667# only a few whitelisted coredomains to keep system/vendor separation. 668full_treble_only(` 669 # Limit access to /vendor/app 670 neverallow { 671 coredomain 672 -appdomain 673 -dex2oat 674 -idmap 675 -init 676 -installd 677 -postinstall_dexopt 678 -system_server 679 } vendor_app_file:dir { open read getattr search }; 680 681 neverallow { 682 coredomain 683 -appdomain 684 -dex2oat 685 -idmap 686 -init 687 -installd 688 -postinstall_dexopt 689 -system_server 690 } vendor_app_file:{ file lnk_file } r_file_perms; 691 692 # Limit access to /vendor/overlay 693 neverallow { 694 coredomain 695 -appdomain 696 -idmap 697 -init 698 -installd 699 -system_server 700 -zygote 701 } vendor_overlay_file:dir { getattr open read search }; 702 703 neverallow { 704 coredomain 705 -appdomain 706 -idmap 707 -init 708 -installd 709 -system_server 710 -zygote 711 } vendor_overlay_file:{ file lnk_file } r_file_perms; 712 713 # Non-vendor domains are not allowed to file execute shell 714 # from vendor 715 neverallow { 716 coredomain 717 -init 718 } vendor_shell_exec:file { execute execute_no_trans }; 719 720 # Do not allow vendor components to execute files from system 721 # except for the ones whitelist here. 722 neverallow { 723 domain 724 -coredomain 725 -appdomain 726 -rild 727 -vendor_executes_system_violators 728 } { 729 exec_type 730 -vendor_file_type 731 -crash_dump_exec 732 -netutils_wrapper_exec 733 }:file { entrypoint execute execute_no_trans }; 734') 735 736# Only authorized processes should be writing to files in /data/dalvik-cache 737neverallow { 738 domain 739 -init # TODO: limit init to relabelfrom for files 740 -zygote 741 -installd 742 -postinstall_dexopt 743 -cppreopts 744 -dex2oat 745 -otapreopt_slot 746} dalvikcache_data_file:file no_w_file_perms; 747 748neverallow { 749 domain 750 -init 751 -installd 752 -postinstall_dexopt 753 -cppreopts 754 -dex2oat 755 -zygote 756 -otapreopt_slot 757} dalvikcache_data_file:dir no_w_dir_perms; 758 759# Only system_server should be able to send commands via the zygote socket 760neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 761neverallow { domain -system_server } zygote_socket:sock_file write; 762 763neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto; 764neverallow { domain -system_server } webview_zygote_socket:sock_file write; 765 766neverallow { 767 domain 768 -tombstoned 769 -crash_dump 770 -dumpstate 771 -system_server 772 773 # Processes that can't exec crash_dump 774 -mediacodec 775 -mediaextractor 776} tombstoned_crash_socket:unix_stream_socket connectto; 777 778# Never allow anyone except dumpstate or the system server to connect or write to 779# the tombstoned intercept socket. 780neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write; 781neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 782 783# Android does not support System V IPCs. 784# 785# The reason for this is due to the fact that, by design, they lead to global 786# kernel resource leakage. 787# 788# For example, there is no way to automatically release a SysV semaphore 789# allocated in the kernel when: 790# 791# - a buggy or malicious process exits 792# - a non-buggy and non-malicious process crashes or is explicitly killed. 793# 794# Killing processes automatically to make room for new ones is an 795# important part of Android's application lifecycle implementation. This means 796# that, even assuming only non-buggy and non-malicious code, it is very likely 797# that over time, the kernel global tables used to implement SysV IPCs will fill 798# up. 799neverallow * *:{ shm sem msg msgq } *; 800 801# Do not mount on top of symlinks, fifos, or sockets. 802# Feature parity with Chromium LSM. 803neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 804 805# Nobody should be able to execute su on user builds. 806# On userdebug/eng builds, only dumpstate, shell, and 807# su itself execute su. 808neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 809 810# Do not allow the introduction of new execmod rules. Text relocations 811# and modification of executable pages are unsafe. 812# The only exceptions are for NDK text relocations associated with 813# https://code.google.com/p/android/issues/detail?id=23203 814# which, long term, need to go away. 815neverallow * { 816 file_type 817 -apk_data_file 818 -app_data_file 819 -asec_public_file 820}:file execmod; 821 822# Do not allow making the stack or heap executable. 823# We would also like to minimize execmem but it seems to be 824# required by some device-specific service domains. 825neverallow * self:process { execstack execheap }; 826 827# prohibit non-zygote spawned processes from using shared libraries 828# with text relocations. b/20013628 . 829neverallow { domain -untrusted_app_all } file_type:file execmod; 830 831neverallow { domain -init } proc:{ file dir } mounton; 832 833# Ensure that all types assigned to processes are included 834# in the domain attribute, so that all allow and neverallow rules 835# written on domain are applied to all processes. 836# This is achieved by ensuring that it is impossible to transition 837# from a domain to a non-domain type and vice versa. 838# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 839neverallow ~domain domain:process { transition dyntransition }; 840 841# 842# Only system_app and system_server should be creating or writing 843# their files. The proper way to share files is to setup 844# type transitions to a more specific type or assigning a type 845# to its parent directory via a file_contexts entry. 846# Example type transition: 847# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 848# 849neverallow { 850 domain 851 -system_server 852 -system_app 853 -init 854 -installd # for relabelfrom and unlink, check for this in explicit neverallow 855 with_asan(`-asan_extract') 856} system_data_file:file no_w_file_perms; 857# do not grant anything greater than r_file_perms and relabelfrom unlink 858# to installd 859neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 860 861# respect system_app sandboxes 862neverallow { 863 domain 864 -appdomain # finer-grained rules for appdomain are listed below 865 -system_server #populate com.android.providers.settings/databases/settings.db. 866 -installd # creation of app sandbox 867} system_app_data_file:dir_file_class_set { create unlink open }; 868neverallow { 869 isolated_app 870 untrusted_app_all # finer-grained rules for appdomain are listed below 871 ephemeral_app 872 priv_app 873} system_app_data_file:dir_file_class_set { create unlink open }; 874 875 876# Services should respect app sandboxes 877neverallow { 878 domain 879 -appdomain 880 -installd # creation of sandbox 881} app_data_file:dir_file_class_set { create unlink }; 882 883# 884# Only these domains should transition to shell domain. This domain is 885# permissible for the "shell user". If you need a process to exec a shell 886# script with differing privilege, define a domain and set up a transition. 887# 888neverallow { 889 domain 890 -adbd 891 -init 892 -runas 893 -zygote 894} shell:process { transition dyntransition }; 895 896# Only domains spawned from zygote and runas may have the appdomain attribute. 897neverallow { domain -runas -webview_zygote -zygote } { 898 appdomain -shell userdebug_or_eng(`-su') 899}:process { transition dyntransition }; 900 901# Minimize read access to shell- or app-writable symlinks. 902# This is to prevent malicious symlink attacks. 903neverallow { 904 domain 905 -appdomain 906 -installd 907 -uncrypt # TODO: see if we can remove 908} app_data_file:lnk_file read; 909 910neverallow { 911 domain 912 -shell 913 userdebug_or_eng(`-uncrypt') 914 -installd 915} shell_data_file:lnk_file read; 916 917# In addition to the symlink reading restrictions above, restrict 918# write access to shell owned directories. The /data/local/tmp 919# directory is untrustworthy, and non-whitelisted domains should 920# not be trusting any content in those directories. 921neverallow { 922 domain 923 -adbd 924 -dumpstate 925 -installd 926 -init 927 -shell 928 -vold 929} shell_data_file:dir no_w_dir_perms; 930 931neverallow { 932 domain 933 -adbd 934 -appdomain 935 -dumpstate 936 -init 937 -installd 938 -system_server # why? 939 userdebug_or_eng(`-uncrypt') 940} shell_data_file:dir { open search }; 941 942# Same as above for /data/local/tmp files. We allow shell files 943# to be passed around by file descriptor, but not directly opened. 944neverallow { 945 domain 946 -adbd 947 -appdomain 948 -dumpstate 949 -installd 950 userdebug_or_eng(`-uncrypt') 951} shell_data_file:file open; 952 953 954# servicemanager and vndservicemanager are the only processes which handle the 955# service_manager list request 956neverallow * ~{ 957 servicemanager 958 vndservicemanager 959 }:service_manager list; 960 961# hwservicemanager is the only process which handles hw list requests 962neverallow * ~{ 963 hwservicemanager 964 }:hwservice_manager list; 965 966# only service_manager_types can be added to service_manager 967# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 968 969# Prevent assigning non property types to properties 970# TODO - rework this: neverallow * ~property_type:property_service set; 971 972# Domain types should never be assigned to any files other 973# than the /proc/pid files associated with a process. The 974# executable file used to enter a domain should be labeled 975# with its own _exec type, not with the domain type. 976# Conventionally, this looks something like: 977# $ cat mydaemon.te 978# type mydaemon, domain; 979# type mydaemon_exec, exec_type, file_type; 980# init_daemon_domain(mydaemon) 981# $ grep mydaemon file_contexts 982# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 983neverallow * domain:file { execute execute_no_trans entrypoint }; 984 985# Do not allow access to the generic debugfs label. This is too broad. 986# Instead, if access to part of debugfs is desired, it should have a 987# more specific label. 988# TODO: fix system_server and dumpstate 989neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms; 990 991# Profiles contain untrusted data and profman parses that. We should only run 992# in from installd forked processes. 993neverallow { 994 domain 995 -installd 996 -profman 997} profman_exec:file no_x_file_perms; 998 999# Enforce restrictions on kernel module origin. 1000# Do not allow kernel module loading except from system, 1001# vendor, and boot partitions. 1002neverallow * ~{ system_file vendor_file rootfs }:system module_load; 1003 1004# Only allow filesystem caps to be set at build time or 1005# during upgrade by recovery. 1006neverallow { 1007 domain 1008 -recovery 1009} self:capability setfcap; 1010 1011# Enforce AT_SECURE for executing crash_dump. 1012neverallow domain crash_dump:process noatsecure; 1013 1014# Do not permit non-core domains to register HwBinder services which are 1015# guaranteed to be provided by core domains only. 1016neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1017 1018# Do not permit the registeration of HwBinder services which are guaranteed to 1019# be passthrough only (i.e., run in the process of their clients instead of a 1020# separate server process). 1021neverallow * same_process_hwservice:hwservice_manager add; 1022