2016-10-19 23:39:30 +02:00
|
|
|
# Transition to crash_dump when /system/bin/crash_dump* is executed.
|
|
|
|
|
# This occurs when the process crashes.
|
|
|
|
|
domain_auto_trans(domain, crash_dump_exec, crash_dump);
|
|
|
|
|
allow domain crash_dump:process sigchld;
|
|
|
|
|
|
2016-10-12 23:58:09 +02:00
|
|
|
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
|
|
|
|
# with other UIDs to these whitelisted domains.
|
|
|
|
|
neverallow {
|
|
|
|
|
domain
|
|
|
|
|
-vold
|
|
|
|
|
-dumpstate
|
2016-07-01 21:18:54 +02:00
|
|
|
-storaged
|
2016-10-12 23:58:09 +02:00
|
|
|
-system_server
|
|
|
|
|
userdebug_or_eng(`-perfprofd')
|
|
|
|
|
} self:capability sys_ptrace;
|
2017-04-11 17:41:25 +02:00
|
|
|
|
|
|
|
|
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
|
|
|
|
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
|
2017-11-02 18:08:30 +01:00
|
|
|
|
|
|
|
|
# Core domains are not permitted to use kernel interfaces which are not
|
|
|
|
|
# explicitly labeled.
|
|
|
|
|
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
|
|
|
|
|
full_treble_only(`
|
|
|
|
|
# /proc
|
|
|
|
|
neverallow {
|
|
|
|
|
coredomain
|
|
|
|
|
-dumpstate
|
|
|
|
|
-platform_app
|
|
|
|
|
-priv_app
|
|
|
|
|
-system_app
|
|
|
|
|
-vold
|
|
|
|
|
-vendor_init
|
|
|
|
|
} proc:file no_rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# /sys
|
|
|
|
|
neverallow {
|
|
|
|
|
coredomain
|
|
|
|
|
-charger
|
|
|
|
|
-dumpstate
|
|
|
|
|
-healthd
|
|
|
|
|
-init
|
|
|
|
|
-priv_app
|
|
|
|
|
-storaged
|
|
|
|
|
-system_app
|
|
|
|
|
-ueventd
|
|
|
|
|
-vold
|
|
|
|
|
-vendor_init
|
|
|
|
|
} sysfs:file no_rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# /dev
|
|
|
|
|
neverallow {
|
|
|
|
|
coredomain
|
|
|
|
|
-fsck
|
|
|
|
|
-init
|
|
|
|
|
-shell
|
|
|
|
|
-ueventd
|
|
|
|
|
-vendor_init
|
|
|
|
|
} device:{ blk_file file } no_rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# debugfs
|
|
|
|
|
neverallow {
|
|
|
|
|
coredomain
|
|
|
|
|
-dumpstate
|
|
|
|
|
-init
|
|
|
|
|
-system_server
|
|
|
|
|
-vendor_init
|
|
|
|
|
} debugfs:file no_rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# tracefs
|
|
|
|
|
neverallow {
|
|
|
|
|
coredomain
|
|
|
|
|
userdebug_or_eng(`-atrace')
|
|
|
|
|
-dumpstate
|
|
|
|
|
-init
|
|
|
|
|
-perfprofd
|
|
|
|
|
-shell
|
|
|
|
|
-vendor_init
|
|
|
|
|
} debugfs_tracing:file no_rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# inotifyfs
|
|
|
|
|
neverallow {
|
|
|
|
|
coredomain
|
|
|
|
|
-init
|
|
|
|
|
-vendor_init
|
|
|
|
|
} inotify:file no_rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# pstorefs
|
|
|
|
|
neverallow {
|
|
|
|
|
coredomain
|
|
|
|
|
-bootstat
|
|
|
|
|
-charger
|
|
|
|
|
-dumpstate
|
|
|
|
|
-healthd
|
|
|
|
|
-init
|
|
|
|
|
-logd
|
|
|
|
|
-logpersist
|
|
|
|
|
-recovery_persist
|
|
|
|
|
-recovery_refresh
|
|
|
|
|
-shell
|
|
|
|
|
-system_server
|
|
|
|
|
-vendor_init
|
|
|
|
|
} pstorefs:file no_rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# configfs
|
|
|
|
|
neverallow {
|
|
|
|
|
coredomain
|
|
|
|
|
-init
|
|
|
|
|
-system_server
|
|
|
|
|
-vendor_init
|
|
|
|
|
} configfs:file no_rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# functionfs
|
|
|
|
|
neverallow {
|
|
|
|
|
coredomain
|
|
|
|
|
-adbd
|
|
|
|
|
-init
|
|
|
|
|
-mediaprovider
|
|
|
|
|
-vendor_init
|
|
|
|
|
}functionfs:file no_rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# usbfs and binfmt_miscfs
|
|
|
|
|
neverallow {
|
|
|
|
|
coredomain
|
|
|
|
|
-init
|
|
|
|
|
-vendor_init
|
|
|
|
|
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
|
|
|
|
|
')
|
