platform_system_sepolicy/private/toolbox.te

typeattribute toolbox coredomain;

init_daemon_domain(toolbox)

# rm -rf in /data/misc/virtualizationservice
allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
allow toolbox virtualizationservice_data_file:file { getattr unlink };

# If we can't remove these directories we try to chmod them. That
# doesn't work, but it doesn't matter as virtualizationservice itself
# will delete them when it starts. See b/235338094#comment39
dontaudit toolbox virtualizationservice_data_file:dir setattr;

# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow toolbox tmpfs:chr_file { read write ioctl };

# Inherit and use pty created by android_fork_execvp_ext().
allow toolbox devpts:chr_file { read write getattr ioctl };

# mkswap-specific.
# Read/write block devices used for swap partitions.
# Assign swap_block_device type any such partition in your
# device/<vendor>/<product>/sepolicy/file_contexts file.
allow toolbox block_device:dir search;
allow toolbox swap_block_device:blk_file rw_file_perms;

# rm -rf /data/per_boot
allow toolbox system_data_root_file:dir { remove_name write };
allow toolbox system_data_file:dir { rmdir rw_dir_perms };
allow toolbox system_data_file:file { getattr unlink };

# chattr +F /data/media in init
allow toolbox media_userdir_file:dir { r_dir_perms setattr };
allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };

###
### Neverallow rules
###

# Only allow entry from init via the toolbox binary.
neverallow { domain -init } toolbox:process transition;
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute toolbox coredomain;`

Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`init_daemon_domain(toolbox)`
Allow deleting old virtualization files Allow init to use toolbox to rm -rf stale files under /data/misc/virtualizationservice. Bug: 230056726 Test: Create fake stale dir+file, see them deleted Change-Id: I4a31e437344974597fc5280d898f23780a820f16 (cherry picked from commit 8e06fb4109f9139bfdc3d88564e8ed5cf27c433c) 2022-04-27 18:26:57 +02:00
			`# rm -rf in /data/misc/virtualizationservice`
			`allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };`
			`allow toolbox virtualizationservice_data_file:file { getattr unlink };`
Dontaudit chmod of virtualizationsevice_data_file Init attempts to rm -rf these files, to ensure any that are owned by the old virtualizationservice UID get deleted. This fails for newer directories, now we use the system UID, which is harmless. But rm attempts to chmod the directories since it can't read them, which also fails and generates a spurious audit. So here we suppress that. Bug: 235338094 Test: No denials seen even when there are stale directories present Change-Id: If55fbe151174ee08a12b64b301e4aa86ffc1a5bf 2022-06-15 18:25:20 +02:00
			`# If we can't remove these directories we try to chmod them. That`
			`# doesn't work, but it doesn't matter as virtualizationservice itself`
			`# will delete them when it starts. See b/235338094#comment39`
			`dontaudit toolbox virtualizationservice_data_file:dir setattr;`
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged \| grep "^-" \| cut -b2- \| sort) \ <(git diff --staged \| grep "^+" \| cut -b2- \| sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12 2024-03-27 09:18:41 +01:00
			`# /dev/__null__ created by init prior to policy load,`
			`# open fd inherited by fsck.`
			`allow toolbox tmpfs:chr_file { read write ioctl };`

			`# Inherit and use pty created by android_fork_execvp_ext().`
			`allow toolbox devpts:chr_file { read write getattr ioctl };`

			`# mkswap-specific.`
			`# Read/write block devices used for swap partitions.`
			`# Assign swap_block_device type any such partition in your`
			`# device/<vendor>/<product>/sepolicy/file_contexts file.`
			`allow toolbox block_device:dir search;`
			`allow toolbox swap_block_device:blk_file rw_file_perms;`

			`# rm -rf /data/per_boot`
			`allow toolbox system_data_root_file:dir { remove_name write };`
			`allow toolbox system_data_file:dir { rmdir rw_dir_perms };`
			`allow toolbox system_data_file:file { getattr unlink };`

			`# chattr +F /data/media in init`
			`allow toolbox media_userdir_file:dir { r_dir_perms setattr };`
			`allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };`

			`###`
			`### Neverallow rules`
			`###`

			`# Only allow entry from init via the toolbox binary.`
			`neverallow { domain -init } toolbox:process transition;`
			`neverallow * toolbox:process dyntransition;`
			`neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;`