2015-11-03 18:54:39 +01:00
|
|
|
# rules removed from the domain attribute
|
2015-11-06 00:24:22 +01:00
|
|
|
|
|
|
|
|
# Search /storage/emulated tmpfs mount.
|
|
|
|
|
allow domain_deprecated tmpfs:dir r_dir_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
userdebug_or_eng(`
|
2017-02-10 21:06:46 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-sdcardd
|
|
|
|
|
-surfaceflinger
|
|
|
|
|
-system_server
|
|
|
|
|
-vold
|
|
|
|
|
-zygote
|
|
|
|
|
} tmpfs:dir r_dir_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
2015-11-06 00:24:22 +01:00
|
|
|
|
|
|
|
|
# Inherit or receive open files from others.
|
|
|
|
|
allow domain_deprecated system_server:fd use;
|
2017-02-10 21:58:41 +01:00
|
|
|
userdebug_or_eng(`
|
2016-10-01 14:26:15 +02:00
|
|
|
auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
2015-11-06 00:24:22 +01:00
|
|
|
|
|
|
|
|
# Connect to adbd and use a socket transferred from it.
|
|
|
|
|
# This is used for e.g. adb backup/restore.
|
|
|
|
|
allow domain_deprecated adbd:fd use;
|
2017-02-10 21:58:41 +01:00
|
|
|
userdebug_or_eng(`
|
2016-09-10 01:27:17 +02:00
|
|
|
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
2015-11-06 00:24:22 +01:00
|
|
|
|
|
|
|
|
# Root fs.
|
|
|
|
|
allow domain_deprecated rootfs:dir r_dir_perms;
|
|
|
|
|
allow domain_deprecated rootfs:file r_file_perms;
|
|
|
|
|
allow domain_deprecated rootfs:lnk_file r_file_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
userdebug_or_eng(`
|
2017-02-10 18:39:37 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-fsck
|
|
|
|
|
-healthd
|
|
|
|
|
-installd
|
|
|
|
|
-servicemanager
|
|
|
|
|
-system_server
|
|
|
|
|
-ueventd
|
|
|
|
|
-uncrypt
|
|
|
|
|
-vold
|
|
|
|
|
-zygote
|
|
|
|
|
} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
|
2017-02-10 21:06:46 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-healthd
|
|
|
|
|
-installd
|
|
|
|
|
-servicemanager
|
|
|
|
|
-system_server
|
|
|
|
|
-ueventd
|
|
|
|
|
-uncrypt
|
|
|
|
|
-vold
|
|
|
|
|
-zygote
|
|
|
|
|
} rootfs:file r_file_perms;
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-healthd
|
|
|
|
|
-installd
|
|
|
|
|
-servicemanager
|
|
|
|
|
-system_server
|
|
|
|
|
-ueventd
|
|
|
|
|
-uncrypt
|
|
|
|
|
-vold
|
|
|
|
|
-zygote
|
|
|
|
|
} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
2015-11-06 00:24:22 +01:00
|
|
|
|
|
|
|
|
# System file accesses.
|
|
|
|
|
allow domain_deprecated system_file:dir r_dir_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
userdebug_or_eng(`
|
2016-11-08 01:14:28 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
2016-11-26 03:00:38 +01:00
|
|
|
-fingerprintd
|
2016-11-08 01:14:28 +01:00
|
|
|
-installd
|
2017-02-10 18:39:37 +01:00
|
|
|
-keystore
|
2016-11-08 01:14:28 +01:00
|
|
|
-rild
|
|
|
|
|
-surfaceflinger
|
|
|
|
|
-system_server
|
2017-02-10 18:39:37 +01:00
|
|
|
-update_engine
|
|
|
|
|
-vold
|
2016-11-08 01:14:28 +01:00
|
|
|
-zygote
|
|
|
|
|
} system_file:dir { open read ioctl lock }; # search getattr in domain
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
2015-11-06 00:24:22 +01:00
|
|
|
|
|
|
|
|
# Read files already opened under /data.
|
|
|
|
|
allow domain_deprecated system_data_file:file { getattr read };
|
|
|
|
|
allow domain_deprecated system_data_file:lnk_file r_file_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
userdebug_or_eng(`
|
2017-02-10 21:06:46 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-sdcardd
|
|
|
|
|
-system_server
|
|
|
|
|
-tee
|
|
|
|
|
} system_data_file:file { getattr read };
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-system_server
|
|
|
|
|
-tee
|
|
|
|
|
} system_data_file:lnk_file r_file_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
2015-11-06 00:24:22 +01:00
|
|
|
|
|
|
|
|
# Read apk files under /data/app.
|
|
|
|
|
allow domain_deprecated apk_data_file:dir { getattr search };
|
|
|
|
|
allow domain_deprecated apk_data_file:file r_file_perms;
|
|
|
|
|
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
userdebug_or_eng(`
|
2017-02-10 21:06:46 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-dex2oat
|
|
|
|
|
-installd
|
|
|
|
|
-system_server
|
|
|
|
|
} apk_data_file:dir { getattr search };
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-dex2oat
|
|
|
|
|
-installd
|
|
|
|
|
-system_server
|
|
|
|
|
} apk_data_file:file r_file_perms;
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-dex2oat
|
|
|
|
|
-installd
|
|
|
|
|
-system_server
|
|
|
|
|
} apk_data_file:lnk_file r_file_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
2015-11-06 00:24:22 +01:00
|
|
|
|
|
|
|
|
# Read already opened /cache files.
|
2016-01-16 17:15:52 +01:00
|
|
|
allow domain_deprecated cache_file:dir r_dir_perms;
|
|
|
|
|
allow domain_deprecated cache_file:file { getattr read };
|
2016-01-07 21:56:54 +01:00
|
|
|
allow domain_deprecated cache_file:lnk_file r_file_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
userdebug_or_eng(`
|
2017-02-10 21:06:46 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-system_server
|
|
|
|
|
-vold
|
|
|
|
|
} cache_file:dir { open read search ioctl lock };
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-system_server
|
|
|
|
|
-vold
|
|
|
|
|
} cache_file:dir getattr;
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-system_server
|
|
|
|
|
-vold
|
|
|
|
|
} cache_file:file { getattr read };
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-system_server
|
|
|
|
|
-vold
|
|
|
|
|
} cache_file:lnk_file r_file_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
2015-12-22 21:37:17 +01:00
|
|
|
|
2017-02-10 21:58:41 +01:00
|
|
|
# Allow access to ion memory allocation device
|
2015-11-06 00:24:22 +01:00
|
|
|
allow domain_deprecated ion_device:chr_file rw_file_perms;
|
2016-09-10 01:27:17 +02:00
|
|
|
# split this auditallow into read and write perms since most domains seem to
|
|
|
|
|
# only require read
|
2017-02-10 21:58:41 +01:00
|
|
|
userdebug_or_eng(`
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-fingerprintd
|
|
|
|
|
-keystore
|
|
|
|
|
-surfaceflinger
|
|
|
|
|
-system_server
|
|
|
|
|
-tee
|
|
|
|
|
-vold
|
|
|
|
|
-zygote
|
|
|
|
|
} ion_device:chr_file r_file_perms;
|
2016-09-10 01:27:17 +02:00
|
|
|
auditallow domain_deprecated ion_device:chr_file { write append };
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
2015-11-06 00:24:22 +01:00
|
|
|
|
|
|
|
|
# Read access to pseudo filesystems.
|
|
|
|
|
r_dir_file(domain_deprecated, proc)
|
2016-09-13 20:03:36 +02:00
|
|
|
r_dir_file(domain_deprecated, sysfs)
|
2015-11-06 00:24:22 +01:00
|
|
|
r_dir_file(domain_deprecated, cgroup)
|
2016-03-31 23:11:50 +02:00
|
|
|
allow domain_deprecated proc_meminfo:file r_file_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
|
|
|
|
|
userdebug_or_eng(`
|
2017-02-10 18:39:37 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-fsck
|
|
|
|
|
-fsck_untrusted
|
|
|
|
|
-rild
|
|
|
|
|
-sdcardd
|
|
|
|
|
-system_server
|
|
|
|
|
-update_engine
|
|
|
|
|
-vold
|
|
|
|
|
} proc:file r_file_perms;
|
2017-02-10 21:06:46 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-fsck
|
|
|
|
|
-fsck_untrusted
|
|
|
|
|
-rild
|
|
|
|
|
-system_server
|
|
|
|
|
-vold
|
|
|
|
|
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-bluetooth
|
|
|
|
|
-fingerprintd
|
|
|
|
|
-healthd
|
|
|
|
|
-netd
|
|
|
|
|
-rild
|
|
|
|
|
-system_app
|
|
|
|
|
-surfaceflinger
|
|
|
|
|
-system_server
|
|
|
|
|
-tee
|
|
|
|
|
-ueventd
|
|
|
|
|
-vold
|
|
|
|
|
} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-bluetooth
|
|
|
|
|
-fingerprintd
|
|
|
|
|
-healthd
|
|
|
|
|
-netd
|
|
|
|
|
-rild
|
|
|
|
|
-system_app
|
|
|
|
|
-surfaceflinger
|
|
|
|
|
-system_server
|
|
|
|
|
-tee
|
|
|
|
|
-ueventd
|
|
|
|
|
-vold
|
|
|
|
|
} sysfs:file r_file_perms;
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-bluetooth
|
|
|
|
|
-fingerprintd
|
|
|
|
|
-healthd
|
|
|
|
|
-netd
|
|
|
|
|
-rild
|
|
|
|
|
-system_app
|
|
|
|
|
-surfaceflinger
|
|
|
|
|
-system_server
|
|
|
|
|
-tee
|
|
|
|
|
-ueventd
|
|
|
|
|
-vold
|
|
|
|
|
} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
|
2016-10-29 17:07:12 +02:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-dumpstate
|
|
|
|
|
-fingerprintd
|
|
|
|
|
-healthd
|
|
|
|
|
-inputflinger
|
|
|
|
|
-installd
|
|
|
|
|
-keystore
|
|
|
|
|
-netd
|
|
|
|
|
-rild
|
|
|
|
|
-surfaceflinger
|
|
|
|
|
-system_server
|
|
|
|
|
-zygote
|
|
|
|
|
} cgroup:dir r_dir_perms;
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-dumpstate
|
|
|
|
|
-fingerprintd
|
|
|
|
|
-healthd
|
|
|
|
|
-inputflinger
|
|
|
|
|
-installd
|
|
|
|
|
-keystore
|
|
|
|
|
-netd
|
|
|
|
|
-rild
|
|
|
|
|
-surfaceflinger
|
|
|
|
|
-system_server
|
|
|
|
|
-zygote
|
|
|
|
|
} cgroup:{ file lnk_file } r_file_perms;
|
2017-02-10 21:06:46 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-surfaceflinger
|
|
|
|
|
-system_server
|
|
|
|
|
-vold
|
|
|
|
|
} proc_meminfo:file r_file_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
2015-11-06 00:24:22 +01:00
|
|
|
|
|
|
|
|
# Get SELinux enforcing status.
|
|
|
|
|
allow domain_deprecated selinuxfs:dir r_dir_perms;
|
|
|
|
|
allow domain_deprecated selinuxfs:file r_file_perms;
|
2017-02-10 21:58:41 +01:00
|
|
|
userdebug_or_eng(`
|
2017-02-10 21:06:46 +01:00
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-installd
|
|
|
|
|
-keystore
|
|
|
|
|
-postinstall_dexopt
|
|
|
|
|
-runas
|
|
|
|
|
-servicemanager
|
|
|
|
|
-system_server
|
|
|
|
|
-ueventd
|
|
|
|
|
-zygote
|
|
|
|
|
} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
|
|
|
|
|
auditallow {
|
|
|
|
|
domain_deprecated
|
|
|
|
|
-appdomain
|
|
|
|
|
-installd
|
|
|
|
|
-keystore
|
|
|
|
|
-postinstall_dexopt
|
|
|
|
|
-runas
|
|
|
|
|
-servicemanager
|
|
|
|
|
-system_server
|
|
|
|
|
-ueventd
|
|
|
|
|
-zygote
|
|
|
|
|
} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
|
2017-02-10 21:58:41 +01:00
|
|
|
')
|
