2012-01-04 18:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# domain_trans(olddomain, type, newdomain)
|
|
|
|
# Allow a transition from olddomain to newdomain
|
|
|
|
# upon executing a file labeled with type.
|
|
|
|
# This only allows the transition; it does not
|
|
|
|
# cause it to occur automatically - use domain_auto_trans
|
|
|
|
# if that is what you want.
|
|
|
|
#
|
|
|
|
define(`domain_trans', `
|
|
|
|
# Old domain may exec the file and transition to the new domain.
|
|
|
|
allow $1 $2:file { getattr open read execute };
|
|
|
|
allow $1 $3:process transition;
|
|
|
|
# New domain is entered by executing the file.
|
2014-03-26 15:32:09 +01:00
|
|
|
allow $3 $2:file { entrypoint open read execute getattr };
|
2012-01-04 18:33:27 +01:00
|
|
|
# New domain can send SIGCHLD to its caller.
|
2016-04-23 20:14:06 +02:00
|
|
|
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
|
2012-01-04 18:33:27 +01:00
|
|
|
# Enable AT_SECURE, i.e. libc secure mode.
|
|
|
|
dontaudit $1 $3:process noatsecure;
|
|
|
|
# XXX dontaudit candidate but requires further study.
|
|
|
|
allow $1 $3:process { siginh rlimitinh };
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# domain_auto_trans(olddomain, type, newdomain)
|
|
|
|
# Automatically transition from olddomain to newdomain
|
|
|
|
# upon executing a file labeled with type.
|
|
|
|
#
|
|
|
|
define(`domain_auto_trans', `
|
|
|
|
# Allow the necessary permissions.
|
|
|
|
domain_trans($1,$2,$3)
|
|
|
|
# Make the transition occur by default.
|
|
|
|
type_transition $1 $2:process $3;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# file_type_trans(domain, dir_type, file_type)
|
|
|
|
# Allow domain to create a file labeled file_type in a
|
|
|
|
# directory labeled dir_type.
|
|
|
|
# This only allows the transition; it does not
|
|
|
|
# cause it to occur automatically - use file_type_auto_trans
|
|
|
|
# if that is what you want.
|
|
|
|
#
|
|
|
|
define(`file_type_trans', `
|
|
|
|
# Allow the domain to add entries to the directory.
|
|
|
|
allow $1 $2:dir ra_dir_perms;
|
|
|
|
# Allow the domain to create the file.
|
|
|
|
allow $1 $3:notdevfile_class_set create_file_perms;
|
|
|
|
allow $1 $3:dir create_dir_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# file_type_auto_trans(domain, dir_type, file_type)
|
|
|
|
# Automatically label new files with file_type when
|
|
|
|
# they are created by domain in directories labeled dir_type.
|
|
|
|
#
|
|
|
|
define(`file_type_auto_trans', `
|
|
|
|
# Allow the necessary permissions.
|
|
|
|
file_type_trans($1, $2, $3)
|
|
|
|
# Make the transition occur by default.
|
|
|
|
type_transition $1 $2:dir $3;
|
|
|
|
type_transition $1 $2:notdevfile_class_set $3;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# r_dir_file(domain, type)
|
|
|
|
# Allow the specified domain to read directories, files
|
|
|
|
# and symbolic links of the specified type.
|
|
|
|
define(`r_dir_file', `
|
|
|
|
allow $1 $2:dir r_dir_perms;
|
|
|
|
allow $1 $2:{ file lnk_file } r_file_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# tmpfs_domain(domain)
|
|
|
|
# Define and allow access to a unique type for
|
|
|
|
# this domain when creating tmpfs / shmem / ashmem files.
|
|
|
|
define(`tmpfs_domain', `
|
|
|
|
type $1_tmpfs, file_type;
|
|
|
|
type_transition $1 tmpfs:file $1_tmpfs;
|
2013-12-23 22:18:55 +01:00
|
|
|
allow $1 $1_tmpfs:file { read write };
|
2016-09-10 01:27:17 +02:00
|
|
|
allow $1 tmpfs:dir { getattr search };
|
2012-01-04 18:33:27 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# init_daemon_domain(domain)
|
|
|
|
# Set up a transition from init to the daemon domain
|
|
|
|
# upon executing its binary.
|
|
|
|
define(`init_daemon_domain', `
|
|
|
|
domain_auto_trans(init, $1_exec, $1)
|
|
|
|
tmpfs_domain($1)
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# app_domain(domain)
|
|
|
|
# Allow a base set of permissions required for all apps.
|
|
|
|
define(`app_domain', `
|
|
|
|
typeattribute $1 appdomain;
|
2016-12-08 20:23:34 +01:00
|
|
|
# Label ashmem objects with our own unique type.
|
|
|
|
tmpfs_domain($1)
|
|
|
|
# Map with PROT_EXEC.
|
|
|
|
allow $1 $1_tmpfs:file execute;
|
2012-01-04 18:33:27 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# net_domain(domain)
|
|
|
|
# Allow a base set of permissions required for network access.
|
|
|
|
define(`net_domain', `
|
|
|
|
typeattribute $1 netdomain;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# bluetooth_domain(domain)
|
|
|
|
# Allow a base set of permissions required for bluetooth access.
|
|
|
|
define(`bluetooth_domain', `
|
|
|
|
typeattribute $1 bluetoothdomain;
|
|
|
|
')
|
|
|
|
|
2017-01-11 00:54:25 +01:00
|
|
|
#####################################
|
2017-01-17 23:58:20 +01:00
|
|
|
# hal_impl_domain(domain[, hal_type_attr])
|
2017-01-11 00:54:25 +01:00
|
|
|
# Allow a base set of permissions required for a domain to host a
|
2017-01-17 23:58:20 +01:00
|
|
|
# HAL implementation.
|
|
|
|
#
|
|
|
|
# Optionally, the type of the HAL can be specified as the second
|
|
|
|
# argument. This is useful for HALs which may have multiple
|
|
|
|
# implementations. Attributes are used to group the various
|
|
|
|
# implementations of such HALs.
|
2017-01-11 00:54:25 +01:00
|
|
|
#
|
|
|
|
# For example, default implementation of Foo HAL:
|
|
|
|
# type hal_foo_default, domain;
|
|
|
|
# hal_impl_domain(hal_foo_default, hal_foo)
|
|
|
|
#
|
|
|
|
define(`hal_impl_domain', `
|
|
|
|
typeattribute $1 haldomain;
|
2017-01-17 23:58:20 +01:00
|
|
|
ifelse($2, `', `', `typeattribute $1 $2;')
|
2017-01-11 00:54:25 +01:00
|
|
|
')
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# unix_socket_connect(clientdomain, socket, serverdomain)
|
|
|
|
# Allow a local socket connection from clientdomain via
|
|
|
|
# socket to serverdomain.
|
2015-05-05 03:22:45 +02:00
|
|
|
#
|
|
|
|
# Note: If you see denial records that distill to the
|
|
|
|
# following allow rules:
|
|
|
|
# allow clientdomain property_socket:sock_file write;
|
|
|
|
# allow clientdomain init:unix_stream_socket connectto;
|
|
|
|
# allow clientdomain something_prop:property_service set;
|
|
|
|
#
|
|
|
|
# This sequence is indicative of attempting to set a property.
|
|
|
|
# use set_prop(sourcedomain, targetproperty)
|
|
|
|
#
|
2012-01-04 18:33:27 +01:00
|
|
|
define(`unix_socket_connect', `
|
2015-05-11 22:02:46 +02:00
|
|
|
ifelse($2, `property', `
|
|
|
|
ifelse($3,`init', `
|
|
|
|
print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
|
|
|
|
')
|
|
|
|
')
|
|
|
|
__unix_socket_connect__($1, $2, $3)
|
|
|
|
')
|
|
|
|
|
|
|
|
define(`__unix_socket_connect__', `
|
2012-01-04 18:33:27 +01:00
|
|
|
allow $1 $2_socket:sock_file write;
|
|
|
|
allow $1 $3:unix_stream_socket connectto;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
2015-05-05 03:22:45 +02:00
|
|
|
# set_prop(sourcedomain, targetproperty)
|
|
|
|
# Allows source domain to set the
|
|
|
|
# targetproperty.
|
|
|
|
#
|
|
|
|
define(`set_prop', `
|
2015-05-11 22:02:46 +02:00
|
|
|
__unix_socket_connect__($1, property, init)
|
2015-05-05 03:22:45 +02:00
|
|
|
allow $1 $2:property_service set;
|
2015-12-08 23:45:50 +01:00
|
|
|
get_prop($1, $2)
|
2015-05-05 03:22:45 +02:00
|
|
|
')
|
|
|
|
|
2015-12-02 01:58:27 +01:00
|
|
|
#####################################
|
|
|
|
# get_prop(sourcedomain, targetproperty)
|
|
|
|
# Allows source domain to read the
|
|
|
|
# targetproperty.
|
|
|
|
#
|
|
|
|
define(`get_prop', `
|
|
|
|
allow $1 $2:file r_file_perms;
|
|
|
|
')
|
|
|
|
|
2015-05-05 03:22:45 +02:00
|
|
|
#####################################
|
2012-01-04 18:33:27 +01:00
|
|
|
# unix_socket_send(clientdomain, socket, serverdomain)
|
|
|
|
# Allow a local socket send from clientdomain via
|
|
|
|
# socket to serverdomain.
|
|
|
|
define(`unix_socket_send', `
|
|
|
|
allow $1 $2_socket:sock_file write;
|
|
|
|
allow $1 $3:unix_dgram_socket sendto;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# binder_use(domain)
|
|
|
|
# Allow domain to use Binder IPC.
|
|
|
|
define(`binder_use', `
|
2012-11-16 15:17:54 +01:00
|
|
|
# Call the servicemanager and transfer references to it.
|
|
|
|
allow $1 servicemanager:binder { call transfer };
|
2014-07-07 22:56:27 +02:00
|
|
|
# servicemanager performs getpidcon on clients.
|
|
|
|
allow servicemanager $1:dir search;
|
|
|
|
allow servicemanager $1:file { read open };
|
|
|
|
allow servicemanager $1:process getattr;
|
2012-01-04 18:33:27 +01:00
|
|
|
# rw access to /dev/binder and /dev/ashmem is presently granted to
|
|
|
|
# all domains in domain.te.
|
|
|
|
')
|
|
|
|
|
2016-07-08 13:49:09 +02:00
|
|
|
#####################################
|
|
|
|
# hwbinder_use(domain)
|
|
|
|
# Allow domain to use HwBinder IPC.
|
|
|
|
define(`hwbinder_use', `
|
|
|
|
# Call the hwservicemanager and transfer references to it.
|
|
|
|
allow $1 hwservicemanager:binder { call transfer };
|
2016-12-15 19:46:22 +01:00
|
|
|
# Allow hwservicemanager to send out callbacks
|
|
|
|
allow hwservicemanager $1:binder { call transfer };
|
2016-07-08 13:49:09 +02:00
|
|
|
# hwservicemanager performs getpidcon on clients.
|
|
|
|
allow hwservicemanager $1:dir search;
|
|
|
|
allow hwservicemanager $1:file { read open };
|
|
|
|
allow hwservicemanager $1:process getattr;
|
|
|
|
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
|
|
|
|
# all domains in domain.te.
|
|
|
|
')
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# binder_call(clientdomain, serverdomain)
|
|
|
|
# Allow clientdomain to perform binder IPC to serverdomain.
|
|
|
|
define(`binder_call', `
|
2012-11-16 15:17:54 +01:00
|
|
|
# Call the server domain and optionally transfer references to it.
|
|
|
|
allow $1 $2:binder { call transfer };
|
|
|
|
# Allow the serverdomain to transfer references to the client on the reply.
|
|
|
|
allow $2 $1:binder transfer;
|
2012-01-04 18:33:27 +01:00
|
|
|
# Receive and use open files from the server.
|
|
|
|
allow $1 $2:fd use;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# binder_service(domain)
|
|
|
|
# Mark a domain as being a Binder service domain.
|
|
|
|
# Used to allow binder IPC to the various system services.
|
|
|
|
define(`binder_service', `
|
|
|
|
typeattribute $1 binderservicedomain;
|
|
|
|
')
|
|
|
|
|
2014-05-23 22:33:32 +02:00
|
|
|
#####################################
|
2016-12-15 21:49:38 +01:00
|
|
|
# hwallocator_use(domain)
|
|
|
|
# Allow a domain to use Hidl shared memory
|
|
|
|
define(`hwallocator_use', `
|
|
|
|
# Call into the allocator hal
|
|
|
|
binder_call($1, hal_allocator);
|
2017-01-10 03:23:12 +01:00
|
|
|
')
|
2016-12-15 21:49:38 +01:00
|
|
|
|
|
|
|
#####################################
|
2014-05-23 22:33:32 +02:00
|
|
|
# wakelock_use(domain)
|
|
|
|
# Allow domain to manage wake locks
|
|
|
|
define(`wakelock_use', `
|
|
|
|
# Access /sys/power/wake_lock and /sys/power/wake_unlock
|
|
|
|
allow $1 sysfs_wake_lock:file rw_file_perms;
|
|
|
|
# Accessing these files requires CAP_BLOCK_SUSPEND
|
|
|
|
allow $1 self:capability2 block_suspend;
|
|
|
|
')
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# selinux_check_access(domain)
|
|
|
|
# Allow domain to check SELinux permissions via selinuxfs.
|
|
|
|
define(`selinux_check_access', `
|
2016-09-10 01:27:17 +02:00
|
|
|
r_dir_file($1, selinuxfs)
|
|
|
|
allow $1 selinuxfs:file w_file_perms;
|
2012-01-04 18:33:27 +01:00
|
|
|
allow $1 kernel:security compute_av;
|
2016-11-21 23:38:17 +01:00
|
|
|
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
|
2012-01-04 18:33:27 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# selinux_check_context(domain)
|
|
|
|
# Allow domain to check SELinux contexts via selinuxfs.
|
|
|
|
define(`selinux_check_context', `
|
2016-09-10 01:27:17 +02:00
|
|
|
r_dir_file($1, selinuxfs)
|
|
|
|
allow $1 selinuxfs:file w_file_perms;
|
2012-01-04 18:33:27 +01:00
|
|
|
allow $1 kernel:security check_context;
|
|
|
|
')
|
|
|
|
|
2013-09-27 15:44:32 +02:00
|
|
|
#####################################
|
|
|
|
# create_pty(domain)
|
|
|
|
# Allow domain to create and use a pty, isolated from any other domain ptys.
|
|
|
|
define(`create_pty', `
|
|
|
|
# Each domain gets a unique devpts type.
|
|
|
|
type $1_devpts, fs_type;
|
|
|
|
# Label the pty with the unique type when created.
|
|
|
|
type_transition $1 devpts:chr_file $1_devpts;
|
|
|
|
# Allow use of the pty after creation.
|
|
|
|
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
|
2016-11-22 23:22:43 +01:00
|
|
|
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
|
|
|
|
# TIOCSTI is only ever used for exploits. Block it.
|
|
|
|
# b/33073072, b/7530569
|
|
|
|
# http://www.openwall.com/lists/oss-security/2016/09/26/14
|
|
|
|
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
|
2013-09-27 15:44:32 +02:00
|
|
|
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
|
|
|
|
# allowed to everyone via domain.te.
|
|
|
|
')
|
|
|
|
|
2013-04-29 16:31:24 +02:00
|
|
|
#####################################
|
|
|
|
# Non system_app application set
|
|
|
|
#
|
|
|
|
define(`non_system_app_set', `{ appdomain -system_app }')
|
2014-01-10 00:25:36 +01:00
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
#####################################
|
|
|
|
# Recovery only
|
|
|
|
# SELinux rules which apply only to recovery mode
|
|
|
|
#
|
|
|
|
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
|
|
|
|
|
2014-01-10 00:25:36 +01:00
|
|
|
#####################################
|
|
|
|
# Userdebug or eng builds
|
|
|
|
# SELinux rules which apply only to userdebug or eng builds
|
|
|
|
#
|
|
|
|
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
|
2014-01-11 10:31:03 +01:00
|
|
|
|
2016-11-18 14:42:35 +01:00
|
|
|
#####################################
|
|
|
|
# WITH_DEXPREOPT builds
|
2016-12-05 12:46:42 +01:00
|
|
|
# SELinux rules which apply only when pre-opting.
|
2016-11-18 14:42:35 +01:00
|
|
|
#
|
2016-12-05 12:46:42 +01:00
|
|
|
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
|
2016-11-18 14:42:35 +01:00
|
|
|
|
2013-11-13 00:34:52 +01:00
|
|
|
#####################################
|
|
|
|
# write_logd(domain)
|
|
|
|
# Ability to write to android log
|
|
|
|
# daemon via sockets
|
|
|
|
define(`write_logd', `
|
|
|
|
unix_socket_send($1, logdw, logd)
|
2014-12-15 21:01:35 +01:00
|
|
|
allow $1 pmsg_device:chr_file w_file_perms;
|
2013-11-13 00:34:52 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# read_logd(domain)
|
2014-09-04 14:44:49 +02:00
|
|
|
# Ability to run logcat and read from android
|
2013-11-13 00:34:52 +01:00
|
|
|
# log daemon via sockets
|
|
|
|
define(`read_logd', `
|
2014-09-04 14:44:49 +02:00
|
|
|
allow $1 logcat_exec:file rx_file_perms;
|
2013-11-13 00:34:52 +01:00
|
|
|
unix_socket_connect($1, logdr, logd)
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# control_logd(domain)
|
|
|
|
# Ability to control
|
|
|
|
# android log daemon via sockets
|
|
|
|
define(`control_logd', `
|
|
|
|
# Group AID_LOG checked by filesystem & logd
|
|
|
|
# to permit control commands
|
|
|
|
unix_socket_connect($1, logd, logd)
|
|
|
|
')
|
2014-06-17 23:58:52 +02:00
|
|
|
|
|
|
|
#####################################
|
|
|
|
# use_keystore(domain)
|
|
|
|
# Ability to use keystore.
|
|
|
|
# Keystore is requires the following permissions
|
|
|
|
# to call getpidcon.
|
|
|
|
define(`use_keystore', `
|
|
|
|
allow keystore $1:dir search;
|
|
|
|
allow keystore $1:file { read open };
|
|
|
|
allow keystore $1:process getattr;
|
2015-03-02 19:59:05 +01:00
|
|
|
allow $1 keystore_service:service_manager find;
|
2014-06-17 23:58:52 +02:00
|
|
|
binder_call($1, keystore)
|
|
|
|
')
|
2014-07-07 22:56:27 +02:00
|
|
|
|
2014-07-02 21:42:59 +02:00
|
|
|
###########################################
|
|
|
|
# use_drmservice(domain)
|
|
|
|
# Ability to use DrmService which requires
|
|
|
|
# DrmService to call getpidcon.
|
|
|
|
define(`use_drmservice', `
|
|
|
|
allow drmserver $1:dir search;
|
|
|
|
allow drmserver $1:file { read open };
|
|
|
|
allow drmserver $1:process getattr;
|
|
|
|
')
|
2015-05-11 22:02:46 +02:00
|
|
|
|
2017-01-19 22:23:52 +01:00
|
|
|
###########################################
|
|
|
|
# add_service(domain, service)
|
|
|
|
# Ability for domain to add a service to service_manager
|
|
|
|
# and find it. It also creates a neverallow preventing
|
|
|
|
# others from adding it.
|
|
|
|
define(`add_service', `
|
|
|
|
allow $1 $2:service_manager { add find };
|
|
|
|
neverallow { domain -$1 } $2:service_manager add;
|
|
|
|
')
|
|
|
|
|
2015-05-11 22:02:46 +02:00
|
|
|
##########################################
|
|
|
|
# print a message with a trailing newline
|
|
|
|
# print(`args')
|
|
|
|
define(`print', `errprint(`m4: '__file__: __line__`: $*
|
|
|
|
')')
|