# Property reads granted to every coredomain process.
# get_prop() is a policy macro defined outside this listing; each line names
# one property type that all core (system-side) domains may read. Nothing in
# this run lets coredomain set a property.
get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, dalvik_config_prop_type)
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, graphics_config_writable_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
get_prop(coredomain, zygote_config_prop)
get_prop(coredomain, zygote_wrap_prop)

# TODO(b/170590987): remove this after cleaning up default_prop
# Audit note: this is the broadest grant in the run. While it stays, every
# coredomain can read any property that still carries the default_prop label,
# so a property left unlabeled is readable by all system-side domains.
get_prop(coredomain, default_prop)
# Full-Treble builds only: no coredomain may be allowed any permission on
# sysfs_leds files, except the domains subtracted inside the braces.
# neverallow is an assertion over the allow rules checked when the policy is
# built; it does not add a runtime denial of its own. Each "-domain" entry is
# an exemption and should be reviewed as a widening of access.
full_treble_only(`
    neverallow {
        coredomain
        -init       # for chowning
        # generic access to sysfs_type
        -apexd
        -ueventd
        -vold
    } sysfs_leds:file *;
')
# On Treble devices only a small allowlist of coredomains may reach a limited
# set of files under /vendor; this keeps the system/vendor separation intact.
# The rule is an assertion over the allow rules: any coredomain that is not
# subtracted below must not be granted directory access to vendor_app_file.
# Exemptions are listed alphabetically so this list can be compared line by
# line with the vendor_app_file:file rule.
full_treble_only(`
    # Limit access to /vendor/app
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -dexoptanalyzer
        -heapprofd
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
    } vendor_app_file:dir { getattr open read search };
')
# File-level companion to the vendor_app_file:dir assertion (/vendor/app).
# r_file_perms is a permission-set macro defined outside this listing;
# presumably the read-side file permissions -- confirm against the macro
# definitions before relying on the exact set.
# Audit note: compared with the directory rule, this set additionally exempts
# mediaserver and profman, and on userdebug/eng builds only, profcollectd and
# simpleperf_boot. User builds therefore assert a stricter set than debug
# builds, so a policy that builds on userdebug can still fail on user.
full_treble_only(`
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -dexoptanalyzer
        -heapprofd
        -idmap
        -init
        -installd
        -mediaserver
        -postinstall_dexopt
        -profman
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
        # exemptions that exist only on userdebug/eng builds
        userdebug_or_eng(`-profcollectd')
        userdebug_or_eng(`-simpleperf_boot')
    } vendor_app_file:file r_file_perms;
')
# Full-Treble builds only: directory access to vendor_overlay_file is asserted
# off for every coredomain that is not subtracted below. Besides the domains
# exempted for /vendor/app directories, the three zygote domains (app_zygote,
# webview_zygote, zygote) are exempt here.
full_treble_only(`
    # Limit access to /vendor/overlay
    neverallow {
        coredomain
        -app_zygote
        -appdomain
        -artd
        -dex2oat
        -dexoptanalyzer
        -heapprofd
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
        -webview_zygote
        -zygote
    } vendor_overlay_file:dir { getattr open read search };
')
# File-level companion to the vendor_overlay_file:dir assertion
# (/vendor/overlay).
# Audit note: only the open permission is asserted. An allow rule that grants
# read on vendor_overlay_file files without open does not trip this check, so
# the rule constrains which domains may open overlay files themselves, not
# which domains may use a descriptor that another domain opened.
# profcollectd and simpleperf_boot are exempt on userdebug/eng builds only.
full_treble_only(`
    neverallow {
        coredomain
        -app_zygote
        -appdomain
        -artd
        -dex2oat
        -dexoptanalyzer
        -heapprofd
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
        -webview_zygote
        -zygote
        # exemptions that exist only on userdebug/eng builds
        userdebug_or_eng(`-profcollectd')
        userdebug_or_eng(`-simpleperf_boot')
    } vendor_overlay_file:file open;
')
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled. Each assertion below targets the generic type of one
# kernel filesystem or device class, so a coredomain that needs such a file
# has to be given a specifically labeled one instead.
# no_rw_file_perms is a permission-set macro defined outside this listing.
# The whole group is wrapped in full_treble_only, so none of these assertions
# is made on builds that are not full Treble.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
    # /proc
    neverallow { coredomain -init -vold } proc:file no_rw_file_perms;

    # /sys
    neverallow {
        coredomain
        -apexd
        -init
        -ueventd
        -vold
        # exempt only when this release flag is enabled
        is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `-vfio_handler')
    } sysfs:file no_rw_file_perms;

    # /dev
    neverallow {
        coredomain
        -apexd
        -fsck
        -init
        -ueventd
    } device:{ blk_file file } no_rw_file_perms;

    # debugfs
    # All three exemptions sit inside no_debugfs_restriction, a macro defined
    # outside this listing; presumably they vanish when the debugfs
    # restriction is enforced, leaving no exempt coredomain -- confirm
    # against the macro definition.
    neverallow {
        coredomain
        no_debugfs_restriction(`
            -dumpstate
            -init
            -system_server
        ')
    } debugfs:file no_rw_file_perms;

    # tracefs
    neverallow {
        coredomain
        -atrace
        -dumpstate
        -gpuservice
        -init
        -shell
        -system_server
        -traced_perf
        -traced_probes
        -traceur_app
        # exemptions that exist only on userdebug/eng builds
        userdebug_or_eng(`-profcollectd')
        userdebug_or_eng(`-simpleperf_boot')
    } debugfs_tracing:file no_rw_file_perms;

    # inotifyfs
    neverallow { coredomain -init } inotify:file no_rw_file_perms;

    # pstorefs
    neverallow {
        coredomain
        -bootstat
        -charger
        -dumpstate
        -init
        -logd
        -logpersist
        -recovery_persist
        -recovery_refresh
        -shell
        -system_server
        # exemption that exists only on userdebug/eng builds
        userdebug_or_eng(`-incidentd')
    } pstorefs:file no_rw_file_perms;

    # configfs
    neverallow { coredomain -init -system_server } configfs:file no_rw_file_perms;

    # functionfs
    neverallow {
        coredomain
        -adbd
        -init
        -mediaprovider
        -system_server
    } functionfs:file no_rw_file_perms;

    # usbfs and binfmt_miscfs
    neverallow { coredomain -init } { usbfs binfmt_miscfs }:file no_rw_file_perms;

    # dmabuf heaps
    # Target set: every dmabuf heap device type except the system heap and
    # the system secure heap, which stay reachable by coredomain.
    neverallow {
        coredomain
        -init
        -ueventd
    } {
        dmabuf_heap_device_type
        -dmabuf_system_heap_device
        -dmabuf_system_secure_heap_device
    }:chr_file no_rw_file_perms;
')
# The following /dev nodes must not be accessed directly by coredomain; access
# is expected to go through a HAL instead.
# Unlike the rules wrapped in full_treble_only, this assertion is
# unconditional and has no exempt domain, so it holds on every build.
neverallow coredomain { iio_device radio_device }:chr_file { append ioctl open read write };
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
# Because of that, the assertion can only be made on full-Treble builds; on
# other builds coredomain access to tee_device is not checked by this file.
full_treble_only(`
    neverallow coredomain tee_device:chr_file { append ioctl open read write };
')