2016-10-19 23:39:30 +02:00
|
|
|
# Transition to crash_dump when /system/bin/crash_dump* is executed.
|
|
|
|
# This occurs when the process crashes.
|
2018-09-06 04:11:38 +02:00
|
|
|
# We do not apply this to the su domain to avoid interfering with
|
|
|
|
# tests (b/114136122)
|
2023-02-16 22:05:24 +01:00
|
|
|
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
|
2016-10-19 23:39:30 +02:00
|
|
|
allow domain crash_dump:process sigchld;
|
|
|
|
|
2018-11-08 14:58:13 +01:00
|
|
|
# Allow every process to check the heapprofd.enable properties to determine
|
|
|
|
# whether to load the heap profiling library. This does not necessarily enable
|
|
|
|
# heap profiling, as initialization will fail if it does not have the
|
|
|
|
# necessary SELinux permissions.
|
|
|
|
get_prop(domain, heapprofd_prop);
|
2023-02-02 15:24:45 +01:00
|
|
|
|
|
|
|
# See private/crash_dump.te
|
|
|
|
define(`dumpable_domain',`{
|
2018-11-27 12:09:14 +01:00
|
|
|
domain
|
2023-02-02 15:24:45 +01:00
|
|
|
-apexd
|
2018-11-27 12:09:14 +01:00
|
|
|
-bpfloader
|
2023-02-02 15:24:45 +01:00
|
|
|
-crash_dump
|
|
|
|
-crosvm # TODO(b/236672526): Remove exception for crosvm
|
2018-11-27 12:09:14 +01:00
|
|
|
-init
|
|
|
|
-kernel
|
|
|
|
-keystore
|
|
|
|
-llkd
|
|
|
|
-logd
|
|
|
|
-ueventd
|
|
|
|
-vendor_init
|
|
|
|
-vold
|
2023-02-02 15:24:45 +01:00
|
|
|
}')
|
2018-11-08 14:58:13 +01:00
|
|
|
|
2023-02-02 15:24:45 +01:00
|
|
|
# Allow heap profiling by heapprofd.
|
|
|
|
# Zygotes are excluded due to potential issues with holding open file
|
|
|
|
# descriptors or other state across forks. Other exclusions conflict with
|
|
|
|
# neverallows, and are not considered important to profile.
|
|
|
|
can_profile_heap({
|
|
|
|
dumpable_domain
|
|
|
|
-app_zygote
|
2023-02-21 17:19:29 +01:00
|
|
|
-hal_configstore_server
|
2020-01-22 21:00:13 +01:00
|
|
|
-logpersist
|
|
|
|
-recovery
|
|
|
|
-recovery_persist
|
|
|
|
-recovery_refresh
|
2023-02-02 15:24:45 +01:00
|
|
|
-webview_zygote
|
2020-02-19 15:59:17 +01:00
|
|
|
-zygote
|
2023-02-02 15:24:45 +01:00
|
|
|
})
|
|
|
|
|
|
|
|
# Allow profiling using perf_event_open by traced_perf.
|
|
|
|
can_profile_perf({
|
|
|
|
dumpable_domain
|
|
|
|
-app_zygote
|
2023-02-21 17:19:29 +01:00
|
|
|
-hal_configstore_server
|
2023-02-02 15:24:45 +01:00
|
|
|
-webview_zygote
|
|
|
|
-zygote
|
|
|
|
})
|
2020-01-22 21:00:13 +01:00
|
|
|
|
2021-04-21 22:58:24 +02:00
|
|
|
# Everyone can access the IncFS list of features.
|
|
|
|
r_dir_file(domain, sysfs_fs_incfs_features);
|
|
|
|
|
2023-03-01 23:32:25 +01:00
|
|
|
# Everyone can access the fuse list of features.
|
|
|
|
r_dir_file(domain, sysfs_fs_fuse_features);
|
|
|
|
|
2018-11-29 02:50:24 +01:00
|
|
|
# Path resolution access in cgroups.
|
|
|
|
allow domain cgroup:dir search;
|
2018-12-12 18:06:05 +01:00
|
|
|
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
|
|
|
|
allow { domain -appdomain -rs } cgroup:file w_file_perms;
|
2018-11-29 02:50:24 +01:00
|
|
|
|
2021-02-12 00:18:11 +01:00
|
|
|
allow domain cgroup_v2:dir search;
|
|
|
|
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
|
|
|
|
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
|
|
|
|
|
2019-01-11 02:10:31 +01:00
|
|
|
allow domain cgroup_rc_file:dir search;
|
|
|
|
allow domain cgroup_rc_file:file r_file_perms;
|
|
|
|
allow domain task_profiles_file:file r_file_perms;
|
2020-11-21 03:57:36 +01:00
|
|
|
allow domain task_profiles_api_file:file r_file_perms;
|
2019-02-20 00:02:14 +01:00
|
|
|
allow domain vendor_task_profiles_file:file r_file_perms;
|
2019-01-11 02:10:31 +01:00
|
|
|
|
2019-01-31 23:43:57 +01:00
|
|
|
# Allow all domains to read sys.use_memfd to determine
|
|
|
|
# if memfd support can be used if device supports it
|
|
|
|
get_prop(domain, use_memfd_prop);
|
|
|
|
|
2020-01-06 18:29:13 +01:00
|
|
|
# Read access to sdkextensions props
|
|
|
|
get_prop(domain, module_sdkextensions_prop)
|
2019-11-25 14:10:10 +01:00
|
|
|
|
2020-01-20 06:11:07 +01:00
|
|
|
# Read access to bq configuration values
|
|
|
|
get_prop(domain, bq_config_prop);
|
|
|
|
|
2022-05-20 20:25:26 +02:00
|
|
|
# Allow all domains to check whether MTE is set to permissive mode.
|
|
|
|
get_prop(domain, permissive_mte_prop);
|
|
|
|
|
2023-04-27 23:47:39 +02:00
|
|
|
# Allow ART to be configurable via device_config properties
|
|
|
|
# (ART "runs" inside the app process), and MTE bootloader override to be
|
|
|
|
# observed by everything
|
2023-02-01 00:47:07 +01:00
|
|
|
get_prop(domain, device_config_memory_safety_native_boot_prop);
|
2022-06-08 19:45:18 +02:00
|
|
|
get_prop(domain, device_config_memory_safety_native_prop);
|
2023-04-27 23:47:39 +02:00
|
|
|
get_prop(domain, device_config_runtime_native_boot_prop);
|
|
|
|
get_prop(domain, device_config_runtime_native_prop);
|
2022-06-08 19:45:18 +02:00
|
|
|
|
2018-11-29 02:50:24 +01:00
|
|
|
# For now, everyone can access core property files
|
|
|
|
# Device specific properties are not granted by default
|
|
|
|
not_compatible_property(`
|
2020-05-21 13:12:55 +02:00
|
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
2018-11-29 02:50:24 +01:00
|
|
|
get_prop(domain, core_property_type)
|
|
|
|
get_prop(domain, exported3_system_prop)
|
|
|
|
get_prop(domain, vendor_default_prop)
|
|
|
|
')
|
|
|
|
compatible_property_only(`
|
2020-05-21 13:12:55 +02:00
|
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
2018-11-29 02:50:24 +01:00
|
|
|
get_prop({coredomain appdomain shell}, core_property_type)
|
|
|
|
get_prop({coredomain appdomain shell}, exported3_system_prop)
|
2020-01-06 13:25:00 +01:00
|
|
|
get_prop({coredomain appdomain shell}, exported_camera_prop)
|
2019-11-14 13:59:15 +01:00
|
|
|
get_prop({coredomain shell}, userspace_reboot_exported_prop)
|
2020-02-07 01:10:29 +01:00
|
|
|
get_prop({coredomain shell}, userspace_reboot_log_prop)
|
2020-03-12 15:45:00 +01:00
|
|
|
get_prop({coredomain shell}, userspace_reboot_test_prop)
|
2018-11-29 02:50:24 +01:00
|
|
|
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
|
|
|
|
')
|
|
|
|
|
2022-11-03 15:51:01 +01:00
|
|
|
# Public readable properties
|
|
|
|
get_prop(domain, aaudio_config_prop)
|
|
|
|
get_prop(domain, apexd_select_prop)
|
|
|
|
get_prop(domain, arm64_memtag_prop)
|
|
|
|
get_prop(domain, bluetooth_config_prop)
|
|
|
|
get_prop(domain, bootloader_prop)
|
|
|
|
get_prop(domain, build_odm_prop)
|
|
|
|
get_prop(domain, build_prop)
|
|
|
|
get_prop(domain, build_vendor_prop)
|
|
|
|
get_prop(domain, debug_prop)
|
|
|
|
get_prop(domain, exported_config_prop)
|
|
|
|
get_prop(domain, exported_default_prop)
|
|
|
|
get_prop(domain, exported_dumpstate_prop)
|
|
|
|
get_prop(domain, exported_secure_prop)
|
|
|
|
get_prop(domain, exported_system_prop)
|
|
|
|
get_prop(domain, fingerprint_prop)
|
|
|
|
get_prop(domain, framework_status_prop)
|
|
|
|
get_prop(domain, gwp_asan_prop)
|
|
|
|
get_prop(domain, hal_instrumentation_prop)
|
|
|
|
get_prop(domain, hw_timeout_multiplier_prop)
|
|
|
|
get_prop(domain, init_service_status_prop)
|
|
|
|
get_prop(domain, libc_debug_prop)
|
|
|
|
get_prop(domain, locale_prop)
|
|
|
|
get_prop(domain, logd_prop)
|
|
|
|
get_prop(domain, mediadrm_config_prop)
|
|
|
|
get_prop(domain, property_service_version_prop)
|
|
|
|
get_prop(domain, soc_prop)
|
|
|
|
get_prop(domain, socket_hook_prop)
|
|
|
|
get_prop(domain, surfaceflinger_prop)
|
|
|
|
get_prop(domain, telephony_status_prop)
|
|
|
|
get_prop(domain, timezone_prop)
|
2023-01-20 04:34:19 +01:00
|
|
|
get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app }, userdebug_or_eng_prop)
|
2022-11-03 15:51:01 +01:00
|
|
|
get_prop(domain, vendor_socket_hook_prop)
|
|
|
|
get_prop(domain, vndk_prop)
|
|
|
|
get_prop(domain, vold_status_prop)
|
|
|
|
get_prop(domain, vts_config_prop)
|
|
|
|
|
|
|
|
# Binder cache properties are world-readable
|
|
|
|
get_prop(domain, binder_cache_bluetooth_server_prop)
|
|
|
|
get_prop(domain, binder_cache_system_server_prop)
|
|
|
|
get_prop(domain, binder_cache_telephony_server_prop)
|
|
|
|
|
2023-07-26 08:21:30 +02:00
|
|
|
# Allow access to fsverity keyring.
|
2019-03-13 23:21:41 +01:00
|
|
|
allow domain kernel:key search;
|
2023-07-26 08:21:30 +02:00
|
|
|
# Allow access to keys in the fsverity keyring that were installed at boot.
|
|
|
|
allow domain fsverity_init:key search;
|
2019-03-13 23:21:41 +01:00
|
|
|
# For testing purposes, allow access to keys installed with su.
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow domain su:key search;
|
|
|
|
')
|
|
|
|
|
2019-07-08 12:02:05 +02:00
|
|
|
# Allow access to linkerconfig file
|
2019-08-05 12:50:53 +02:00
|
|
|
allow domain linkerconfig_file:dir search;
|
2019-07-08 12:02:05 +02:00
|
|
|
allow domain linkerconfig_file:file r_file_perms;
|
|
|
|
|
2019-08-28 23:08:50 +02:00
|
|
|
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
|
|
|
|
allow domain boringssl_self_test_marker:dir search;
|
|
|
|
|
2022-09-18 16:09:53 +02:00
|
|
|
# Allow all processes to read the file_logger property that liblog uses to check if file_logger
|
|
|
|
# should be used.
|
|
|
|
get_prop(domain, log_file_logger_prop)
|
|
|
|
|
2022-09-16 16:31:39 +02:00
|
|
|
# Allow all processes to connect to PRNG seeder daemon.
|
|
|
|
unix_socket_connect(domain, prng_seeder, prng_seeder)
|
|
|
|
|
2024-02-20 06:14:37 +01:00
|
|
|
# Allow calls to system(3), popen(3), ...
|
|
|
|
allow {
|
|
|
|
domain
|
|
|
|
# Except domains that explicitly neverallow it.
|
|
|
|
-kernel
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
-app_zygote
|
|
|
|
-webview_zygote
|
|
|
|
-system_server
|
|
|
|
-artd
|
|
|
|
-audioserver
|
|
|
|
-cameraserver
|
|
|
|
-mediadrmserver
|
|
|
|
-mediaextractor
|
|
|
|
-mediametrics
|
|
|
|
-mediaserver
|
|
|
|
-mediatuner
|
|
|
|
-mediatranscoding
|
|
|
|
-ueventd
|
|
|
|
-hal_audio_server
|
|
|
|
-hal_camera_server
|
|
|
|
-hal_cas_server
|
|
|
|
-hal_codec2_server
|
|
|
|
-hal_configstore_server
|
|
|
|
-hal_drm_server
|
|
|
|
-hal_omx_server
|
|
|
|
} {shell_exec toolbox_exec}:file rx_file_perms;
|
|
|
|
|
2022-01-26 00:45:17 +01:00
|
|
|
# No domains other than a select few can access the misc_block_device. This
|
|
|
|
# block device is reserved for OTA use.
|
|
|
|
# Do not assert this rule on userdebug/eng builds, due to some devices using
|
|
|
|
# this partition for testing purposes.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
userdebug_or_eng(`-domain') # exclude debuggable builds
|
|
|
|
-fastbootd
|
|
|
|
-hal_bootctl_server
|
|
|
|
-init
|
|
|
|
-uncrypt
|
|
|
|
-update_engine
|
|
|
|
-vendor_init
|
|
|
|
-vendor_misc_writer
|
|
|
|
-vold
|
|
|
|
-recovery
|
|
|
|
-ueventd
|
|
|
|
-mtectrl
|
2024-02-16 23:32:02 +01:00
|
|
|
-misctrl
|
2022-01-26 00:45:17 +01:00
|
|
|
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
|
|
|
|
|
2016-10-12 23:58:09 +02:00
|
|
|
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
2020-07-31 20:28:11 +02:00
|
|
|
# with other UIDs to these allowlisted domains.
|
2016-10-12 23:58:09 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-vold
|
2018-08-08 01:03:47 +02:00
|
|
|
userdebug_or_eng(`-llkd')
|
2016-10-12 23:58:09 +02:00
|
|
|
-dumpstate
|
2018-03-13 00:21:40 +01:00
|
|
|
userdebug_or_eng(`-incidentd')
|
2020-08-31 19:54:01 +02:00
|
|
|
userdebug_or_eng(`-profcollectd')
|
2021-11-24 23:06:07 +01:00
|
|
|
userdebug_or_eng(`-simpleperf_boot')
|
2016-07-01 21:18:54 +02:00
|
|
|
-storaged
|
2016-10-12 23:58:09 +02:00
|
|
|
-system_server
|
2017-11-09 23:51:26 +01:00
|
|
|
} self:global_capability_class_set sys_ptrace;
|
2017-04-11 17:41:25 +02:00
|
|
|
|
|
|
|
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
2020-07-27 21:53:20 +02:00
|
|
|
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
|
|
|
|
neverallow { domain -system_server } *:keystore2_key use_dev_id;
|
|
|
|
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
|
2017-11-02 18:08:30 +01:00
|
|
|
|
2018-01-31 03:14:45 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
userdebug_or_eng(`-domain')
|
|
|
|
} debugfs_tracing_debug:file no_rw_file_perms;
|
|
|
|
|
2018-04-16 16:49:49 +02:00
|
|
|
# System_server owns dropbox data, and init creates/restorecons the directory
|
|
|
|
# Disallow direct access by other processes.
|
2023-02-06 22:25:48 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
userdebug_or_eng(`-dumpstate')
|
|
|
|
} dropbox_data_file:dir *;
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
userdebug_or_eng(`-dumpstate')
|
|
|
|
} dropbox_data_file:file ~{ getattr read };
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
###
|
|
|
|
# Services should respect app sandboxes
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
2022-10-21 18:03:56 +02:00
|
|
|
-artd # compile secondary dex files
|
2018-05-29 19:41:36 +02:00
|
|
|
-installd # creation of sandbox
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
# Only the following processes should be directly accessing private app
|
|
|
|
# directories.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-adbd
|
|
|
|
-appdomain
|
2018-11-05 11:39:15 +01:00
|
|
|
-app_zygote
|
2022-10-21 18:03:56 +02:00
|
|
|
-artd # compile secondary dex files
|
2018-05-29 19:41:36 +02:00
|
|
|
-dexoptanalyzer
|
|
|
|
-installd
|
|
|
|
-profman
|
2018-12-12 18:06:05 +01:00
|
|
|
-rs # spawned by appdomain, so carryover the exception above
|
2018-05-29 19:41:36 +02:00
|
|
|
-runas
|
|
|
|
-system_server
|
2019-01-11 17:13:01 +01:00
|
|
|
-viewcompiler
|
2019-12-13 13:30:26 +01:00
|
|
|
-zygote
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir *;
|
2018-05-29 19:41:36 +02:00
|
|
|
|
2018-11-16 09:59:23 +01:00
|
|
|
# Only apps should be modifying app data. installd is exempted for
|
2018-05-29 19:41:36 +02:00
|
|
|
# restorecon and package install/uninstall.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
2022-10-21 18:03:56 +02:00
|
|
|
-artd # compile secondary dex files
|
2018-05-29 19:41:36 +02:00
|
|
|
-installd
|
2018-12-12 18:06:05 +01:00
|
|
|
-rs # spawned by appdomain, so carryover the exception above
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
2018-11-05 11:39:15 +01:00
|
|
|
-app_zygote
|
2022-10-21 18:03:56 +02:00
|
|
|
-artd # compile secondary dex files
|
2018-05-29 19:41:36 +02:00
|
|
|
-installd
|
2018-12-12 18:06:05 +01:00
|
|
|
-rs # spawned by appdomain, so carryover the exception above
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:file_class_set open;
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
2022-10-21 18:03:56 +02:00
|
|
|
-artd # compile secondary dex files
|
2018-05-29 19:41:36 +02:00
|
|
|
-installd # creation of sandbox
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
|
2018-05-29 19:41:36 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
2022-10-21 18:03:56 +02:00
|
|
|
-artd # compile secondary dex files
|
2018-05-29 19:41:36 +02:00
|
|
|
-installd
|
2018-08-03 00:54:23 +02:00
|
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
|
2018-10-04 19:57:29 +02:00
|
|
|
|
2019-01-02 15:20:52 +01:00
|
|
|
# The staging directory contains APEX and APK files. It is important to ensure
|
|
|
|
# that these files cannot be accessed by other domains to ensure that the files
|
|
|
|
# do not change between system_server staging the files and apexd processing
|
|
|
|
# the files.
|
2021-10-05 10:22:45 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
-apexd
|
|
|
|
-installd
|
|
|
|
-priv_app
|
2022-12-15 14:38:42 +01:00
|
|
|
-virtualizationmanager
|
2021-10-05 10:22:45 +02:00
|
|
|
} staging_data_file:dir *;
|
2021-07-16 06:05:40 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-system_app
|
|
|
|
-system_server
|
|
|
|
-apexd
|
|
|
|
-adbd
|
|
|
|
-kernel
|
|
|
|
-installd
|
|
|
|
-priv_app
|
2022-02-25 12:59:25 +01:00
|
|
|
-shell
|
2022-12-15 14:38:42 +01:00
|
|
|
-virtualizationmanager
|
2021-07-12 14:11:33 +02:00
|
|
|
-crosvm
|
2021-07-16 06:05:40 +02:00
|
|
|
} staging_data_file:file *;
|
2019-02-19 13:21:59 +01:00
|
|
|
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
|
2019-02-05 23:47:57 +01:00
|
|
|
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
|
|
|
|
# except for `link` and `unlink`.
|
2019-01-02 15:20:52 +01:00
|
|
|
neverallow { domain -init -system_server } staging_data_file:file
|
2019-02-05 23:47:57 +01:00
|
|
|
{ append create relabelfrom rename setattr write no_x_file_perms };
|
2019-01-02 15:20:52 +01:00
|
|
|
|
2018-10-04 19:57:29 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain # for oemfs
|
|
|
|
-bootanim # for oemfs
|
|
|
|
-recovery # for /tmp/update_binary in tmpfs
|
|
|
|
} { fs_type -rootfs }:file execute;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Assert that, to the extent possible, we're not loading executable content from
|
2020-07-31 20:28:11 +02:00
|
|
|
# outside the rootfs or /system partition except for a few allowlisted domains.
|
2018-10-04 19:57:29 +02:00
|
|
|
# Executable files loaded from /data is a persistence vector
|
|
|
|
# we want to avoid. See
|
|
|
|
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
|
|
|
|
#
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
|
|
|
with_asan(`-asan_extract')
|
|
|
|
-shell
|
|
|
|
userdebug_or_eng(`-su')
|
|
|
|
-system_server_startup # for memfd backed executable regions
|
2018-11-05 11:39:15 +01:00
|
|
|
-app_zygote
|
2018-10-04 19:57:29 +02:00
|
|
|
-webview_zygote
|
|
|
|
-zygote
|
|
|
|
userdebug_or_eng(`-mediaextractor')
|
|
|
|
userdebug_or_eng(`-mediaswcodec')
|
|
|
|
} {
|
|
|
|
file_type
|
|
|
|
-system_file_type
|
|
|
|
-system_lib_file
|
|
|
|
-system_linker_exec
|
|
|
|
-vendor_file_type
|
|
|
|
-exec_type
|
|
|
|
-postinstall_file
|
|
|
|
}:file execute;
|
2019-01-11 02:10:31 +01:00
|
|
|
|
|
|
|
# Only init is allowed to write cgroup.rc file
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
} cgroup_rc_file:file no_w_file_perms;
|
2019-02-22 01:01:50 +01:00
|
|
|
|
|
|
|
# Only authorized processes should be writing to files in /data/dalvik-cache
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init # TODO: limit init to relabelfrom for files
|
|
|
|
-zygote
|
|
|
|
-installd
|
|
|
|
-postinstall_dexopt
|
|
|
|
-cppreopts
|
|
|
|
-dex2oat
|
|
|
|
-otapreopt_slot
|
2022-06-07 16:20:58 +02:00
|
|
|
-artd
|
2019-02-22 01:01:50 +01:00
|
|
|
} dalvikcache_data_file:file no_w_file_perms;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
-postinstall_dexopt
|
|
|
|
-cppreopts
|
|
|
|
-dex2oat
|
|
|
|
-zygote
|
|
|
|
-otapreopt_slot
|
2022-06-07 16:20:58 +02:00
|
|
|
-artd
|
2019-02-22 01:01:50 +01:00
|
|
|
} dalvikcache_data_file:dir no_w_dir_perms;
|
2019-02-26 22:12:05 +01:00
|
|
|
|
2020-10-16 16:29:55 +02:00
|
|
|
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
|
|
|
|
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
|
|
|
|
neverallow {
|
|
|
|
domain
|
2021-12-16 15:31:14 +01:00
|
|
|
# art-related processes
|
|
|
|
-composd
|
2021-12-14 14:30:23 +01:00
|
|
|
-compos_fd_server
|
2020-10-16 16:29:55 +02:00
|
|
|
-odrefresh
|
2020-11-27 12:23:54 +01:00
|
|
|
-odsign
|
2020-10-16 16:29:55 +02:00
|
|
|
# others
|
|
|
|
-apexd
|
|
|
|
-init
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
} apex_art_data_file:file no_w_file_perms;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
2021-12-04 01:46:18 +01:00
|
|
|
# art-related processes
|
2021-12-16 15:31:14 +01:00
|
|
|
-composd
|
2021-12-14 14:30:23 +01:00
|
|
|
-compos_fd_server
|
2020-10-16 16:29:55 +02:00
|
|
|
-odrefresh
|
2020-11-27 12:23:54 +01:00
|
|
|
-odsign
|
2020-10-16 16:29:55 +02:00
|
|
|
# others
|
|
|
|
-apexd
|
|
|
|
-init
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
} apex_art_data_file:dir no_w_dir_perms;
|
|
|
|
|
|
|
|
# Protect most domains from executing arbitrary content from /data.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
|
|
|
} {
|
|
|
|
data_file_type
|
|
|
|
-apex_art_data_file
|
|
|
|
-dalvikcache_data_file
|
|
|
|
-system_data_file # shared libs in apks
|
|
|
|
-apk_data_file
|
|
|
|
}:file no_x_file_perms;
|
|
|
|
|
2019-02-26 22:12:05 +01:00
|
|
|
# Minimize dac_override and dac_read_search.
|
|
|
|
# Instead of granting them it is usually better to add the domain to
|
|
|
|
# a Unix group or change the permissions of a file.
|
|
|
|
define(`dac_override_allowed', `{
|
2020-01-24 18:20:19 +01:00
|
|
|
apexd
|
2022-06-07 16:20:58 +02:00
|
|
|
artd
|
2019-02-26 22:12:05 +01:00
|
|
|
dnsmasq
|
|
|
|
dumpstate
|
|
|
|
init
|
|
|
|
installd
|
|
|
|
userdebug_or_eng(`llkd')
|
|
|
|
lmkd
|
2019-05-17 16:05:18 +02:00
|
|
|
migrate_legacy_obb_data
|
2019-02-26 22:12:05 +01:00
|
|
|
netd
|
|
|
|
postinstall_dexopt
|
|
|
|
recovery
|
|
|
|
rss_hwm_reset
|
|
|
|
sdcardd
|
|
|
|
tee
|
|
|
|
ueventd
|
|
|
|
uncrypt
|
|
|
|
vendor_init
|
|
|
|
vold
|
|
|
|
vold_prepare_subdirs
|
|
|
|
zygote
|
|
|
|
}')
|
|
|
|
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
|
|
|
|
# Since the kernel checks dac_read_search before dac_override, domains that
|
|
|
|
# have dac_override should also have dac_read_search to eliminate spurious
|
|
|
|
# denials. Some domains have dac_read_search without having dac_override, so
|
|
|
|
# this list should be a superset of the one above.
|
|
|
|
neverallow ~{
|
|
|
|
dac_override_allowed
|
2020-01-22 20:16:13 +01:00
|
|
|
traced_perf
|
2019-02-26 22:12:05 +01:00
|
|
|
traced_probes
|
2021-01-11 18:17:30 +01:00
|
|
|
heapprofd
|
2019-02-26 22:12:05 +01:00
|
|
|
} self:global_capability_class_set dac_read_search;
|
2019-03-18 18:54:42 +01:00
|
|
|
|
|
|
|
# Limit what domains can mount filesystems or change their mount flags.
|
2021-06-23 10:21:49 +02:00
|
|
|
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
|
|
|
|
# set of domains need this capability, including device-specific domains.
|
2019-03-18 18:54:42 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-apexd
|
2021-05-06 01:33:48 +02:00
|
|
|
recovery_only(`-fastbootd')
|
2019-03-18 18:54:42 +01:00
|
|
|
-init
|
|
|
|
-kernel
|
|
|
|
-otapreopt_chroot
|
|
|
|
-recovery
|
|
|
|
-update_engine
|
|
|
|
-vold
|
|
|
|
-zygote
|
2021-04-27 01:32:17 +02:00
|
|
|
} { fs_type
|
|
|
|
-sdcard_type
|
2021-06-23 10:21:49 +02:00
|
|
|
-fusefs_type
|
2021-04-27 01:32:17 +02:00
|
|
|
}:filesystem { mount remount relabelfrom relabelto };
|
|
|
|
|
|
|
|
enforce_debugfs_restriction(`
|
|
|
|
neverallow {
|
|
|
|
domain userdebug_or_eng(`-init')
|
|
|
|
} { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
|
|
|
|
')
|
2019-03-16 00:41:15 +01:00
|
|
|
|
2020-07-31 20:28:11 +02:00
|
|
|
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
2019-03-16 00:41:15 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
userdebug_or_eng(`-domain')
|
|
|
|
-kernel
|
|
|
|
-gsid
|
|
|
|
-init
|
|
|
|
-recovery
|
|
|
|
-ueventd
|
|
|
|
-uncrypt
|
|
|
|
-tee
|
|
|
|
-hal_bootctl_server
|
2019-10-26 00:11:58 +02:00
|
|
|
-fastbootd
|
2019-03-16 00:41:15 +01:00
|
|
|
} self:global_capability_class_set sys_rawio;
|
2019-12-13 13:30:26 +01:00
|
|
|
|
|
|
|
# Limit directory operations that doesn't need to do app data isolation.
|
|
|
|
neverallow {
|
|
|
|
domain
|
2021-07-13 01:30:49 +02:00
|
|
|
-fsck
|
2019-12-13 13:30:26 +01:00
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
-zygote
|
|
|
|
} mirror_data_file:dir *;
|
2020-02-04 12:31:05 +01:00
|
|
|
|
|
|
|
# This property is being removed. Remove remaining access.
|
|
|
|
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
|
|
|
|
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
|
2020-03-04 09:20:35 +01:00
|
|
|
|
|
|
|
# Only core domains are allowed to access package_manager properties
|
|
|
|
neverallow { domain -init -system_server } pm_prop:property_service set;
|
|
|
|
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# Do not allow reading the last boot timestamp from system properties
|
|
|
|
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
|
2020-06-10 12:27:12 +02:00
|
|
|
|
2023-05-10 17:52:39 +02:00
|
|
|
# Allow ART to set its config properties in its oneshot boot service, in
|
|
|
|
# addition to the common init and vendor_init access.
|
|
|
|
neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
|
|
|
|
|
2020-06-10 12:27:12 +02:00
|
|
|
# Kprobes should only be used by adb root
|
|
|
|
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
|
2020-08-31 15:38:04 +02:00
|
|
|
|
|
|
|
# On TREBLE devices, most coredomains should not access vendor_files.
|
|
|
|
# TODO(b/71553434): Remove exceptions here.
|
|
|
|
full_treble_only(`
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-appdomain
|
|
|
|
-bootanim
|
|
|
|
-crash_dump
|
|
|
|
-heapprofd
|
2020-08-31 19:54:01 +02:00
|
|
|
userdebug_or_eng(`-profcollectd')
|
2020-08-31 15:38:04 +02:00
|
|
|
-init
|
|
|
|
-kernel
|
2021-11-24 23:06:07 +01:00
|
|
|
userdebug_or_eng(`-simpleperf_boot')
|
2020-08-31 15:38:04 +02:00
|
|
|
-traced_perf
|
|
|
|
-ueventd
|
|
|
|
} vendor_file:file { no_w_file_perms no_x_file_perms open };
|
|
|
|
')
|
|
|
|
|
|
|
|
# Vendor domains are not permitted to initiate communications to core domain sockets
|
|
|
|
full_treble_only(`
|
|
|
|
neverallow_establish_socket_comms({
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-socket_between_core_and_vendor_violators
|
|
|
|
}, {
|
|
|
|
coredomain
|
|
|
|
-logd # Logging by writing to logd Unix domain socket is public API
|
|
|
|
-netd # netdomain needs this
|
|
|
|
-mdnsd # netdomain needs this
|
2022-09-16 16:31:39 +02:00
|
|
|
-prng_seeder # Any process using libcrypto needs this
|
2020-08-31 15:38:04 +02:00
|
|
|
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
|
|
|
|
-init
|
|
|
|
-tombstoned # linker to tombstoned
|
2023-02-02 15:24:45 +01:00
|
|
|
-heapprofd
|
|
|
|
-traced
|
|
|
|
-traced_perf
|
2020-08-31 15:38:04 +02:00
|
|
|
});
|
|
|
|
')
|
|
|
|
|
|
|
|
full_treble_only(`
|
|
|
|
# Do not allow system components access to /vendor files except for the
|
|
|
|
# ones allowed here.
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
# TODO(b/37168747): clean up fwk access to /vendor
|
|
|
|
-crash_dump
|
2021-08-09 02:24:45 +02:00
|
|
|
-crosvm # loads vendor-specific disk images
|
2020-08-31 15:38:04 +02:00
|
|
|
-init # starts vendor executables
|
|
|
|
-kernel # loads /vendor/firmware
|
2021-01-11 18:17:30 +01:00
|
|
|
-heapprofd
|
2020-08-31 19:54:01 +02:00
|
|
|
userdebug_or_eng(`-profcollectd')
|
2020-08-31 15:38:04 +02:00
|
|
|
-shell
|
2021-11-24 23:06:07 +01:00
|
|
|
userdebug_or_eng(`-simpleperf_boot')
|
2020-08-31 15:38:04 +02:00
|
|
|
-system_executes_vendor_violators
|
|
|
|
-traced_perf # library/binary access for symbolization
|
|
|
|
-ueventd # reads /vendor/ueventd.rc
|
|
|
|
-vold # loads incremental fs driver
|
|
|
|
} {
|
|
|
|
vendor_file_type
|
|
|
|
-same_process_hal_file
|
|
|
|
-vendor_app_file
|
|
|
|
-vendor_apex_file
|
2023-05-31 10:51:14 +02:00
|
|
|
-vendor_apex_metadata_file
|
2020-08-31 15:38:04 +02:00
|
|
|
-vendor_configs_file
|
2023-11-15 09:59:30 +01:00
|
|
|
-vendor_microdroid_file
|
2020-08-31 15:38:04 +02:00
|
|
|
-vendor_service_contexts_file
|
|
|
|
-vendor_framework_file
|
|
|
|
-vendor_idc_file
|
|
|
|
-vendor_keychars_file
|
|
|
|
-vendor_keylayout_file
|
|
|
|
-vendor_overlay_file
|
2021-01-25 13:57:56 +01:00
|
|
|
-vendor_public_framework_file
|
2020-08-31 15:38:04 +02:00
|
|
|
-vendor_public_lib_file
|
|
|
|
-vendor_task_profiles_file
|
2021-11-18 23:59:29 +01:00
|
|
|
-vendor_uuid_mapping_config_file
|
2020-08-31 15:38:04 +02:00
|
|
|
-vndk_sp_file
|
|
|
|
}:file *;
|
|
|
|
')
|
2020-11-16 19:10:33 +01:00
|
|
|
|
|
|
|
# mlsvendorcompat is only for compatibility support for older vendor
|
|
|
|
# images, and should not be granted to any domain in current policy.
|
|
|
|
# (Every domain is allowed self:fork, so this will trigger if the
|
|
|
|
# intsersection of domain & mlsvendorcompat is not empty.)
|
|
|
|
neverallow domain mlsvendorcompat:process fork;
|
2021-03-11 20:26:08 +01:00
|
|
|
|
|
|
|
# Only init and otapreopt_chroot should be mounting filesystems on locations
|
|
|
|
# labeled system or vendor (/product and /vendor respectively).
|
|
|
|
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
|
2021-03-16 19:30:36 +01:00
|
|
|
|
|
|
|
# Only allow init and vendor_init to read/write mm_events properties
|
|
|
|
# NOTE: dumpstate is allowed to read any system property
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
-dumpstate
|
|
|
|
} mm_events_config_prop:file no_rw_file_perms;
|
2021-03-18 19:15:36 +01:00
|
|
|
|
|
|
|
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
|
|
|
|
# kernel traces. Addresses are not disclosed, they are repalced with symbol
|
|
|
|
# names (if available). Traces don't disclose KASLR.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
userdebug_or_eng(`-profcollectd')
|
|
|
|
-vendor_init
|
2021-11-24 23:06:07 +01:00
|
|
|
userdebug_or_eng(`-simpleperf_boot')
|
2021-03-18 19:15:36 +01:00
|
|
|
-traced_probes
|
|
|
|
-traced_perf
|
|
|
|
} proc_kallsyms:file { open read };
|
2021-05-05 07:01:51 +02:00
|
|
|
|
|
|
|
# debugfs_kcov type is not included in this neverallow statement since the KCOV
|
|
|
|
# tool uses it for kernel fuzzing.
|
2021-05-05 07:02:22 +02:00
|
|
|
# vendor_modprobe is also exempted since the kernel modules it loads may create
|
|
|
|
# debugfs files in its context.
|
2021-05-05 07:01:51 +02:00
|
|
|
enforce_debugfs_restriction(`
|
|
|
|
neverallow {
|
|
|
|
domain
|
2021-05-05 07:02:22 +02:00
|
|
|
-vendor_modprobe
|
2021-05-05 07:01:51 +02:00
|
|
|
userdebug_or_eng(`
|
|
|
|
-init
|
|
|
|
-hal_dumpstate
|
2023-09-20 22:33:46 +02:00
|
|
|
-incidentd
|
2021-05-05 07:01:51 +02:00
|
|
|
')
|
|
|
|
} { debugfs_type
|
|
|
|
userdebug_or_eng(`-debugfs_kcov')
|
|
|
|
-tracefs_type
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
')
|
2021-07-12 14:11:33 +02:00
|
|
|
|
2022-01-11 20:45:03 +01:00
|
|
|
# Restrict write access to etm sysfs interface.
|
|
|
|
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
|
|
|
|
|
2023-09-25 20:42:03 +02:00
|
|
|
# Restrict CAP_PERFMON.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_modprobe
|
|
|
|
userdebug_or_eng(`-simpleperf_boot')
|
|
|
|
-kernel
|
|
|
|
-uprobestats
|
|
|
|
} self:capability2 perfmon;
|
|
|
|
|
2022-12-07 08:18:18 +01:00
|
|
|
# Restrict direct access to shell owned files. The /data/local/tmp directory is
|
2021-07-12 14:11:33 +02:00
|
|
|
# untrustworthy, and non-allowed domains should not be trusting any content in
|
|
|
|
# those directories. We allow shell files to be passed around by file
|
|
|
|
# descriptor, but not directly opened.
|
2022-10-21 18:03:56 +02:00
|
|
|
# artd doesn't need to access /data/local/tmp, but it needs to access
|
|
|
|
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
|
|
|
|
# dex files.
|
2021-07-12 14:11:33 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-adbd
|
|
|
|
-appdomain
|
2022-10-21 18:03:56 +02:00
|
|
|
-artd
|
2021-07-12 14:11:33 +02:00
|
|
|
-dumpstate
|
|
|
|
-installd
|
|
|
|
userdebug_or_eng(`-uncrypt')
|
2023-04-03 05:57:25 +02:00
|
|
|
userdebug_or_eng(`-virtualizationmanager')
|
2021-07-12 14:11:33 +02:00
|
|
|
userdebug_or_eng(`-virtualizationservice')
|
|
|
|
userdebug_or_eng(`-crosvm')
|
|
|
|
} shell_data_file:file open;
|
2021-10-27 16:12:44 +02:00
|
|
|
|
2022-12-07 08:18:18 +01:00
|
|
|
# In addition to the symlink reading restrictions above, restrict
|
|
|
|
# write access to shell owned directories. The /data/local/tmp
|
|
|
|
# directory is untrustworthy, and non-allowed domains should
|
|
|
|
# not be trusting any content in those directories.
|
|
|
|
# artd doesn't need to access /data/local/tmp, but it needs to access
|
|
|
|
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
|
|
|
|
# dex files.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-adbd
|
|
|
|
-artd
|
|
|
|
-dumpstate
|
|
|
|
-installd
|
|
|
|
-init
|
|
|
|
-shell
|
|
|
|
-vold
|
|
|
|
} shell_data_file:dir no_w_dir_perms;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-adbd
|
|
|
|
-appdomain
|
|
|
|
-artd
|
|
|
|
-dumpstate
|
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
-simpleperf_app_runner
|
|
|
|
-system_server # why?
|
|
|
|
userdebug_or_eng(`-uncrypt')
|
|
|
|
} shell_data_file:dir open;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-adbd
|
|
|
|
-appdomain
|
|
|
|
-artd
|
|
|
|
-dumpstate
|
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
-simpleperf_app_runner
|
|
|
|
-system_server # why?
|
|
|
|
userdebug_or_eng(`-uncrypt')
|
2023-04-03 05:57:25 +02:00
|
|
|
userdebug_or_eng(`-virtualizationmanager')
|
2022-12-07 08:18:18 +01:00
|
|
|
userdebug_or_eng(`-crosvm')
|
|
|
|
} shell_data_file:dir search;
|
|
|
|
|
2021-10-27 16:12:44 +02:00
|
|
|
# respect system_app sandboxes
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-appdomain
|
2022-10-21 18:03:56 +02:00
|
|
|
-artd # compile secondary dex files
|
2021-10-27 16:12:44 +02:00
|
|
|
-system_server #populate com.android.providers.settings/databases/settings.db.
|
|
|
|
-installd # creation of app sandbox
|
|
|
|
-traced_probes # resolve inodes for i/o tracing.
|
|
|
|
# only needs open and read, the rest is neverallow in
|
|
|
|
# traced_probes.te.
|
|
|
|
} system_app_data_file:dir_file_class_set { create unlink open };
|
|
|
|
neverallow {
|
2023-01-20 04:34:19 +01:00
|
|
|
isolated_app_all
|
2021-10-27 16:12:44 +02:00
|
|
|
ephemeral_app
|
|
|
|
priv_app
|
2023-04-28 11:22:15 +02:00
|
|
|
sdk_sandbox_all
|
2021-10-27 16:12:44 +02:00
|
|
|
untrusted_app_all
|
|
|
|
} system_app_data_file:dir_file_class_set { create unlink open };
|
2022-09-21 23:53:48 +02:00
|
|
|
|
|
|
|
neverallow { domain -init } mtectrl:process { dyntransition transition };
|
2023-02-01 23:55:35 +01:00
|
|
|
|
|
|
|
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
|
2023-02-06 22:25:48 +01:00
|
|
|
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
|