am 77d4731e: Make all domains unconfined.

* commit '77d4731e9d30c8971e076e2469d6957619019921':
  Make all domains unconfined.
This commit is contained in:
gcondra@google.com 2013-05-20 15:52:25 -07:00 committed by Android Git Automerger
commit 0f60427d2e
41 changed files with 58 additions and 1264 deletions

43
adbd.te
View file

@ -1,41 +1,8 @@
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type adbd, domain, mlstrustedsubject;
allow adbd adb_device:chr_file rw_file_perms;
allow adbd qemu_device:chr_file rw_file_perms;
allow adbd self:capability { net_raw setgid setuid setpcap dac_override sys_boot sys_admin };
allow adbd rootfs:file { r_file_perms entrypoint };
allow adbd init:process sigchld;
allow adbd self:tcp_socket *;
allow adbd self:unix_stream_socket *;
allow adbd node:tcp_socket node_bind;
allow adbd port:tcp_socket name_bind;
allow adbd devpts:chr_file rw_file_perms;
allow adbd cgroup:dir { write add_name create };
allow adbd labeledfs:filesystem remount;
allow adbd shell_data_file:dir rw_dir_perms;
allow adbd shell_data_file:file create_file_perms;
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;
allow adbd graphics_device:dir search;
allow adbd graphics_device:chr_file r_file_perms;
# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
allow adbd system_file:file rx_file_perms;
unix_socket_connect(adbd, vold, vold)
# Talk to init via the property socket.
unix_socket_connect(adbd, property, init)
# Run sh in its own domain.
type adbd, domain;
permissive adbd;
unconfined_domain(adbd)
domain_auto_trans(adbd, shell_exec, shell)
# Do not sanitize the environment of the shell.
allow adbd shell:process noatsecure;
# XXX Mostly to access system properties and keys- maybe those should be their own type?
allow adbd system_data_file:file create_file_perms;
allow adbd system_data_file:dir create_dir_perms;
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
# this is an entrypoint
allow adbd rootfs:file entrypoint;

149
app.te
View file

@ -14,21 +14,7 @@ platform_app_domain(platform_app)
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
# Write to /cache.
allow platform_app cache_file:dir rw_dir_perms;
allow platform_app cache_file:file create_file_perms;
# Read from /data/local.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app shell_data_file:lnk_file read;
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms;
allow platform_app download_file:file rw_file_perms;
unconfined_domain(platform_app)
# Apps signed with the media key.
type media_app, domain;
@ -37,22 +23,7 @@ app_domain(media_app)
platform_app_domain(media_app)
# Access the network.
net_domain(media_app)
# Access /dev/mtp_usb.
allow media_app mtp_device:chr_file rw_file_perms;
# Write to /cache.
allow media_app cache_file:dir rw_dir_perms;
allow media_app cache_file:file create_file_perms;
# Stat /cache/lost+found
allow media_app unlabeled:file getattr;
allow media_app unlabeled:dir getattr;
# Stat /cache/backup
allow media_app cache_backup_file:file getattr;
allow media_app cache_backup_file:dir getattr;
# Read files in the rootdir
allow media_app rootfs:file r_file_perms;
# Allow platform apps to mark platform app data files as download files
allow media_app platform_app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;
unconfined_domain(media_app)
# Apps signed with the shared key.
type shared_app, domain;
@ -63,8 +34,7 @@ platform_app_domain(shared_app)
net_domain(shared_app)
# Access bluetooth.
bluetooth_domain(shared_app)
# ASEC
r_dir_file(shared_app, asec_apk_file)
unconfined_domain(shared_app)
# Apps signed with the release key (testkey in AOSP).
type release_app, domain;
@ -75,6 +45,7 @@ platform_app_domain(release_app)
net_domain(release_app)
# Access bluetooth.
bluetooth_domain(release_app)
unconfined_domain(release_app)
# Services with isolatedProcess=true in their manifest.
# In order for isolated_apps to interact with apps that have levelFromUid=true
@ -82,18 +53,7 @@ bluetooth_domain(release_app)
type isolated_app, domain, mlstrustedsubject;
permissive isolated_app;
app_domain(isolated_app)
#
# Rules for platform app domains.
#
# App sandbox file accesses.
allow platformappdomain platform_app_data_file:dir create_dir_perms;
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
# App sdcard file accesses
allow platformappdomain sdcard_type:dir create_dir_perms;
allow platformappdomain sdcard_type:file create_file_perms;
unconfined_domain(isolated_app)
#
# Untrusted apps.
@ -103,101 +63,4 @@ permissive untrusted_app;
app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
allow untrusted_app tun_device:chr_file rw_file_perms;
# Internal SDCard rw access.
bool app_internal_sdcard_rw true;
if (app_internal_sdcard_rw) {
allow untrusted_app sdcard_internal:dir create_dir_perms;
allow untrusted_app sdcard_internal:file create_file_perms;
}
# External SDCard rw access.
bool app_external_sdcard_rw true;
if (app_external_sdcard_rw) {
allow untrusted_app sdcard_external:dir create_dir_perms;
allow untrusted_app sdcard_external:file create_file_perms;
}
#
# Rules for all app domains.
#
# Allow apps to connect to the keystore
unix_socket_connect(appdomain, keystore, keystore)
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;
# Notify zygote of death;
allow appdomain zygote:process sigchld;
# Communicate over a FIFO or socket created by the system_server.
allow appdomain system:fifo_file rw_file_perms;
allow appdomain system:unix_stream_socket { read write setopt };
# Communicate over a socket created by surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;
# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC. Do not allow open.
allow appdomain platform_app_data_file:file { getattr read write };
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute open };
# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };
# Write to /data/anr/traces.txt.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };
# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;
# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain isolated_app:unix_stream_socket { read write };
allow isolated_app appdomain:unix_stream_socket { read write };
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow { appdomain isolated_app } backup_data_file:file { read write };
allow { appdomain isolated_app } cache_backup_file:file { read write };
# Backup ability using 'adb backup'
allow { appdomain isolated_app } system_data_file:lnk_file getattr;
# Allow all applications to read downloaded files
allow appdomain download_file:file r_file_perms;
file_type_auto_trans(appdomain, download_file, download_file)
# ASEC
allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file r_file_perms;
unconfined_domain(untrusted_app)

View file

@ -1,52 +0,0 @@
# Policy assertions.
# These neverallow rules are checked by checkpolicy at policy build time.
# checkpolicy will refuse to generate the kernel policy if any of these
# assertions fail.
# Superuser capabilities.
# Only exception is sys_nice for binder, might not be necessary.
neverallow { appdomain -bluetooth } self:capability ~sys_nice;
neverallow bluetooth self:capability ~{ sys_nice net_admin };
neverallow appdomain self:capability2 *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
# Kernel memory access.
neverallow appdomain kmem_device:chr_file { read write };
# Setting SELinux enforcing status or booleans.
# Conditionally allowed to system_app for SEAndroidManager.
neverallow { domain -unconfineddomain -system -system_app } kernel:security { setenforce setbool };
# Load security policy.
neverallow appdomain kernel:security load_policy;
# Privileged netlink socket interfaces.
neverallow appdomain self:{ netlink_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } *;
# Access to /proc/pid entries for any non-app domain.
# Violated by cts.te rules so commented out for now.
#neverallow appdomain { domain - appdomain }:dir search;
#neverallow appdomain { domain - appdomain }:lnk_file read;
#neverallow appdomain { domain - appdomain }:file { read write };
# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;
# Transition to a non-app domain.
# Shell excluded since it has a transition to runas.
neverallow { appdomain -shell } ~appdomain:process { transition dyntransition };
# Map low memory.
neverallow appdomain self:memprotect mmap_zero;
# Write to /system.
neverallow appdomain system_file:dir_file_class_set write;
# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -system_app } system_data_file:dir_file_class_set write;

View file

@ -2,37 +2,4 @@
type bluetooth, domain;
permissive bluetooth;
app_domain(bluetooth)
# Data file accesses.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
# bluetooth factory file accesses.
r_dir_file(bluetooth, bluetooth_efs_file)
# Device accesses.
allow bluetooth { hci_attach_dev }:chr_file rw_file_perms;
allow bluetooth input_device:chr_file write;
# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow bluetooth self:capability net_admin;
# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
allow bluetoothdomain self:socket *;
allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
# tethering
allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
allow bluetooth efs_file:dir search;
# Talk to init over the property socket.
unix_socket_connect(bluetooth, property, init)
# Property Service
allow bluetooth bluetooth_prop:property_service set;
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
unconfined_domain(bluetooth)

View file

@ -4,8 +4,4 @@ permissive bluetoothd;
type bluetoothd_exec, exec_type, file_type;
init_daemon_domain(bluetoothd)
allow bluetoothd self:capability { setuid net_raw net_bind_service net_admin };
allow bluetoothd self:socket *;
allow bluetoothd bluetoothd_data_file:dir create_dir_perms;
allow bluetoothd bluetoothd_data_file:file create_file_perms;
unix_socket_connect(bluetoothd, dbus, dbusd)
unconfined_domain(bluetoothd)

39
cts.te
View file

@ -1,39 +0,0 @@
#
# Rules to allow the Android CTS to run.
# Do not enable in production policy.
#
bool android_cts false;
if (android_cts) {
# For TestDeviceSetup (RootProcessScanner).
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for android.security.cts.VoldExploitTest.
# Requires ability to read /proc/pid/cmdline of vold.
allow appdomain domain:dir r_dir_perms;
allow appdomain domain:{ file lnk_file } r_file_perms;
# Will still fail when trying to read other app /proc/pid
# entries due to MLS constraints. Just silence the denials.
dontaudit appdomain appdomain:dir r_dir_perms;
dontaudit appdomain appdomain:file r_file_perms;
# For android.permission.cts.FileSystemPermissionTest.
# Walk the file tree, stat any file in order to check file permissions.
allow appdomain fs_type:dir r_dir_perms;
allow appdomain dev_type:dir r_dir_perms;
allow appdomain file_type:dir_file_class_set getattr;
allow appdomain dev_type:dir_file_class_set getattr;
allow appdomain fs_type:dir_file_class_set getattr;
# Tries to open /dev/alarm for writing but expects failure.
dontaudit appdomain alarm_device:chr_file write;
# For android.security.cts.VoldExploitTest.
# Tries to create and use a netlink kobject uevent socket
# to test for a vulnerable vold.
dontaudit appdomain self:netlink_kobject_uevent_socket create;
# Tries to override DAC restrictions but expects to fail.
dontaudit shell self:capability dac_override;
}

View file

@ -4,6 +4,4 @@ permissive dbusd;
type dbusd_exec, exec_type, file_type;
init_daemon_domain(dbusd)
# Reads /proc/pid/cmdline of clients
r_dir_file(dbusd, system)
r_dir_file(dbusd, bluetoothd)
unconfined_domain(dbusd)

View file

@ -4,17 +4,4 @@ permissive debuggerd;
type debuggerd_exec, exec_type, file_type;
init_daemon_domain(debuggerd)
typeattribute debuggerd mlstrustedsubject;
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:process ptrace;
security_access_policy(debuggerd)
allow debuggerd system_data_file:dir create_dir_perms;
allow debuggerd system_data_file:dir relabelfrom;
allow debuggerd tombstone_data_file:dir relabelto;
allow debuggerd tombstone_data_file:dir create_dir_perms;
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd domain:process { sigstop signal };
allow debuggerd exec_type:file r_file_perms;
unconfined_domain(debuggerd)

25
dhcp.te
View file

@ -6,29 +6,6 @@ type dhcp_system_file, file_type, data_file_type;
init_daemon_domain(dhcp)
net_domain(dhcp)
allow dhcp cgroup:dir { create write add_name };
allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms;
allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
allow dhcp proc:file write;
allow dhcp system_prop:property_service set ;
allow dhcp dhcp_system_file:file rx_file_perms;
allow dhcp dhcp_system_file:dir r_dir_perms;
unix_socket_connect(dhcp, property, init)
unconfined_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
allow dhcp dhcp_data_file:dir create_dir_perms;
allow dhcp dhcp_data_file:file create_file_perms;
# PAN connections
allow dhcp netd:fd use;
allow dhcp netd:fifo_file rw_file_perms;
allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
# netdev-bt-pan driver loading
allow dhcp kernel:system module_request;
allow dhcp tty_device:chr_file { rw_file_perms };

122
domain.te
View file

@ -1,122 +0,0 @@
# Rules for all domains.
# Allow reaping by init.
allow domain init:process sigchld;
# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };
# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;
# binder adjusts the nice value during IPC.
allow domain self:capability sys_nice;
# Intra-domain accesses.
allow domain self:process ~{ execstack execheap };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:{ unix_dgram_socket unix_stream_socket } *;
# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system:fd use;
# Connect to adbd and use a socket transferred from it.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr read write shutdown };
# Talk to debuggerd.
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;
# Root fs.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:lnk_file { read getattr };
# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file read;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file r_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain powervr_device:chr_file rw_file_perms;
allow domain log_device:dir search;
allow domain log_device:chr_file rw_file_perms;
allow domain nv_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file r_file_perms;
allow domain random_device:chr_file r_file_perms;
allow domain properties_device:file r_file_perms;
# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
# System file accesses.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file read;
# Read files already opened under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file read;
# Read apk files under /data/app.
allow domain apk_data_file:dir search;
allow domain apk_data_file:file r_file_perms;
# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;
# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file read;
# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;
#Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;
# For /sys/qemu_trace files in the emulator.
bool in_qemu false;
if (in_qemu) {
allow domain sysfs:file rw_file_perms;
}
allow domain sysfs_writable:file rw_file_perms;
# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
# debugfs access
bool debugfs false;
if (debugfs) {
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file rw_file_perms;
} else {
dontaudit domain debugfs:dir r_dir_perms;
dontaudit domain debugfs:file rw_file_perms;
}
# security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;

View file

@ -4,29 +4,4 @@ permissive drmserver;
type drmserver_exec, exec_type, file_type;
init_daemon_domain(drmserver)
typeattribute drmserver mlstrustedsubject;
# Perform Binder IPC to system server.
binder_use(drmserver)
binder_call(drmserver, system)
binder_call(drmserver, appdomain)
binder_service(drmserver)
# Perform Binder IPC to mediaserver
binder_call(drmserver, mediaserver)
# Talk to the tee
allow drmserver tee:unix_stream_socket { connectto };
allow drmserver sdcard_type:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver self:{ tcp_socket udp_socket } *;
allow drmserver port:tcp_socket name_connect;
allow drmserver tee_device:chr_file rw_file_perms;
allow drmserver platform_app_data_file:file { read write getattr };
allow drmserver app_data_file:file { read write getattr };
allow drmserver apk_data_file:dir { write add_name remove_name };
allow drmserver apk_data_file:sock_file { create setattr unlink };
allow drmserver sdcard_type:file { read write getattr };
allow drmserver efs_file:file { open read getattr };
unconfined_domain(drmserver)

View file

@ -5,13 +5,8 @@ type gpsd_exec, exec_type, file_type;
init_daemon_domain(gpsd)
net_domain(gpsd)
allow gpsd gps_data_file:dir rw_dir_perms;
allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
unconfined_domain(gpsd)
# Socket is created by the daemon, not by init, and under /data/gps,
# not under /dev/socket.
type_transition gpsd gps_data_file:sock_file gps_socket;
allow gpsd gps_socket:sock_file create_file_perms;
# XXX Label sysfs files with a specific type?
allow gpsd sysfs:file rw_file_perms;
allow gpsd gps_device:chr_file rw_file_perms;

View file

@ -3,8 +3,4 @@ permissive hci_attach;
type hci_attach_exec, exec_type, file_type;
init_daemon_domain(hci_attach)
allow hci_attach kernel:system module_request;
allow hci_attach hci_attach_dev:chr_file rw_file_perms;
allow hci_attach bluetooth_efs_file:dir r_dir_perms;
allow hci_attach bluetooth_efs_file:file r_file_perms;
unconfined_domain(hci_attach)

View file

@ -4,3 +4,5 @@ permissive init;
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
# add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;

View file

@ -1,14 +1,5 @@
# Restricted domain for shell processes spawned by init
type init_shell, domain, mlstrustedsubject;
type init_shell, domain;
permissive init_shell;
domain_auto_trans(init, shell_exec, init_shell)
allow init_shell rootfs:dir r_dir_perms;
allow init_shell devpts:chr_file rw_file_perms;
allow init_shell tty_device:chr_file rw_file_perms;
allow init_shell console_device:chr_file rw_file_perms;
allow init_shell input_device:chr_file rw_file_perms;
allow init_shell system_file:file x_file_perms;
allow init_shell shell_exec:file rx_file_perms;
allow init_shell zygote_exec:file rx_file_perms;
# setprop toolbox command
unix_socket_connect(init_shell, property, init)
unconfined_domain(init_shell)

View file

@ -4,24 +4,4 @@ permissive installd;
type installd_exec, exec_type, file_type;
init_daemon_domain(installd)
typeattribute installd mlstrustedsubject;
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
allow installd system_data_file:file create_file_perms;
allow installd system_data_file:lnk_file create;
allow installd dalvikcache_data_file:file create_file_perms;
allow installd data_file_type:dir create_dir_perms;
allow installd data_file_type:dir { relabelfrom relabelto };
allow installd data_file_type:{ file lnk_file } { getattr unlink };
allow installd apk_data_file:file r_file_perms;
allow installd apk_tmp_file:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;
dontaudit installd self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(installd)
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(installd)
# ASEC
allow installd platform_app_data_file:lnk_file { create setattr };
allow installd app_data_file:lnk_file { create setattr };
allow installd asec_apk_file:file r_file_perms;
unconfined_domain(installd)

View file

@ -4,9 +4,4 @@ type keystore_exec, exec_type, file_type;
# keystore daemon
init_daemon_domain(keystore)
binder_use(keystore)
binder_service(keystore)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
allow keystore tee_device:chr_file rw_file_perms;
unconfined_domain(keystore)

View file

@ -3,52 +3,6 @@ type mediaserver, domain;
permissive mediaserver;
type mediaserver_exec, exec_type, file_type;
typeattribute mediaserver mlstrustedsubject;
net_domain(mediaserver)
init_daemon_domain(mediaserver)
unix_socket_connect(mediaserver, property, init)
r_dir_file(mediaserver, sdcard_type)
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)
allow mediaserver kernel:system module_request;
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file rw_file_perms;
allow mediaserver platform_app_data_file:file { getattr read };
allow mediaserver sdcard_type:file write;
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver graphics_device:chr_file rw_file_perms;
allow mediaserver video_device:chr_file rw_file_perms;
allow mediaserver audio_device:dir r_dir_perms;
allow mediaserver audio_device:chr_file rw_file_perms;
allow mediaserver qemu_device:chr_file rw_file_perms;
allow mediaserver tee_device:chr_file rw_file_perms;
allow mediaserver audio_prop:property_service set;
# XXX Label with a specific type?
allow mediaserver sysfs:file rw_file_perms;
# XXX Why?
allow mediaserver apk_data_file:file { read getattr };
# To use remote processor
allow mediaserver rpmsg_device:chr_file rw_file_perms;
# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system:fifo_file r_file_perms;
# Camera calibration
allow mediaserver camera_calibration_file:dir r_dir_perms;
allow mediaserver camera_calibration_file:file r_file_perms;
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
# Allow abstract socket connection
allow mediaserver rild:unix_stream_socket { connectto read write setopt };
unconfined_domain(mediaserver)

10
mtp.te
View file

@ -5,12 +5,4 @@ type mtp_exec, exec_type, file_type;
init_daemon_domain(mtp)
net_domain(mtp)
# pptp policy
allow mtp self:tcp_socket { create setopt connect write read };
allow mtp self:socket { create connect };
allow mtp self:rawip_socket create;
allow mtp self:capability net_raw;
allow mtp ppp:process signal;
allow mtp port:tcp_socket name_connect;
allow mtp vpn_data_file:dir search;
unconfined_domain(mtp)

14
net.te
View file

@ -2,17 +2,3 @@
type node, node_type;
type netif, netif_type;
type port, port_type;
# Use network sockets.
allow netdomain self:{ tcp_socket udp_socket } *;
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
# Get route information.
allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)

34
netd.te
View file

@ -1,38 +1,8 @@
# network manager
type netd, domain;
permissive netd;
type netd_exec, exec_type, file_type;
permissive netd;
unconfined_domain(netd)
init_daemon_domain(netd)
typeattribute netd mlstrustedsubject;
allow netd self:capability { net_admin net_raw sys_module kill };
allow netd self:netlink_kobject_uevent_socket *;
allow netd self:netlink_route_socket *;
allow netd self:netlink_nflog_socket *;
allow netd self:rawip_socket *;
allow netd self:udp_socket *;
allow netd node:udp_socket node_bind;
allow netd port:udp_socket name_bind;
allow netd self:unix_stream_socket *;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
# For /proc/sys/net/ipv[46]/route/flush.
# XXX Split /proc/sys/net into its own type.
allow netd proc:file write;
# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
allow netd sysfs:file write;
# Network driver loading.
allow netd kernel:system module_request;
# Set dhcp lease for PAN connection
unix_socket_connect(netd, property, init)
allow netd system_prop:property_service set;
# Connect to PAN
domain_auto_trans(netd, dhcp_exec, dhcp)
allow netd dhcp:process signal;

11
nfc.te
View file

@ -2,13 +2,4 @@
type nfc, domain;
permissive nfc;
app_domain(nfc)
# NFC device access.
allow nfc nfc_device:chr_file rw_file_perms;
# Data file accesses.
allow nfc nfc_data_file:dir create_dir_perms;
allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
allow nfc sysfs:file write;
unconfined_domain(nfc)

10
ping.te
View file

@ -2,12 +2,4 @@ type ping, domain;
permissive ping;
type ping_exec, file_type;
domain_auto_trans(shell, ping_exec, ping)
allow ping self:capability net_raw;
allow ping self:rawip_socket create_socket_perms;
allow ping self:udp_socket create_socket_perms;
allow ping node:rawip_socket node_bind;
allow ping dnsproxyd_socket:sock_file write;
allow ping netd:unix_stream_socket connectto;
allow ping devpts:chr_file rw_file_perms;
allow ping shell:fd use;
unconfined_domain(ping)

12
ppp.te
View file

@ -4,15 +4,5 @@ permissive ppp;
type ppp_device, dev_type;
type ppp_exec, exec_type, file_type;
type ppp_system_file, file_type;
unconfined_domain(ppp)
domain_auto_trans(mtp, ppp_exec, ppp)
allow ppp mtp:socket { read write ioctl };
allow ppp ppp_device:chr_file rw_file_perms;
allow ppp self:capability net_admin;
allow ppp self:udp_socket { create ioctl };
allow ppp ppp_system_file:dir search;
allow ppp ppp_system_file:file rx_file_perms;
allow ppp vpn_data_file:dir w_dir_perms;
allow ppp vpn_data_file:file create_file_perms;
allow ppp mtp:fd use;

View file

@ -4,4 +4,4 @@ permissive qemud;
type qemud_exec, exec_type, file_type;
init_daemon_domain(qemud)
allow qemud serial_device:chr_file rw_file_perms;
unconfined_domain(qemud)

View file

@ -3,24 +3,4 @@ type racoon, domain;
permissive racoon;
type racoon_exec, exec_type, file_type;
init_daemon_domain(racoon)
typeattribute racoon mlstrustedsubject;
binder_call(racoon, servicemanager)
binder_call(racoon, keystore)
allow racoon tun_device:chr_file r_file_perms;
allow racoon cgroup:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon port:udp_socket name_bind;
allow racoon node:udp_socket node_bind;
allow racoon self:{ key_socket udp_socket } create_socket_perms;
allow racoon self:tun_socket create;
allow racoon self:capability { net_admin net_bind_service net_raw setuid };
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon ppp_system_file:file rx_file_perms;
allow racoon ppp_system_file:dir search;
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
unconfined_domain(racoon)

View file

@ -5,20 +5,4 @@ app_domain(radio)
net_domain(radio)
bluetooth_domain(radio)
# Talks to init via the property socket.
unix_socket_connect(radio, property, init)
# Talks to rild via the rild socket.
unix_socket_connect(radio, rild, rild)
# Data file accesses.
allow radio radio_data_file:dir create_dir_perms;
allow radio radio_data_file:notdevfile_class_set create_file_perms;
allow radio alarm_device:chr_file rw_file_perms;
# Property service
allow radio radio_prop:property_service set;
# ctl interface
allow radio ctl_rildaemon_prop:property_service set;
unconfined_domain(radio)

40
rild.te
View file

@ -5,42 +5,4 @@ type rild_exec, exec_type, file_type;
init_daemon_domain(rild)
net_domain(rild)
allow rild self:netlink_route_socket { setopt write };
allow rild kernel:system module_request;
unix_socket_connect(rild, property, init)
unix_socket_connect(rild, qemud, qemud)
allow rild self:capability { setuid net_admin net_raw };
allow rild alarm_device:chr_file rw_file_perms;
allow rild cgroup:dir create_dir_perms;
allow rild radio_device:chr_file rw_file_perms;
allow rild radio_device:blk_file r_file_perms;
allow rild qemu_device:chr_file rw_file_perms;
allow rild mtd_device:dir search;
allow rild efs_file:dir create_dir_perms;
allow rild efs_file:file create_file_perms;
allow rild shell_exec:file rx_file_perms;
allow rild bluetooth_efs_file:file r_file_perms;
allow rild bluetooth_efs_file:dir r_dir_perms;
allow rild radio_data_file:dir rw_dir_perms;
allow rild radio_data_file:file create_file_perms;
allow rild sdcard_type:dir r_dir_perms;
allow rild system_data_file:dir create_dir_perms;
allow rild system_data_file:file create_file_perms;
allow rild system_file:file x_file_perms;
dontaudit rild self:capability sys_admin;
# XXX Label sysfs files with a specific type?
allow rild sysfs:file rw_file_perms;
# property service
allow rild rild_prop:property_service set;
allow rild radio_prop:property_service set;
# Read/Write to uart driver (for GPS)
allow rild gps_device:chr_file rw_file_perms;
allow rild tty_device:chr_file rw_file_perms;
# Allow rild to create, bind, read, write to itself through a netlink socket
allow rild self:netlink_socket { create bind read write };
allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
unconfined_domain(rild)

View file

@ -1,67 +1,7 @@
type runas, domain, mlstrustedsubject;
type runas, domain;
type runas_exec, file_type;
bool support_runas true;
if (support_runas) {
# ndk-gdb invokes adb shell ps to find the app PID.
r_dir_file(shell, untrusted_app)
dontaudit shell domain:dir r_dir_perms;
dontaudit shell domain:file r_file_perms;
# ndk-gdb invokes adb shell ls to check the app data dir.
allow shell app_data_file:dir search;
# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
allow shell untrusted_app:process sigkill;
dontaudit shell self:capability { sys_ptrace kill };
permissive runas;
unconfined_domain(runas)
# ndk-gdb invokes adb shell run-as.
domain_auto_trans(shell, runas_exec, runas)
allow runas adbd:process sigchld;
allow runas shell:fd use;
allow runas devpts:chr_file { read write ioctl };
# run-as reads package information.
allow runas system_data_file:file r_file_perms;
# run-as checks and changes to the app data dir.
dontaudit runas self:capability dac_override;
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
allow runas self:capability { setuid setgid };
# run-as switches to the app security context.
# read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(runas)
selinux_check_context(runas) # validate context
allow runas untrusted_app:process dyntransition; # setcon
# run-as runs lib/gdbserver from the app data dir.
allow untrusted_app system_data_file:file rx_file_perms;
# gdbserver reads the zygote.
allow untrusted_app zygote_exec:file r_file_perms;
# (grand)child death notification.
allow untrusted_app shell:process sigchld;
allow untrusted_app adbd:process sigchld;
# child shell or gdbserver pty access.
allow untrusted_app devpts:chr_file { getattr read write ioctl };
# gdbserver creates a socket in the app data dir.
allow untrusted_app app_data_file:sock_file { create unlink };
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd untrusted_app:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
}

View file

@ -3,11 +3,4 @@ permissive sdcardd;
type sdcardd_exec, exec_type, file_type;
init_daemon_domain(sdcardd)
allow sdcardd cgroup:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton;
allow sdcardd sdcard_type:filesystem mount;
allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
allow sdcardd system_data_file:dir create_dir_perms;
allow sdcardd system_data_file:file create_file_perms;
unconfined_domain(sdcardd)

View file

@ -4,12 +4,4 @@ permissive servicemanager;
type servicemanager_exec, exec_type, file_type;
init_daemon_domain(servicemanager)
# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
allow servicemanager domain:binder transfer;
unconfined_domain(servicemanager)

View file

@ -1,34 +1,8 @@
# Domain for shell processes spawned by ADB
type shell, domain, mlstrustedsubject;
type shell, domain;
type shell_exec, file_type;
allow shell rootfs:dir r_dir_perms;
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:chr_file rw_file_perms;
allow shell system_file:file x_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
# Access sdcard.
allow shell sdcard_type:dir rw_dir_perms;
allow shell sdcard_type:file create_file_perms;
r_dir_file(shell, apk_data_file)
allow shell dalvikcache_data_file:file { write setattr };
unconfined_domain(shell)
# Run app_process.
# XXX Split into its own domain?
app_domain(shell)
# Property Service
allow shell shell_prop:property_service set;
# setprop toolbox command
unix_socket_connect(shell, property, init)
# ctl interface
allow shell ctl_dumpstate_prop:property_service set;

View file

@ -4,32 +4,7 @@ permissive surfaceflinger;
type surfaceflinger_exec, exec_type, file_type;
init_daemon_domain(surfaceflinger)
typeattribute surfaceflinger mlstrustedsubject;
unconfined_domain(surfaceflinger)
# Talk to init over the property socket.
unix_socket_connect(surfaceflinger, property, init)
# Perform Binder IPC.
binder_use(surfaceflinger)
binder_call(surfaceflinger, system)
binder_service(surfaceflinger)
allow surfaceflinger init:binder transfer;
# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
allow surfaceflinger graphics_device:chr_file rw_file_perms;
# Access /dev/video1.
allow surfaceflinger video_device:chr_file rw_file_perms;
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket *;
# Set properties.
allow surfaceflinger system_prop:property_service set;
allow surfaceflinger ctl_default_prop:property_service set;
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger platform_app_data_file:file { read write };
allow surfaceflinger app_data_file:file { read write };

223
system.te
View file

@ -1,226 +1,11 @@
#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
type system_app, domain;
permissive system_app;
app_domain(system_app)
unconfined_domain(system_app)
# Perform binder IPC to any app domain.
binder_call(system_app, appdomain)
# Read and write system data files.
# May want to split into separate types.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
# Write to dalvikcache.
allow system_app dalvikcache_data_file:file { write setattr };
# Talk to keystore.
unix_socket_connect(system_app, keystore, keystore)
# Read SELinux enforcing status.
selinux_getenforce(system)
selinux_getenforce(system_app)
# Settings app reads sdcard for storage stats
allow system_app sdcard_type:dir r_dir_perms;
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system, domain, mlstrustedsubject;
# Child of the zygote.
allow system zygote:fd use;
allow system zygote:process sigchld;
allow system zygote_tmpfs:file read;
# system server gets network and bluetooth permissions.
net_domain(system)
bluetooth_domain(system)
# These are the capabilities assigned by the zygote to the
# system server.
# XXX See if we can remove some of these.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
# Triggered by /proc/pid accesses, not allowed.
dontaudit system self:capability sys_ptrace;
# Trigger module auto-load.
allow system kernel:system module_request;
# Use netlink uevent sockets.
allow system self:netlink_kobject_uevent_socket *;
# Kill apps.
allow system appdomain:process { sigkill signal };
# Set scheduling info for apps.
allow system appdomain:process { getsched setsched };
allow system mediaserver:process { getsched setsched };
# Read /proc data for apps.
allow system appdomain:dir r_dir_perms;
allow system appdomain:{ file lnk_file } rw_file_perms;
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system qtaguid_proc:file rw_file_perms;
allow system qtaguid_device:chr_file rw_file_perms;
# WifiWatchdog uses a packet_socket
allow system self:packet_socket *;
# Notify init of death.
allow system init:process sigchld;
# 3rd party VPN clients require a tun_socket to be created
allow system self:tun_socket create;
# Talk to init and various daemons via sockets.
unix_socket_connect(system, property, init)
unix_socket_connect(system, qemud, qemud)
unix_socket_connect(system, installd, installd)
unix_socket_connect(system, netd, netd)
unix_socket_connect(system, vold, vold)
unix_socket_connect(system, zygote, zygote)
unix_socket_connect(system, keystore, keystore)
unix_socket_connect(system, dbus, dbusd)
unix_socket_connect(system, gps, gpsd)
unix_socket_connect(system, bluetooth, bluetoothd)
unix_socket_connect(system, racoon, racoon)
unix_socket_send(system, wpa, wpa)
unix_socket_send(system, wpa, init)
# Communicate over a socket created by surfaceflinger.
allow system surfaceflinger:unix_stream_socket { read write setopt };
# Perform Binder IPC.
tmpfs_domain(system)
binder_use(system)
binder_call(system, binderservicedomain)
binder_call(system, appdomain)
binder_service(system)
# Read /proc/pid files for Binder clients.
r_dir_file(system, appdomain)
r_dir_file(system, mediaserver)
allow system appdomain:process getattr;
allow system mediaserver:process getattr;
# Specify any arguments to zygote.
allow system self:zygote *;
# Check SELinux permissions.
selinux_check_access(system)
# XXX Label sysfs files with a specific type?
allow system sysfs:file rw_file_perms;
allow system sysfs_nfc_power_writable:file rw_file_perms;
# Access devices.
allow system device:dir r_dir_perms;
allow system device:sock_file rw_file_perms;
allow system akm_device:chr_file rw_file_perms;
allow system accelerometer_device:chr_file rw_file_perms;
allow system alarm_device:chr_file rw_file_perms;
allow system graphics_device:dir search;
allow system graphics_device:chr_file rw_file_perms;
allow system iio_device:chr_file rw_file_perms;
allow system input_device:dir r_dir_perms;
allow system input_device:chr_file rw_file_perms;
allow system tty_device:chr_file rw_file_perms;
allow system urandom_device:chr_file rw_file_perms;
allow system usbaccessory_device:chr_file rw_file_perms;
allow system video_device:chr_file rw_file_perms;
allow system qemu_device:chr_file rw_file_perms;
allow system devpts:chr_file rw_file_perms;
# tun device used for 3rd party vpn apps
allow system tun_device:chr_file rw_file_perms;
# Manage data files.
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;
# Read /file_contexts and /data/security/file_contexts
security_access_policy(system)
# Relabel apk files.
allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
allow system { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
# Relabel wallpaper.
allow system system_data_file:file relabelfrom;
allow system wallpaper_file:file relabelto;
allow system wallpaper_file:file rw_file_perms;
# Relabel /data/anr.
allow system system_data_file:dir relabelfrom;
allow system anr_data_file:dir relabelto;
# Property Service write
allow system system_prop:property_service set;
allow system radio_prop:property_service set;
# ctl interface
allow system ctl_default_prop:property_service set;
type system, domain;
permissive system;
unconfined_domain(system);
# Create a socket for receiving info from wpa.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system system_wpa_socket:sock_file create_file_perms;
# Manage cache files.
allow system cache_file:dir { relabelfrom create_dir_perms };
allow system cache_file:file { relabelfrom create_file_perms };
# Run system programs, e.g. dexopt.
allow system system_file:file x_file_perms;
# Allow reading of /proc/pid data for other domains.
# XXX dontaudit candidate
allow system domain:dir r_dir_perms;
allow system domain:file r_file_perms;
# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system gps_device:chr_file rw_file_perms;
allow system gps_control:file rw_file_perms;
# system Read/Write tcp/udp_socket of untrusted_app
allow system appdomain:{ tcp_socket udp_socket } { setopt read write };
# Allow abstract socket connection
allow system rild:unix_stream_socket connectto;
# connect to vpn tunnel
allow system mtp:unix_stream_socket { connectto };
# BackupManagerService lets PMS create a data backup file
allow system cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
# Allow system to talk to usb device
allow system usb_device:chr_file rw_file_perms;
allow system usb_device:dir r_dir_perms;
# Allow system to talk to sensors
allow system sensors_device:chr_file rw_file_perms;
# Allow system to search the /sys/devices/system/cpu directory
allow system sysfs_devices_system_cpu:dir search;
# Allow system to write to the adbd_socket
allow system adbd_socket:sock_file write;

8
tee.te
View file

@ -2,14 +2,10 @@
# trusted execution environment (tee) daemon
#
type tee, domain;
permissive tee;
type tee_exec, exec_type, file_type;
type tee_device, dev_type;
type tee_data_file, file_type, data_file_type;
permissive tee;
unconfined_domain(netd)
init_daemon_domain(tee)
allow tee self:capability { dac_override };
allow tee tee_device:chr_file rw_file_perms;
allow tee tee_data_file:dir { getattr write add_name };
allow tee tee_data_file:file create_file_perms;
allow tee self:netlink_socket { create bind read };

View file

@ -3,21 +3,5 @@
type ueventd, domain;
permissive ueventd;
tmpfs_domain(ueventd)
write_klog(ueventd)
security_access_policy(ueventd)
unconfined_domain(ueventd)
allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
allow ueventd sysfs:file rw_file_perms;
allow ueventd sysfs:file setattr;
allow ueventd sysfs_type:file { relabelfrom relabelto };
allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { create setattr unlink };
allow ueventd dev_type:blk_file { create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket *;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;

View file

@ -19,5 +19,5 @@ allow unconfineddomain netif_type:netif *;
allow unconfineddomain port_type:socket_class_set name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
allow unconfineddomain domain:binder { call transfer };
allow unconfineddomain domain:binder { call transfer set_context_mgr };
allow unconfineddomain property_type:property_service set;

69
vold.te
View file

@ -4,71 +4,4 @@ permissive vold;
type vold_exec, exec_type, file_type;
init_daemon_domain(vold)
typeattribute vold mlstrustedsubject;
allow vold system_file:file x_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
allow vold sdcard_type:dir create_dir_perms;
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket *;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
allow vold loop_device:blk_file rw_file_perms;
allow vold dm_device:chr_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace };
# Grant vold the capability to reboot the system
allow vold self:capability { sys_boot };
# XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms;
write_klog(vold)
#
# Rules to support encrypted fs support.
#
# Set property.
unix_socket_connect(vold, property, init)
# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount remount };
# Access /efs/userdata_footer.
# XXX Split into a separate type?
allow vold efs_file:file rw_file_perms;
# Request AES module.
allow vold kernel:system module_request;
# Write to /proc/sysrq-trigger
# XXX Label with a distinct type?
allow vold proc:file write;
# Create and mount on /data/tmp_mnt.
allow vold system_data_file:dir { create rw_dir_perms mounton };
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
# Property Service
allow vold vold_prop:property_service set;
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
allow vold asec_apk_file:dir { rw_dir_perms setattr };
allow vold asec_apk_file:file { r_file_perms setattr };
unconfined_domain(vold)

View file

@ -1,9 +1,4 @@
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
permissive watchdogd;
allow watchdogd rootfs:file { entrypoint r_file_perms };
allow watchdogd self:capability mknod;
allow watchdogd device:dir { add_name write remove_name };
allow watchdogd watchdog_device:chr_file rw_file_perms;
# because of /dev/__kmsg__ and /dev/__null__
allow watchdogd device:chr_file create_file_perms;
unconfined_domain(watchdogd)

View file

@ -4,18 +4,5 @@ permissive wpa;
type wpa_exec, exec_type, file_type;
init_daemon_domain(wpa)
allow wpa kernel:system module_request;
allow wpa self:capability { setuid net_admin setgid net_raw };
allow wpa cgroup:dir create_dir_perms;
allow wpa self:netlink_route_socket *;
allow wpa self:netlink_socket *;
allow wpa self:packet_socket *;
allow wpa self:udp_socket *;
allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;
unix_socket_send(wpa, system_wpa, system)
allow wpa random_device:chr_file r_file_perms;
# Create a socket for receiving info from wpa
unconfined_domain(wpa)
type_transition wpa wifi_data_file:sock_file wpa_socket;
allow wpa wpa_socket:sock_file create_file_perms;

View file

@ -1,44 +1,7 @@
# zygote
type zygote, domain;
permissive zygote;
type zygote_exec, exec_type, file_type;
permissive zygote;
init_daemon_domain(zygote)
typeattribute zygote mlstrustedsubject;
# Override DAC on files and switch uid/gid.
allow zygote self:capability { dac_override setgid setuid };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
allow zygote system:process dyntransition;
allow zygote appdomain:process dyntransition;
# Move children into the peer process group.
allow zygote system:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
# Write to system data.
allow zygote system_data_file:dir rw_dir_perms;
allow zygote system_data_file:file create_file_perms;
allow zygote dalvikcache_data_file:dir rw_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
# Execute dexopt.
allow zygote system_file:file x_file_perms;
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(zygote)
# Setting up /storage/emulated.
allow zygote rootfs:dir mounton;
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
dontaudit zygote self:capability fsetid;
allow zygote tmpfs:dir { write create add_name setattr mounton search };
allow zygote tmpfs:filesystem mount;
allow zygote labeledfs:filesystem remount;
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file { execute_no_trans open };
unconfined_domain(zygote)