2016-10-19 23:39:30 +02:00
|
|
|
# Transition to crash_dump when /system/bin/crash_dump* is executed.
|
|
|
|
# This occurs when the process crashes.
|
2018-09-06 04:11:38 +02:00
|
|
|
# We do not apply this to the su domain to avoid interfering with
|
|
|
|
# tests (b/114136122)
|
|
|
|
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
|
2016-10-19 23:39:30 +02:00
|
|
|
allow domain crash_dump:process sigchld;
|
|
|
|
|
2016-10-12 23:58:09 +02:00
|
|
|
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
|
|
|
# with other UIDs to these whitelisted domains.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-vold
|
2018-08-08 01:03:47 +02:00
|
|
|
userdebug_or_eng(`-llkd')
|
2016-10-12 23:58:09 +02:00
|
|
|
-dumpstate
|
2018-03-13 00:21:40 +01:00
|
|
|
userdebug_or_eng(`-incidentd')
|
2016-07-01 21:18:54 +02:00
|
|
|
-storaged
|
2016-10-12 23:58:09 +02:00
|
|
|
-system_server
|
|
|
|
userdebug_or_eng(`-perfprofd')
|
2017-11-09 23:51:26 +01:00
|
|
|
} self:global_capability_class_set sys_ptrace;
|
2017-04-11 17:41:25 +02:00
|
|
|
|
|
|
|
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
|
|
|
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
|
2017-11-02 18:08:30 +01:00
|
|
|
|
2018-01-31 03:14:45 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
userdebug_or_eng(`-domain')
|
|
|
|
} debugfs_tracing_debug:file no_rw_file_perms;
|
|
|
|
|
2017-11-02 18:08:30 +01:00
|
|
|
# Core domains are not permitted to use kernel interfaces which are not
|
|
|
|
# explicitly labeled.
|
|
|
|
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
|
|
|
|
full_treble_only(`
|
|
|
|
# /proc
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-vold
|
|
|
|
} proc:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# /sys
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-init
|
|
|
|
-ueventd
|
|
|
|
-vold
|
|
|
|
} sysfs:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# /dev
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-fsck
|
|
|
|
-init
|
|
|
|
-ueventd
|
|
|
|
} device:{ blk_file file } no_rw_file_perms;
|
|
|
|
|
|
|
|
# debugfs
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-dumpstate
|
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
} debugfs:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# tracefs
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
2018-03-02 20:27:06 +01:00
|
|
|
-atrace
|
2017-11-02 18:08:30 +01:00
|
|
|
-dumpstate
|
|
|
|
-init
|
2017-12-05 19:54:38 +01:00
|
|
|
userdebug_or_eng(`-perfprofd')
|
2018-02-09 12:15:22 +01:00
|
|
|
-traced_probes
|
2017-11-02 18:08:30 +01:00
|
|
|
-shell
|
2018-01-09 21:24:47 +01:00
|
|
|
-traceur_app
|
2017-11-02 18:08:30 +01:00
|
|
|
} debugfs_tracing:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# inotifyfs
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-init
|
|
|
|
} inotify:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# pstorefs
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-bootstat
|
|
|
|
-charger
|
|
|
|
-dumpstate
|
|
|
|
-healthd
|
2018-03-30 19:14:08 +02:00
|
|
|
userdebug_or_eng(`-incidentd')
|
2017-11-02 18:08:30 +01:00
|
|
|
-init
|
|
|
|
-logd
|
|
|
|
-logpersist
|
|
|
|
-recovery_persist
|
|
|
|
-recovery_refresh
|
|
|
|
-shell
|
|
|
|
-system_server
|
|
|
|
} pstorefs:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# configfs
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
} configfs:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# functionfs
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-adbd
|
|
|
|
-init
|
|
|
|
-mediaprovider
|
2017-12-07 01:13:59 +01:00
|
|
|
-system_server
|
|
|
|
} functionfs:file no_rw_file_perms;
|
2017-11-02 18:08:30 +01:00
|
|
|
|
|
|
|
# usbfs and binfmt_miscfs
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-init
|
|
|
|
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
|
|
|
|
')
|
2018-04-16 16:49:49 +02:00
|
|
|
|
|
|
|
# System_server owns dropbox data, and init creates/restorecons the directory
|
|
|
|
# Disallow direct access by other processes.
|
|
|
|
neverallow { domain -init -system_server } dropbox_data_file:dir *;
|
|
|
|
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
###
|
|
|
|
# Services should respect app sandboxes
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
|
|
|
-installd # creation of sandbox
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
# Only the following processes should be directly accessing private app
|
|
|
|
# directories.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-adbd
|
|
|
|
-appdomain
|
|
|
|
-dexoptanalyzer
|
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
userdebug_or_eng(`-perfprofd')
|
|
|
|
-profman
|
|
|
|
-runas
|
|
|
|
-system_server
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir *;
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
# Only apps should be modifying app data. init and installd are exempted for
|
|
|
|
# restorecon and package install/uninstall.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
|
|
|
-init
|
|
|
|
-installd
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
|
|
|
-installd
|
|
|
|
userdebug_or_eng(`-perfprofd')
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:file_class_set open;
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
|
|
|
-installd # creation of sandbox
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-installd
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
|