# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
#
# Per the comment above, it is the crashing process itself that execs
# crash_dump, so the dumper inherits that process's credentials; the automatic
# domain transition is what places it under crash_dump's own (narrower) rules
# instead of leaving it in the crashed process's domain. The su carve-out only
# exists on userdebug/eng builds (userdebug_or_eng).
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
# Source -> target: a process in any domain may deliver SIGCHLD to crash_dump.
# Why crash_dump ends up with children in other domains is not visible in this
# file; see crash_dump.te before relying on the exact flow.
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
#
# get_prop is presumably read-only access to the property file (the macro
# body is not in this file); who may *set* heapprofd_prop is governed by
# property_service rules elsewhere, not here.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
#
# Wrapped in userdebug_or_eng, so none of this exists in user policy. The
# subtracted domains are presumably the ones where letting a profiler attach
# is unacceptable (early-boot/recovery daemons, keystore, the log daemons);
# the rationale is not recorded here. This list is maintained by hand and is
# the same as the can_profile_perf() list below except for zygote - if a
# domain is added to or removed from one, review the other.
userdebug_or_eng(`can_profile_heap({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
})')
# As above, allow perf profiling most processes on debug builds.
# zygote is excluded as system-wide profiling could end up with it
# (unexpectedly) holding an open fd across a fork.
#
# Debug builds only (userdebug_or_eng). Apart from -zygote this exclusion
# list mirrors the can_profile_heap() list above; keep the two in sync.
userdebug_or_eng(`can_profile_perf({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
  -zygote
})')
# Everyone can access the IncFS list of features.
# r_dir_file is presumably read-only (directory listing plus file reads) on
# the sysfs node; no write-class permission is granted here.
r_dir_file(domain, sysfs_fs_incfs_features);
# Path resolution access in cgroups.
allow domain cgroup:dir search;
# Write access to cgroup v1 directories and files is granted to every domain
# that is not an app (appdomain) or an app-spawned rs process. This is a broad
# grant: any native daemon can move tasks between cgroups it can reach.
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;

# Same shape for the cgroup v2 hierarchy.
allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;

# Read-only access to the cgroup description (cgroup.rc) and the task-profile
# definitions; writing cgroup.rc is restricted by a neverallow further down.
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
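# Allow all domains to read sys.use_memfd to determine whether memfd can be
# used (the property is only meaningful on devices that support memfd).
get_prop(domain, use_memfd_prop);

# Read access to sdkextensions props.
# Trailing ';' added for consistency with every other get_prop() call site in
# this file; the macro already terminates its own rule, so the extra
# statement separator is harmless.
get_prop(domain, module_sdkextensions_prop);

# Read access to bq configuration values
get_prop(domain, bq_config_prop);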
# For now, everyone can access core property files
# Device specific properties are not granted by default
#
# Legacy (non-compatible-property) devices: every domain, vendor domains
# included, may read the core, exported3_system and vendor_default property
# files. The "DO NOT ADD" markers are there because this branch is frozen.
not_compatible_property(`
  # DO NOT ADD ANY PROPERTIES HERE
  get_prop(domain, core_property_type)
  get_prop(domain, exported3_system_prop)
  get_prop(domain, vendor_default_prop)
')

# Compatible-property devices: the same grants, split by side. Core, app and
# shell domains read the system-owned files; vendor_default_prop is readable
# only by domains that are neither core nor app. exported_camera_prop and the
# userspace_reboot_* props have no counterpart in the legacy branch above;
# whether that asymmetry is intended is not visible in this file.
compatible_property_only(`
  # DO NOT ADD ANY PROPERTIES HERE
  get_prop({coredomain appdomain shell}, core_property_type)
  get_prop({coredomain appdomain shell}, exported3_system_prop)
  get_prop({coredomain appdomain shell}, exported_camera_prop)
  get_prop({coredomain shell}, userspace_reboot_exported_prop)
  get_prop({coredomain shell}, userspace_reboot_log_prop)
  get_prop({coredomain shell}, userspace_reboot_test_prop)
  get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
# Allow access to fsverity keyring.
# Only `search` on the key class is granted, which permits locating keys in
# the keyring; it does not include `read`, `write` or `setattr` on them.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
# userdebug/eng only: this grant is compiled out of user builds, so nothing
# in production may depend on su-installed keys.
userdebug_or_eng(`
  allow domain su:key search;
')
# Allow access to linkerconfig file
# Read-only: every process needs to resolve and read the linker configuration
# at startup; writing it is not granted here.
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;

# Allow all processes to check for the existence of the boringssl_self_test_marker files.
# Only directory `search` is granted here; any file-level permission on the
# marker files themselves must come from a rule elsewhere.
allow domain boringssl_self_test_marker:dir search;
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
#
# NOTE: userdebug_or_eng(`-domain') subtracts *every* domain on debug builds,
# so the assertion is vacuous there and only bites on user builds. A
# debug-only policy regression that touches the misc partition will not be
# caught by this rule.
neverallow {
  domain
  userdebug_or_eng(`-domain') # exclude debuggable builds
  -fastbootd
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
  -mtectrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
#
# CAP_SYS_PTRACE is the capability the kernel checks for cross-UID ptrace and
# for the ptrace_may_access() gate on /proc/<pid>/{mem,maps,...}. Several of
# the exemptions are debug-only, so on user builds the effective allowlist is
# just vold, dumpstate, storaged and system_server.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-simpleperf_boot')
  -storaged
  -system_server
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to
# priv_app and gmscore_app (the rule exempts both; the older comment said only
# priv_apps). Asserted for legacy keystore and keystore2 alike.
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
# use_dev_id (presumably attestations carrying device identifiers) is reserved
# to system_server.
neverallow { domain -system_server } *:keystore2_key use_dev_id;
# Namespace-wide keystore management - clearing a namespace, lock/unlock and
# reset - is likewise system_server only.
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
# Only init and vendor_init may read or write debugfs tracing nodes on user
# builds. On userdebug/eng, userdebug_or_eng(`-domain') removes every domain
# from the assertion, so it is not checked there at all.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
#
# Precisely: the directory is fully off-limits to everyone else, while for
# files the complement set ~{ getattr read } is asserted - other domains may
# still be *granted* getattr/read on individual dropbox files elsewhere, they
# just can never write, create, rename or otherwise modify them.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
# Only the app itself (appdomain) and installd, which sets the sandbox up,
# may create or delete anything (dir_file_class_set: dirs, files, sockets,
# fifos, ...) under an app's private data directory.
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
# Only the following processes should be directly accessing private app
# directories.
#
# `:dir *` means *any* directory permission, including search, so a domain
# not listed here cannot even traverse an app's private data directory.
# Every exemption should be a component of the install/runtime pipeline or a
# debugging path (adbd, runas).
neverallow {
  domain
  -adbd
  -appdomain
  -app_zygote
  -dexoptanalyzer
  -installd
  -iorap_inode2filename
  -iorap_prefetcherd
  -profman
  -rs # spawned by appdomain, so carryover the exception above
  -runas
  -system_server
  -viewcompiler
  -zygote
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
#
# ~r_dir_perms: everything on the directory other than the read-class
# permissions is denied, so the domains exempted from the `*` rule above can
# at most list/search app data directories - they cannot add or remove
# entries. rs inherits the app exemption because it is spawned by the app.
neverallow {
  domain
  -appdomain
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
# Only these domains may *open* files (any file class) inside app-private
# data. Opening is what is restricted; a file descriptor handed over by the
# app (e.g. over binder) can still be used by a domain that is not listed,
# which is the intended way for services to touch app data.
neverallow {
  domain
  -appdomain
  -app_zygote
  -installd
  -iorap_prefetcherd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
# NOTE(review): this assertion is byte-for-byte identical to the
# "Services should respect app sandboxes" rule above. Duplicate neverallows
# are harmless to the compiler but add nothing; one copy could be dropped.
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
# Relabelling app-private data (either direction) is reserved to installd,
# i.e. restorecon during install/uninstall. Not even the app itself may
# change the label of its own files.
neverallow {
  domain
  -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
#
# Two layers of assertions:
#  1. the `*` rules limit *any* access to a short list of domains;
#  2. the no_w rules further down limit *modification* to an even shorter
#     list (init and system_server; plus installd for directories).
# Domains that appear only in layer 1 (shell, adbd, priv_app, system_app,
# crosvm, kernel, virtualizationservice, ...) may therefore be granted read
# style access to staged files, but can never be granted the write-class
# permissions - which is what the integrity argument above actually rests on.
neverallow {
  domain
  -init
  -system_server
  -apexd
  -installd
  -iorap_inode2filename
  -priv_app
  -virtualizationservice
} staging_data_file:dir *;
neverallow {
  domain
  -init
  -system_app
  -system_server
  -apexd
  -adbd
  -kernel
  -installd
  -iorap_inode2filename
  -priv_app
  -shell
  -virtualizationservice
  -crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
# apexd is deliberately *not* exempted here: it may link/unlink staged files
# but can never write to, append to, rename or relabel them. no_x_file_perms
# additionally keeps anything outside init/system_server from executing a
# staged file in place.
neverallow { domain -init -system_server } staging_data_file:file
  { append create relabelfrom rename setattr write no_x_file_perms };
# Files that carry a filesystem type label (fs_type: content on pseudo
# filesystems such as tmpfs, as opposed to file_type-labelled files on real
# partitions) must not be executed by anyone except the listed domains. The
# exemptions are for oemfs content (apps, bootanim) and recovery's update
# binary, which lives in tmpfs.
neverallow {
  domain
  -appdomain # for oemfs
  -bootanim # for oemfs
  -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
# The target set is "every file_type that is not a system/vendor/exec type",
# i.e. anything writable at runtime. Exemptions: apps (dex/native code from
# their own APKs), the zygotes, shell (debug tooling), su only on debug
# builds, system_server_startup for memfd-backed code, iorap, and the media
# extractor/codec only on debug builds.
#
neverallow {
  domain
  -appdomain
  with_asan(`-asan_extract')
  -iorap_prefetcherd
  -shell
  userdebug_or_eng(`-su')
  -system_server_startup # for memfd backed executable regions
  -app_zygote
  -webview_zygote
  -zygote
  userdebug_or_eng(`-mediaextractor')
  userdebug_or_eng(`-mediaswcodec')
} {
  file_type
  -system_file_type
  -system_lib_file
  -system_linker_exec
  -vendor_file_type
  -exec_type
  -postinstall_file
}:file execute;
# Only init (and vendor_init) may write the cgroup.rc file; every other
# domain is denied the write-class permissions on it. Read access for all
# domains is granted near the top of this file.
neverallow { domain -init -vendor_init } cgroup_rc_file:file no_w_file_perms;
# Only authorized processes should be writing to files in /data/dalvik-cache
#
# The file rule and the directory rule below carry the same set of
# exemptions, listed in a different order; they are maintained by hand, so
# change both together.
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;

neverallow {
  domain
  -init
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -zygote
  -otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
#
# These artifacts are executed by the zygote/system_server, so write access
# is the interesting boundary: only the ART compilation/signing pipeline
# (composd, compos_fd_server, odrefresh, odsign) and the directory owners
# (apexd, init, vold_prepare_subdirs) may modify them. The file and dir
# rules below share one exemption list - keep them identical.
neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;

neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;
# Protect most domains from executing arbitrary content from /data.
#
# Only apps may execute from data_file_type at all; the carve-outs on the
# target side are the locations that legitimately hold code for everyone
# else: AOT artifacts (apex_art_data_file, dalvikcache_data_file), shared
# libraries unpacked from APKs (system_data_file) and the APKs themselves.
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
#
# dac_override_allowed is the closed list of domains that may bypass DAC
# permission checks entirely. Adding a domain here is a significant widening:
# it lets that process read and write any file regardless of mode bits,
# subject only to MAC. llkd is debug-only (userdebug_or_eng).
define(`dac_override_allowed', `{
  apexd
  dnsmasq
  dumpstate
  init
  installd
  userdebug_or_eng(`llkd')
  lmkd
  migrate_legacy_obb_data
  netd
  postinstall_dexopt
  recovery
  rss_hwm_reset
  sdcardd
  tee
  ueventd
  uncrypt
  vendor_init
  vold
  vold_prepare_subdirs
  zygote
}')

# ~dac_override_allowed is the complement: every domain not in the list.
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;

# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
# The extra members are the profiling/tracing daemons, which need to read
# (but not write) files owned by arbitrary UIDs.
neverallow ~{
  dac_override_allowed
  iorap_inode2filename
  iorap_prefetcherd
  traced_perf
  traced_probes
  heapprofd
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
#
# Note the permission set includes relabelfrom/relabelto on the filesystem
# class, so this also prevents the excluded domains from changing a
# filesystem's security context, not just mounting it. fastbootd is only
# exempt in recovery policy (recovery_only).
neverallow {
  domain
  -apexd
  recovery_only(`-fastbootd')
  -init
  -kernel
  -otapreopt_chroot
  -recovery
  -update_engine
  -vold
  -zygote
} { fs_type
  -sdcard_type
  -fusefs_type
}:filesystem { mount remount relabelfrom relabelto };

# When debugfs restrictions are enforced, nobody may mount debugfs
# filesystems at all on user builds; on userdebug/eng only init may.
# debugfs_tracing_debug is excluded from the target set (it is handled by the
# debugfs_tracing_debug assertions elsewhere in this file).
enforce_debugfs_restriction(`
  neverallow {
    domain userdebug_or_eng(`-init')
  } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
#
# CAP_SYS_RAWIO covers raw block-device and port I/O. As with the
# misc_block_device rule above, userdebug_or_eng(`-domain') empties the
# source set on debug builds, so this is a user-build-only assertion.
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -gsid
  -init
  -recovery
  -ueventd
  -uncrypt
  -tee
  -hal_bootctl_server
  -fastbootd
} self:global_capability_class_set sys_rawio;
# Limit directory operations that doesn't need to do app data isolation.
#
# mirror_data_file is the app-data mirror used for isolation; only the
# domains that set it up (init, installd, zygote) and fsck may perform any
# directory operation on it.
neverallow {
  domain
  -fsck
  -init
  -installd
  -zygote
} mirror_data_file:dir *;
# This property is being removed. Remove remaining access.
# Setting net_dns_prop is limited to init, vendor_init and system_server;
# reading it additionally to dumpstate.
neverallow {
  domain
  -init
  -system_server
  -vendor_init
} net_dns_prop:property_service set;
neverallow {
  domain
  -dumpstate
  -init
  -system_server
  -vendor_init
} net_dns_prop:file read;

# Package-manager properties: only init and system_server may set them, and
# no domain outside coredomain may read or write the backing file.
neverallow {
  domain
  -init
  -system_server
} pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

# Do not allow reading the last boot timestamp from system properties
# (init, system_server and dumpstate excepted).
neverallow {
  domain
  -init
  -system_server
  -dumpstate
} firstboot_prop:file r_file_perms;

# Kprobes should only be used by adb root
# NOTE(review): as written the assertion exempts only init and vendor_init -
# not su or shell. "adb root" presumably reaches kprobes through init (e.g.
# an rc action); confirm that before relying on the comment above.
neverallow {
  domain
  -init
  -vendor_init
} debugfs_kprobes:file *;
# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
#
# Asserted only when full_treble_only is active. The permission set is
# write-class + execute-class + open, so a core domain may at most be granted
# getattr/read on an already-open vendor_file descriptor. Debug-only
# exemptions (profcollectd, simpleperf_boot) do not exist on user builds.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -bootanim
    -crash_dump
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -init
    -iorap_inode2filename
    -iorap_prefetcherd
    -kernel
    userdebug_or_eng(`-simpleperf_boot')
    -traced_perf
    -ueventd
  } vendor_file:file { no_w_file_perms no_x_file_perms open };
')
# Vendor domains are not permitted to initiate communications to core domain sockets
#
# First argument: the vendor side (everything that is not core, not an app
# and not a registered violator). Second argument: the core targets, minus
# the sockets that are deliberately public API for vendor code (logd, netd,
# mdnsd, init, tombstoned). The su/heapprofd/traced/traced_perf exemptions
# only exist on userdebug/eng builds, so on user builds vendor processes
# cannot connect to the tracing daemons either.
full_treble_only(`
  neverallow_establish_socket_comms({
    domain
    -coredomain
    -appdomain
    -socket_between_core_and_vendor_violators
  }, {
    coredomain
    -logd # Logging by writing to logd Unix domain socket is public API
    -netd # netdomain needs this
    -mdnsd # netdomain needs this
    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
    -init
    -tombstoned # linker to tombstoned
    userdebug_or_eng(`-heapprofd')
    userdebug_or_eng(`-traced')
    userdebug_or_eng(`-traced_perf')
  });
')
full_treble_only(`
  # Do not allow system components access to /vendor files except for the
  # ones allowed here.
  #
  # Unlike the vendor_file rule above this asserts `*` (any permission) over
  # every vendor_file_type except the explicitly vendor->framework interface
  # types listed on the target side (same-process HALs, public libs, configs,
  # key layouts, overlays, ...). Each source exemption is annotated with the
  # reason it still needs /vendor; the ones without a note are tracked under
  # the TODO.
  neverallow {
    coredomain
    # TODO(b/37168747): clean up fwk access to /vendor
    -crash_dump
    -crosvm # loads vendor-specific disk images
    -init # starts vendor executables
    -iorap_inode2filename
    -iorap_prefetcherd
    -kernel # loads /vendor/firmware
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -shell
    userdebug_or_eng(`-simpleperf_boot')
    -system_executes_vendor_violators
    -traced_perf # library/binary access for symbolization
    -ueventd # reads /vendor/ueventd.rc
    -vold # loads incremental fs driver
  } {
    vendor_file_type
    -same_process_hal_file
    -vendor_app_file
    -vendor_apex_file
    -vendor_configs_file
    -vendor_service_contexts_file
    -vendor_framework_file
    -vendor_idc_file
    -vendor_keychars_file
    -vendor_keylayout_file
    -vendor_overlay_file
    -vendor_public_framework_file
    -vendor_public_lib_file
    -vendor_task_profiles_file
    -vendor_uuid_mapping_config_file
    -vndk_sp_file
  }:file *;
')
# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;

# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
# The parenthetical gives examples only: system_file_type presumably covers
# more than /product (e.g. /system itself) - this file does not define it.
# dir_file_class_set means the assertion covers mounting on top of files and
# special files as well as directories.
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
#
# This asserts the property *file*; setting via property_service is governed
# elsewhere. dumpstate is exempted from the whole no_rw set, not only read,
# which is wider than the note above implies - presumably acceptable because
# dumpstate never sets properties through the file, but confirm.
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
} mm_events_config_prop:file no_rw_file_perms;
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are replaced with symbol
# names (if available). Traces don't disclose KASLR.
#
# /proc/kallsyms leaks the kernel's randomised layout to anyone who can read
# it, which is why open/read is restricted to init, vendor_init and the
# tracing daemons; profcollectd and simpleperf_boot are debug-only.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  -vendor_init
  userdebug_or_eng(`-simpleperf_boot')
  -traced_probes
  -traced_perf
} proc_kallsyms:file { open read };
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
#
# When debugfs restrictions are enforced: no reading or writing of debugfs
# files (other than tracefs) by any domain except vendor_modprobe; on
# userdebug/eng, init and hal_dumpstate are additionally exempt and the kcov
# node is additionally excluded from the target set. On user builds the kcov
# exclusion does not apply, so kcov is locked down there too.
enforce_debugfs_restriction(`
  neverallow {
    domain
    -vendor_modprobe
    userdebug_or_eng(`
      -init
      -hal_dumpstate
    ')
  } { debugfs_type
    userdebug_or_eng(`-debugfs_kcov')
    -tracefs_type
  }:file no_rw_file_perms;
')
# Restrict write access to etm sysfs interface.
# Only ueventd and vendor_init may write the CoreSight ETM sysfs nodes.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;

# Restrict write access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
#
# Only `open` is asserted, so a service that receives a shell-owned fd can
# still read/write through it. uncrypt, virtualizationservice and crosvm are
# exempt on userdebug/eng builds only; on user builds they cannot open
# anything under /data/local/tmp.
neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -installd
  userdebug_or_eng(`-uncrypt')
  userdebug_or_eng(`-virtualizationservice')
  userdebug_or_eng(`-crosvm')
} shell_data_file:file open;