2016-10-19 23:39:30 +02:00
|
|
|
# Transition to crash_dump when /system/bin/crash_dump* is executed.
|
|
|
|
# This occurs when the process crashes.
|
2018-09-06 04:11:38 +02:00
|
|
|
# We do not apply this to the su domain to avoid interfering with
|
|
|
|
# tests (b/114136122)
|
|
|
|
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
|
2016-10-19 23:39:30 +02:00
|
|
|
allow domain crash_dump:process sigchld;
|
|
|
|
|
2018-11-08 14:58:13 +01:00
|
|
|
# Allow every process to check the heapprofd.enable properties to determine
|
|
|
|
# whether to load the heap profiling library. This does not necessarily enable
|
|
|
|
# heap profiling, as initialization will fail if it does not have the
|
|
|
|
# necessary SELinux permissions.
|
|
|
|
get_prop(domain, heapprofd_prop);
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Allow heap profiling on debug builds.
|
2020-03-23 20:10:59 +01:00
|
|
|
userdebug_or_eng(`can_profile_heap_central({
|
2018-11-27 12:09:14 +01:00
|
|
|
domain
|
|
|
|
-bpfloader
|
|
|
|
-init
|
|
|
|
-kernel
|
|
|
|
-keystore
|
|
|
|
-llkd
|
|
|
|
-logd
|
2019-02-28 16:59:32 +01:00
|
|
|
-logpersist
|
|
|
|
-recovery
|
|
|
|
-recovery_persist
|
|
|
|
-recovery_refresh
|
2018-11-27 12:09:14 +01:00
|
|
|
-ueventd
|
|
|
|
-vendor_init
|
|
|
|
-vold
|
|
|
|
})')
|
2018-11-08 14:58:13 +01:00
|
|
|
|
2020-01-22 21:00:13 +01:00
|
|
|
# As above, allow perf profiling most processes on debug builds.
|
2020-02-19 15:59:17 +01:00
|
|
|
# zygote is excluded as system-wide profiling could end up with it
|
|
|
|
# (unexpectedly) holding an open fd across a fork.
|
2020-01-22 21:00:13 +01:00
|
|
|
userdebug_or_eng(`can_profile_perf({
|
|
|
|
domain
|
|
|
|
-bpfloader
|
|
|
|
-init
|
|
|
|
-kernel
|
|
|
|
-keystore
|
|
|
|
-llkd
|
|
|
|
-logd
|
|
|
|
-logpersist
|
|
|
|
-recovery
|
|
|
|
-recovery_persist
|
|
|
|
-recovery_refresh
|
|
|
|
-ueventd
|
|
|
|
-vendor_init
|
|
|
|
-vold
|
2020-02-19 15:59:17 +01:00
|
|
|
-zygote
|
2020-01-22 21:00:13 +01:00
|
|
|
})')
|
|
|
|
|
2018-11-29 02:50:24 +01:00
|
|
|
# Path resolution access in cgroups.
|
|
|
|
allow domain cgroup:dir search;
|
2018-12-12 18:06:05 +01:00
|
|
|
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
|
|
|
|
allow { domain -appdomain -rs } cgroup:file w_file_perms;
|
2018-11-29 02:50:24 +01:00
|
|
|
|
2019-01-11 02:10:31 +01:00
|
|
|
allow domain cgroup_rc_file:dir search;
|
|
|
|
allow domain cgroup_rc_file:file r_file_perms;
|
|
|
|
allow domain task_profiles_file:file r_file_perms;
|
2019-02-20 00:02:14 +01:00
|
|
|
allow domain vendor_task_profiles_file:file r_file_perms;
|
2019-01-11 02:10:31 +01:00
|
|
|
|
2019-01-31 23:43:57 +01:00
|
|
|
# Allow all domains to read sys.use_memfd to determine
|
|
|
|
# if memfd support can be used if device supports it
|
|
|
|
get_prop(domain, use_memfd_prop);
|
|
|
|
|
2020-01-06 18:29:13 +01:00
|
|
|
# Read access to sdkextensions props
|
|
|
|
get_prop(domain, module_sdkextensions_prop)
|
2019-11-25 14:10:10 +01:00
|
|
|
|
2020-01-20 06:11:07 +01:00
|
|
|
# Read access to bq configuration values
|
|
|
|
get_prop(domain, bq_config_prop);
|
|
|
|
|
2018-11-29 02:50:24 +01:00
|
|
|
# For now, everyone can access core property files
|
|
|
|
# Device specific properties are not granted by default
|
|
|
|
not_compatible_property(`
|
2020-05-21 13:12:55 +02:00
|
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
2018-11-29 02:50:24 +01:00
|
|
|
get_prop(domain, core_property_type)
|
|
|
|
get_prop(domain, exported3_system_prop)
|
|
|
|
get_prop(domain, vendor_default_prop)
|
|
|
|
')
|
|
|
|
compatible_property_only(`
|
2020-05-21 13:12:55 +02:00
|
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
2018-11-29 02:50:24 +01:00
|
|
|
get_prop({coredomain appdomain shell}, core_property_type)
|
|
|
|
get_prop({coredomain appdomain shell}, exported3_system_prop)
|
2020-01-06 13:25:00 +01:00
|
|
|
get_prop({coredomain appdomain shell}, exported_camera_prop)
|
2019-11-14 13:59:15 +01:00
|
|
|
get_prop({coredomain shell}, userspace_reboot_exported_prop)
|
2020-02-07 01:10:29 +01:00
|
|
|
get_prop({coredomain shell}, userspace_reboot_log_prop)
|
2020-03-12 15:45:00 +01:00
|
|
|
get_prop({coredomain shell}, userspace_reboot_test_prop)
|
2018-11-29 02:50:24 +01:00
|
|
|
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
|
|
|
|
')
|
|
|
|
|
2019-03-13 23:21:41 +01:00
|
|
|
# Allow access to fsverity keyring.
|
|
|
|
allow domain kernel:key search;
|
|
|
|
# Allow access to keys in the fsverity keyring that were installed at boot.
|
2019-03-15 19:15:31 +01:00
|
|
|
allow domain fsverity_init:key search;
|
2019-03-13 23:21:41 +01:00
|
|
|
# For testing purposes, allow access to keys installed with su.
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow domain su:key search;
|
|
|
|
')
|
|
|
|
|
2019-07-08 12:02:05 +02:00
|
|
|
# Allow access to linkerconfig file
|
2019-08-05 12:50:53 +02:00
|
|
|
allow domain linkerconfig_file:dir search;
|
2019-07-08 12:02:05 +02:00
|
|
|
allow domain linkerconfig_file:file r_file_perms;
|
|
|
|
|
2019-08-28 23:08:50 +02:00
|
|
|
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
|
|
|
|
allow domain boringssl_self_test_marker:dir search;
|
|
|
|
|
2016-10-12 23:58:09 +02:00
|
|
|
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
2020-07-31 20:28:11 +02:00
|
|
|
# with other UIDs to these allowlisted domains.
|
2016-10-12 23:58:09 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-vold
|
2018-08-08 01:03:47 +02:00
|
|
|
userdebug_or_eng(`-llkd')
|
2016-10-12 23:58:09 +02:00
|
|
|
-dumpstate
|
2018-03-13 00:21:40 +01:00
|
|
|
userdebug_or_eng(`-incidentd')
|
2020-08-31 19:54:01 +02:00
|
|
|
userdebug_or_eng(`-profcollectd')
|
2016-07-01 21:18:54 +02:00
|
|
|
-storaged
|
2016-10-12 23:58:09 +02:00
|
|
|
-system_server
|
2017-11-09 23:51:26 +01:00
|
|
|
} self:global_capability_class_set sys_ptrace;
|
2017-04-11 17:41:25 +02:00
|
|
|
|
|
|
|
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
2019-10-29 22:13:20 +01:00
|
|
|
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
|
2020-07-27 21:53:20 +02:00
|
|
|
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
|
|
|
|
neverallow { domain -system_server } *:keystore2_key use_dev_id;
|
|
|
|
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
|
2017-11-02 18:08:30 +01:00
|
|
|
|
2018-01-31 03:14:45 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
userdebug_or_eng(`-domain')
|
|
|
|
} debugfs_tracing_debug:file no_rw_file_perms;
|
|
|
|
|
2018-04-16 16:49:49 +02:00
|
|
|
# System_server owns dropbox data, and init creates/restorecons the directory
|
|
|
|
# Disallow direct access by other processes.
|
|
|
|
neverallow { domain -init -system_server } dropbox_data_file:dir *;
|
|
|
|
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
###
|
|
|
|
# Services should respect app sandboxes
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
|
|
|
-installd # creation of sandbox
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
# Only the following processes should be directly accessing private app
|
|
|
|
# directories.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-adbd
|
|
|
|
-appdomain
|
2018-11-05 11:39:15 +01:00
|
|
|
-app_zygote
|
2018-05-29 19:41:36 +02:00
|
|
|
-dexoptanalyzer
|
|
|
|
-installd
|
2020-02-13 01:28:19 +01:00
|
|
|
-iorap_inode2filename
|
2019-09-19 20:04:20 +02:00
|
|
|
-iorap_prefetcherd
|
2018-05-29 19:41:36 +02:00
|
|
|
-profman
|
2018-12-12 18:06:05 +01:00
|
|
|
-rs # spawned by appdomain, so carryover the exception above
|
2018-05-29 19:41:36 +02:00
|
|
|
-runas
|
|
|
|
-system_server
|
2019-01-11 17:13:01 +01:00
|
|
|
-viewcompiler
|
2019-12-13 13:30:26 +01:00
|
|
|
-zygote
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir *;
|
2018-05-29 19:41:36 +02:00
|
|
|
|
2018-11-16 09:59:23 +01:00
|
|
|
# Only apps should be modifying app data. installd is exempted for
|
2018-05-29 19:41:36 +02:00
|
|
|
# restorecon and package install/uninstall.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
|
|
|
-installd
|
2018-12-12 18:06:05 +01:00
|
|
|
-rs # spawned by appdomain, so carryover the exception above
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
2018-11-05 11:39:15 +01:00
|
|
|
-app_zygote
|
2018-05-29 19:41:36 +02:00
|
|
|
-installd
|
2019-09-19 20:04:20 +02:00
|
|
|
-iorap_prefetcherd
|
2018-12-12 18:06:05 +01:00
|
|
|
-rs # spawned by appdomain, so carryover the exception above
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:file_class_set open;
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
|
|
|
-installd # creation of sandbox
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-installd
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
|
2018-10-04 19:57:29 +02:00
|
|
|
|
2019-01-02 15:20:52 +01:00
|
|
|
# The staging directory contains APEX and APK files. It is important to ensure
|
|
|
|
# that these files cannot be accessed by other domains to ensure that the files
|
|
|
|
# do not change between system_server staging the files and apexd processing
|
|
|
|
# the files.
|
2020-02-13 01:28:19 +01:00
|
|
|
neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
|
2020-04-22 01:04:04 +02:00
|
|
|
neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
|
2019-02-19 13:21:59 +01:00
|
|
|
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
|
2019-02-05 23:47:57 +01:00
|
|
|
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
|
|
|
|
# except for `link` and `unlink`.
|
2019-01-02 15:20:52 +01:00
|
|
|
neverallow { domain -init -system_server } staging_data_file:file
|
2019-02-05 23:47:57 +01:00
|
|
|
{ append create relabelfrom rename setattr write no_x_file_perms };
|
2019-01-02 15:20:52 +01:00
|
|
|
|
2018-10-04 19:57:29 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain # for oemfs
|
|
|
|
-bootanim # for oemfs
|
|
|
|
-recovery # for /tmp/update_binary in tmpfs
|
|
|
|
} { fs_type -rootfs }:file execute;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Assert that, to the extent possible, we're not loading executable content from
|
2020-07-31 20:28:11 +02:00
|
|
|
# outside the rootfs or /system partition except for a few allowlisted domains.
|
2018-10-04 19:57:29 +02:00
|
|
|
# Executable files loaded from /data is a persistence vector
|
|
|
|
# we want to avoid. See
|
|
|
|
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
|
|
|
|
#
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
|
|
|
with_asan(`-asan_extract')
|
2019-09-19 20:04:20 +02:00
|
|
|
-iorap_prefetcherd
|
2018-10-04 19:57:29 +02:00
|
|
|
-shell
|
|
|
|
userdebug_or_eng(`-su')
|
|
|
|
-system_server_startup # for memfd backed executable regions
|
2018-11-05 11:39:15 +01:00
|
|
|
-app_zygote
|
2018-10-04 19:57:29 +02:00
|
|
|
-webview_zygote
|
|
|
|
-zygote
|
|
|
|
userdebug_or_eng(`-mediaextractor')
|
|
|
|
userdebug_or_eng(`-mediaswcodec')
|
|
|
|
} {
|
|
|
|
file_type
|
|
|
|
-system_file_type
|
|
|
|
-system_lib_file
|
|
|
|
-system_linker_exec
|
|
|
|
-vendor_file_type
|
|
|
|
-exec_type
|
|
|
|
-postinstall_file
|
|
|
|
}:file execute;
|
2019-01-11 02:10:31 +01:00
|
|
|
|
|
|
|
# Only init is allowed to write cgroup.rc file
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
} cgroup_rc_file:file no_w_file_perms;
|
2019-02-22 01:01:50 +01:00
|
|
|
|
|
|
|
# Only authorized processes should be writing to files in /data/dalvik-cache
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init # TODO: limit init to relabelfrom for files
|
|
|
|
-zygote
|
|
|
|
-installd
|
|
|
|
-postinstall_dexopt
|
|
|
|
-cppreopts
|
|
|
|
-dex2oat
|
|
|
|
-otapreopt_slot
|
2019-02-21 19:03:07 +01:00
|
|
|
-art_apex_postinstall
|
2019-03-04 23:10:02 +01:00
|
|
|
-art_apex_boot_integrity
|
2019-02-22 01:01:50 +01:00
|
|
|
} dalvikcache_data_file:file no_w_file_perms;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
-postinstall_dexopt
|
|
|
|
-cppreopts
|
|
|
|
-dex2oat
|
|
|
|
-zygote
|
|
|
|
-otapreopt_slot
|
2019-03-04 23:10:02 +01:00
|
|
|
-art_apex_boot_integrity
|
2019-02-21 19:03:07 +01:00
|
|
|
-art_apex_postinstall
|
2019-02-22 01:01:50 +01:00
|
|
|
} dalvikcache_data_file:dir no_w_dir_perms;
|
2019-02-26 22:12:05 +01:00
|
|
|
|
|
|
|
# Minimize dac_override and dac_read_search.
|
|
|
|
# Instead of granting them it is usually better to add the domain to
|
|
|
|
# a Unix group or change the permissions of a file.
|
|
|
|
define(`dac_override_allowed', `{
|
2020-01-24 18:20:19 +01:00
|
|
|
apexd
|
2019-02-26 22:12:05 +01:00
|
|
|
dnsmasq
|
|
|
|
dumpstate
|
|
|
|
init
|
|
|
|
installd
|
|
|
|
userdebug_or_eng(`llkd')
|
|
|
|
lmkd
|
2019-05-17 16:05:18 +02:00
|
|
|
migrate_legacy_obb_data
|
2019-02-26 22:12:05 +01:00
|
|
|
netd
|
|
|
|
postinstall_dexopt
|
|
|
|
recovery
|
|
|
|
rss_hwm_reset
|
|
|
|
sdcardd
|
|
|
|
tee
|
|
|
|
ueventd
|
|
|
|
uncrypt
|
|
|
|
vendor_init
|
|
|
|
vold
|
|
|
|
vold_prepare_subdirs
|
|
|
|
zygote
|
|
|
|
}')
|
|
|
|
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
|
|
|
|
# Since the kernel checks dac_read_search before dac_override, domains that
|
|
|
|
# have dac_override should also have dac_read_search to eliminate spurious
|
|
|
|
# denials. Some domains have dac_read_search without having dac_override, so
|
|
|
|
# this list should be a superset of the one above.
|
|
|
|
neverallow ~{
|
|
|
|
dac_override_allowed
|
2020-02-13 01:28:19 +01:00
|
|
|
iorap_inode2filename
|
2019-09-19 20:04:20 +02:00
|
|
|
iorap_prefetcherd
|
2020-01-22 20:16:13 +01:00
|
|
|
traced_perf
|
2019-02-26 22:12:05 +01:00
|
|
|
traced_probes
|
2019-03-21 14:07:05 +01:00
|
|
|
userdebug_or_eng(`heapprofd')
|
2019-02-26 22:12:05 +01:00
|
|
|
} self:global_capability_class_set dac_read_search;
|
2019-03-18 18:54:42 +01:00
|
|
|
|
|
|
|
# Limit what domains can mount filesystems or change their mount flags.
|
|
|
|
# sdcard_type / vfat is exempt as a larger set of domains need
|
|
|
|
# this capability, including device-specific domains.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-apexd
|
|
|
|
recovery_only(`userdebug_or_eng(`-fastbootd')')
|
|
|
|
-init
|
|
|
|
-kernel
|
|
|
|
-otapreopt_chroot
|
|
|
|
-recovery
|
|
|
|
-update_engine
|
|
|
|
-vold
|
|
|
|
-zygote
|
|
|
|
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
|
2019-03-16 00:41:15 +01:00
|
|
|
|
2020-07-31 20:28:11 +02:00
|
|
|
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
2019-03-16 00:41:15 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
userdebug_or_eng(`-domain')
|
|
|
|
-kernel
|
|
|
|
-gsid
|
|
|
|
-init
|
|
|
|
-recovery
|
|
|
|
-ueventd
|
|
|
|
-healthd
|
|
|
|
-uncrypt
|
|
|
|
-tee
|
|
|
|
-hal_bootctl_server
|
2019-10-26 00:11:58 +02:00
|
|
|
-fastbootd
|
2019-03-16 00:41:15 +01:00
|
|
|
} self:global_capability_class_set sys_rawio;
|
2019-12-13 13:30:26 +01:00
|
|
|
|
|
|
|
# Limit directory operations that doesn't need to do app data isolation.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
-zygote
|
|
|
|
} mirror_data_file:dir *;
|
2020-02-04 12:31:05 +01:00
|
|
|
|
|
|
|
# This property is being removed. Remove remaining access.
|
|
|
|
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
|
|
|
|
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
|
2020-03-04 09:20:35 +01:00
|
|
|
|
|
|
|
# Only core domains are allowed to access package_manager properties
|
|
|
|
neverallow { domain -init -system_server } pm_prop:property_service set;
|
|
|
|
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# Do not allow reading the last boot timestamp from system properties
|
|
|
|
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
|
2020-06-10 12:27:12 +02:00
|
|
|
|
|
|
|
# Kprobes should only be used by adb root
|
|
|
|
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
|
2020-08-31 15:38:04 +02:00
|
|
|
|
|
|
|
# On TREBLE devices, most coredomains should not access vendor_files.
|
|
|
|
# TODO(b/71553434): Remove exceptions here.
|
|
|
|
full_treble_only(`
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-appdomain
|
|
|
|
-bootanim
|
|
|
|
-crash_dump
|
|
|
|
-heapprofd
|
2020-08-31 19:54:01 +02:00
|
|
|
userdebug_or_eng(`-profcollectd')
|
2020-08-31 15:38:04 +02:00
|
|
|
-init
|
|
|
|
-iorap_inode2filename
|
|
|
|
-iorap_prefetcherd
|
|
|
|
-kernel
|
|
|
|
-traced_perf
|
|
|
|
-ueventd
|
|
|
|
} vendor_file:file { no_w_file_perms no_x_file_perms open };
|
|
|
|
')
|
|
|
|
|
|
|
|
# Vendor domains are not permitted to initiate communications to core domain sockets
|
|
|
|
full_treble_only(`
|
|
|
|
neverallow_establish_socket_comms({
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-socket_between_core_and_vendor_violators
|
|
|
|
}, {
|
|
|
|
coredomain
|
|
|
|
-logd # Logging by writing to logd Unix domain socket is public API
|
|
|
|
-netd # netdomain needs this
|
|
|
|
-mdnsd # netdomain needs this
|
|
|
|
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
|
|
|
|
-init
|
|
|
|
-tombstoned # linker to tombstoned
|
|
|
|
userdebug_or_eng(`-heapprofd')
|
|
|
|
userdebug_or_eng(`-traced_perf')
|
|
|
|
});
|
|
|
|
')
|
|
|
|
|
|
|
|
full_treble_only(`
|
|
|
|
# Do not allow system components access to /vendor files except for the
|
|
|
|
# ones allowed here.
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
# TODO(b/37168747): clean up fwk access to /vendor
|
|
|
|
-crash_dump
|
|
|
|
-init # starts vendor executables
|
|
|
|
-iorap_inode2filename
|
|
|
|
-iorap_prefetcherd
|
|
|
|
-kernel # loads /vendor/firmware
|
|
|
|
userdebug_or_eng(`-heapprofd')
|
2020-08-31 19:54:01 +02:00
|
|
|
userdebug_or_eng(`-profcollectd')
|
2020-08-31 15:38:04 +02:00
|
|
|
-shell
|
|
|
|
-system_executes_vendor_violators
|
|
|
|
-traced_perf # library/binary access for symbolization
|
|
|
|
-ueventd # reads /vendor/ueventd.rc
|
|
|
|
-vold # loads incremental fs driver
|
|
|
|
} {
|
|
|
|
vendor_file_type
|
|
|
|
-same_process_hal_file
|
|
|
|
-vendor_app_file
|
|
|
|
-vendor_apex_file
|
|
|
|
-vendor_configs_file
|
|
|
|
-vendor_service_contexts_file
|
|
|
|
-vendor_framework_file
|
|
|
|
-vendor_idc_file
|
|
|
|
-vendor_keychars_file
|
|
|
|
-vendor_keylayout_file
|
|
|
|
-vendor_overlay_file
|
|
|
|
-vendor_public_lib_file
|
|
|
|
-vendor_task_profiles_file
|
|
|
|
-vndk_sp_file
|
|
|
|
}:file *;
|
|
|
|
')
|