2012-01-04 18:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# domain_trans(olddomain, type, newdomain)
|
|
|
|
# Allow a transition from olddomain to newdomain
|
|
|
|
# upon executing a file labeled with type.
|
|
|
|
# This only allows the transition; it does not
|
|
|
|
# cause it to occur automatically - use domain_auto_trans
|
|
|
|
# if that is what you want.
|
|
|
|
#
|
|
|
|
define(`domain_trans', `
|
|
|
|
# Old domain may exec the file and transition to the new domain.
|
2017-07-10 15:32:10 +02:00
|
|
|
allow $1 $2:file { getattr open read execute map };
|
2012-01-04 18:33:27 +01:00
|
|
|
allow $1 $3:process transition;
|
|
|
|
# New domain is entered by executing the file.
|
2017-07-10 15:32:10 +02:00
|
|
|
allow $3 $2:file { entrypoint open read execute getattr map };
|
2012-01-04 18:33:27 +01:00
|
|
|
# New domain can send SIGCHLD to its caller.
|
2016-04-23 20:14:06 +02:00
|
|
|
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
|
2012-01-04 18:33:27 +01:00
|
|
|
# Enable AT_SECURE, i.e. libc secure mode.
|
|
|
|
dontaudit $1 $3:process noatsecure;
|
|
|
|
# XXX dontaudit candidate but requires further study.
|
|
|
|
allow $1 $3:process { siginh rlimitinh };
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# domain_auto_trans(olddomain, type, newdomain)
|
|
|
|
# Automatically transition from olddomain to newdomain
|
|
|
|
# upon executing a file labeled with type.
|
|
|
|
#
|
|
|
|
define(`domain_auto_trans', `
|
|
|
|
# Allow the necessary permissions.
|
|
|
|
domain_trans($1,$2,$3)
|
|
|
|
# Make the transition occur by default.
|
|
|
|
type_transition $1 $2:process $3;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# file_type_trans(domain, dir_type, file_type)
|
|
|
|
# Allow domain to create a file labeled file_type in a
|
|
|
|
# directory labeled dir_type.
|
|
|
|
# This only allows the transition; it does not
|
|
|
|
# cause it to occur automatically - use file_type_auto_trans
|
|
|
|
# if that is what you want.
|
|
|
|
#
|
|
|
|
define(`file_type_trans', `
|
|
|
|
# Allow the domain to add entries to the directory.
|
|
|
|
allow $1 $2:dir ra_dir_perms;
|
|
|
|
# Allow the domain to create the file.
|
|
|
|
allow $1 $3:notdevfile_class_set create_file_perms;
|
|
|
|
allow $1 $3:dir create_dir_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# file_type_auto_trans(domain, dir_type, file_type)
|
|
|
|
# Automatically label new files with file_type when
|
|
|
|
# they are created by domain in directories labeled dir_type.
|
|
|
|
#
|
|
|
|
define(`file_type_auto_trans', `
|
|
|
|
# Allow the necessary permissions.
|
|
|
|
file_type_trans($1, $2, $3)
|
|
|
|
# Make the transition occur by default.
|
|
|
|
type_transition $1 $2:dir $3;
|
|
|
|
type_transition $1 $2:notdevfile_class_set $3;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# r_dir_file(domain, type)
|
|
|
|
# Allow the specified domain to read directories, files
|
|
|
|
# and symbolic links of the specified type.
|
|
|
|
define(`r_dir_file', `
|
|
|
|
allow $1 $2:dir r_dir_perms;
|
|
|
|
allow $1 $2:{ file lnk_file } r_file_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# tmpfs_domain(domain)
|
2019-01-24 00:07:40 +01:00
|
|
|
# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
|
2012-01-04 18:33:27 +01:00
|
|
|
define(`tmpfs_domain', `
|
|
|
|
type_transition $1 tmpfs:file $1_tmpfs;
|
2017-11-01 18:22:58 +01:00
|
|
|
allow $1 $1_tmpfs:file { read write getattr map };
|
2012-01-04 18:33:27 +01:00
|
|
|
')
|
|
|
|
|
2017-02-10 00:15:11 +01:00
|
|
|
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
|
|
|
|
# rules from underlying transport (e.g. UDS-based implementation).
|
|
|
|
|
|
|
|
#####################################
|
2017-05-01 22:01:44 +02:00
|
|
|
# pdx_service_attributes(service)
|
|
|
|
# Defines type attribute used to identify various service-related types.
|
|
|
|
define(`pdx_service_attributes', `
|
|
|
|
attribute pdx_$1_endpoint_dir_type;
|
|
|
|
attribute pdx_$1_endpoint_socket_type;
|
|
|
|
attribute pdx_$1_channel_socket_type;
|
|
|
|
attribute pdx_$1_server_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# pdx_service_socket_types(service, endpoint_dir_t)
|
|
|
|
# Define types for endpoint and channel sockets.
|
|
|
|
define(`pdx_service_socket_types', `
|
|
|
|
typeattribute $2 pdx_$1_endpoint_dir_type;
|
|
|
|
type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
|
|
|
|
type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
|
2017-06-27 01:25:20 +02:00
|
|
|
userdebug_or_eng(`
|
|
|
|
dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
|
|
|
|
dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
|
|
|
|
')
|
2017-05-01 22:01:44 +02:00
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# pdx_server(server_domain, service)
|
2017-02-10 00:15:11 +01:00
|
|
|
define(`pdx_server', `
|
2017-05-01 22:01:44 +02:00
|
|
|
# Mark the server domain as a PDX server.
|
|
|
|
typeattribute $1 pdx_$2_server_type;
|
|
|
|
# Allow the init process to create the initial endpoint socket.
|
|
|
|
allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
|
|
|
|
# Allow the server domain to use the endpoint socket and accept connections on it.
|
|
|
|
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
|
|
|
|
# than we need (e.g. we don"t need "bind" or "connect").
|
|
|
|
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
|
|
|
|
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
|
|
|
|
allow $1 self:process setsockcreate;
|
|
|
|
# Allow the server domain to create a client channel socket.
|
|
|
|
allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
|
|
|
|
# Prevent other processes from claiming to be a server for the same service.
|
|
|
|
neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
|
2017-02-10 00:15:11 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
2017-05-01 22:01:44 +02:00
|
|
|
# pdx_connect(client, service)
|
|
|
|
define(`pdx_connect', `
|
|
|
|
# Allow client to open the service endpoint file.
|
|
|
|
allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
|
|
|
|
allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
|
|
|
|
# Allow the client to connect to endpoint socket.
|
|
|
|
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# pdx_use(client, service)
|
|
|
|
define(`pdx_use', `
|
|
|
|
# Allow the client to use the PDX channel socket.
|
|
|
|
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
|
|
|
|
# than we need (e.g. we don"t need "bind" or "connect").
|
|
|
|
allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
|
|
|
|
# Client needs to use an channel event fd from the server.
|
|
|
|
allow $1 pdx_$2_server_type:fd use;
|
2017-02-10 00:15:11 +01:00
|
|
|
# Servers may receive sync fences, gralloc buffers, etc, from clients.
|
|
|
|
# This could be tightened on a per-server basis, but keeping track of service
|
|
|
|
# clients is error prone.
|
2017-05-01 22:01:44 +02:00
|
|
|
allow pdx_$2_server_type $1:fd use;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# pdx_client(client, service)
|
|
|
|
define(`pdx_client', `
|
|
|
|
pdx_connect($1, $2)
|
|
|
|
pdx_use($1, $2)
|
2017-02-10 00:15:11 +01:00
|
|
|
')
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# init_daemon_domain(domain)
|
|
|
|
# Set up a transition from init to the daemon domain
|
|
|
|
# upon executing its binary.
|
|
|
|
define(`init_daemon_domain', `
|
|
|
|
domain_auto_trans(init, $1_exec, $1)
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# app_domain(domain)
|
|
|
|
# Allow a base set of permissions required for all apps.
|
|
|
|
define(`app_domain', `
|
|
|
|
typeattribute $1 appdomain;
|
2019-01-29 23:43:45 +01:00
|
|
|
# Label tmpfs objects for all apps.
|
|
|
|
type_transition $1 tmpfs:file appdomain_tmpfs;
|
|
|
|
allow $1 appdomain_tmpfs:file { execute getattr map read write };
|
2019-01-08 01:37:24 +01:00
|
|
|
neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
|
|
|
|
neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
|
2018-07-26 08:48:14 +02:00
|
|
|
# The Android security model guarantees the confidentiality and integrity
|
|
|
|
# of application data and execution state. Ptrace bypasses those
|
|
|
|
# confidentiality guarantees. Disallow ptrace access from system components
|
|
|
|
# to apps. Crash_dump is excluded, as it needs ptrace access to
|
2018-08-08 01:03:47 +02:00
|
|
|
# produce stack traces. llkd is excluded, as it needs to inspect
|
2019-01-08 01:37:24 +01:00
|
|
|
# the kernel stack for live lock conditions. runas_app is excluded, as it can
|
|
|
|
# only access debuggable apps.
|
|
|
|
neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
|
2012-01-04 18:33:27 +01:00
|
|
|
')
|
|
|
|
|
2017-02-13 22:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# untrusted_app_domain(domain)
|
|
|
|
# Allow a base set of permissions required for all untrusted apps.
|
|
|
|
define(`untrusted_app_domain', `
|
|
|
|
typeattribute $1 untrusted_app_all;
|
|
|
|
')
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# net_domain(domain)
|
|
|
|
# Allow a base set of permissions required for network access.
|
|
|
|
define(`net_domain', `
|
|
|
|
typeattribute $1 netdomain;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# bluetooth_domain(domain)
|
|
|
|
# Allow a base set of permissions required for bluetooth access.
|
|
|
|
define(`bluetooth_domain', `
|
|
|
|
typeattribute $1 bluetoothdomain;
|
|
|
|
')
|
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
#####################################
|
|
|
|
# hal_attribute(hal_name)
|
|
|
|
# Add an attribute for hal implementations along with necessary
|
|
|
|
# restrictions.
|
|
|
|
define(`hal_attribute', `
|
|
|
|
attribute hal_$1;
|
|
|
|
expandattribute hal_$1 true;
|
|
|
|
attribute hal_$1_client;
|
|
|
|
expandattribute hal_$1_client true;
|
|
|
|
attribute hal_$1_server;
|
|
|
|
expandattribute hal_$1_server false;
|
|
|
|
|
|
|
|
neverallow { hal_$1_server -halserverdomain } domain:process fork;
|
2018-06-05 23:11:08 +02:00
|
|
|
# hal_*_client and halclientdomain attributes are always expanded for
|
|
|
|
# performance reasons. Neverallow rules targeting expanded attributes can not be
|
|
|
|
# verified by CTS since these attributes are already expanded by that time.
|
|
|
|
build_test_only(`
|
|
|
|
neverallow { hal_$1_server -hal_$1 } domain:process fork;
|
2018-04-26 19:10:43 +02:00
|
|
|
neverallow { hal_$1_client -halclientdomain } domain:process fork;
|
2017-09-26 21:58:29 +02:00
|
|
|
')
|
2018-06-05 23:11:08 +02:00
|
|
|
')
|
2017-09-26 21:58:29 +02:00
|
|
|
|
2017-02-13 23:40:49 +01:00
|
|
|
#####################################
|
|
|
|
# hal_server_domain(domain, hal_type)
|
|
|
|
# Allow a base set of permissions required for a domain to offer a
|
|
|
|
# HAL implementation of the specified type over HwBinder.
|
|
|
|
#
|
|
|
|
# For example, default implementation of Foo HAL:
|
|
|
|
# type hal_foo_default, domain;
|
|
|
|
# hal_server_domain(hal_foo_default, hal_foo)
|
|
|
|
#
|
|
|
|
define(`hal_server_domain', `
|
|
|
|
typeattribute $1 halserverdomain;
|
|
|
|
typeattribute $1 $2_server;
|
|
|
|
typeattribute $1 $2;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# hal_client_domain(domain, hal_type)
|
|
|
|
# Allow a base set of permissions required for a domain to be a
|
|
|
|
# client of a HAL of the specified type.
|
|
|
|
#
|
|
|
|
# For example, make some_domain a client of Foo HAL:
|
|
|
|
# hal_client_domain(some_domain, hal_foo)
|
|
|
|
#
|
|
|
|
define(`hal_client_domain', `
|
|
|
|
typeattribute $1 halclientdomain;
|
|
|
|
typeattribute $1 $2_client;
|
|
|
|
|
2017-04-07 22:29:57 +02:00
|
|
|
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
|
|
|
|
# non-Treble devices. For now, on non-Treble device, always grant clients of a
|
|
|
|
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
|
|
|
|
not_full_treble(`
|
2017-02-13 23:40:49 +01:00
|
|
|
typeattribute $1 $2;
|
|
|
|
# Find passthrough HAL implementations
|
|
|
|
allow $2 system_file:dir r_dir_perms;
|
2017-04-02 02:17:12 +02:00
|
|
|
allow $2 vendor_file:dir r_dir_perms;
|
2017-08-23 07:10:33 +02:00
|
|
|
allow $2 vendor_file:file { read open getattr execute map };
|
2017-02-13 23:40:49 +01:00
|
|
|
')
|
2017-04-07 22:29:57 +02:00
|
|
|
')
|
2017-02-13 23:40:49 +01:00
|
|
|
|
2017-03-20 21:11:33 +01:00
|
|
|
#####################################
|
|
|
|
# passthrough_hal_client_domain(domain, hal_type)
|
|
|
|
# Allow a base set of permissions required for a domain to be a
|
|
|
|
# client of a passthrough HAL of the specified type.
|
|
|
|
#
|
|
|
|
# For example, make some_domain a client of passthrough Foo HAL:
|
|
|
|
# passthrough_hal_client_domain(some_domain, hal_foo)
|
|
|
|
#
|
|
|
|
define(`passthrough_hal_client_domain', `
|
|
|
|
typeattribute $1 halclientdomain;
|
|
|
|
typeattribute $1 $2_client;
|
|
|
|
typeattribute $1 $2;
|
|
|
|
# Find passthrough HAL implementations
|
|
|
|
allow $2 system_file:dir r_dir_perms;
|
2017-04-02 02:17:12 +02:00
|
|
|
allow $2 vendor_file:dir r_dir_perms;
|
2017-08-23 07:10:33 +02:00
|
|
|
allow $2 vendor_file:file { read open getattr execute map };
|
2017-03-20 21:11:33 +01:00
|
|
|
')
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# unix_socket_connect(clientdomain, socket, serverdomain)
|
|
|
|
# Allow a local socket connection from clientdomain via
|
|
|
|
# socket to serverdomain.
|
2015-05-05 03:22:45 +02:00
|
|
|
#
|
|
|
|
# Note: If you see denial records that distill to the
|
|
|
|
# following allow rules:
|
|
|
|
# allow clientdomain property_socket:sock_file write;
|
|
|
|
# allow clientdomain init:unix_stream_socket connectto;
|
|
|
|
# allow clientdomain something_prop:property_service set;
|
|
|
|
#
|
|
|
|
# This sequence is indicative of attempting to set a property.
|
|
|
|
# use set_prop(sourcedomain, targetproperty)
|
|
|
|
#
|
2012-01-04 18:33:27 +01:00
|
|
|
define(`unix_socket_connect', `
|
|
|
|
allow $1 $2_socket:sock_file write;
|
|
|
|
allow $1 $3:unix_stream_socket connectto;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
2015-05-05 03:22:45 +02:00
|
|
|
# set_prop(sourcedomain, targetproperty)
|
|
|
|
# Allows source domain to set the
|
|
|
|
# targetproperty.
|
|
|
|
#
|
|
|
|
define(`set_prop', `
|
2018-02-02 17:57:35 +01:00
|
|
|
unix_socket_connect($1, property, init)
|
2015-05-05 03:22:45 +02:00
|
|
|
allow $1 $2:property_service set;
|
2015-12-08 23:45:50 +01:00
|
|
|
get_prop($1, $2)
|
2015-05-05 03:22:45 +02:00
|
|
|
')
|
|
|
|
|
2015-12-02 01:58:27 +01:00
|
|
|
#####################################
|
|
|
|
# get_prop(sourcedomain, targetproperty)
|
|
|
|
# Allows source domain to read the
|
|
|
|
# targetproperty.
|
|
|
|
#
|
|
|
|
define(`get_prop', `
|
2018-10-10 18:02:12 +02:00
|
|
|
allow $1 $2:file { getattr open read map };
|
2015-12-02 01:58:27 +01:00
|
|
|
')
|
|
|
|
|
2015-05-05 03:22:45 +02:00
|
|
|
#####################################
|
2012-01-04 18:33:27 +01:00
|
|
|
# unix_socket_send(clientdomain, socket, serverdomain)
|
|
|
|
# Allow a local socket send from clientdomain via
|
|
|
|
# socket to serverdomain.
|
|
|
|
define(`unix_socket_send', `
|
|
|
|
allow $1 $2_socket:sock_file write;
|
|
|
|
allow $1 $3:unix_dgram_socket sendto;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# binder_use(domain)
|
|
|
|
# Allow domain to use Binder IPC.
|
|
|
|
define(`binder_use', `
|
2012-11-16 15:17:54 +01:00
|
|
|
# Call the servicemanager and transfer references to it.
|
|
|
|
allow $1 servicemanager:binder { call transfer };
|
2014-07-07 22:56:27 +02:00
|
|
|
# servicemanager performs getpidcon on clients.
|
|
|
|
allow servicemanager $1:dir search;
|
|
|
|
allow servicemanager $1:file { read open };
|
|
|
|
allow servicemanager $1:process getattr;
|
2012-01-04 18:33:27 +01:00
|
|
|
# rw access to /dev/binder and /dev/ashmem is presently granted to
|
|
|
|
# all domains in domain.te.
|
|
|
|
')
|
|
|
|
|
2016-07-08 13:49:09 +02:00
|
|
|
#####################################
|
|
|
|
# hwbinder_use(domain)
|
|
|
|
# Allow domain to use HwBinder IPC.
|
|
|
|
define(`hwbinder_use', `
|
|
|
|
# Call the hwservicemanager and transfer references to it.
|
|
|
|
allow $1 hwservicemanager:binder { call transfer };
|
2016-12-15 19:46:22 +01:00
|
|
|
# Allow hwservicemanager to send out callbacks
|
|
|
|
allow hwservicemanager $1:binder { call transfer };
|
2016-07-08 13:49:09 +02:00
|
|
|
# hwservicemanager performs getpidcon on clients.
|
|
|
|
allow hwservicemanager $1:dir search;
|
2018-08-13 19:31:58 +02:00
|
|
|
allow hwservicemanager $1:file { read open map };
|
2016-07-08 13:49:09 +02:00
|
|
|
allow hwservicemanager $1:process getattr;
|
|
|
|
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
|
|
|
|
# all domains in domain.te.
|
|
|
|
')
|
|
|
|
|
2017-03-22 00:01:52 +01:00
|
|
|
#####################################
|
|
|
|
# vndbinder_use(domain)
|
|
|
|
# Allow domain to use Binder IPC.
|
|
|
|
define(`vndbinder_use', `
|
|
|
|
# Talk to the vndbinder device node
|
|
|
|
allow $1 vndbinder_device:chr_file rw_file_perms;
|
|
|
|
# Call the vndservicemanager and transfer references to it.
|
|
|
|
allow $1 vndservicemanager:binder { call transfer };
|
|
|
|
# vndservicemanager performs getpidcon on clients.
|
|
|
|
allow vndservicemanager $1:dir search;
|
2018-08-13 19:31:58 +02:00
|
|
|
allow vndservicemanager $1:file { read open map };
|
2017-03-22 00:01:52 +01:00
|
|
|
allow vndservicemanager $1:process getattr;
|
|
|
|
')
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# binder_call(clientdomain, serverdomain)
|
|
|
|
# Allow clientdomain to perform binder IPC to serverdomain.
|
|
|
|
define(`binder_call', `
|
2012-11-16 15:17:54 +01:00
|
|
|
# Call the server domain and optionally transfer references to it.
|
|
|
|
allow $1 $2:binder { call transfer };
|
|
|
|
# Allow the serverdomain to transfer references to the client on the reply.
|
|
|
|
allow $2 $1:binder transfer;
|
2012-01-04 18:33:27 +01:00
|
|
|
# Receive and use open files from the server.
|
|
|
|
allow $1 $2:fd use;
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# binder_service(domain)
|
|
|
|
# Mark a domain as being a Binder service domain.
|
|
|
|
# Used to allow binder IPC to the various system services.
|
|
|
|
define(`binder_service', `
|
|
|
|
typeattribute $1 binderservicedomain;
|
|
|
|
')
|
|
|
|
|
2016-12-15 21:49:38 +01:00
|
|
|
#####################################
|
2014-05-23 22:33:32 +02:00
|
|
|
# wakelock_use(domain)
|
|
|
|
# Allow domain to manage wake locks
|
|
|
|
define(`wakelock_use', `
|
2019-02-27 01:45:40 +01:00
|
|
|
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
|
|
|
|
# deprecated.
|
2014-05-23 22:33:32 +02:00
|
|
|
# Access /sys/power/wake_lock and /sys/power/wake_unlock
|
|
|
|
allow $1 sysfs_wake_lock:file rw_file_perms;
|
|
|
|
# Accessing these files requires CAP_BLOCK_SUSPEND
|
2017-11-09 23:51:26 +01:00
|
|
|
allow $1 self:global_capability2_class_set block_suspend;
|
2019-02-27 01:45:40 +01:00
|
|
|
# system_suspend permissions
|
|
|
|
binder_call($1, system_suspend_server)
|
2018-04-09 02:15:08 +02:00
|
|
|
allow $1 system_suspend_hwservice:hwservice_manager find;
|
2019-02-27 01:45:40 +01:00
|
|
|
# halclientdomain permissions
|
2018-04-09 02:15:08 +02:00
|
|
|
hwbinder_use($1)
|
|
|
|
get_prop($1, hwservicemanager_prop)
|
|
|
|
allow $1 hidl_manager_hwservice:hwservice_manager find;
|
2014-05-23 22:33:32 +02:00
|
|
|
')
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
#####################################
|
|
|
|
# selinux_check_access(domain)
|
|
|
|
# Allow domain to check SELinux permissions via selinuxfs.
|
|
|
|
define(`selinux_check_access', `
|
2016-09-10 01:27:17 +02:00
|
|
|
r_dir_file($1, selinuxfs)
|
|
|
|
allow $1 selinuxfs:file w_file_perms;
|
2012-01-04 18:33:27 +01:00
|
|
|
allow $1 kernel:security compute_av;
|
2016-11-21 23:38:17 +01:00
|
|
|
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
|
2012-01-04 18:33:27 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# selinux_check_context(domain)
|
|
|
|
# Allow domain to check SELinux contexts via selinuxfs.
|
|
|
|
define(`selinux_check_context', `
|
2016-09-10 01:27:17 +02:00
|
|
|
r_dir_file($1, selinuxfs)
|
|
|
|
allow $1 selinuxfs:file w_file_perms;
|
2012-01-04 18:33:27 +01:00
|
|
|
allow $1 kernel:security check_context;
|
|
|
|
')
|
|
|
|
|
2013-09-27 15:44:32 +02:00
|
|
|
#####################################
|
|
|
|
# create_pty(domain)
|
|
|
|
# Allow domain to create and use a pty, isolated from any other domain ptys.
|
|
|
|
define(`create_pty', `
|
|
|
|
# Each domain gets a unique devpts type.
|
|
|
|
type $1_devpts, fs_type;
|
|
|
|
# Label the pty with the unique type when created.
|
|
|
|
type_transition $1 devpts:chr_file $1_devpts;
|
|
|
|
# Allow use of the pty after creation.
|
|
|
|
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
|
2016-11-22 23:22:43 +01:00
|
|
|
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
|
|
|
|
# TIOCSTI is only ever used for exploits. Block it.
|
|
|
|
# b/33073072, b/7530569
|
|
|
|
# http://www.openwall.com/lists/oss-security/2016/09/26/14
|
|
|
|
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
|
2013-09-27 15:44:32 +02:00
|
|
|
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
|
|
|
|
# allowed to everyone via domain.te.
|
|
|
|
')
|
|
|
|
|
2013-04-29 16:31:24 +02:00
|
|
|
#####################################
|
|
|
|
# Non system_app application set
|
|
|
|
#
|
|
|
|
define(`non_system_app_set', `{ appdomain -system_app }')
|
2014-01-10 00:25:36 +01:00
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
#####################################
|
|
|
|
# Recovery only
|
|
|
|
# SELinux rules which apply only to recovery mode
|
|
|
|
#
|
|
|
|
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
|
|
|
|
|
2017-03-23 22:27:32 +01:00
|
|
|
#####################################
|
|
|
|
# Full TREBLE only
|
|
|
|
# SELinux rules which apply only to full TREBLE devices
|
|
|
|
#
|
2017-04-06 23:45:50 +02:00
|
|
|
define(`full_treble_only', ifelse(target_full_treble, `true', $1,
|
|
|
|
ifelse(target_full_treble, `cts',
|
|
|
|
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
|
|
|
|
$1
|
|
|
|
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
|
|
|
|
, )))
|
2017-03-23 22:27:32 +01:00
|
|
|
|
|
|
|
#####################################
|
|
|
|
# Not full TREBLE
|
|
|
|
# SELinux rules which apply only to devices which are not full TREBLE devices
|
|
|
|
#
|
|
|
|
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
|
|
|
|
|
2017-10-19 09:54:49 +02:00
|
|
|
#####################################
|
|
|
|
# Compatible property only
|
|
|
|
# SELinux rules which apply only to devices with compatible property
|
|
|
|
#
|
|
|
|
define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
|
|
|
|
ifelse(target_compatible_property, `cts',
|
|
|
|
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
|
|
|
|
$1
|
|
|
|
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
|
|
|
|
, )))
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# Not compatible property
|
|
|
|
# SELinux rules which apply only to devices without compatible property
|
|
|
|
#
|
|
|
|
define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
|
|
|
|
|
2014-01-10 00:25:36 +01:00
|
|
|
#####################################
|
|
|
|
# Userdebug or eng builds
|
|
|
|
# SELinux rules which apply only to userdebug or eng builds
|
|
|
|
#
|
|
|
|
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
|
2014-01-11 10:31:03 +01:00
|
|
|
|
2017-03-13 20:22:15 +01:00
|
|
|
#####################################
|
|
|
|
# asan builds
|
|
|
|
# SELinux rules which apply only to asan builds
|
|
|
|
#
|
|
|
|
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
|
|
|
|
|
2018-06-05 23:11:08 +02:00
|
|
|
#####################################
|
|
|
|
# Build-time-only test
|
|
|
|
# SELinux rules which are verified during build, but not as part of *TS testing.
|
|
|
|
#
|
|
|
|
define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
|
|
|
|
|
2017-03-07 03:13:05 +01:00
|
|
|
####################################
|
|
|
|
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
|
|
|
|
#
|
|
|
|
define(`crash_dump_fallback', `
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow $1 su:fifo_file append;
|
|
|
|
')
|
|
|
|
allow $1 anr_data_file:file append;
|
2017-06-02 23:43:27 +02:00
|
|
|
allow $1 dumpstate:fd use;
|
2018-03-13 00:21:40 +01:00
|
|
|
allow $1 incidentd:fd use;
|
2017-07-20 02:29:43 +02:00
|
|
|
# TODO: Figure out why write is needed.
|
2017-06-05 23:12:16 +02:00
|
|
|
allow $1 dumpstate:fifo_file { append write };
|
2018-03-13 00:21:40 +01:00
|
|
|
allow $1 incidentd:fifo_file { append write };
|
2017-07-20 02:29:43 +02:00
|
|
|
allow $1 system_server:fifo_file { append write };
|
2017-03-07 03:13:05 +01:00
|
|
|
allow $1 tombstoned:unix_stream_socket connectto;
|
2017-03-13 03:02:36 +01:00
|
|
|
allow $1 tombstoned:fd use;
|
2017-03-07 03:13:05 +01:00
|
|
|
allow $1 tombstoned_crash_socket:sock_file write;
|
2017-03-13 03:02:36 +01:00
|
|
|
allow $1 tombstone_data_file:file append;
|
2017-03-07 03:13:05 +01:00
|
|
|
')
|
|
|
|
|
2016-11-18 14:42:35 +01:00
|
|
|
#####################################
|
|
|
|
# WITH_DEXPREOPT builds
|
2016-12-05 12:46:42 +01:00
|
|
|
# SELinux rules which apply only when pre-opting.
|
2016-11-18 14:42:35 +01:00
|
|
|
#
|
2016-12-05 12:46:42 +01:00
|
|
|
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
|
2016-11-18 14:42:35 +01:00
|
|
|
|
2013-11-13 00:34:52 +01:00
|
|
|
#####################################
|
|
|
|
# write_logd(domain)
|
|
|
|
# Ability to write to android log
|
|
|
|
# daemon via sockets
|
|
|
|
define(`write_logd', `
|
|
|
|
unix_socket_send($1, logdw, logd)
|
2014-12-15 21:01:35 +01:00
|
|
|
allow $1 pmsg_device:chr_file w_file_perms;
|
2013-11-13 00:34:52 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# read_logd(domain)
|
2014-09-04 14:44:49 +02:00
|
|
|
# Ability to run logcat and read from android
|
2013-11-13 00:34:52 +01:00
|
|
|
# log daemon via sockets
|
|
|
|
define(`read_logd', `
|
2014-09-04 14:44:49 +02:00
|
|
|
allow $1 logcat_exec:file rx_file_perms;
|
2013-11-13 00:34:52 +01:00
|
|
|
unix_socket_connect($1, logdr, logd)
|
|
|
|
')
|
|
|
|
|
2016-11-08 00:11:39 +01:00
|
|
|
#####################################
|
|
|
|
# read_runtime_log_tags(domain)
|
|
|
|
# ability to directly map the runtime event log tags
|
|
|
|
define(`read_runtime_log_tags', `
|
|
|
|
allow $1 runtime_event_log_tags_file:file r_file_perms;
|
|
|
|
')
|
|
|
|
|
2013-11-13 00:34:52 +01:00
|
|
|
#####################################
|
|
|
|
# control_logd(domain)
|
|
|
|
# Ability to control
|
|
|
|
# android log daemon via sockets
|
|
|
|
define(`control_logd', `
|
|
|
|
# Group AID_LOG checked by filesystem & logd
|
|
|
|
# to permit control commands
|
|
|
|
unix_socket_connect($1, logd, logd)
|
|
|
|
')
|
2014-06-17 23:58:52 +02:00
|
|
|
|
|
|
|
#####################################
|
|
|
|
# use_keystore(domain)
|
|
|
|
# Ability to use keystore.
|
|
|
|
# Keystore is requires the following permissions
|
|
|
|
# to call getpidcon.
|
|
|
|
define(`use_keystore', `
|
|
|
|
allow keystore $1:dir search;
|
|
|
|
allow keystore $1:file { read open };
|
|
|
|
allow keystore $1:process getattr;
|
2015-03-02 19:59:05 +01:00
|
|
|
allow $1 keystore_service:service_manager find;
|
2014-06-17 23:58:52 +02:00
|
|
|
binder_call($1, keystore)
|
2018-03-27 22:08:51 +02:00
|
|
|
binder_call(keystore, $1)
|
2014-06-17 23:58:52 +02:00
|
|
|
')
|
2014-07-07 22:56:27 +02:00
|
|
|
|
2014-07-02 21:42:59 +02:00
|
|
|
###########################################
|
|
|
|
# use_drmservice(domain)
|
|
|
|
# Ability to use DrmService which requires
|
|
|
|
# DrmService to call getpidcon.
|
|
|
|
define(`use_drmservice', `
|
|
|
|
allow drmserver $1:dir search;
|
|
|
|
allow drmserver $1:file { read open };
|
|
|
|
allow drmserver $1:process getattr;
|
|
|
|
')
|
2015-05-11 22:02:46 +02:00
|
|
|
|
2017-01-19 22:23:52 +01:00
|
|
|
###########################################
|
|
|
|
# add_service(domain, service)
|
|
|
|
# Ability for domain to add a service to service_manager
|
|
|
|
# and find it. It also creates a neverallow preventing
|
|
|
|
# others from adding it.
|
|
|
|
define(`add_service', `
|
|
|
|
allow $1 $2:service_manager { add find };
|
|
|
|
neverallow { domain -$1 } $2:service_manager add;
|
|
|
|
')
|
|
|
|
|
2017-04-13 19:29:42 +02:00
|
|
|
###########################################
|
|
|
|
# add_hwservice(domain, service)
|
|
|
|
# Ability for domain to add a service to hwservice_manager
|
|
|
|
# and find it. It also creates a neverallow preventing
|
|
|
|
# others from adding it.
|
|
|
|
define(`add_hwservice', `
|
|
|
|
allow $1 $2:hwservice_manager { add find };
|
2017-04-14 04:05:27 +02:00
|
|
|
allow $1 hidl_base_hwservice:hwservice_manager add;
|
2017-04-13 22:28:35 +02:00
|
|
|
neverallow { domain -$1 } $2:hwservice_manager add;
|
2017-04-13 19:29:42 +02:00
|
|
|
')
|
2018-05-31 01:43:17 +02:00
|
|
|
|
|
|
|
###########################################
|
2018-06-06 18:30:18 +02:00
|
|
|
# hal_attribute_hwservice(attribute, service)
|
2018-05-31 01:43:17 +02:00
|
|
|
# Ability for domain to get a service to hwservice_manager
|
|
|
|
# and find it. It also creates a neverallow preventing
|
|
|
|
# others from adding it.
|
|
|
|
#
|
|
|
|
# Used to pair hal_foo_client with hal_foo_hwservice
|
2018-06-06 18:30:18 +02:00
|
|
|
define(`hal_attribute_hwservice', `
|
2018-05-31 01:43:17 +02:00
|
|
|
allow $1_client $2:hwservice_manager find;
|
2018-06-06 18:22:56 +02:00
|
|
|
add_hwservice($1_server, $2)
|
2018-06-05 23:11:08 +02:00
|
|
|
|
|
|
|
build_test_only(`
|
|
|
|
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
|
|
|
|
')
|
2018-05-31 01:43:17 +02:00
|
|
|
')
|
2018-10-30 13:19:27 +01:00
|
|
|
|
|
|
|
###################################
|
|
|
|
# can_profile_heap(domain)
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Allow processes within the domain to have their heap profiled by heapprofd.
|
2018-10-30 13:19:27 +01:00
|
|
|
#
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Note that profiling is performed differently between debug and user builds.
|
|
|
|
# This macro covers both user and debug builds, but see
|
|
|
|
# can_profile_heap_userdebug_or_eng for a variant that can be used when
|
|
|
|
# allowing profiling for a domain only on debug builds, without granting
|
|
|
|
# the exec permission. The exec permission is necessary for user builds, but
|
|
|
|
# only a nice-to-have for development and testing purposes on debug builds.
|
2018-10-30 13:19:27 +01:00
|
|
|
define(`can_profile_heap', `
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Allow central daemon to send signal for client initialization.
|
|
|
|
allow heapprofd $1:process signal;
|
|
|
|
|
|
|
|
# Allow executing a private heapprofd process to handle profiling on
|
|
|
|
# user builds (also debug builds for testing & development purposes).
|
|
|
|
allow $1 heapprofd_exec:file rx_file_perms;
|
|
|
|
|
|
|
|
# Allow directory & file read to the central heapprofd daemon, as it scans
|
|
|
|
# /proc/[pid]/cmdline for by-process-name profiling configs.
|
|
|
|
# Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
|
|
|
|
allow heapprofd $1:file r_file_perms;
|
|
|
|
allow heapprofd $1:dir r_dir_perms;
|
|
|
|
|
2019-02-28 16:59:32 +01:00
|
|
|
# Profilability on user implies profilability on userdebug and eng.
|
|
|
|
can_profile_heap_userdebug_or_eng($1)
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
###################################
|
|
|
|
# can_profile_heap_userdebug_or_eng(domain)
|
|
|
|
# Allow processes within the domain to have their heap profiled by heapprofd on
|
|
|
|
# debug builds only.
|
|
|
|
#
|
|
|
|
# Only necessary when can_profile_heap cannot be applied, see its description
|
|
|
|
# for rationale.
|
|
|
|
define(`can_profile_heap_userdebug_or_eng', `
|
2018-10-30 13:19:27 +01:00
|
|
|
userdebug_or_eng(`
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Allow central daemon to send signal for client initialization.
|
2018-10-30 13:19:27 +01:00
|
|
|
allow heapprofd $1:process signal;
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Allow connecting to the daemon.
|
2018-10-30 13:19:27 +01:00
|
|
|
unix_socket_connect($1, heapprofd, heapprofd)
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Allow daemon to use the passed fds.
|
2018-10-30 13:19:27 +01:00
|
|
|
allow heapprofd $1:fd use;
|
2019-02-28 16:59:32 +01:00
|
|
|
# Allow to read and write to heapprofd shmem.
|
|
|
|
# The client needs to read the read and write pointers in order to write.
|
|
|
|
allow $1 heapprofd_tmpfs:file { read write getattr map };
|
|
|
|
# Use shared memory received over the unix socket.
|
|
|
|
allow $1 heapprofd:fd use;
|
2018-10-30 13:19:27 +01:00
|
|
|
|
|
|
|
# To read from the received file descriptors.
|
|
|
|
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
|
|
|
|
# process they relate to.
|
|
|
|
allow heapprofd $1:file r_file_perms;
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Allow searching the /proc/[pid] directory for cmdline.
|
2018-10-30 13:19:27 +01:00
|
|
|
allow heapprofd $1:dir r_dir_perms;
|
|
|
|
')
|
|
|
|
')
|
|
|
|
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
###################################
|
|
|
|
# never_profile_heap(domain)
|
|
|
|
# Opt out of heap profiling by heapprofd.
|
2018-10-30 13:19:27 +01:00
|
|
|
define(`never_profile_heap', `
|
|
|
|
neverallow heapprofd $1:file read;
|
|
|
|
neverallow heapprofd $1:process signal;
|
|
|
|
')
|