Merge "Remove 26.0 and 27.0 compat support" am: 26950bb361
am: f4d3471aac
am: cc93d7690f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903972 Change-Id: I6608f3a2e3cda124893e42aef86e7c63783b6853
This commit is contained in:
commit
471829bb7b
620 changed files with 0 additions and 63157 deletions
124
Android.bp
124
Android.bp
|
@ -44,20 +44,6 @@ license {
|
|||
|
||||
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
|
||||
|
||||
se_filegroup {
|
||||
name: "26.0.board.compat.map",
|
||||
srcs: [
|
||||
"compat/26.0/26.0.cil",
|
||||
],
|
||||
}
|
||||
|
||||
se_filegroup {
|
||||
name: "27.0.board.compat.map",
|
||||
srcs: [
|
||||
"compat/27.0/27.0.cil",
|
||||
],
|
||||
}
|
||||
|
||||
se_filegroup {
|
||||
name: "28.0.board.compat.map",
|
||||
srcs: [
|
||||
|
@ -93,20 +79,6 @@ se_filegroup {
|
|||
],
|
||||
}
|
||||
|
||||
se_filegroup {
|
||||
name: "26.0.board.compat.cil",
|
||||
srcs: [
|
||||
"compat/26.0/26.0.compat.cil",
|
||||
],
|
||||
}
|
||||
|
||||
se_filegroup {
|
||||
name: "27.0.board.compat.cil",
|
||||
srcs: [
|
||||
"compat/27.0/27.0.compat.cil",
|
||||
],
|
||||
}
|
||||
|
||||
se_filegroup {
|
||||
name: "28.0.board.compat.cil",
|
||||
srcs: [
|
||||
|
@ -142,20 +114,6 @@ se_filegroup {
|
|||
],
|
||||
}
|
||||
|
||||
se_filegroup {
|
||||
name: "26.0.board.ignore.map",
|
||||
srcs: [
|
||||
"compat/26.0/26.0.ignore.cil",
|
||||
],
|
||||
}
|
||||
|
||||
se_filegroup {
|
||||
name: "27.0.board.ignore.map",
|
||||
srcs: [
|
||||
"compat/27.0/27.0.ignore.cil",
|
||||
],
|
||||
}
|
||||
|
||||
se_filegroup {
|
||||
name: "28.0.board.ignore.map",
|
||||
srcs: [
|
||||
|
@ -191,20 +149,6 @@ se_filegroup {
|
|||
],
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "plat_26.0.cil",
|
||||
stem: "26.0.cil",
|
||||
bottom_half: [":26.0.board.compat.map"],
|
||||
top_half: "plat_27.0.cil",
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "plat_27.0.cil",
|
||||
stem: "27.0.cil",
|
||||
bottom_half: [":27.0.board.compat.map"],
|
||||
top_half: "plat_28.0.cil",
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "plat_28.0.cil",
|
||||
stem: "28.0.cil",
|
||||
|
@ -240,22 +184,6 @@ se_cil_compat_map {
|
|||
// top_half: "plat_33.0.cil",
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "system_ext_26.0.cil",
|
||||
stem: "26.0.cil",
|
||||
bottom_half: [":26.0.board.compat.map"],
|
||||
top_half: "system_ext_27.0.cil",
|
||||
system_ext_specific: true,
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "system_ext_27.0.cil",
|
||||
stem: "27.0.cil",
|
||||
bottom_half: [":27.0.board.compat.map"],
|
||||
top_half: "system_ext_28.0.cil",
|
||||
system_ext_specific: true,
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "system_ext_28.0.cil",
|
||||
stem: "28.0.cil",
|
||||
|
@ -296,22 +224,6 @@ se_cil_compat_map {
|
|||
system_ext_specific: true,
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "product_26.0.cil",
|
||||
stem: "26.0.cil",
|
||||
bottom_half: [":26.0.board.compat.map"],
|
||||
top_half: "product_27.0.cil",
|
||||
product_specific: true,
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "product_27.0.cil",
|
||||
stem: "27.0.cil",
|
||||
bottom_half: [":27.0.board.compat.map"],
|
||||
top_half: "product_28.0.cil",
|
||||
product_specific: true,
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "product_28.0.cil",
|
||||
stem: "28.0.cil",
|
||||
|
@ -352,18 +264,6 @@ se_cil_compat_map {
|
|||
product_specific: true,
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "26.0.ignore.cil",
|
||||
bottom_half: [":26.0.board.ignore.map"],
|
||||
top_half: "27.0.ignore.cil",
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "27.0.ignore.cil",
|
||||
bottom_half: [":27.0.board.ignore.map"],
|
||||
top_half: "28.0.ignore.cil",
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "28.0.ignore.cil",
|
||||
bottom_half: [":28.0.board.ignore.map"],
|
||||
|
@ -436,16 +336,6 @@ se_cil_compat_map {
|
|||
product_specific: true,
|
||||
}
|
||||
|
||||
se_compat_cil {
|
||||
name: "26.0.compat.cil",
|
||||
srcs: [":26.0.board.compat.cil"],
|
||||
}
|
||||
|
||||
se_compat_cil {
|
||||
name: "27.0.compat.cil",
|
||||
srcs: [":27.0.board.compat.cil"],
|
||||
}
|
||||
|
||||
se_compat_cil {
|
||||
name: "28.0.compat.cil",
|
||||
srcs: [":28.0.board.compat.cil"],
|
||||
|
@ -471,20 +361,6 @@ se_compat_cil {
|
|||
srcs: [":32.0.board.compat.cil"],
|
||||
}
|
||||
|
||||
se_compat_cil {
|
||||
name: "system_ext_26.0.compat.cil",
|
||||
srcs: [":26.0.board.compat.cil"],
|
||||
stem: "26.0.compat.cil",
|
||||
system_ext_specific: true,
|
||||
}
|
||||
|
||||
se_compat_cil {
|
||||
name: "system_ext_27.0.compat.cil",
|
||||
srcs: [":27.0.board.compat.cil"],
|
||||
stem: "27.0.compat.cil",
|
||||
system_ext_specific: true,
|
||||
}
|
||||
|
||||
se_compat_cil {
|
||||
name: "system_ext_28.0.compat.cil",
|
||||
srcs: [":28.0.board.compat.cil"],
|
||||
|
|
|
@ -1296,10 +1296,6 @@ base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_
|
|||
base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
|
||||
base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
|
||||
|
||||
version_under_treble_tests := 26.0
|
||||
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
|
||||
version_under_treble_tests := 27.0
|
||||
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
|
||||
version_under_treble_tests := 28.0
|
||||
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
|
||||
version_under_treble_tests := 29.0
|
||||
|
@ -1312,10 +1308,6 @@ version_under_treble_tests := 32.0
|
|||
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
|
||||
endif # PRODUCT_SEPOLICY_SPLIT
|
||||
|
||||
version_under_treble_tests := 26.0
|
||||
include $(LOCAL_PATH)/compat.mk
|
||||
version_under_treble_tests := 27.0
|
||||
include $(LOCAL_PATH)/compat.mk
|
||||
version_under_treble_tests := 28.0
|
||||
include $(LOCAL_PATH)/compat.mk
|
||||
version_under_treble_tests := 29.0
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,710 +0,0 @@
|
|||
#
|
||||
# Define common prefixes for access vectors
|
||||
#
|
||||
# common common_name { permission_name ... }
|
||||
|
||||
|
||||
#
|
||||
# Define a common prefix for file access vectors.
|
||||
#
|
||||
|
||||
common file
|
||||
{
|
||||
ioctl
|
||||
read
|
||||
write
|
||||
create
|
||||
getattr
|
||||
setattr
|
||||
lock
|
||||
relabelfrom
|
||||
relabelto
|
||||
append
|
||||
unlink
|
||||
link
|
||||
rename
|
||||
execute
|
||||
quotaon
|
||||
mounton
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Define a common prefix for socket access vectors.
|
||||
#
|
||||
|
||||
common socket
|
||||
{
|
||||
# inherited from file
|
||||
ioctl
|
||||
read
|
||||
write
|
||||
create
|
||||
getattr
|
||||
setattr
|
||||
lock
|
||||
relabelfrom
|
||||
relabelto
|
||||
append
|
||||
# socket-specific
|
||||
bind
|
||||
connect
|
||||
listen
|
||||
accept
|
||||
getopt
|
||||
setopt
|
||||
shutdown
|
||||
recvfrom
|
||||
sendto
|
||||
name_bind
|
||||
}
|
||||
|
||||
#
|
||||
# Define a common prefix for ipc access vectors.
|
||||
#
|
||||
|
||||
common ipc
|
||||
{
|
||||
create
|
||||
destroy
|
||||
getattr
|
||||
setattr
|
||||
read
|
||||
write
|
||||
associate
|
||||
unix_read
|
||||
unix_write
|
||||
}
|
||||
|
||||
#
|
||||
# Define a common for capability access vectors.
|
||||
#
|
||||
common cap
|
||||
{
|
||||
# The capabilities are defined in include/linux/capability.h
|
||||
# Capabilities >= 32 are defined in the cap2 common.
|
||||
# Care should be taken to ensure that these are consistent with
|
||||
# those definitions. (Order matters)
|
||||
|
||||
chown
|
||||
dac_override
|
||||
dac_read_search
|
||||
fowner
|
||||
fsetid
|
||||
kill
|
||||
setgid
|
||||
setuid
|
||||
setpcap
|
||||
linux_immutable
|
||||
net_bind_service
|
||||
net_broadcast
|
||||
net_admin
|
||||
net_raw
|
||||
ipc_lock
|
||||
ipc_owner
|
||||
sys_module
|
||||
sys_rawio
|
||||
sys_chroot
|
||||
sys_ptrace
|
||||
sys_pacct
|
||||
sys_admin
|
||||
sys_boot
|
||||
sys_nice
|
||||
sys_resource
|
||||
sys_time
|
||||
sys_tty_config
|
||||
mknod
|
||||
lease
|
||||
audit_write
|
||||
audit_control
|
||||
setfcap
|
||||
}
|
||||
|
||||
common cap2
|
||||
{
|
||||
mac_override # unused by SELinux
|
||||
mac_admin # unused by SELinux
|
||||
syslog
|
||||
wake_alarm
|
||||
block_suspend
|
||||
audit_read
|
||||
}
|
||||
|
||||
#
|
||||
# Define the access vectors.
|
||||
#
|
||||
# class class_name [ inherits common_name ] { permission_name ... }
|
||||
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for file-related objects.
|
||||
#
|
||||
|
||||
class filesystem
|
||||
{
|
||||
mount
|
||||
remount
|
||||
unmount
|
||||
getattr
|
||||
relabelfrom
|
||||
relabelto
|
||||
associate
|
||||
quotamod
|
||||
quotaget
|
||||
}
|
||||
|
||||
class dir
|
||||
inherits file
|
||||
{
|
||||
add_name
|
||||
remove_name
|
||||
reparent
|
||||
search
|
||||
rmdir
|
||||
open
|
||||
audit_access
|
||||
execmod
|
||||
}
|
||||
|
||||
class file
|
||||
inherits file
|
||||
{
|
||||
execute_no_trans
|
||||
entrypoint
|
||||
execmod
|
||||
open
|
||||
audit_access
|
||||
}
|
||||
|
||||
class lnk_file
|
||||
inherits file
|
||||
{
|
||||
open
|
||||
audit_access
|
||||
execmod
|
||||
}
|
||||
|
||||
class chr_file
|
||||
inherits file
|
||||
{
|
||||
execute_no_trans
|
||||
entrypoint
|
||||
execmod
|
||||
open
|
||||
audit_access
|
||||
}
|
||||
|
||||
class blk_file
|
||||
inherits file
|
||||
{
|
||||
open
|
||||
audit_access
|
||||
execmod
|
||||
}
|
||||
|
||||
class sock_file
|
||||
inherits file
|
||||
{
|
||||
open
|
||||
audit_access
|
||||
execmod
|
||||
}
|
||||
|
||||
class fifo_file
|
||||
inherits file
|
||||
{
|
||||
open
|
||||
audit_access
|
||||
execmod
|
||||
}
|
||||
|
||||
class fd
|
||||
{
|
||||
use
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for network-related objects.
|
||||
#
|
||||
|
||||
class socket
|
||||
inherits socket
|
||||
|
||||
class tcp_socket
|
||||
inherits socket
|
||||
{
|
||||
node_bind
|
||||
name_connect
|
||||
}
|
||||
|
||||
class udp_socket
|
||||
inherits socket
|
||||
{
|
||||
node_bind
|
||||
}
|
||||
|
||||
class rawip_socket
|
||||
inherits socket
|
||||
{
|
||||
node_bind
|
||||
}
|
||||
|
||||
class node
|
||||
{
|
||||
recvfrom
|
||||
sendto
|
||||
}
|
||||
|
||||
class netif
|
||||
{
|
||||
ingress
|
||||
egress
|
||||
}
|
||||
|
||||
class netlink_socket
|
||||
inherits socket
|
||||
|
||||
class packet_socket
|
||||
inherits socket
|
||||
|
||||
class key_socket
|
||||
inherits socket
|
||||
|
||||
class unix_stream_socket
|
||||
inherits socket
|
||||
{
|
||||
connectto
|
||||
}
|
||||
|
||||
class unix_dgram_socket
|
||||
inherits socket
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for process-related objects
|
||||
#
|
||||
|
||||
class process
|
||||
{
|
||||
fork
|
||||
transition
|
||||
sigchld # commonly granted from child to parent
|
||||
sigkill # cannot be caught or ignored
|
||||
sigstop # cannot be caught or ignored
|
||||
signull # for kill(pid, 0)
|
||||
signal # all other signals
|
||||
ptrace
|
||||
getsched
|
||||
setsched
|
||||
getsession
|
||||
getpgid
|
||||
setpgid
|
||||
getcap
|
||||
setcap
|
||||
share
|
||||
getattr
|
||||
setexec
|
||||
setfscreate
|
||||
noatsecure
|
||||
siginh
|
||||
setrlimit
|
||||
rlimitinh
|
||||
dyntransition
|
||||
setcurrent
|
||||
execmem
|
||||
execstack
|
||||
execheap
|
||||
setkeycreate
|
||||
setsockcreate
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for ipc-related objects
|
||||
#
|
||||
|
||||
class ipc
|
||||
inherits ipc
|
||||
|
||||
class sem
|
||||
inherits ipc
|
||||
|
||||
class msgq
|
||||
inherits ipc
|
||||
{
|
||||
enqueue
|
||||
}
|
||||
|
||||
class msg
|
||||
{
|
||||
send
|
||||
receive
|
||||
}
|
||||
|
||||
class shm
|
||||
inherits ipc
|
||||
{
|
||||
lock
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for the security server.
|
||||
#
|
||||
|
||||
class security
|
||||
{
|
||||
compute_av
|
||||
compute_create
|
||||
compute_member
|
||||
check_context
|
||||
load_policy
|
||||
compute_relabel
|
||||
compute_user
|
||||
setenforce # was avc_toggle in system class
|
||||
setbool
|
||||
setsecparam
|
||||
setcheckreqprot
|
||||
read_policy
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for system operations.
|
||||
#
|
||||
|
||||
class system
|
||||
{
|
||||
ipc_info
|
||||
syslog_read
|
||||
syslog_mod
|
||||
syslog_console
|
||||
module_request
|
||||
module_load
|
||||
}
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for controlling capabilities
|
||||
#
|
||||
|
||||
class capability
|
||||
inherits cap
|
||||
|
||||
class capability2
|
||||
inherits cap2
|
||||
|
||||
#
|
||||
# Extended Netlink classes
|
||||
#
|
||||
class netlink_route_socket
|
||||
inherits socket
|
||||
{
|
||||
nlmsg_read
|
||||
nlmsg_write
|
||||
}
|
||||
|
||||
class netlink_tcpdiag_socket
|
||||
inherits socket
|
||||
{
|
||||
nlmsg_read
|
||||
nlmsg_write
|
||||
}
|
||||
|
||||
class netlink_nflog_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_xfrm_socket
|
||||
inherits socket
|
||||
{
|
||||
nlmsg_read
|
||||
nlmsg_write
|
||||
}
|
||||
|
||||
class netlink_selinux_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_audit_socket
|
||||
inherits socket
|
||||
{
|
||||
nlmsg_read
|
||||
nlmsg_write
|
||||
nlmsg_relay
|
||||
nlmsg_readpriv
|
||||
nlmsg_tty_audit
|
||||
}
|
||||
|
||||
class netlink_dnrt_socket
|
||||
inherits socket
|
||||
|
||||
# Define the access vector interpretation for controlling
|
||||
# access to IPSec network data by association
|
||||
#
|
||||
class association
|
||||
{
|
||||
sendto
|
||||
recvfrom
|
||||
setcontext
|
||||
polmatch
|
||||
}
|
||||
|
||||
# Updated Netlink class for KOBJECT_UEVENT family.
|
||||
class netlink_kobject_uevent_socket
|
||||
inherits socket
|
||||
|
||||
class appletalk_socket
|
||||
inherits socket
|
||||
|
||||
class packet
|
||||
{
|
||||
send
|
||||
recv
|
||||
relabelto
|
||||
flow_in # deprecated
|
||||
flow_out # deprecated
|
||||
forward_in
|
||||
forward_out
|
||||
}
|
||||
|
||||
class key
|
||||
{
|
||||
view
|
||||
read
|
||||
write
|
||||
search
|
||||
link
|
||||
setattr
|
||||
create
|
||||
}
|
||||
|
||||
class dccp_socket
|
||||
inherits socket
|
||||
{
|
||||
node_bind
|
||||
name_connect
|
||||
}
|
||||
|
||||
class memprotect
|
||||
{
|
||||
mmap_zero
|
||||
}
|
||||
|
||||
# network peer labels
|
||||
class peer
|
||||
{
|
||||
recv
|
||||
}
|
||||
|
||||
class kernel_service
|
||||
{
|
||||
use_as_override
|
||||
create_files_as
|
||||
}
|
||||
|
||||
class tun_socket
|
||||
inherits socket
|
||||
{
|
||||
attach_queue
|
||||
}
|
||||
|
||||
class binder
|
||||
{
|
||||
impersonate
|
||||
call
|
||||
set_context_mgr
|
||||
transfer
|
||||
}
|
||||
|
||||
class netlink_iscsi_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_fib_lookup_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_connector_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_netfilter_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_generic_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_scsitransport_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_rdma_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_crypto_socket
|
||||
inherits socket
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for controlling capabilities
|
||||
# in user namespaces
|
||||
#
|
||||
|
||||
class cap_userns
|
||||
inherits cap
|
||||
|
||||
class cap2_userns
|
||||
inherits cap2
|
||||
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for the new socket classes
|
||||
# enabled by the extended_socket_class policy capability.
|
||||
#
|
||||
|
||||
#
|
||||
# The next two classes were previously mapped to rawip_socket and therefore
|
||||
# have the same definition as rawip_socket (until further permissions
|
||||
# are defined).
|
||||
#
|
||||
class sctp_socket
|
||||
inherits socket
|
||||
{
|
||||
node_bind
|
||||
}
|
||||
|
||||
class icmp_socket
|
||||
inherits socket
|
||||
{
|
||||
node_bind
|
||||
}
|
||||
|
||||
#
|
||||
# The remaining network socket classes were previously
|
||||
# mapped to the socket class and therefore have the
|
||||
# same definition as socket.
|
||||
#
|
||||
|
||||
class ax25_socket
|
||||
inherits socket
|
||||
|
||||
class ipx_socket
|
||||
inherits socket
|
||||
|
||||
class netrom_socket
|
||||
inherits socket
|
||||
|
||||
class atmpvc_socket
|
||||
inherits socket
|
||||
|
||||
class x25_socket
|
||||
inherits socket
|
||||
|
||||
class rose_socket
|
||||
inherits socket
|
||||
|
||||
class decnet_socket
|
||||
inherits socket
|
||||
|
||||
class atmsvc_socket
|
||||
inherits socket
|
||||
|
||||
class rds_socket
|
||||
inherits socket
|
||||
|
||||
class irda_socket
|
||||
inherits socket
|
||||
|
||||
class pppox_socket
|
||||
inherits socket
|
||||
|
||||
class llc_socket
|
||||
inherits socket
|
||||
|
||||
class can_socket
|
||||
inherits socket
|
||||
|
||||
class tipc_socket
|
||||
inherits socket
|
||||
|
||||
class bluetooth_socket
|
||||
inherits socket
|
||||
|
||||
class iucv_socket
|
||||
inherits socket
|
||||
|
||||
class rxrpc_socket
|
||||
inherits socket
|
||||
|
||||
class isdn_socket
|
||||
inherits socket
|
||||
|
||||
class phonet_socket
|
||||
inherits socket
|
||||
|
||||
class ieee802154_socket
|
||||
inherits socket
|
||||
|
||||
class caif_socket
|
||||
inherits socket
|
||||
|
||||
class alg_socket
|
||||
inherits socket
|
||||
|
||||
class nfc_socket
|
||||
inherits socket
|
||||
|
||||
class vsock_socket
|
||||
inherits socket
|
||||
|
||||
class kcm_socket
|
||||
inherits socket
|
||||
|
||||
class qipcrtr_socket
|
||||
inherits socket
|
||||
|
||||
class property_service
|
||||
{
|
||||
set
|
||||
}
|
||||
|
||||
class service_manager
|
||||
{
|
||||
add
|
||||
find
|
||||
list
|
||||
}
|
||||
|
||||
class hwservice_manager
|
||||
{
|
||||
add
|
||||
find
|
||||
list
|
||||
}
|
||||
|
||||
class keystore_key
|
||||
{
|
||||
get_state
|
||||
get
|
||||
insert
|
||||
delete
|
||||
exist
|
||||
list
|
||||
reset
|
||||
password
|
||||
lock
|
||||
unlock
|
||||
is_empty
|
||||
sign
|
||||
verify
|
||||
grant
|
||||
duplicate
|
||||
clear_uid
|
||||
add_auth
|
||||
user_changed
|
||||
gen_unique_id
|
||||
}
|
||||
|
||||
class drmservice {
|
||||
consumeRights
|
||||
setPlaybackStatus
|
||||
openDecryptSession
|
||||
closeDecryptSession
|
||||
initializeDecryptUnit
|
||||
decrypt
|
||||
finalizeDecryptUnit
|
||||
pread
|
||||
}
|
|
@ -1,141 +0,0 @@
|
|||
### ADB daemon
|
||||
|
||||
typeattribute adbd coredomain;
|
||||
typeattribute adbd mlstrustedsubject;
|
||||
|
||||
domain_auto_trans(adbd, shell_exec, shell)
|
||||
|
||||
userdebug_or_eng(`
|
||||
allow adbd self:process setcurrent;
|
||||
allow adbd su:process dyntransition;
|
||||
')
|
||||
|
||||
# Do not sanitize the environment or open fds of the shell. Allow signaling
|
||||
# created processes.
|
||||
allow adbd shell:process { noatsecure signal };
|
||||
|
||||
# Set UID and GID to shell. Set supplementary groups.
|
||||
allow adbd self:capability { setuid setgid };
|
||||
|
||||
# Drop capabilities from bounding set on user builds.
|
||||
allow adbd self:capability setpcap;
|
||||
|
||||
# Create and use network sockets.
|
||||
net_domain(adbd)
|
||||
|
||||
# Access /dev/usb-ffs/adb/ep0
|
||||
allow adbd functionfs:dir search;
|
||||
allow adbd functionfs:file rw_file_perms;
|
||||
|
||||
# Use a pseudo tty.
|
||||
allow adbd devpts:chr_file rw_file_perms;
|
||||
|
||||
# adb push/pull /data/local/tmp.
|
||||
allow adbd shell_data_file:dir create_dir_perms;
|
||||
allow adbd shell_data_file:file create_file_perms;
|
||||
|
||||
# adb pull /data/misc/profman.
|
||||
allow adbd profman_dump_data_file:dir r_dir_perms;
|
||||
allow adbd profman_dump_data_file:file r_file_perms;
|
||||
|
||||
# adb push/pull sdcard.
|
||||
allow adbd tmpfs:dir search;
|
||||
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
|
||||
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
|
||||
allow adbd sdcard_type:dir create_dir_perms;
|
||||
allow adbd sdcard_type:file create_file_perms;
|
||||
|
||||
# adb pull /data/anr/traces.txt
|
||||
allow adbd anr_data_file:dir r_dir_perms;
|
||||
allow adbd anr_data_file:file r_file_perms;
|
||||
|
||||
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
|
||||
set_prop(adbd, shell_prop)
|
||||
set_prop(adbd, powerctl_prop)
|
||||
set_prop(adbd, ffs_prop)
|
||||
|
||||
# Access device logging gating property
|
||||
get_prop(adbd, device_logging_prop)
|
||||
|
||||
# Read device's serial number from system properties
|
||||
get_prop(adbd, serialno_prop)
|
||||
|
||||
# Run /system/bin/bu
|
||||
allow adbd system_file:file rx_file_perms;
|
||||
|
||||
# Perform binder IPC to surfaceflinger (screencap)
|
||||
# XXX Run screencap in a separate domain?
|
||||
binder_use(adbd)
|
||||
binder_call(adbd, surfaceflinger)
|
||||
# b/13188914
|
||||
allow adbd gpu_device:chr_file rw_file_perms;
|
||||
allow adbd ion_device:chr_file rw_file_perms;
|
||||
r_dir_file(adbd, system_file)
|
||||
|
||||
# Needed for various screenshots
|
||||
hal_client_domain(adbd, hal_graphics_allocator)
|
||||
|
||||
# Read /data/misc/adb/adb_keys.
|
||||
allow adbd adb_keys_file:dir search;
|
||||
allow adbd adb_keys_file:file r_file_perms;
|
||||
|
||||
userdebug_or_eng(`
|
||||
# Write debugging information to /data/adb
|
||||
# when persist.adb.trace_mask is set
|
||||
# https://code.google.com/p/android/issues/detail?id=72895
|
||||
allow adbd adb_data_file:dir rw_dir_perms;
|
||||
allow adbd adb_data_file:file create_file_perms;
|
||||
')
|
||||
|
||||
# ndk-gdb invokes adb forward to forward the gdbserver socket.
|
||||
allow adbd app_data_file:dir search;
|
||||
allow adbd app_data_file:sock_file write;
|
||||
allow adbd appdomain:unix_stream_socket connectto;
|
||||
|
||||
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
|
||||
allow adbd zygote_exec:file r_file_perms;
|
||||
allow adbd system_file:file r_file_perms;
|
||||
|
||||
# Allow pulling the SELinux policy for CTS purposes
|
||||
allow adbd selinuxfs:dir r_dir_perms;
|
||||
allow adbd selinuxfs:file r_file_perms;
|
||||
allow adbd kernel:security read_policy;
|
||||
allow adbd service_contexts_file:file r_file_perms;
|
||||
allow adbd file_contexts_file:file r_file_perms;
|
||||
allow adbd seapp_contexts_file:file r_file_perms;
|
||||
allow adbd property_contexts_file:file r_file_perms;
|
||||
allow adbd sepolicy_file:file r_file_perms;
|
||||
|
||||
# Allow pulling config.gz for CTS purposes
|
||||
allow adbd config_gz:file r_file_perms;
|
||||
|
||||
allow adbd surfaceflinger_service:service_manager find;
|
||||
allow adbd bootchart_data_file:dir search;
|
||||
allow adbd bootchart_data_file:file r_file_perms;
|
||||
|
||||
# Allow access to external storage; we have several visible mount points under /storage
|
||||
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
|
||||
allow adbd storage_file:dir r_dir_perms;
|
||||
allow adbd storage_file:lnk_file r_file_perms;
|
||||
allow adbd mnt_user_file:dir r_dir_perms;
|
||||
allow adbd mnt_user_file:lnk_file r_file_perms;
|
||||
|
||||
# Access to /data/media.
|
||||
# This should be removed if sdcardfs is modified to alter the secontext for its
|
||||
# accesses to the underlying FS.
|
||||
allow adbd media_rw_data_file:dir create_dir_perms;
|
||||
allow adbd media_rw_data_file:file create_file_perms;
|
||||
|
||||
r_dir_file(adbd, apk_data_file)
|
||||
|
||||
allow adbd rootfs:dir r_dir_perms;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
||||
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
|
||||
# transitions to the shell domain (except when it crashes). In particular, we
|
||||
# never want to see a transition from adbd to su (aka "adb root")
|
||||
neverallow adbd { domain -crash_dump -shell }:process transition;
|
||||
neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
|
|
@ -1,524 +0,0 @@
|
|||
###
|
||||
### Domain for all zygote spawned apps
|
||||
###
|
||||
### This file is the base policy for all zygote spawned apps.
|
||||
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
|
||||
### extend from this policy. Only policies which should apply to ALL
|
||||
### zygote spawned apps should be added here.
|
||||
###
|
||||
|
||||
# TODO: deal with tmpfs_domain pub/priv split properly
|
||||
# Read system properties managed by zygote.
|
||||
allow appdomain zygote_tmpfs:file read;
|
||||
|
||||
# WebView and other application-specific JIT compilers
|
||||
allow appdomain self:process execmem;
|
||||
|
||||
allow appdomain ashmem_device:chr_file execute;
|
||||
|
||||
# Receive and use open file descriptors inherited from zygote.
|
||||
allow appdomain zygote:fd use;
|
||||
|
||||
# gdbserver for ndk-gdb reads the zygote.
|
||||
# valgrind needs mmap exec for zygote
|
||||
allow appdomain zygote_exec:file rx_file_perms;
|
||||
|
||||
# Notify zygote of death;
|
||||
allow appdomain zygote:process sigchld;
|
||||
|
||||
# Place process into foreground / background
|
||||
allow appdomain cgroup:dir { search write };
|
||||
allow appdomain cgroup:file rw_file_perms;
|
||||
|
||||
# Read /data/dalvik-cache.
|
||||
allow appdomain dalvikcache_data_file:dir { search getattr };
|
||||
allow appdomain dalvikcache_data_file:file r_file_perms;
|
||||
|
||||
# Read the /sdcard and /mnt/sdcard symlinks
|
||||
allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
|
||||
|
||||
# Search /storage/emulated tmpfs mount.
|
||||
allow appdomain tmpfs:dir r_dir_perms;
|
||||
|
||||
userdebug_or_eng(`
|
||||
# Notify zygote of the wrapped process PID when using --invoke-with.
|
||||
allow appdomain zygote:fifo_file write;
|
||||
|
||||
# Allow apps to create and write method traces in /data/misc/trace.
|
||||
allow appdomain method_trace_data_file:dir w_dir_perms;
|
||||
allow appdomain method_trace_data_file:file { create w_file_perms };
|
||||
')
|
||||
|
||||
# Notify shell and adbd of death when spawned via runas for ndk-gdb.
|
||||
allow appdomain shell:process sigchld;
|
||||
allow appdomain adbd:process sigchld;
|
||||
|
||||
# child shell or gdbserver pty access for runas.
|
||||
allow appdomain devpts:chr_file { getattr read write ioctl };
|
||||
|
||||
# Use pipes and sockets provided by system_server via binder or local socket.
|
||||
allow appdomain system_server:fd use;
|
||||
allow appdomain system_server:fifo_file rw_file_perms;
|
||||
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
|
||||
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
|
||||
|
||||
# Communication with other apps via fifos
|
||||
allow appdomain appdomain:fifo_file rw_file_perms;
|
||||
|
||||
# Communicate with surfaceflinger.
|
||||
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
|
||||
|
||||
# Query whether a Surface supports wide color
|
||||
allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
|
||||
|
||||
# App sandbox file accesses.
|
||||
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
|
||||
|
||||
# Traverse into expanded storage
|
||||
allow appdomain mnt_expand_file:dir r_dir_perms;
|
||||
|
||||
# Keychain and user-trusted credentials
|
||||
r_dir_file(appdomain, keychain_data_file)
|
||||
allow appdomain misc_user_data_file:dir r_dir_perms;
|
||||
allow appdomain misc_user_data_file:file r_file_perms;
|
||||
|
||||
# TextClassifier
|
||||
r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
|
||||
|
||||
# Access to OEM provided data and apps
|
||||
allow appdomain oemfs:dir r_dir_perms;
|
||||
allow appdomain oemfs:file rx_file_perms;
|
||||
|
||||
# Execute the shell or other system executables.
|
||||
allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
|
||||
allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
|
||||
allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
|
||||
not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
|
||||
|
||||
# Renderscript needs the ability to read directories on /system
|
||||
allow appdomain system_file:dir r_dir_perms;
|
||||
allow appdomain system_file:lnk_file { getattr open read };
|
||||
# Renderscript specific permissions to open /system/vendor/lib64.
|
||||
not_full_treble(`
|
||||
allow appdomain vendor_file_type:dir r_dir_perms;
|
||||
allow appdomain vendor_file_type:lnk_file { getattr open read };
|
||||
')
|
||||
|
||||
full_treble_only(`
|
||||
# For looking up Renderscript vendor drivers
|
||||
allow { appdomain -isolated_app } vendor_file:dir { open read };
|
||||
')
|
||||
|
||||
# Allow apps access to /vendor/app except for privileged
|
||||
# apps which cannot be in /vendor.
|
||||
r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
|
||||
allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
|
||||
|
||||
# Allow apps access to /vendor/overlay
|
||||
r_dir_file(appdomain, vendor_overlay_file)
|
||||
|
||||
# Allow apps access to /vendor/framework
|
||||
# for vendor provided libraries.
|
||||
r_dir_file(appdomain, vendor_framework_file)
|
||||
|
||||
# Execute dex2oat when apps call dexclassloader
|
||||
allow appdomain dex2oat_exec:file rx_file_perms;
|
||||
|
||||
# Read/write wallpaper file (opened by system).
|
||||
allow appdomain wallpaper_file:file { getattr read write };
|
||||
|
||||
# Read/write cached ringtones (opened by system).
|
||||
allow appdomain ringtone_file:file { getattr read write };
|
||||
|
||||
# Read ShortcutManager icon files (opened by system).
|
||||
allow appdomain shortcut_manager_icons:file { getattr read };
|
||||
|
||||
# Read icon file (opened by system).
|
||||
allow appdomain icon_file:file { getattr read };
|
||||
|
||||
# Write to /data/anr/traces.txt.
|
||||
allow appdomain anr_data_file:dir search;
|
||||
allow appdomain anr_data_file:file { open append };
|
||||
|
||||
# Allow apps to send dump information to dumpstate
|
||||
allow appdomain dumpstate:fd use;
|
||||
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
|
||||
allow appdomain dumpstate:fifo_file { write getattr };
|
||||
allow appdomain shell_data_file:file { write getattr };
|
||||
|
||||
# Write profiles /data/misc/profiles
|
||||
allow appdomain user_profile_data_file:dir { search write add_name };
|
||||
allow appdomain user_profile_data_file:file create_file_perms;
|
||||
|
||||
# Send heap dumps to system_server via an already open file descriptor
|
||||
# % adb shell am set-watch-heap com.android.systemui 1048576
|
||||
# % adb shell dumpsys procstats --start-testing
|
||||
# debuggable builds only.
|
||||
userdebug_or_eng(`
|
||||
allow appdomain heapdump_data_file:file append;
|
||||
')
|
||||
|
||||
# Write to /proc/net/xt_qtaguid/ctrl file.
|
||||
allow appdomain qtaguid_proc:file rw_file_perms;
|
||||
# read /proc/net/xt_qtguid/stats
|
||||
r_dir_file({ appdomain -ephemeral_app}, proc_net)
|
||||
# Everybody can read the xt_qtaguid resource tracking misc dev.
|
||||
# So allow all apps to read from /dev/xt_qtaguid.
|
||||
allow appdomain qtaguid_device:chr_file r_file_perms;
|
||||
|
||||
# Grant GPU access to all processes started by Zygote.
|
||||
# They need that to render the standard UI.
|
||||
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
|
||||
|
||||
# Use the Binder.
|
||||
binder_use(appdomain)
|
||||
# Perform binder IPC to binder services.
|
||||
binder_call(appdomain, binderservicedomain)
|
||||
# Perform binder IPC to other apps.
|
||||
binder_call(appdomain, appdomain)
|
||||
# Perform binder IPC to ephemeral apps.
|
||||
binder_call(appdomain, ephemeral_app)
|
||||
|
||||
# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
|
||||
# as OMX HAL
|
||||
hwbinder_use({ appdomain -isolated_app })
|
||||
allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
|
||||
allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
|
||||
|
||||
# Talk with graphics composer fences
|
||||
allow appdomain hal_graphics_composer:fd use;
|
||||
|
||||
# Already connected, unnamed sockets being passed over some other IPC
|
||||
# hence no sock_file or connectto permission. This appears to be how
|
||||
# Chrome works, may need to be updated as more apps using isolated services
|
||||
# are examined.
|
||||
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
|
||||
|
||||
# Backup ability for every app. BMS opens and passes the fd
|
||||
# to any app that has backup ability. Hence, no open permissions here.
|
||||
allow appdomain backup_data_file:file { read write getattr };
|
||||
allow appdomain cache_backup_file:file { read write getattr };
|
||||
allow appdomain cache_backup_file:dir getattr;
|
||||
# Backup ability using 'adb backup'
|
||||
allow appdomain system_data_file:lnk_file r_file_perms;
|
||||
allow appdomain system_data_file:file { getattr read };
|
||||
|
||||
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
|
||||
allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
|
||||
|
||||
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
|
||||
allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
|
||||
|
||||
# Allow access to external storage; we have several visible mount points under /storage
|
||||
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
|
||||
allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
|
||||
|
||||
# Read/write visible storage
|
||||
allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
|
||||
# This should be removed if sdcardfs is modified to alter the secontext for its
|
||||
# accesses to the underlying FS.
|
||||
allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
|
||||
|
||||
# Access OBBs (vfat images) mounted by vold (b/17633509)
|
||||
# File write access allowed for FDs returned through Storage Access Framework
|
||||
allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
|
||||
|
||||
# Allow apps to use the USB Accessory interface.
|
||||
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
|
||||
#
|
||||
# USB devices are first opened by the system server (USBDeviceManagerService)
|
||||
# and the file descriptor is passed to the right Activity via binder.
|
||||
allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
|
||||
allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
|
||||
|
||||
# For art.
|
||||
allow appdomain dalvikcache_data_file:file execute;
|
||||
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
|
||||
|
||||
# Allow any app to read shared RELRO files.
|
||||
allow appdomain shared_relro_file:dir search;
|
||||
allow appdomain shared_relro_file:file r_file_perms;
|
||||
|
||||
# Allow apps to read/execute installed binaries
|
||||
allow appdomain apk_data_file:dir r_dir_perms;
|
||||
allow appdomain apk_data_file:file rx_file_perms;
|
||||
|
||||
# /data/resource-cache
|
||||
allow appdomain resourcecache_data_file:file r_file_perms;
|
||||
allow appdomain resourcecache_data_file:dir r_dir_perms;
|
||||
|
||||
# logd access
|
||||
read_logd(appdomain)
|
||||
control_logd({ appdomain -ephemeral_app untrusted_v2_app })
|
||||
# application inherit logd write socket (urge is to deprecate this long term)
|
||||
allow appdomain zygote:unix_dgram_socket write;
|
||||
|
||||
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
|
||||
|
||||
use_keystore({ appdomain -isolated_app -ephemeral_app })
|
||||
|
||||
allow appdomain console_device:chr_file { read write };
|
||||
|
||||
# only allow unprivileged socket ioctl commands
|
||||
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
|
||||
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
||||
|
||||
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
|
||||
# TODO is write really necessary ?
|
||||
auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
|
||||
|
||||
# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
|
||||
get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
|
||||
|
||||
# Allow app access to mediacodec (IOMX HAL)
|
||||
binder_call({ appdomain -isolated_app }, mediacodec)
|
||||
|
||||
# Allow AAudio apps to use shared memory file descriptors from the HAL
|
||||
allow { appdomain -isolated_app } hal_audio:fd use;
|
||||
|
||||
# Allow app to access shared memory created by camera HAL1
|
||||
allow { appdomain -isolated_app } hal_camera:fd use;
|
||||
|
||||
# RenderScript always-passthrough HAL
|
||||
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
|
||||
|
||||
# TODO: switch to meminfo service
|
||||
allow appdomain proc_meminfo:file r_file_perms;
|
||||
|
||||
# For app fuse.
|
||||
allow appdomain app_fuse_file:file { getattr read append write };
|
||||
|
||||
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
|
||||
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
|
||||
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
|
||||
pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
|
||||
# Apps do not directly open the IPC socket for bufferhubd.
|
||||
pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
|
||||
|
||||
###
|
||||
### CTS-specific rules
|
||||
###
|
||||
|
||||
# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
|
||||
# testRunAsHasCorrectCapabilities
|
||||
allow appdomain runas_exec:file getattr;
|
||||
# Others are either allowed elsewhere or not desired.
|
||||
|
||||
# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
|
||||
# Check SELinux policy and contexts.
|
||||
selinux_check_access(appdomain)
|
||||
selinux_check_context(appdomain)
|
||||
|
||||
# Apps receive an open tun fd from the framework for
|
||||
# device traffic. Do not allow untrusted app to directly open tun_device
|
||||
allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
|
||||
|
||||
# Connect to adbd and use a socket transferred from it.
|
||||
# This is used for e.g. adb backup/restore.
|
||||
allow appdomain adbd:unix_stream_socket connectto;
|
||||
allow appdomain adbd:fd use;
|
||||
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
|
||||
|
||||
allow appdomain cache_file:dir getattr;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
### These are things that Android apps should NEVER be able to do
|
||||
###
|
||||
|
||||
# Superuser capabilities.
|
||||
# bluetooth requires net_admin and wake_alarm.
|
||||
neverallow { appdomain -bluetooth } self:capability *;
|
||||
neverallow { appdomain -bluetooth } self:capability2 *;
|
||||
|
||||
# Block device access.
|
||||
neverallow appdomain dev_type:blk_file { read write };
|
||||
|
||||
# Access to any of the following character devices.
|
||||
neverallow appdomain {
|
||||
audio_device
|
||||
camera_device
|
||||
dm_device
|
||||
radio_device
|
||||
rpmsg_device
|
||||
video_device
|
||||
}:chr_file { read write };
|
||||
|
||||
# Note: Try expanding list of app domains in the future.
|
||||
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
|
||||
|
||||
neverallow { appdomain -nfc } nfc_device:chr_file
|
||||
{ read write };
|
||||
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
|
||||
{ read write };
|
||||
neverallow appdomain tee_device:chr_file { read write };
|
||||
|
||||
# Privileged netlink socket interfaces.
|
||||
neverallow appdomain
|
||||
domain:{
|
||||
netlink_tcpdiag_socket
|
||||
netlink_nflog_socket
|
||||
netlink_xfrm_socket
|
||||
netlink_audit_socket
|
||||
netlink_dnrt_socket
|
||||
} *;
|
||||
|
||||
# These messages are broadcast messages from the kernel to userspace.
|
||||
# Do not allow the writing of netlink messages, which has been a source
|
||||
# of rooting vulns in the past.
|
||||
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
|
||||
|
||||
# Sockets under /dev/socket that are not specifically typed.
|
||||
neverallow appdomain socket_device:sock_file write;
|
||||
|
||||
# Unix domain sockets.
|
||||
neverallow appdomain adbd_socket:sock_file write;
|
||||
neverallow { appdomain -radio } rild_socket:sock_file write;
|
||||
neverallow appdomain vold_socket:sock_file write;
|
||||
neverallow appdomain zygote_socket:sock_file write;
|
||||
|
||||
# ptrace access to non-app domains.
|
||||
neverallow appdomain { domain -appdomain }:process ptrace;
|
||||
|
||||
# Write access to /proc/pid entries for any non-app domain.
|
||||
neverallow appdomain { domain -appdomain }:file write;
|
||||
|
||||
# signal access to non-app domains.
|
||||
# sigchld allowed for parent death notification.
|
||||
# signull allowed for kill(pid, 0) existence test.
|
||||
# All others prohibited.
|
||||
neverallow appdomain { domain -appdomain }:process
|
||||
{ sigkill sigstop signal };
|
||||
|
||||
# Transition to a non-app domain.
|
||||
# Exception for the shell and su domains, can transition to runas, etc.
|
||||
# Exception for crash_dump.
|
||||
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
|
||||
{ transition };
|
||||
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
|
||||
{ dyntransition };
|
||||
|
||||
# Write to rootfs.
|
||||
neverallow appdomain rootfs:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Write to /system.
|
||||
neverallow appdomain system_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Write to entrypoint executables.
|
||||
neverallow appdomain exec_type:file
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Write to system-owned parts of /data.
|
||||
# This is the default type for anything under /data not otherwise
|
||||
# specified in file_contexts. Define a different type for portions
|
||||
# that should be writable by apps.
|
||||
neverallow appdomain system_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Write to various other parts of /data.
|
||||
neverallow appdomain drm_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow { appdomain -platform_app }
|
||||
apk_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow { appdomain -platform_app }
|
||||
apk_tmp_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow { appdomain -platform_app }
|
||||
apk_private_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow { appdomain -platform_app }
|
||||
apk_private_tmp_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow { appdomain -shell }
|
||||
shell_data_file:dir_file_class_set
|
||||
{ create setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow { appdomain -bluetooth }
|
||||
bluetooth_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow appdomain
|
||||
keystore_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow appdomain
|
||||
systemkeys_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow appdomain
|
||||
wifi_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow appdomain
|
||||
dhcp_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# access tmp apk files
|
||||
neverallow { appdomain -platform_app -priv_app }
|
||||
{ apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
|
||||
|
||||
# Access to factory files.
|
||||
neverallow appdomain efs_file:dir_file_class_set write;
|
||||
neverallow { appdomain -shell } efs_file:dir_file_class_set read;
|
||||
|
||||
# Write to various pseudo file systems.
|
||||
neverallow { appdomain -bluetooth -nfc }
|
||||
sysfs:dir_file_class_set write;
|
||||
neverallow appdomain
|
||||
proc:dir_file_class_set write;
|
||||
|
||||
# Access to syslog(2) or /proc/kmsg.
|
||||
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
|
||||
|
||||
# Ability to perform any filesystem operation other than statfs(2).
|
||||
# i.e. no mount(2), unmount(2), etc.
|
||||
neverallow appdomain fs_type:filesystem ~getattr;
|
||||
|
||||
# prevent creation/manipulation of globally readable symlinks
|
||||
neverallow appdomain {
|
||||
apk_data_file
|
||||
cache_file
|
||||
cache_recovery_file
|
||||
dev_type
|
||||
rootfs
|
||||
system_file
|
||||
tmpfs
|
||||
}:lnk_file no_w_file_perms;
|
||||
|
||||
# Denylist app domains not allowed to execute from /data
|
||||
neverallow {
|
||||
bluetooth
|
||||
isolated_app
|
||||
nfc
|
||||
radio
|
||||
shared_relro
|
||||
system_app
|
||||
} {
|
||||
data_file_type
|
||||
-dalvikcache_data_file
|
||||
-system_data_file # shared libs in apks
|
||||
-apk_data_file
|
||||
}:file no_x_file_perms;
|
||||
|
||||
# Applications should use the activity model for receiving events
|
||||
neverallow {
|
||||
appdomain
|
||||
-shell # bugreport
|
||||
} input_device:chr_file ~getattr;
|
||||
|
||||
# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
|
||||
# neverallow rules for access to Bluetooth-related data files are above.
|
||||
neverallow {
|
||||
appdomain
|
||||
-bluetooth
|
||||
-system_app
|
||||
} bluetooth_prop:file create_file_perms;
|
|
@ -1,215 +0,0 @@
|
|||
###
|
||||
### neverallow rules for untrusted app domains
|
||||
###
|
||||
|
||||
# Only allow domains in AOSP to use the untrusted_app_all attribute.
|
||||
neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
|
||||
|
||||
define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
|
||||
# Receive or send uevent messages.
|
||||
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
|
||||
|
||||
# Receive or send generic netlink messages
|
||||
neverallow all_untrusted_apps domain:netlink_socket *;
|
||||
|
||||
# Too much leaky information in debugfs. It's a security
|
||||
# best practice to ensure these files aren't readable.
|
||||
neverallow all_untrusted_apps debugfs_type:file read;
|
||||
|
||||
# Do not allow untrusted apps to register services.
|
||||
# Only trusted components of Android should be registering
|
||||
# services.
|
||||
neverallow all_untrusted_apps service_manager_type:service_manager add;
|
||||
|
||||
# Do not allow untrusted apps to use VendorBinder
|
||||
neverallow all_untrusted_apps vndbinder_device:chr_file *;
|
||||
neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
|
||||
|
||||
# Do not allow untrusted apps to connect to the property service
|
||||
# or set properties. b/10243159
|
||||
neverallow all_untrusted_apps property_socket:sock_file write;
|
||||
neverallow all_untrusted_apps init:unix_stream_socket connectto;
|
||||
neverallow all_untrusted_apps property_type:property_service set;
|
||||
|
||||
# Do not allow untrusted apps to be assigned mlstrustedsubject.
|
||||
# This would undermine the per-user isolation model being
|
||||
# enforced via levelFrom=user in seapp_contexts and the mls
|
||||
# constraints. As there is no direct way to specify a neverallow
|
||||
# on attribute assignment, this relies on the fact that fork
|
||||
# permission only makes sense within a domain (hence should
|
||||
# never be granted to any other domain within mlstrustedsubject)
|
||||
# and an untrusted app is allowed fork permission to itself.
|
||||
neverallow all_untrusted_apps mlstrustedsubject:process fork;
|
||||
|
||||
# Do not allow untrusted apps to hard link to any files.
|
||||
# In particular, if an untrusted app links to other app data
|
||||
# files, installd will not be able to guarantee the deletion
|
||||
# of the linked to file. Hard links also contribute to security
|
||||
# bugs, so we want to ensure untrusted apps never have this
|
||||
# capability.
|
||||
neverallow all_untrusted_apps file_type:file link;
|
||||
|
||||
# Do not allow untrusted apps to access network MAC address file
|
||||
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
|
||||
|
||||
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
|
||||
# ioctl permission, or 3. disallow the socket class.
|
||||
neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
||||
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
|
||||
neverallow all_untrusted_apps *:{
|
||||
socket netlink_socket packet_socket key_socket appletalk_socket
|
||||
netlink_tcpdiag_socket netlink_nflog_socket
|
||||
netlink_xfrm_socket netlink_audit_socket
|
||||
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
|
||||
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
|
||||
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
|
||||
netlink_rdma_socket netlink_crypto_socket
|
||||
} *;
|
||||
|
||||
# Do not allow untrusted apps access to /cache
|
||||
neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
|
||||
neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
|
||||
|
||||
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
|
||||
# internal storage or sdcard.
|
||||
# World accessible data locations allow application to fill the device
|
||||
# with unaccounted for data. This data will not get removed during
|
||||
# application un-installation.
|
||||
neverallow all_untrusted_apps {
|
||||
fs_type
|
||||
-fuse # sdcard
|
||||
-sdcardfs # sdcard
|
||||
-vfat
|
||||
file_type
|
||||
-app_data_file # The apps sandbox itself
|
||||
-media_rw_data_file # Internal storage. Known that apps can
|
||||
# leave artfacts here after uninstall.
|
||||
-user_profile_data_file # Access to profile files
|
||||
userdebug_or_eng(`
|
||||
-method_trace_data_file # only on ro.debuggable=1
|
||||
-coredump_file # userdebug/eng only
|
||||
')
|
||||
}:dir_file_class_set { create unlink };
|
||||
|
||||
# No untrusted component should be touching /dev/fuse
|
||||
neverallow all_untrusted_apps fuse_device:chr_file *;
|
||||
|
||||
# Do not allow untrusted apps to directly open tun_device
|
||||
neverallow all_untrusted_apps tun_device:chr_file open;
|
||||
|
||||
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
|
||||
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
|
||||
neverallow all_untrusted_apps anr_data_file:dir ~search;
|
||||
|
||||
# Avoid reads from generically labeled /proc files
|
||||
# Create a more specific label if needed
|
||||
neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
|
||||
|
||||
# Avoid all access to kernel configuration
|
||||
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
|
||||
|
||||
# Do not allow untrusted apps access to preloads data files
|
||||
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
|
||||
|
||||
# Locking of files on /system could lead to denial of service attacks
|
||||
# against privileged system components
|
||||
neverallow all_untrusted_apps system_file:file lock;
|
||||
|
||||
# Do not permit untrusted apps to perform actions on HwBinder service_manager
|
||||
# other than find actions for services listed below
|
||||
neverallow all_untrusted_apps *:hwservice_manager ~find;
|
||||
|
||||
# Do not permit access from apps which host arbitrary code to HwBinder services,
|
||||
# except those considered sufficiently safe for access from such apps.
|
||||
# The two main reasons for this are:
|
||||
# 1. HwBinder servers do not perform client authentication because HIDL
|
||||
# currently does not expose caller UID information and, even if it did, many
|
||||
# HwBinder services either operate at a level below that of apps (e.g., HALs)
|
||||
# or must not rely on app identity for authorization. Thus, to be safe, the
|
||||
# default assumption is that every HwBinder service treats all its clients as
|
||||
# equally authorized to perform operations offered by the service.
|
||||
# 2. HAL servers (a subset of HwBinder services) contain code with higher
|
||||
# incidence rate of security issues than system/core components and have
|
||||
# access to lower layes of the stack (all the way down to hardware) thus
|
||||
# increasing opportunities for bypassing the Android security model.
|
||||
#
|
||||
# Safe services include:
|
||||
# - same process services: because they by definition run in the process
|
||||
# of the client and thus have the same access as the client domain in which
|
||||
# the process runs
|
||||
# - coredomain_hwservice: are considered safe because they do not pose risks
|
||||
# associated with reason #2 above.
|
||||
# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
|
||||
# designed for use by any domain.
|
||||
# - hal_graphics_allocator_hwservice: because these operations are also offered
|
||||
# by surfaceflinger Binder service, which apps are permitted to access
|
||||
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
|
||||
# Binder service which apps were permitted to access.
|
||||
neverallow all_untrusted_apps {
|
||||
hwservice_manager_type
|
||||
-same_process_hwservice
|
||||
-coredomain_hwservice
|
||||
-hal_configstore_ISurfaceFlingerConfigs
|
||||
-hal_graphics_allocator_hwservice
|
||||
-hal_omx_hwservice
|
||||
-untrusted_app_visible_hwservice
|
||||
}:hwservice_manager find;
|
||||
neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
|
||||
# Make sure that the following services are never accessible by untrusted_apps
|
||||
neverallow all_untrusted_apps {
|
||||
default_android_hwservice
|
||||
hal_audio_hwservice
|
||||
hal_bluetooth_hwservice
|
||||
hal_bootctl_hwservice
|
||||
hal_camera_hwservice
|
||||
hal_contexthub_hwservice
|
||||
hal_drm_hwservice
|
||||
hal_dumpstate_hwservice
|
||||
hal_fingerprint_hwservice
|
||||
hal_gatekeeper_hwservice
|
||||
hal_gnss_hwservice
|
||||
hal_graphics_composer_hwservice
|
||||
hal_health_hwservice
|
||||
hal_ir_hwservice
|
||||
hal_keymaster_hwservice
|
||||
hal_light_hwservice
|
||||
hal_memtrack_hwservice
|
||||
hal_nfc_hwservice
|
||||
hal_oemlock_hwservice
|
||||
hal_power_hwservice
|
||||
hal_sensors_hwservice
|
||||
hal_telephony_hwservice
|
||||
hal_thermal_hwservice
|
||||
hal_tv_cec_hwservice
|
||||
hal_tv_input_hwservice
|
||||
hal_usb_hwservice
|
||||
hal_vibrator_hwservice
|
||||
hal_vr_hwservice
|
||||
hal_weaver_hwservice
|
||||
hal_wifi_hwservice
|
||||
hal_wifi_supplicant_hwservice
|
||||
hidl_base_hwservice
|
||||
}:hwservice_manager find;
|
||||
# HwBinder services offered by core components (as opposed to vendor components)
|
||||
# are considered somewhat safer due to point #2 above.
|
||||
neverallow all_untrusted_apps {
|
||||
coredomain_hwservice
|
||||
-same_process_hwservice
|
||||
-hidl_allocator_hwservice # Designed for use by any domain
|
||||
-hidl_manager_hwservice # Designed for use by any domain
|
||||
-hidl_memory_hwservice # Designed for use by any domain
|
||||
-hidl_token_hwservice # Designed for use by any domain
|
||||
}:hwservice_manager find;
|
||||
|
||||
# Restrict *Binder access from apps to HAL domains. We can only do this on full
|
||||
# Treble devices where *Binder communications between apps and HALs are tightly
|
||||
# restricted.
|
||||
full_treble_only(`
|
||||
neverallow all_untrusted_apps {
|
||||
halserverdomain
|
||||
-coredomain
|
||||
-hal_configstore_server
|
||||
-hal_graphics_allocator_server
|
||||
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
|
||||
}:binder { call transfer };
|
||||
')
|
|
@ -1,8 +0,0 @@
|
|||
# type_transition must be private policy the domain_trans rules could stay
|
||||
# public, but conceptually should go with this
|
||||
# Technically not a daemon but we do want the transition from init domain to
|
||||
# asan_extract to occur.
|
||||
with_asan(`
|
||||
typeattribute asan_extract coredomain;
|
||||
init_daemon_domain(asan_extract)
|
||||
')
|
|
@ -1,24 +0,0 @@
|
|||
# Domain for atrace process spawned by boottrace service.
|
||||
|
||||
type atrace_exec, exec_type, file_type;
|
||||
|
||||
userdebug_or_eng(`
|
||||
type atrace, domain, coredomain, domain_deprecated;
|
||||
|
||||
init_daemon_domain(atrace)
|
||||
|
||||
# boottrace services uses /data/misc/boottrace/categories
|
||||
allow atrace boottrace_data_file:dir search;
|
||||
allow atrace boottrace_data_file:file r_file_perms;
|
||||
|
||||
# atrace reads the files in /sys/kernel/debug/tracing/
|
||||
allow atrace debugfs_tracing:file r_file_perms;
|
||||
|
||||
# atrace sets debug.atrace.* properties
|
||||
set_prop(atrace, debug_prop)
|
||||
|
||||
# atrace pokes all the binder-enabled processes at startup.
|
||||
binder_use(atrace)
|
||||
allow atrace healthd:binder call;
|
||||
allow atrace surfaceflinger:binder call;
|
||||
')
|
|
@ -1,9 +0,0 @@
|
|||
# Temporary attribute used for migrating permissions out of domain.
|
||||
# Motivation: Domain is overly permissive. Start removing permissions
|
||||
# from domain and assign them to the domain_deprecated attribute.
|
||||
# Domain_deprecated and domain can initially be assigned to all
|
||||
# domains. The goal is to not assign domain_deprecated to new domains
|
||||
# and to start removing domain_deprecated where it's not required or
|
||||
# reassigning the appropriate permissions to the inheriting domain
|
||||
# when necessary.
|
||||
attribute domain_deprecated;
|
|
@ -1,66 +0,0 @@
|
|||
# audioserver - audio services daemon
|
||||
|
||||
typeattribute audioserver coredomain;
|
||||
|
||||
type audioserver_exec, exec_type, file_type;
|
||||
init_daemon_domain(audioserver)
|
||||
|
||||
r_dir_file(audioserver, sdcard_type)
|
||||
|
||||
binder_use(audioserver)
|
||||
binder_call(audioserver, binderservicedomain)
|
||||
binder_call(audioserver, appdomain)
|
||||
binder_service(audioserver)
|
||||
|
||||
hal_client_domain(audioserver, hal_allocator)
|
||||
# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
|
||||
r_dir_file(audioserver, system_file)
|
||||
|
||||
hal_client_domain(audioserver, hal_audio)
|
||||
|
||||
userdebug_or_eng(`
|
||||
# used for TEE sink - pcm capture for debug.
|
||||
allow audioserver media_data_file:dir create_dir_perms;
|
||||
allow audioserver audioserver_data_file:dir create_dir_perms;
|
||||
allow audioserver audioserver_data_file:file create_file_perms;
|
||||
|
||||
# ptrace to processes in the same domain for memory leak detection
|
||||
allow audioserver self:process ptrace;
|
||||
')
|
||||
|
||||
add_service(audioserver, audioserver_service)
|
||||
allow audioserver appops_service:service_manager find;
|
||||
allow audioserver batterystats_service:service_manager find;
|
||||
allow audioserver permission_service:service_manager find;
|
||||
allow audioserver power_service:service_manager find;
|
||||
allow audioserver scheduling_policy_service:service_manager find;
|
||||
|
||||
# Grant access to audio files to audioserver
|
||||
allow audioserver audio_data_file:dir ra_dir_perms;
|
||||
allow audioserver audio_data_file:file create_file_perms;
|
||||
|
||||
# allow access to ALSA MMAP FDs for AAudio API
|
||||
allow audioserver audio_device:chr_file { read write };
|
||||
|
||||
# For A2DP bridge which is loaded directly into audioserver
|
||||
unix_socket_connect(audioserver, bluetooth, bluetooth)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# audioserver should never execute any executable without a
|
||||
# domain transition
|
||||
neverallow audioserver { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# The goal of the mediaserver split is to place media processing code into
|
||||
# restrictive sandboxes with limited responsibilities and thus limited
|
||||
# permissions. Example: Audioserver is only responsible for controlling audio
|
||||
# hardware and processing audio content. Cameraserver does the same for camera
|
||||
# hardware/content. Etc.
|
||||
#
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
|
|
@ -1 +0,0 @@
|
|||
allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
|
|
@ -1,22 +0,0 @@
|
|||
# Rules common to all binder service domains
|
||||
|
||||
# Allow dumpstate and incidentd to collect information from binder services
|
||||
allow binderservicedomain { dumpstate incidentd }:fd use;
|
||||
allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
|
||||
allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
|
||||
allow binderservicedomain shell_data_file:file { getattr write };
|
||||
|
||||
# Allow dumpsys to work from adb shell or the serial console
|
||||
allow binderservicedomain devpts:chr_file rw_file_perms;
|
||||
allow binderservicedomain console_device:chr_file rw_file_perms;
|
||||
|
||||
# Receive and write to a pipe received over Binder from an app.
|
||||
allow binderservicedomain appdomain:fd use;
|
||||
allow binderservicedomain appdomain:fifo_file write;
|
||||
|
||||
# allow all services to run permission checks
|
||||
allow binderservicedomain permission_service:service_manager find;
|
||||
|
||||
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
|
||||
|
||||
use_keystore(binderservicedomain)
|
|
@ -1,22 +0,0 @@
|
|||
# blkid called from vold
|
||||
|
||||
typeattribute blkid coredomain;
|
||||
|
||||
type blkid_exec, exec_type, file_type;
|
||||
|
||||
# Allowed read-only access to encrypted devices to extract UUID/label
|
||||
allow blkid block_device:dir search;
|
||||
allow blkid userdata_block_device:blk_file r_file_perms;
|
||||
allow blkid dm_device:blk_file r_file_perms;
|
||||
|
||||
# Allow stdin/out back to vold
|
||||
allow blkid vold:fd use;
|
||||
allow blkid vold:fifo_file { read write getattr };
|
||||
|
||||
# For blkid launched through popen()
|
||||
allow blkid blkid_exec:file rx_file_perms;
|
||||
|
||||
# Only allow entry from vold
|
||||
neverallow { domain -vold } blkid:process transition;
|
||||
neverallow * blkid:process dyntransition;
|
||||
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
|
|
@ -1,37 +0,0 @@
|
|||
# blkid for untrusted block devices
|
||||
|
||||
typeattribute blkid_untrusted coredomain;
|
||||
|
||||
# Allowed read-only access to vold block devices to extract UUID/label
|
||||
allow blkid_untrusted block_device:dir search;
|
||||
allow blkid_untrusted vold_device:blk_file r_file_perms;
|
||||
|
||||
# Allow stdin/out back to vold
|
||||
allow blkid_untrusted vold:fd use;
|
||||
allow blkid_untrusted vold:fifo_file { read write getattr };
|
||||
|
||||
# For blkid launched through popen()
|
||||
allow blkid_untrusted blkid_exec:file rx_file_perms;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# Untrusted blkid should never be run on block devices holding sensitive data
|
||||
neverallow blkid_untrusted {
|
||||
boot_block_device
|
||||
frp_block_device
|
||||
metadata_block_device
|
||||
recovery_block_device
|
||||
root_block_device
|
||||
swap_block_device
|
||||
system_block_device
|
||||
userdata_block_device
|
||||
cache_block_device
|
||||
dm_device
|
||||
}:blk_file no_rw_file_perms;
|
||||
|
||||
# Only allow entry from vold via blkid binary
|
||||
neverallow { domain -vold } blkid_untrusted:process transition;
|
||||
neverallow * blkid_untrusted:process dyntransition;
|
||||
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
|
|
@ -1,77 +0,0 @@
|
|||
# bluetooth subsystem
|
||||
|
||||
typeattribute bluetooth coredomain;
|
||||
typeattribute bluetooth domain_deprecated;
|
||||
|
||||
app_domain(bluetooth)
|
||||
net_domain(bluetooth)
|
||||
|
||||
# Socket creation under /data/misc/bluedroid.
|
||||
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
|
||||
|
||||
# Allow access to net_admin ioctls
|
||||
allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
wakelock_use(bluetooth);
|
||||
|
||||
# Data file accesses.
|
||||
allow bluetooth bluetooth_data_file:dir create_dir_perms;
|
||||
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
|
||||
allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
|
||||
allow bluetooth bluetooth_logs_data_file:file create_file_perms;
|
||||
|
||||
# Socket creation under /data/misc/bluedroid.
|
||||
allow bluetooth bluetooth_socket:sock_file create_file_perms;
|
||||
|
||||
allow bluetooth self:capability net_admin;
|
||||
allow bluetooth self:capability2 wake_alarm;
|
||||
|
||||
# tethering
|
||||
allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
|
||||
allow bluetooth self:capability { net_admin net_raw net_bind_service };
|
||||
allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
|
||||
allow bluetooth tun_device:chr_file rw_file_perms;
|
||||
allow bluetooth efs_file:dir search;
|
||||
|
||||
# allow Bluetooth to access uhid device for HID profile
|
||||
allow bluetooth uhid_device:chr_file rw_file_perms;
|
||||
|
||||
# proc access.
|
||||
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
|
||||
|
||||
# Allow write access to bluetooth specific properties
|
||||
set_prop(bluetooth, bluetooth_prop)
|
||||
set_prop(bluetooth, pan_result_prop)
|
||||
|
||||
allow bluetooth audioserver_service:service_manager find;
|
||||
allow bluetooth bluetooth_service:service_manager find;
|
||||
allow bluetooth drmserver_service:service_manager find;
|
||||
allow bluetooth mediaserver_service:service_manager find;
|
||||
allow bluetooth radio_service:service_manager find;
|
||||
allow bluetooth surfaceflinger_service:service_manager find;
|
||||
allow bluetooth app_api_service:service_manager find;
|
||||
allow bluetooth system_api_service:service_manager find;
|
||||
|
||||
# already open bugreport file descriptors may be shared with
|
||||
# the bluetooth process, from a file in
|
||||
# /data/data/com.android.shell/files/bugreports/bugreport-*.
|
||||
allow bluetooth shell_data_file:file read;
|
||||
|
||||
# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
|
||||
allow bluetooth self:capability sys_nice;
|
||||
|
||||
hal_client_domain(bluetooth, hal_bluetooth)
|
||||
hal_client_domain(bluetooth, hal_telephony)
|
||||
|
||||
read_runtime_log_tags(bluetooth)
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
### These are things that the bluetooth app should NEVER be able to do
|
||||
###
|
||||
|
||||
# Superuser capabilities.
|
||||
# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
|
||||
neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
|
||||
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
|
|
@ -1,2 +0,0 @@
|
|||
# Allow clients to use a socket provided by the bluetooth app.
|
||||
allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute bootanim coredomain;
|
||||
|
||||
init_daemon_domain(bootanim)
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute bootstat coredomain;
|
||||
|
||||
init_daemon_domain(bootstat)
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute bufferhubd coredomain;
|
||||
|
||||
init_daemon_domain(bufferhubd)
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute cameraserver coredomain;
|
||||
|
||||
init_daemon_domain(cameraserver)
|
|
@ -1 +0,0 @@
|
|||
typeattribute charger coredomain;
|
|
@ -1,2 +0,0 @@
|
|||
typeattribute clatd coredomain;
|
||||
typeattribute clatd domain_deprecated;
|
|
@ -1,6 +0,0 @@
|
|||
typeattribute cppreopts coredomain;
|
||||
|
||||
# Technically not a daemon but we do want the transition from init domain to
|
||||
# cppreopts to occur.
|
||||
init_daemon_domain(cppreopts)
|
||||
domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
|
|
@ -1 +0,0 @@
|
|||
typeattribute crash_dump coredomain;
|
|
@ -1,2 +0,0 @@
|
|||
typeattribute dex2oat coredomain;
|
||||
typeattribute dex2oat domain_deprecated;
|
|
@ -1,26 +0,0 @@
|
|||
# dexoptanalyzer
|
||||
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
|
||||
type dexoptanalyzer_exec, exec_type, file_type;
|
||||
|
||||
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
|
||||
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
|
||||
# own label, which differs from other labels created by other processes.
|
||||
# This allows to distinguish in policy files created by dexoptanalyzer vs other
|
||||
#processes.
|
||||
tmpfs_domain(dexoptanalyzer)
|
||||
|
||||
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
|
||||
# app_data_file the oat file is symlinked to the original file in /system.
|
||||
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
|
||||
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
|
||||
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
|
||||
|
||||
allow dexoptanalyzer installd:fd use;
|
||||
|
||||
# Allow reading secondary dex files that were reported by the app to the
|
||||
# package manager.
|
||||
allow dexoptanalyzer app_data_file:dir { getattr search };
|
||||
allow dexoptanalyzer app_data_file:file r_file_perms;
|
||||
|
||||
# Allow testing /data/user/0 which symlinks to /data/data
|
||||
allow dexoptanalyzer system_data_file:lnk_file { getattr };
|
|
@ -1,5 +0,0 @@
|
|||
typeattribute dhcp coredomain;
|
||||
typeattribute dhcp domain_deprecated;
|
||||
|
||||
init_daemon_domain(dhcp)
|
||||
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
|
|
@ -1 +0,0 @@
|
|||
typeattribute dnsmasq coredomain;
|
|
@ -1,18 +0,0 @@
|
|||
# Transition to crash_dump when /system/bin/crash_dump* is executed.
|
||||
# This occurs when the process crashes.
|
||||
domain_auto_trans(domain, crash_dump_exec, crash_dump);
|
||||
allow domain crash_dump:process sigchld;
|
||||
|
||||
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
||||
# with other UIDs to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-vold
|
||||
-dumpstate
|
||||
-storaged
|
||||
-system_server
|
||||
userdebug_or_eng(`-perfprofd')
|
||||
} self:capability sys_ptrace;
|
||||
|
||||
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
||||
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
|
|
@ -1,311 +0,0 @@
|
|||
# rules removed from the domain attribute
|
||||
|
||||
# Search /storage/emulated tmpfs mount.
|
||||
allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-installd
|
||||
-sdcardd
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-vold
|
||||
-zygote
|
||||
} tmpfs:dir r_dir_perms;
|
||||
')
|
||||
|
||||
# Inherit or receive open files from others.
|
||||
allow domain_deprecated system_server:fd use;
|
||||
userdebug_or_eng(`
|
||||
auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
|
||||
')
|
||||
|
||||
# Connect to adbd and use a socket transferred from it.
|
||||
# This is used for e.g. adb backup/restore.
|
||||
allow domain_deprecated adbd:fd use;
|
||||
userdebug_or_eng(`
|
||||
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
|
||||
')
|
||||
|
||||
# Root fs.
|
||||
allow domain_deprecated rootfs:dir r_dir_perms;
|
||||
allow domain_deprecated rootfs:file r_file_perms;
|
||||
allow domain_deprecated rootfs:lnk_file r_file_perms;
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-fsck
|
||||
-healthd
|
||||
-installd
|
||||
-servicemanager
|
||||
-system_server
|
||||
-ueventd
|
||||
-uncrypt
|
||||
-vold
|
||||
-zygote
|
||||
} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-healthd
|
||||
-installd
|
||||
-servicemanager
|
||||
-system_server
|
||||
-ueventd
|
||||
-uncrypt
|
||||
-vold
|
||||
-zygote
|
||||
} rootfs:file r_file_perms;
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-healthd
|
||||
-installd
|
||||
-servicemanager
|
||||
-system_server
|
||||
-ueventd
|
||||
-uncrypt
|
||||
-vold
|
||||
-zygote
|
||||
} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
|
||||
')
|
||||
|
||||
# System file accesses.
|
||||
allow domain_deprecated system_file:dir r_dir_perms;
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-fingerprintd
|
||||
-installd
|
||||
-keystore
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-update_engine
|
||||
-vold
|
||||
-zygote
|
||||
} system_file:dir { open read ioctl lock }; # search getattr in domain
|
||||
')
|
||||
|
||||
# Read files already opened under /data.
|
||||
allow domain_deprecated system_data_file:file { getattr read };
|
||||
allow domain_deprecated system_data_file:lnk_file r_file_perms;
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-sdcardd
|
||||
-system_server
|
||||
-tee
|
||||
} system_data_file:file { getattr read };
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-system_server
|
||||
-tee
|
||||
} system_data_file:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
# Read apk files under /data/app.
|
||||
allow domain_deprecated apk_data_file:dir { getattr search };
|
||||
allow domain_deprecated apk_data_file:file r_file_perms;
|
||||
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-dex2oat
|
||||
-installd
|
||||
-system_server
|
||||
} apk_data_file:dir { getattr search };
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-dex2oat
|
||||
-installd
|
||||
-system_server
|
||||
} apk_data_file:file r_file_perms;
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-dex2oat
|
||||
-installd
|
||||
-system_server
|
||||
} apk_data_file:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
# Read already opened /cache files.
|
||||
allow domain_deprecated cache_file:dir r_dir_perms;
|
||||
allow domain_deprecated cache_file:file { getattr read };
|
||||
allow domain_deprecated cache_file:lnk_file r_file_perms;
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-system_server
|
||||
-vold
|
||||
} cache_file:dir { open read search ioctl lock };
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-system_server
|
||||
-vold
|
||||
} cache_file:dir getattr;
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-system_server
|
||||
-vold
|
||||
} cache_file:file { getattr read };
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-system_server
|
||||
-vold
|
||||
} cache_file:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
# Allow access to ion memory allocation device
|
||||
allow domain_deprecated ion_device:chr_file rw_file_perms;
|
||||
# split this auditallow into read and write perms since most domains seem to
|
||||
# only require read
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-fingerprintd
|
||||
-keystore
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-tee
|
||||
-vold
|
||||
-zygote
|
||||
} ion_device:chr_file r_file_perms;
|
||||
auditallow domain_deprecated ion_device:chr_file { write append };
|
||||
')
|
||||
|
||||
# Read access to pseudo filesystems.
|
||||
r_dir_file(domain_deprecated, proc)
|
||||
r_dir_file(domain_deprecated, sysfs)
|
||||
r_dir_file(domain_deprecated, cgroup)
|
||||
allow domain_deprecated proc_meminfo:file r_file_perms;
|
||||
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-fsck
|
||||
-fsck_untrusted
|
||||
-sdcardd
|
||||
-system_server
|
||||
-update_engine
|
||||
-vold
|
||||
} proc:file r_file_perms;
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-fsck
|
||||
-fsck_untrusted
|
||||
-system_server
|
||||
-vold
|
||||
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-bluetooth
|
||||
-fingerprintd
|
||||
-healthd
|
||||
-netd
|
||||
-system_app
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-tee
|
||||
-ueventd
|
||||
-vold
|
||||
} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-bluetooth
|
||||
-fingerprintd
|
||||
-healthd
|
||||
-netd
|
||||
-system_app
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-tee
|
||||
-ueventd
|
||||
-vold
|
||||
} sysfs:file r_file_perms;
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-bluetooth
|
||||
-fingerprintd
|
||||
-healthd
|
||||
-netd
|
||||
-system_app
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-tee
|
||||
-ueventd
|
||||
-vold
|
||||
} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-dumpstate
|
||||
-fingerprintd
|
||||
-healthd
|
||||
-inputflinger
|
||||
-installd
|
||||
-keystore
|
||||
-netd
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-zygote
|
||||
} cgroup:dir r_dir_perms;
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-dumpstate
|
||||
-fingerprintd
|
||||
-healthd
|
||||
-inputflinger
|
||||
-installd
|
||||
-keystore
|
||||
-netd
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-zygote
|
||||
} cgroup:{ file lnk_file } r_file_perms;
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-vold
|
||||
} proc_meminfo:file r_file_perms;
|
||||
')
|
||||
|
||||
# Get SELinux enforcing status.
|
||||
allow domain_deprecated selinuxfs:dir r_dir_perms;
|
||||
allow domain_deprecated selinuxfs:file r_file_perms;
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-installd
|
||||
-keystore
|
||||
-postinstall_dexopt
|
||||
-runas
|
||||
-servicemanager
|
||||
-system_server
|
||||
-ueventd
|
||||
-zygote
|
||||
} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-installd
|
||||
-keystore
|
||||
-postinstall_dexopt
|
||||
-runas
|
||||
-servicemanager
|
||||
-system_server
|
||||
-ueventd
|
||||
-zygote
|
||||
} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
|
||||
')
|
|
@ -1,7 +0,0 @@
|
|||
typeattribute drmserver coredomain;
|
||||
|
||||
init_daemon_domain(drmserver)
|
||||
|
||||
type_transition drmserver apk_data_file:sock_file drmserver_socket;
|
||||
|
||||
typeattribute drmserver_socket coredomain_socket;
|
|
@ -1,26 +0,0 @@
|
|||
typeattribute dumpstate coredomain;
|
||||
typeattribute dumpstate domain_deprecated;
|
||||
|
||||
init_daemon_domain(dumpstate)
|
||||
|
||||
# Execute and transition to the vdc domain
|
||||
domain_auto_trans(dumpstate, vdc_exec, vdc)
|
||||
|
||||
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
|
||||
allow dumpstate system_file:file lock;
|
||||
|
||||
# TODO: deal with tmpfs_domain pub/priv split properly
|
||||
allow dumpstate dumpstate_tmpfs:file execute;
|
||||
|
||||
# systrace support - allow atrace to run
|
||||
allow dumpstate debugfs_tracing:dir r_dir_perms;
|
||||
allow dumpstate debugfs_tracing:file rw_file_perms;
|
||||
allow dumpstate debugfs_trace_marker:file getattr;
|
||||
allow dumpstate atrace_exec:file rx_file_perms;
|
||||
allow dumpstate storaged_exec:file rx_file_perms;
|
||||
|
||||
# Allow dumpstate to make binder calls to storaged service
|
||||
binder_call(dumpstate, storaged)
|
||||
|
||||
# Collect metrics on boot time created by init
|
||||
get_prop(dumpstate, boottime_prop)
|
|
@ -1,68 +0,0 @@
|
|||
###
|
||||
### Ephemeral apps.
|
||||
###
|
||||
### This file defines the security policy for apps with the ephemeral
|
||||
### feature.
|
||||
###
|
||||
### The ephemeral_app domain is a reduced permissions sandbox allowing
|
||||
### ephemeral applications to be safely installed and run. Non ephemeral
|
||||
### applications may also opt-in to ephemeral to take advantage of the
|
||||
### additional security features.
|
||||
###
|
||||
### PackageManager flags an app as ephemeral at install time.
|
||||
|
||||
typeattribute ephemeral_app coredomain;
|
||||
|
||||
net_domain(ephemeral_app)
|
||||
app_domain(ephemeral_app)
|
||||
|
||||
# Allow ephemeral apps to read/write files in visible storage if provided fds
|
||||
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
|
||||
|
||||
# services
|
||||
allow ephemeral_app audioserver_service:service_manager find;
|
||||
allow ephemeral_app cameraserver_service:service_manager find;
|
||||
allow ephemeral_app mediaserver_service:service_manager find;
|
||||
allow ephemeral_app mediaextractor_service:service_manager find;
|
||||
allow ephemeral_app mediacodec_service:service_manager find;
|
||||
allow ephemeral_app mediametrics_service:service_manager find;
|
||||
allow ephemeral_app mediadrmserver_service:service_manager find;
|
||||
allow ephemeral_app mediacasserver_service:service_manager find;
|
||||
allow ephemeral_app surfaceflinger_service:service_manager find;
|
||||
allow ephemeral_app radio_service:service_manager find;
|
||||
allow ephemeral_app ephemeral_app_api_service:service_manager find;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# Executable content should never be loaded from an ephemeral app home directory.
|
||||
neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
|
||||
|
||||
# Receive or send uevent messages.
|
||||
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
|
||||
|
||||
# Receive or send generic netlink messages
|
||||
neverallow ephemeral_app domain:netlink_socket *;
|
||||
|
||||
# Too much leaky information in debugfs. It's a security
|
||||
# best practice to ensure these files aren't readable.
|
||||
neverallow ephemeral_app debugfs:file read;
|
||||
|
||||
# execute gpu_device
|
||||
neverallow ephemeral_app gpu_device:chr_file execute;
|
||||
|
||||
# access files in /sys with the default sysfs label
|
||||
neverallow ephemeral_app sysfs:file *;
|
||||
|
||||
# Avoid reads from generically labeled /proc files
|
||||
# Create a more specific label if needed
|
||||
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
|
||||
|
||||
# Directly access external storage
|
||||
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
|
||||
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
|
||||
|
||||
# Avoid reads to proc_net, it contains too much device wide information about
|
||||
# ongoing connections.
|
||||
neverallow ephemeral_app proc_net:file no_rw_file_perms;
|
|
@ -1,7 +0,0 @@
|
|||
# Compatibility with type names used in vanilla Android 4.3 and 4.4.
|
||||
typealias audio_data_file alias audio_firmware_file;
|
||||
typealias app_data_file alias platform_app_data_file;
|
||||
typealias app_data_file alias download_file;
|
||||
|
||||
# /proc/config.gz
|
||||
type config_gz, fs_type;
|
|
@ -1,539 +0,0 @@
|
|||
###########################################
|
||||
# Root
|
||||
/ u:object_r:rootfs:s0
|
||||
|
||||
# Data files
|
||||
/adb_keys u:object_r:adb_keys_file:s0
|
||||
/build\.prop u:object_r:rootfs:s0
|
||||
/default\.prop u:object_r:rootfs:s0
|
||||
/fstab\..* u:object_r:rootfs:s0
|
||||
/init\..* u:object_r:rootfs:s0
|
||||
/res(/.*)? u:object_r:rootfs:s0
|
||||
/selinux_version u:object_r:rootfs:s0
|
||||
/ueventd\..* u:object_r:rootfs:s0
|
||||
/verity_key u:object_r:rootfs:s0
|
||||
|
||||
# Executables
|
||||
/charger u:object_r:rootfs:s0
|
||||
/init u:object_r:init_exec:s0
|
||||
/sbin(/.*)? u:object_r:rootfs:s0
|
||||
|
||||
# For kernel modules
|
||||
/lib(/.*)? u:object_r:rootfs:s0
|
||||
|
||||
# Empty directories
|
||||
/lost\+found u:object_r:rootfs:s0
|
||||
/acct u:object_r:cgroup:s0
|
||||
/config u:object_r:rootfs:s0
|
||||
/mnt u:object_r:tmpfs:s0
|
||||
/postinstall u:object_r:postinstall_mnt_dir:s0
|
||||
/proc u:object_r:rootfs:s0
|
||||
/root u:object_r:rootfs:s0
|
||||
/sys u:object_r:sysfs:s0
|
||||
|
||||
# Symlinks
|
||||
/bugreports u:object_r:rootfs:s0
|
||||
/d u:object_r:rootfs:s0
|
||||
/etc u:object_r:rootfs:s0
|
||||
/sdcard u:object_r:rootfs:s0
|
||||
|
||||
# SELinux policy files
|
||||
/nonplat_file_contexts u:object_r:file_contexts_file:s0
|
||||
/plat_file_contexts u:object_r:file_contexts_file:s0
|
||||
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
|
||||
/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
|
||||
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
|
||||
/plat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/nonplat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/sepolicy u:object_r:sepolicy_file:s0
|
||||
/plat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
||||
/nonplat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
||||
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
|
||||
|
||||
##########################
|
||||
# Devices
|
||||
#
|
||||
/dev(/.*)? u:object_r:device:s0
|
||||
/dev/akm8973.* u:object_r:sensors_device:s0
|
||||
/dev/accelerometer u:object_r:sensors_device:s0
|
||||
/dev/adf[0-9]* u:object_r:graphics_device:s0
|
||||
/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
|
||||
/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
|
||||
/dev/alarm u:object_r:alarm_device:s0
|
||||
/dev/ashmem u:object_r:ashmem_device:s0
|
||||
/dev/audio.* u:object_r:audio_device:s0
|
||||
/dev/binder u:object_r:binder_device:s0
|
||||
/dev/block(/.*)? u:object_r:block_device:s0
|
||||
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
|
||||
/dev/block/loop[0-9]* u:object_r:loop_device:s0
|
||||
/dev/block/vold/.+ u:object_r:vold_device:s0
|
||||
/dev/block/ram[0-9]* u:object_r:ram_device:s0
|
||||
/dev/block/zram[0-9]* u:object_r:ram_device:s0
|
||||
/dev/bus/usb(.*)? u:object_r:usb_device:s0
|
||||
/dev/cam u:object_r:camera_device:s0
|
||||
/dev/console u:object_r:console_device:s0
|
||||
/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
|
||||
/dev/device-mapper u:object_r:dm_device:s0
|
||||
/dev/eac u:object_r:audio_device:s0
|
||||
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
|
||||
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
|
||||
/dev/full u:object_r:full_device:s0
|
||||
/dev/fuse u:object_r:fuse_device:s0
|
||||
/dev/graphics(/.*)? u:object_r:graphics_device:s0
|
||||
/dev/hw_random u:object_r:hw_random_device:s0
|
||||
/dev/hwbinder u:object_r:hwbinder_device:s0
|
||||
/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
|
||||
/dev/input(/.*) u:object_r:input_device:s0
|
||||
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
|
||||
/dev/ion u:object_r:ion_device:s0
|
||||
/dev/keychord u:object_r:keychord_device:s0
|
||||
/dev/kmem u:object_r:kmem_device:s0
|
||||
/dev/log(/.*)? u:object_r:log_device:s0
|
||||
/dev/loop-control u:object_r:loop_control_device:s0
|
||||
/dev/mem u:object_r:kmem_device:s0
|
||||
/dev/modem.* u:object_r:radio_device:s0
|
||||
/dev/mtd(/.*)? u:object_r:mtd_device:s0
|
||||
/dev/mtp_usb u:object_r:mtp_device:s0
|
||||
/dev/pmsg0 u:object_r:pmsg_device:s0
|
||||
/dev/pn544 u:object_r:nfc_device:s0
|
||||
/dev/port u:object_r:port_device:s0
|
||||
/dev/ppp u:object_r:ppp_device:s0
|
||||
/dev/ptmx u:object_r:ptmx_device:s0
|
||||
/dev/pvrsrvkm u:object_r:gpu_device:s0
|
||||
/dev/kmsg u:object_r:kmsg_device:s0
|
||||
/dev/null u:object_r:null_device:s0
|
||||
/dev/nvhdcp1 u:object_r:video_device:s0
|
||||
/dev/random u:object_r:random_device:s0
|
||||
/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
|
||||
/dev/rproc_user u:object_r:rpmsg_device:s0
|
||||
/dev/rtc[0-9] u:object_r:rtc_device:s0
|
||||
/dev/snd(/.*)? u:object_r:audio_device:s0
|
||||
/dev/snd/audio_timer_device u:object_r:audio_timer_device:s0
|
||||
/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
|
||||
/dev/socket(/.*)? u:object_r:socket_device:s0
|
||||
/dev/socket/adbd u:object_r:adbd_socket:s0
|
||||
/dev/socket/cryptd u:object_r:vold_socket:s0
|
||||
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
|
||||
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
|
||||
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
|
||||
/dev/socket/lmkd u:object_r:lmkd_socket:s0
|
||||
/dev/socket/logd u:object_r:logd_socket:s0
|
||||
/dev/socket/logdr u:object_r:logdr_socket:s0
|
||||
/dev/socket/logdw u:object_r:logdw_socket:s0
|
||||
/dev/socket/mdns u:object_r:mdns_socket:s0
|
||||
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
|
||||
/dev/socket/mtpd u:object_r:mtpd_socket:s0
|
||||
/dev/socket/netd u:object_r:netd_socket:s0
|
||||
/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
|
||||
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
|
||||
/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
|
||||
/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
|
||||
/dev/socket/property_service u:object_r:property_socket:s0
|
||||
/dev/socket/racoon u:object_r:racoon_socket:s0
|
||||
/dev/socket/rild u:object_r:rild_socket:s0
|
||||
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
|
||||
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
|
||||
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
|
||||
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
|
||||
/dev/socket/vold u:object_r:vold_socket:s0
|
||||
/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
|
||||
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
|
||||
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
|
||||
/dev/socket/zygote u:object_r:zygote_socket:s0
|
||||
/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
|
||||
/dev/spdif_out.* u:object_r:audio_device:s0
|
||||
/dev/tegra.* u:object_r:video_device:s0
|
||||
/dev/tty u:object_r:owntty_device:s0
|
||||
/dev/tty[0-9]* u:object_r:tty_device:s0
|
||||
/dev/ttyS[0-9]* u:object_r:serial_device:s0
|
||||
/dev/tun u:object_r:tun_device:s0
|
||||
/dev/uhid u:object_r:uhid_device:s0
|
||||
/dev/uinput u:object_r:uhid_device:s0
|
||||
/dev/uio[0-9]* u:object_r:uio_device:s0
|
||||
/dev/urandom u:object_r:random_device:s0
|
||||
/dev/usb_accessory u:object_r:usbaccessory_device:s0
|
||||
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
|
||||
/dev/video[0-9]* u:object_r:video_device:s0
|
||||
/dev/vndbinder u:object_r:vndbinder_device:s0
|
||||
/dev/watchdog u:object_r:watchdog_device:s0
|
||||
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
|
||||
/dev/zero u:object_r:zero_device:s0
|
||||
/dev/__properties__ u:object_r:properties_device:s0
|
||||
#############################
|
||||
# System files
|
||||
#
|
||||
/system(/.*)? u:object_r:system_file:s0
|
||||
/system/bin/atrace u:object_r:atrace_exec:s0
|
||||
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
|
||||
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
|
||||
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
|
||||
/system/bin/tune2fs -- u:object_r:fsck_exec:s0
|
||||
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
|
||||
/system/bin/toybox -- u:object_r:toolbox_exec:s0
|
||||
/system/bin/logcat -- u:object_r:logcat_exec:s0
|
||||
/system/bin/logcatd -- u:object_r:logcat_exec:s0
|
||||
/system/bin/sh -- u:object_r:shell_exec:s0
|
||||
/system/bin/run-as -- u:object_r:runas_exec:s0
|
||||
/system/bin/bootanimation u:object_r:bootanim_exec:s0
|
||||
/system/bin/bootstat u:object_r:bootstat_exec:s0
|
||||
/system/bin/app_process32 u:object_r:zygote_exec:s0
|
||||
/system/bin/app_process64 u:object_r:zygote_exec:s0
|
||||
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
|
||||
/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
|
||||
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
|
||||
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
|
||||
/system/bin/performanced u:object_r:performanced_exec:s0
|
||||
/system/bin/drmserver u:object_r:drmserver_exec:s0
|
||||
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
|
||||
/system/bin/incident u:object_r:incident_exec:s0
|
||||
/system/bin/incidentd u:object_r:incidentd_exec:s0
|
||||
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
|
||||
/system/bin/vold u:object_r:vold_exec:s0
|
||||
/system/bin/netd u:object_r:netd_exec:s0
|
||||
/system/bin/wificond u:object_r:wificond_exec:s0
|
||||
/system/bin/audioserver u:object_r:audioserver_exec:s0
|
||||
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
|
||||
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
|
||||
/system/bin/mediametrics u:object_r:mediametrics_exec:s0
|
||||
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
|
||||
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
|
||||
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
|
||||
/system/bin/installd u:object_r:installd_exec:s0
|
||||
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
|
||||
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
|
||||
/system/bin/keystore u:object_r:keystore_exec:s0
|
||||
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
|
||||
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
|
||||
/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
|
||||
/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
|
||||
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
|
||||
/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
|
||||
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
|
||||
/system/bin/sdcard u:object_r:sdcardd_exec:s0
|
||||
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
|
||||
/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
|
||||
/system/bin/mtpd u:object_r:mtp_exec:s0
|
||||
/system/bin/pppd u:object_r:ppp_exec:s0
|
||||
/system/bin/racoon u:object_r:racoon_exec:s0
|
||||
/system/xbin/su u:object_r:su_exec:s0
|
||||
/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
|
||||
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
|
||||
/system/bin/healthd u:object_r:healthd_exec:s0
|
||||
/system/bin/clatd u:object_r:clatd_exec:s0
|
||||
/system/bin/lmkd u:object_r:lmkd_exec:s0
|
||||
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
|
||||
/system/bin/logd u:object_r:logd_exec:s0
|
||||
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
|
||||
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
|
||||
/system/bin/logwrapper u:object_r:system_file:s0
|
||||
/system/bin/vdc u:object_r:vdc_exec:s0
|
||||
/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
|
||||
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
|
||||
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
|
||||
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
|
||||
/system/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
|
||||
# patchoat executable has (essentially) the same requirements as dex2oat.
|
||||
/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
|
||||
/system/bin/profman u:object_r:profman_exec:s0
|
||||
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
|
||||
/system/bin/blkid u:object_r:blkid_exec:s0
|
||||
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
|
||||
/system/bin/idmap u:object_r:idmap_exec:s0
|
||||
/system/bin/update_engine u:object_r:update_engine_exec:s0
|
||||
/system/bin/bspatch u:object_r:update_engine_exec:s0
|
||||
/system/bin/storaged u:object_r:storaged_exec:s0
|
||||
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
|
||||
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
|
||||
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
|
||||
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
|
||||
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
|
||||
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
|
||||
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
||||
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
|
||||
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
|
||||
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
|
||||
|
||||
#############################
|
||||
# Vendor files
|
||||
#
|
||||
/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
|
||||
/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
|
||||
/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
|
||||
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
|
||||
|
||||
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
|
||||
|
||||
/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
|
||||
|
||||
# TODO: b/36790901 move this to /vendor/etc
|
||||
/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
|
||||
/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
|
||||
/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
|
||||
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
|
||||
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
|
||||
|
||||
# HAL location
|
||||
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
|
||||
|
||||
/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
|
||||
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
|
||||
|
||||
#############################
|
||||
# OEM and ODM files
|
||||
#
|
||||
/odm(/.*)? u:object_r:system_file:s0
|
||||
/oem(/.*)? u:object_r:oemfs:s0
|
||||
|
||||
|
||||
#############################
|
||||
# Data files
|
||||
#
|
||||
# NOTE: When modifying existing label rules, changes may also need to
|
||||
# propagate to the "Expanded data files" section.
|
||||
#
|
||||
/data(/.*)? u:object_r:system_data_file:s0
|
||||
/data/.layout_version u:object_r:install_data_file:s0
|
||||
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
|
||||
/data/backup(/.*)? u:object_r:backup_data_file:s0
|
||||
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
|
||||
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
|
||||
/data/drm(/.*)? u:object_r:drm_data_file:s0
|
||||
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
|
||||
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
|
||||
/data/ota(/.*)? u:object_r:ota_data_file:s0
|
||||
/data/ota_package(/.*)? u:object_r:ota_package_file:s0
|
||||
/data/adb(/.*)? u:object_r:adb_data_file:s0
|
||||
/data/anr(/.*)? u:object_r:anr_data_file:s0
|
||||
/data/app(/.*)? u:object_r:apk_data_file:s0
|
||||
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
|
||||
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
|
||||
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
|
||||
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
|
||||
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
|
||||
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
|
||||
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
|
||||
/data/media(/.*)? u:object_r:media_rw_data_file:s0
|
||||
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
|
||||
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
|
||||
/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
|
||||
/data/property(/.*)? u:object_r:property_data_file:s0
|
||||
/data/preloads(/.*)? u:object_r:preloads_data_file:s0
|
||||
/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
|
||||
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
|
||||
|
||||
# Misc data
|
||||
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
|
||||
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
|
||||
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
|
||||
/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
|
||||
/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
|
||||
/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
|
||||
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
|
||||
/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
|
||||
/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
|
||||
/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
|
||||
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
|
||||
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
|
||||
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
|
||||
/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
|
||||
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
|
||||
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
|
||||
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
|
||||
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
|
||||
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
|
||||
/data/misc/media(/.*)? u:object_r:media_data_file:s0
|
||||
/data/misc/net(/.*)? u:object_r:net_data_file:s0
|
||||
/data/misc/reboot(/.*)? u:object_r:reboot_data_file:s0
|
||||
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
|
||||
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
|
||||
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
|
||||
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
|
||||
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
|
||||
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
|
||||
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
|
||||
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
|
||||
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
|
||||
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
|
||||
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
|
||||
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
|
||||
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
|
||||
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
|
||||
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
|
||||
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
|
||||
# TODO(calin) label profile reference differently so that only
|
||||
# profman run as a special user can write to them
|
||||
/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
|
||||
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
|
||||
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
|
||||
|
||||
# Fingerprint data
|
||||
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
|
||||
|
||||
# Bootchart data
|
||||
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
|
||||
|
||||
#############################
|
||||
# Expanded data files
|
||||
#
|
||||
/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
|
||||
/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
|
||||
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
|
||||
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
|
||||
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
|
||||
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
|
||||
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
|
||||
/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
|
||||
/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
|
||||
|
||||
# coredump directory for userdebug/eng devices
|
||||
/cores(/.*)? u:object_r:coredump_file:s0
|
||||
|
||||
# Wallpaper files
|
||||
/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
|
||||
/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
|
||||
/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
|
||||
/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
|
||||
|
||||
# Ringtone files
|
||||
/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
|
||||
|
||||
# ShortcutManager icons, e.g.
|
||||
# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
|
||||
/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
|
||||
|
||||
# User icon files
|
||||
/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
|
||||
|
||||
#############################
|
||||
# efs files
|
||||
#
|
||||
/efs(/.*)? u:object_r:efs_file:s0
|
||||
|
||||
#############################
|
||||
# Cache files
|
||||
#
|
||||
/cache(/.*)? u:object_r:cache_file:s0
|
||||
/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
|
||||
# General backup/restore interchange with apps
|
||||
/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
|
||||
# LocalTransport (backup) uses this subtree
|
||||
/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
|
||||
|
||||
/data/cache(/.*)? u:object_r:cache_file:s0
|
||||
/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
|
||||
# General backup/restore interchange with apps
|
||||
/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
|
||||
# LocalTransport (backup) uses this subtree
|
||||
/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
|
||||
|
||||
#############################
|
||||
# sysfs files
|
||||
#
|
||||
/sys/class/leds(/.*)? u:object_r:sysfs_leds:s0
|
||||
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
|
||||
/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
|
||||
/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
|
||||
/sys/devices/virtual/misc/hw_random(/.*)? u:object_r:sysfs_hwrandom:s0
|
||||
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
|
||||
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
|
||||
/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
|
||||
/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
|
||||
/sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
|
||||
/sys/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
|
||||
|
||||
#############################
|
||||
# debugfs files
|
||||
#
|
||||
/sys/kernel/debug/mmc0(/.*)? u:object_r:debugfs_mmc:s0
|
||||
|
||||
#############################
|
||||
# tracefs files
|
||||
#
|
||||
/sys/kernel(/debug)?/tracing/buffer_size_kb u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
|
||||
/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
|
||||
/sys/kernel(/debug)?/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
|
||||
/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
|
||||
/sys/kernel(/debug)?/tracing/options/overwrite u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/options/print-tgid u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/trace u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/trace_clock u:object_r:tracing_shell_writable:s0
|
||||
/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
|
||||
/sys/kernel(/debug)?/tracing/tracing_on u:object_r:tracing_shell_writable:s0
|
||||
|
||||
###########################################
|
||||
# debug-only tracing
|
||||
#
|
||||
/sys/kernel/debug/tracing/events/sync/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/workqueue/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/regulator/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/pagecache/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
|
||||
/sys/kernel/debug/tracing/events/irq/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/ipi/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
|
||||
/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/block/block_rq_issue/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/events/block/block_rq_complete/enable u:object_r:tracing_shell_writable_debug:s0
|
||||
/sys/kernel/debug/tracing/saved_cmdlines_size u:object_r:tracing_shell_writable_debug:s0
|
||||
|
||||
#############################
|
||||
# asec containers
|
||||
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
|
||||
/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
|
||||
/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
|
||||
/data/app-asec(/.*)? u:object_r:asec_image_file:s0
|
||||
|
||||
#############################
|
||||
# external storage
|
||||
/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
|
||||
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
|
||||
/mnt/runtime(/.*)? u:object_r:storage_file:s0
|
||||
/storage(/.*)? u:object_r:storage_file:s0
|
|
@ -1,5 +0,0 @@
|
|||
/data/asan/system/lib(/.*)? u:object_r:system_file:s0
|
||||
/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
|
||||
/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
|
||||
/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
|
||||
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
|
|
@ -1,4 +0,0 @@
|
|||
typeattribute fingerprintd coredomain;
|
||||
typeattribute fingerprintd domain_deprecated;
|
||||
|
||||
init_daemon_domain(fingerprintd)
|
|
@ -1,23 +0,0 @@
|
|||
# Label inodes via getxattr.
|
||||
fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
|
||||
fs_use_xattr jffs2 u:object_r:labeledfs:s0;
|
||||
fs_use_xattr ext2 u:object_r:labeledfs:s0;
|
||||
fs_use_xattr ext3 u:object_r:labeledfs:s0;
|
||||
fs_use_xattr ext4 u:object_r:labeledfs:s0;
|
||||
fs_use_xattr xfs u:object_r:labeledfs:s0;
|
||||
fs_use_xattr btrfs u:object_r:labeledfs:s0;
|
||||
fs_use_xattr f2fs u:object_r:labeledfs:s0;
|
||||
fs_use_xattr squashfs u:object_r:labeledfs:s0;
|
||||
|
||||
# Label inodes from task label.
|
||||
fs_use_task pipefs u:object_r:pipefs:s0;
|
||||
fs_use_task sockfs u:object_r:sockfs:s0;
|
||||
|
||||
# Label inodes from combination of task label and fs label.
|
||||
# Define type_transition rules if you want per-domain types.
|
||||
fs_use_trans devpts u:object_r:devpts:s0;
|
||||
fs_use_trans tmpfs u:object_r:tmpfs:s0;
|
||||
fs_use_trans devtmpfs u:object_r:device:s0;
|
||||
fs_use_trans shm u:object_r:shm:s0;
|
||||
fs_use_trans mqueue u:object_r:mqueue:s0;
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
typeattribute fsck coredomain;
|
||||
typeattribute fsck domain_deprecated;
|
||||
|
||||
init_daemon_domain(fsck)
|
|
@ -1,2 +0,0 @@
|
|||
typeattribute fsck_untrusted coredomain;
|
||||
typeattribute fsck_untrusted domain_deprecated;
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute gatekeeperd coredomain;
|
||||
|
||||
init_daemon_domain(gatekeeperd)
|
|
@ -1,61 +0,0 @@
|
|||
# Label inodes with the fs label.
|
||||
genfscon rootfs / u:object_r:rootfs:s0
|
||||
# proc labeling can be further refined (longest matching prefix).
|
||||
genfscon proc / u:object_r:proc:s0
|
||||
genfscon proc /config.gz u:object_r:config_gz:s0
|
||||
genfscon proc /interrupts u:object_r:proc_interrupts:s0
|
||||
genfscon proc /iomem u:object_r:proc_iomem:s0
|
||||
genfscon proc /meminfo u:object_r:proc_meminfo:s0
|
||||
genfscon proc /misc u:object_r:proc_misc:s0
|
||||
genfscon proc /modules u:object_r:proc_modules:s0
|
||||
genfscon proc /net u:object_r:proc_net:s0
|
||||
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
|
||||
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
|
||||
genfscon proc /softirqs u:object_r:proc_timer:s0
|
||||
genfscon proc /stat u:object_r:proc_stat:s0
|
||||
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
|
||||
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
|
||||
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
|
||||
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
|
||||
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
|
||||
genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
|
||||
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
|
||||
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
|
||||
genfscon proc /timer_list u:object_r:proc_timer:s0
|
||||
genfscon proc /timer_stats u:object_r:proc_timer:s0
|
||||
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
|
||||
genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
|
||||
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
|
||||
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
|
||||
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
|
||||
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
|
||||
|
||||
# selinuxfs booleans can be individually labeled.
|
||||
genfscon selinuxfs / u:object_r:selinuxfs:s0
|
||||
genfscon cgroup / u:object_r:cgroup:s0
|
||||
# sysfs labels can be set by userspace.
|
||||
genfscon sysfs / u:object_r:sysfs:s0
|
||||
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
|
||||
genfscon inotifyfs / u:object_r:inotify:s0
|
||||
genfscon vfat / u:object_r:vfat:s0
|
||||
genfscon debugfs / u:object_r:debugfs:s0
|
||||
genfscon tracefs / u:object_r:debugfs_tracing:s0
|
||||
genfscon fuse / u:object_r:fuse:s0
|
||||
genfscon configfs / u:object_r:configfs:s0
|
||||
genfscon sdcardfs / u:object_r:sdcardfs:s0
|
||||
genfscon pstore / u:object_r:pstorefs:s0
|
||||
genfscon functionfs / u:object_r:functionfs:s0
|
||||
genfscon usbfs / u:object_r:usbfs:s0
|
||||
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
|
|
@ -1,5 +0,0 @@
|
|||
type hal_allocator_default, domain, coredomain;
|
||||
hal_server_domain(hal_allocator_default, hal_allocator)
|
||||
|
||||
type hal_allocator_default_exec, exec_type, file_type;
|
||||
init_daemon_domain(hal_allocator_default)
|
|
@ -1,13 +0,0 @@
|
|||
###
|
||||
### Rules for all domains which are clients of a HAL
|
||||
###
|
||||
|
||||
# Find out whether a HAL in passthrough/in-process mode or
|
||||
# binderized/out-of-process mode
|
||||
hwbinder_use(halclientdomain)
|
||||
|
||||
# Used to wait for hwservicemanager
|
||||
get_prop(halclientdomain, hwservicemanager_prop)
|
||||
|
||||
# Wait for HAL server to be up (used by getService)
|
||||
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
|
|
@ -1,12 +0,0 @@
|
|||
###
|
||||
### Rules for all domains which offer a HAL service over HwBinder
|
||||
###
|
||||
|
||||
# Register the HAL service with hwservicemanager
|
||||
hwbinder_use(halserverdomain)
|
||||
|
||||
# Find HAL implementations
|
||||
allow halserverdomain system_file:dir r_dir_perms;
|
||||
|
||||
# Used to wait for hwservicemanager
|
||||
get_prop(halserverdomain, hwservicemanager_prop)
|
|
@ -1,6 +0,0 @@
|
|||
typeattribute healthd coredomain;
|
||||
|
||||
init_daemon_domain(healthd)
|
||||
|
||||
# Allow callback to storaged batteryproperties listener
|
||||
binder_call(healthd, storaged)
|
|
@ -1,52 +0,0 @@
|
|||
android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
|
||||
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
|
||||
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
|
||||
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
|
||||
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
|
||||
android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
|
||||
android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
|
||||
android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
|
||||
android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_audio_hwservice:s0
|
||||
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
|
||||
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
|
||||
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
|
||||
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
|
||||
android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
|
||||
android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
|
||||
android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
|
||||
android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
|
||||
android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
|
||||
android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
|
||||
android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
|
||||
android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
|
||||
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
|
||||
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
|
||||
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
|
||||
android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
|
||||
android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
|
||||
android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
|
||||
android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
|
||||
android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
|
||||
android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
|
||||
android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
|
||||
android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
|
||||
android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
|
||||
android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
|
||||
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
|
||||
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
|
||||
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
|
||||
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
|
||||
android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
|
||||
android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
|
||||
android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
|
||||
android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
|
||||
android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
|
||||
android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
|
||||
android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
|
||||
android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
|
||||
android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
|
||||
android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
|
||||
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
|
||||
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
|
||||
android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
|
||||
* u:object_r:default_android_hwservice:s0
|
|
@ -1,6 +0,0 @@
|
|||
typeattribute hwservicemanager coredomain;
|
||||
|
||||
init_daemon_domain(hwservicemanager)
|
||||
|
||||
add_hwservice(hwservicemanager, hidl_manager_hwservice)
|
||||
add_hwservice(hwservicemanager, hidl_token_hwservice)
|
|
@ -1 +0,0 @@
|
|||
typeattribute idmap coredomain;
|
|
@ -1,25 +0,0 @@
|
|||
typeattribute incident coredomain;
|
||||
|
||||
type incident_exec, exec_type, file_type;
|
||||
|
||||
# switch to incident domain for incident command
|
||||
domain_auto_trans(shell, incident_exec, incident)
|
||||
|
||||
# allow incident access to stdout from its parent shell.
|
||||
allow incident shell:fd use;
|
||||
|
||||
# allow incident to communicate use, read and write over the adb
|
||||
# connection.
|
||||
allow incident adbd:fd use;
|
||||
allow incident adbd:unix_stream_socket { read write };
|
||||
|
||||
# allow adbd to reap incident
|
||||
allow incident adbd:process { sigchld };
|
||||
|
||||
# Allow the incident command to talk to the incidentd over the binder, and get
|
||||
# back the incident report data from a ParcelFileDescriptor.
|
||||
binder_use(incident)
|
||||
allow incident incident_service:service_manager find;
|
||||
binder_call(incident, incidentd)
|
||||
allow incident incidentd:fifo_file write;
|
||||
|
|
@ -1,110 +0,0 @@
|
|||
typeattribute incidentd coredomain;
|
||||
|
||||
init_daemon_domain(incidentd)
|
||||
type incidentd_exec, exec_type, file_type;
|
||||
binder_use(incidentd)
|
||||
wakelock_use(incidentd)
|
||||
|
||||
# Allow setting process priority, protect from OOM killer, and dropping
|
||||
# privileges by switching UID / GID
|
||||
# TODO allow incidentd self:capability { setuid setgid sys_resource };
|
||||
|
||||
# Allow incidentd to scan through /proc/pid for all processes
|
||||
r_dir_file(incidentd, domain)
|
||||
|
||||
allow incidentd self:capability {
|
||||
# Send signals to processes
|
||||
kill
|
||||
};
|
||||
|
||||
# Allow executing files on system, such as:
|
||||
# /system/bin/toolbox
|
||||
# /system/bin/logcat
|
||||
# /system/bin/dumpsys
|
||||
allow incidentd system_file:file execute_no_trans;
|
||||
allow incidentd toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Create and write into /data/misc/incidents
|
||||
allow incidentd incident_data_file:dir rw_dir_perms;
|
||||
allow incidentd incident_data_file:file create_file_perms;
|
||||
|
||||
# Get process attributes
|
||||
# TODO allow incidentd domain:process getattr;
|
||||
|
||||
# Signal java processes to dump their stack and get the results
|
||||
# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
|
||||
# TODO allow incidentd anr_data_file:dir rw_dir_perms;
|
||||
# TODO allow incidentd anr_data_file:file create_file_perms;
|
||||
|
||||
# Signal native processes to dump their stack.
|
||||
# This list comes from native_processes_to_dump in incidentd/utils.c
|
||||
allow incidentd {
|
||||
audioserver
|
||||
cameraserver
|
||||
drmserver
|
||||
inputflinger
|
||||
mediacodec
|
||||
mediadrmserver
|
||||
mediaextractor
|
||||
mediaserver
|
||||
sdcardd
|
||||
surfaceflinger
|
||||
}:process signal;
|
||||
|
||||
# Allow incidentd to make binder calls to any binder service
|
||||
binder_call(incidentd, binderservicedomain)
|
||||
binder_call(incidentd, appdomain)
|
||||
|
||||
# Reading /proc/PID/maps of other processes
|
||||
# TODO allow incidentd self:capability sys_ptrace;
|
||||
|
||||
# Run a shell.
|
||||
allow incidentd shell_exec:file rx_file_perms;
|
||||
|
||||
# logd access - work to be done is a PII safe log (possibly an event log?)
|
||||
# TODO read_logd(incidentd)
|
||||
# TODO control_logd(incidentd)
|
||||
|
||||
# Allow incidentd to find these standard groups of services.
|
||||
# Others can be allowlisted individually.
|
||||
allow incidentd {
|
||||
system_server_service
|
||||
app_api_service
|
||||
system_api_service
|
||||
}:service_manager find;
|
||||
|
||||
# Only incidentd can publish the binder service
|
||||
add_service(incidentd, incident_service)
|
||||
|
||||
# Allow pipes from (and only from) incident
|
||||
allow incidentd incident:fd use;
|
||||
allow incidentd incident:fifo_file write;
|
||||
|
||||
# Allow incident to call back to incident with status updates.
|
||||
binder_call(incidentd, incident)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# only system_server, system_app and incident command can find the incident service
|
||||
neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
|
||||
|
||||
# only incidentd and the other root services in limited circumstances
|
||||
# can get to the files in /data/misc/incidents
|
||||
#
|
||||
# write, execute, append are forbidden almost everywhere
|
||||
neverallow { domain -incidentd -init -vold } incident_data_file:file {
|
||||
w_file_perms
|
||||
x_file_perms
|
||||
create
|
||||
rename
|
||||
setattr
|
||||
unlink
|
||||
append
|
||||
};
|
||||
# read is also allowed by system_server, for when the file is handed to dropbox
|
||||
neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
|
||||
# limited access to the directory itself
|
||||
neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
typeattribute init coredomain;
|
||||
|
||||
tmpfs_domain(init)
|
||||
|
||||
# Transitions to seclabel processes in init.rc
|
||||
domain_trans(init, rootfs, adbd)
|
||||
domain_trans(init, rootfs, charger)
|
||||
domain_trans(init, rootfs, healthd)
|
||||
domain_trans(init, rootfs, slideshow)
|
||||
recovery_only(`
|
||||
domain_trans(init, rootfs, recovery)
|
||||
')
|
||||
domain_trans(init, shell_exec, shell)
|
||||
domain_trans(init, init_exec, ueventd)
|
||||
domain_trans(init, init_exec, watchdogd)
|
||||
domain_trans(init, { rootfs toolbox_exec }, modprobe)
|
||||
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
|
||||
userdebug_or_eng(`
|
||||
domain_auto_trans(init, logcat_exec, logpersist)
|
||||
')
|
||||
|
||||
# Creating files on sysfs is impossible so this isn't a threat
|
||||
# Sometimes we have to write to non-existent files to avoid conditional
|
||||
# init behavior. See b/35303861 for an example.
|
||||
dontaudit init sysfs:dir write;
|
|
@ -1,27 +0,0 @@
|
|||
sid kernel u:r:kernel:s0
|
||||
sid security u:object_r:kernel:s0
|
||||
sid unlabeled u:object_r:unlabeled:s0
|
||||
sid fs u:object_r:labeledfs:s0
|
||||
sid file u:object_r:unlabeled:s0
|
||||
sid file_labels u:object_r:unlabeled:s0
|
||||
sid init u:object_r:unlabeled:s0
|
||||
sid any_socket u:object_r:unlabeled:s0
|
||||
sid port u:object_r:port:s0
|
||||
sid netif u:object_r:netif:s0
|
||||
sid netmsg u:object_r:unlabeled:s0
|
||||
sid node u:object_r:node:s0
|
||||
sid igmp_packet u:object_r:unlabeled:s0
|
||||
sid icmp_socket u:object_r:unlabeled:s0
|
||||
sid tcp_socket u:object_r:unlabeled:s0
|
||||
sid sysctl_modprobe u:object_r:unlabeled:s0
|
||||
sid sysctl u:object_r:proc:s0
|
||||
sid sysctl_fs u:object_r:unlabeled:s0
|
||||
sid sysctl_kernel u:object_r:unlabeled:s0
|
||||
sid sysctl_net u:object_r:unlabeled:s0
|
||||
sid sysctl_net_unix u:object_r:unlabeled:s0
|
||||
sid sysctl_vm u:object_r:unlabeled:s0
|
||||
sid sysctl_dev u:object_r:unlabeled:s0
|
||||
sid kmod u:object_r:unlabeled:s0
|
||||
sid policy u:object_r:unlabeled:s0
|
||||
sid scmp_packet u:object_r:unlabeled:s0
|
||||
sid devnull u:object_r:null_device:s0
|
|
@ -1,35 +0,0 @@
|
|||
# FLASK
|
||||
|
||||
#
|
||||
# Define initial security identifiers
|
||||
#
|
||||
|
||||
sid kernel
|
||||
sid security
|
||||
sid unlabeled
|
||||
sid fs
|
||||
sid file
|
||||
sid file_labels
|
||||
sid init
|
||||
sid any_socket
|
||||
sid port
|
||||
sid netif
|
||||
sid netmsg
|
||||
sid node
|
||||
sid igmp_packet
|
||||
sid icmp_socket
|
||||
sid tcp_socket
|
||||
sid sysctl_modprobe
|
||||
sid sysctl
|
||||
sid sysctl_fs
|
||||
sid sysctl_kernel
|
||||
sid sysctl_net
|
||||
sid sysctl_net_unix
|
||||
sid sysctl_vm
|
||||
sid sysctl_dev
|
||||
sid kmod
|
||||
sid policy
|
||||
sid scmp_packet
|
||||
sid devnull
|
||||
|
||||
# FLASK
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute inputflinger coredomain;
|
||||
|
||||
init_daemon_domain(inputflinger)
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute install_recovery coredomain;
|
||||
|
||||
init_daemon_domain(install_recovery)
|
|
@ -1,19 +0,0 @@
|
|||
typeattribute installd coredomain;
|
||||
typeattribute installd domain_deprecated;
|
||||
|
||||
init_daemon_domain(installd)
|
||||
|
||||
# Run dex2oat in its own sandbox.
|
||||
domain_auto_trans(installd, dex2oat_exec, dex2oat)
|
||||
|
||||
# Run dexoptanalyzer in its own sandbox.
|
||||
domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
|
||||
|
||||
# Run profman in its own sandbox.
|
||||
domain_auto_trans(installd, profman_exec, profman)
|
||||
|
||||
# Run idmap in its own sandbox.
|
||||
domain_auto_trans(installd, idmap_exec, idmap)
|
||||
|
||||
# Create /data/.layout_version.* file
|
||||
type_transition installd system_data_file:file install_data_file;
|
|
@ -1,93 +0,0 @@
|
|||
###
|
||||
### Services with isolatedProcess=true in their manifest.
|
||||
###
|
||||
### This file defines the rules for isolated apps. An "isolated
|
||||
### app" is an APP with UID between AID_ISOLATED_START (99000)
|
||||
### and AID_ISOLATED_END (99999).
|
||||
###
|
||||
|
||||
typeattribute isolated_app coredomain;
|
||||
|
||||
app_domain(isolated_app)
|
||||
|
||||
# Access already open app data files received over Binder or local socket IPC.
|
||||
allow isolated_app app_data_file:file { append read write getattr lock };
|
||||
|
||||
allow isolated_app activity_service:service_manager find;
|
||||
allow isolated_app display_service:service_manager find;
|
||||
allow isolated_app webviewupdate_service:service_manager find;
|
||||
|
||||
# Google Breakpad (crash reporter for Chrome) relies on ptrace
|
||||
# functionality. Without the ability to ptrace, the crash reporter
|
||||
# tool is broken.
|
||||
# b/20150694
|
||||
# https://code.google.com/p/chromium/issues/detail?id=475270
|
||||
allow isolated_app self:process ptrace;
|
||||
|
||||
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
|
||||
# by other processes. Open should never be allowed, and is blocked by
|
||||
# neverallow rules below.
|
||||
# TODO: consider removing write/append. We want to limit isolated_apps
|
||||
# ability to mutate files of any type.
|
||||
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
|
||||
# is modified to change the secontext when accessing the lower filesystem.
|
||||
allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
|
||||
auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
|
||||
|
||||
# For webviews, isolated_app processes can be forked from the webview_zygote
|
||||
# in addition to the zygote. Allow access to resources inherited from the
|
||||
# webview_zygote process. These rules are specialized copies of the ones in app.te.
|
||||
# Inherit FDs from the webview_zygote.
|
||||
allow isolated_app webview_zygote:fd use;
|
||||
# Notify webview_zygote of child death.
|
||||
allow isolated_app webview_zygote:process sigchld;
|
||||
# Inherit logd write socket.
|
||||
allow isolated_app webview_zygote:unix_dgram_socket write;
|
||||
# Read system properties managed by webview_zygote.
|
||||
allow isolated_app webview_zygote_tmpfs:file read;
|
||||
|
||||
#####
|
||||
##### Neverallow
|
||||
#####
|
||||
|
||||
# Do not allow isolated_app to directly open tun_device
|
||||
neverallow isolated_app tun_device:chr_file open;
|
||||
|
||||
# Isolated apps should not directly open app data files themselves.
|
||||
neverallow isolated_app app_data_file:file open;
|
||||
|
||||
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
|
||||
# TODO: are there situations where isolated_apps write to this file?
|
||||
# TODO: should we tighten these restrictions further?
|
||||
neverallow isolated_app anr_data_file:file ~{ open append };
|
||||
neverallow isolated_app anr_data_file:dir ~search;
|
||||
|
||||
# b/17487348
|
||||
# Isolated apps can only access three services,
|
||||
# activity_service, display_service and webviewupdate_service.
|
||||
neverallow isolated_app {
|
||||
service_manager_type
|
||||
-activity_service
|
||||
-display_service
|
||||
-webviewupdate_service
|
||||
}:service_manager find;
|
||||
|
||||
# Isolated apps shouldn't be able to access the driver directly.
|
||||
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
|
||||
|
||||
# Do not allow isolated_app access to /cache
|
||||
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
|
||||
neverallow isolated_app cache_file:file ~{ read getattr };
|
||||
|
||||
# Do not allow isolated_app to access external storage, except for files passed
|
||||
# via file descriptors (b/32896414).
|
||||
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
|
||||
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
|
||||
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
|
||||
neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
|
||||
|
||||
# Do not allow USB access
|
||||
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
|
||||
|
||||
# Restrict the webview_zygote control socket.
|
||||
neverallow isolated_app webview_zygote_socket:sock_file write;
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute kernel coredomain;
|
||||
|
||||
domain_auto_trans(kernel, init_exec, init)
|
|
@ -1,25 +0,0 @@
|
|||
#
|
||||
# Maps an arbitrary tag [TAGNAME] with the string contents found in
|
||||
# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
|
||||
# name it after the base file name of the pem file.
|
||||
#
|
||||
# Each tag (section) then allows one to specify any string found in
|
||||
# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
|
||||
# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
|
||||
#
|
||||
|
||||
[@PLATFORM]
|
||||
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
|
||||
|
||||
[@MEDIA]
|
||||
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
|
||||
|
||||
[@SHARED]
|
||||
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
|
||||
|
||||
# Example of ALL TARGET_BUILD_VARIANTS
|
||||
[@RELEASE]
|
||||
ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
|
||||
USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
|
||||
USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
typeattribute keystore coredomain;
|
||||
typeattribute keystore domain_deprecated;
|
||||
|
||||
init_daemon_domain(keystore)
|
||||
|
||||
# talk to keymaster
|
||||
hal_client_domain(keystore, hal_keymaster)
|
||||
|
||||
# Offer the Wifi Keystore HwBinder service
|
||||
typeattribute keystore wifi_keystore_service_server;
|
||||
add_hwservice(keystore, system_wifi_keystore_hwservice)
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute lmkd coredomain;
|
||||
|
||||
init_daemon_domain(lmkd)
|
|
@ -1,39 +0,0 @@
|
|||
typeattribute logd coredomain;
|
||||
|
||||
init_daemon_domain(logd)
|
||||
|
||||
# logd is not allowed to write anywhere other than /data/misc/logd, and then
|
||||
# only on userdebug or eng builds
|
||||
# TODO: deal with tmpfs_domain pub/priv split properly
|
||||
neverallow logd {
|
||||
file_type
|
||||
-logd_tmpfs
|
||||
-runtime_event_log_tags_file
|
||||
userdebug_or_eng(`-coredump_file -misc_logd_file')
|
||||
}:file { create write append };
|
||||
|
||||
# protect the event-log-tags file
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain # covered below
|
||||
-bootstat
|
||||
-dumpstate
|
||||
-init
|
||||
-logd
|
||||
userdebug_or_eng(`-logpersist')
|
||||
-servicemanager
|
||||
-system_server
|
||||
-surfaceflinger
|
||||
-zygote
|
||||
} runtime_event_log_tags_file:file no_rw_file_perms;
|
||||
|
||||
neverallow {
|
||||
appdomain
|
||||
-bluetooth
|
||||
-platform_app
|
||||
-priv_app
|
||||
-radio
|
||||
-shell
|
||||
userdebug_or_eng(`-su')
|
||||
-system_app
|
||||
} runtime_event_log_tags_file:file no_rw_file_perms;
|
|
@ -1,24 +0,0 @@
|
|||
typeattribute logpersist coredomain;
|
||||
|
||||
# android debug log storage in logpersist domains (eng and userdebug only)
|
||||
userdebug_or_eng(`
|
||||
|
||||
r_dir_file(logpersist, cgroup)
|
||||
|
||||
allow logpersist misc_logd_file:file create_file_perms;
|
||||
allow logpersist misc_logd_file:dir rw_dir_perms;
|
||||
|
||||
allow logpersist self:capability sys_nice;
|
||||
allow logpersist pstorefs:dir search;
|
||||
allow logpersist pstorefs:file r_file_perms;
|
||||
|
||||
control_logd(logpersist)
|
||||
unix_socket_connect(logpersist, logdr, logd)
|
||||
read_runtime_log_tags(logpersist)
|
||||
|
||||
')
|
||||
|
||||
# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
|
||||
neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
|
||||
neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
|
||||
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
|
|
@ -1,59 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<policy>
|
||||
|
||||
<!--
|
||||
|
||||
* A signature is a hex encoded X.509 certificate or a tag defined in
|
||||
keys.conf and is required for each signer tag. The signature can
|
||||
either appear as a set of attached cert child tags or as an attribute.
|
||||
* A signer tag must contain a seinfo tag XOR multiple package stanzas.
|
||||
* Each signer/package tag is allowed to contain one seinfo tag. This tag
|
||||
represents additional info that each app can use in setting a SELinux security
|
||||
context on the eventual process as well as the apps data directory.
|
||||
* seinfo assignments are made according to the following rules:
|
||||
- Stanzas with package name refinements will be checked first.
|
||||
- Stanzas w/o package name refinements will be checked second.
|
||||
- The "default" seinfo label is automatically applied.
|
||||
|
||||
* valid stanzas can take one of the following forms:
|
||||
|
||||
// single cert protecting seinfo
|
||||
<signer signature="@PLATFORM" >
|
||||
<seinfo value="platform" />
|
||||
</signer>
|
||||
|
||||
// multiple certs protecting seinfo (all contained certs must match)
|
||||
<signer>
|
||||
<cert signature="@PLATFORM1"/>
|
||||
<cert signature="@PLATFORM2"/>
|
||||
<seinfo value="platform" />
|
||||
</signer>
|
||||
|
||||
// single cert protecting explicitly named app
|
||||
<signer signature="@PLATFORM" >
|
||||
<package name="com.android.foo">
|
||||
<seinfo value="bar" />
|
||||
</package>
|
||||
</signer>
|
||||
|
||||
// multiple certs protecting explicitly named app (all certs must match)
|
||||
<signer>
|
||||
<cert signature="@PLATFORM1"/>
|
||||
<cert signature="@PLATFORM2"/>
|
||||
<package name="com.android.foo">
|
||||
<seinfo value="bar" />
|
||||
</package>
|
||||
</signer>
|
||||
-->
|
||||
|
||||
<!-- Platform dev key in AOSP -->
|
||||
<signer signature="@PLATFORM" >
|
||||
<seinfo value="platform" />
|
||||
</signer>
|
||||
|
||||
<!-- Media key in AOSP -->
|
||||
<signer signature="@MEDIA" >
|
||||
<seinfo value="media" />
|
||||
</signer>
|
||||
|
||||
</policy>
|
|
@ -1,12 +0,0 @@
|
|||
# mdns daemon
|
||||
|
||||
typeattribute mdnsd coredomain;
|
||||
typeattribute mdnsd mlstrustedsubject;
|
||||
|
||||
type mdnsd_exec, exec_type, file_type;
|
||||
init_daemon_domain(mdnsd)
|
||||
|
||||
net_domain(mdnsd)
|
||||
|
||||
# Read from /proc/net
|
||||
r_dir_file(mdnsd, proc_net)
|
|
@ -1,8 +0,0 @@
|
|||
typeattribute mediadrmserver coredomain;
|
||||
|
||||
init_daemon_domain(mediadrmserver)
|
||||
|
||||
# allocate and use graphic buffers
|
||||
hal_client_domain(mediadrmserver, hal_graphics_allocator)
|
||||
auditallow mediadrmserver hal_graphics_allocator_server:binder call;
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute mediaextractor coredomain;
|
||||
|
||||
init_daemon_domain(mediaextractor)
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute mediametrics coredomain;
|
||||
|
||||
init_daemon_domain(mediametrics)
|
|
@ -1,10 +0,0 @@
|
|||
typeattribute mediaserver coredomain;
|
||||
|
||||
init_daemon_domain(mediaserver)
|
||||
|
||||
# allocate and use graphic buffers
|
||||
hal_client_domain(mediaserver, hal_graphics_allocator)
|
||||
|
||||
# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
|
||||
# of OMX HAL.
|
||||
allow mediaserver hal_omx_hwservice:hwservice_manager find;
|
|
@ -1,100 +0,0 @@
|
|||
#################################################
|
||||
# MLS policy constraints
|
||||
#
|
||||
|
||||
#
|
||||
# Process constraints
|
||||
#
|
||||
|
||||
# Process transition: Require equivalence unless the subject is trusted.
|
||||
mlsconstrain process { transition dyntransition }
|
||||
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
|
||||
|
||||
# Process read operations: No read up unless trusted.
|
||||
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
|
||||
(l1 dom l2 or t1 == mlstrustedsubject);
|
||||
|
||||
# Process write operations: Require equivalence unless trusted.
|
||||
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
|
||||
(l1 eq l2 or t1 == mlstrustedsubject);
|
||||
|
||||
#
|
||||
# Socket constraints
|
||||
#
|
||||
|
||||
# Create/relabel operations: Subject must be equivalent to object unless
|
||||
# the subject is trusted. Sockets inherit the range of their creator.
|
||||
mlsconstrain socket_class_set { create relabelfrom relabelto }
|
||||
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
|
||||
|
||||
# Datagram send: Sender must be equivalent to the receiver unless one of them
|
||||
# is trusted.
|
||||
mlsconstrain unix_dgram_socket { sendto }
|
||||
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
|
||||
|
||||
# Stream connect: Client must be equivalent to server unless one of them
|
||||
# is trusted.
|
||||
mlsconstrain unix_stream_socket { connectto }
|
||||
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
|
||||
|
||||
#
|
||||
# Directory/file constraints
|
||||
#
|
||||
|
||||
# Create/relabel operations: Subject must be equivalent to object unless
|
||||
# the subject is trusted. Also, files should always be single-level.
|
||||
# Do NOT exempt mlstrustedobject types from this constraint.
|
||||
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
|
||||
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
|
||||
|
||||
#
|
||||
# Constraints for app data files only.
|
||||
#
|
||||
|
||||
# Only constrain open, not read/write.
|
||||
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
|
||||
# Subject must be equivalent to object unless the subject is trusted.
|
||||
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
|
||||
(t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
|
||||
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
|
||||
(t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
|
||||
|
||||
#
|
||||
# Constraints for file types other than app data files.
|
||||
#
|
||||
|
||||
# Read operations: Subject must dominate object unless the subject
|
||||
# or the object is trusted.
|
||||
mlsconstrain dir { read getattr search }
|
||||
(t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
||||
|
||||
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
|
||||
(t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
||||
|
||||
# Write operations: Subject must be equivalent to the object unless the
|
||||
# subject or the object is trusted.
|
||||
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
|
||||
(t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
||||
|
||||
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
|
||||
(t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
||||
|
||||
# Special case for FIFOs.
|
||||
# These can be unnamed pipes, in which case they will be labeled with the
|
||||
# creating process' label. Thus we also have an exemption when the "object"
|
||||
# is a domain type, so that processes can communicate via unnamed pipes
|
||||
# passed by binder or local socket IPC.
|
||||
mlsconstrain fifo_file { read getattr }
|
||||
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
|
||||
|
||||
mlsconstrain fifo_file { write setattr append unlink link rename }
|
||||
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
|
||||
|
||||
#
|
||||
# Binder IPC constraints
|
||||
#
|
||||
# Presently commented out, as apps are expected to call one another.
|
||||
# This would only make sense if apps were assigned categories
|
||||
# based on allowable communications rather than per-app categories.
|
||||
#mlsconstrain binder call
|
||||
# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
|
|
@ -1,10 +0,0 @@
|
|||
#########################################
|
||||
# MLS declarations
|
||||
#
|
||||
|
||||
# Generate the desired number of sensitivities and categories.
|
||||
gen_sens(mls_num_sens)
|
||||
gen_cats(mls_num_cats)
|
||||
|
||||
# Generate level definitions for each sensitivity and category.
|
||||
gen_levels(mls_num_sens,mls_num_cats)
|
|
@ -1,54 +0,0 @@
|
|||
########################################
|
||||
#
|
||||
# gen_cats(N)
|
||||
#
|
||||
# declares categores c0 to c(N-1)
|
||||
#
|
||||
define(`decl_cats',`dnl
|
||||
category c$1;
|
||||
ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
|
||||
')
|
||||
|
||||
define(`gen_cats',`decl_cats(0,decr($1))')
|
||||
|
||||
########################################
|
||||
#
|
||||
# gen_sens(N)
|
||||
#
|
||||
# declares sensitivites s0 to s(N-1) with dominance
|
||||
# in increasing numeric order with s0 lowest, s(N-1) highest
|
||||
#
|
||||
define(`decl_sens',`dnl
|
||||
sensitivity s$1;
|
||||
ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
|
||||
')
|
||||
|
||||
define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
|
||||
|
||||
define(`gen_sens',`
|
||||
# Each sensitivity has a name and zero or more aliases.
|
||||
decl_sens(0,decr($1))
|
||||
|
||||
# Define the ordering of the sensitivity levels (least to greatest)
|
||||
dominance { gen_dominance(0,decr($1)) }
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# gen_levels(N,M)
|
||||
#
|
||||
# levels from s0 to (N-1) with categories c0 to (M-1)
|
||||
#
|
||||
define(`decl_levels',`dnl
|
||||
level s$1:c0.c$3;
|
||||
ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
|
||||
')
|
||||
|
||||
define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Basic level names for system low and high
|
||||
#
|
||||
define(`mls_systemlow',`s0')
|
||||
define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
|
|
@ -1 +0,0 @@
|
|||
typeattribute modprobe coredomain;
|
|
@ -1,4 +0,0 @@
|
|||
typeattribute mtp coredomain;
|
||||
typeattribute mtp domain_deprecated;
|
||||
|
||||
init_daemon_domain(mtp)
|
|
@ -1,24 +0,0 @@
|
|||
###
|
||||
### Domain with network access
|
||||
###
|
||||
|
||||
# Use network sockets.
|
||||
allow netdomain self:tcp_socket create_stream_socket_perms;
|
||||
allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
|
||||
# Connect to ports.
|
||||
allow netdomain port_type:tcp_socket name_connect;
|
||||
# Bind to ports.
|
||||
allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
|
||||
allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
|
||||
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
|
||||
# See changes to the routing table.
|
||||
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
|
||||
|
||||
# Talks to netd via dnsproxyd socket.
|
||||
unix_socket_connect(netdomain, dnsproxyd, netd)
|
||||
|
||||
# Talks to netd via fwmarkd socket.
|
||||
unix_socket_connect(netdomain, fwmarkd, netd)
|
||||
|
||||
# Connect to mdnsd via mdnsd socket.
|
||||
unix_socket_connect(netdomain, mdnsd, mdnsd)
|
|
@ -1,10 +0,0 @@
|
|||
typeattribute netd coredomain;
|
||||
typeattribute netd domain_deprecated;
|
||||
|
||||
init_daemon_domain(netd)
|
||||
|
||||
# Allow netd to spawn dnsmasq in it's own domain
|
||||
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
|
||||
|
||||
# Allow netd to start clatd in its own domain
|
||||
domain_auto_trans(netd, clatd_exec, clatd)
|
|
@ -1,28 +0,0 @@
|
|||
typeattribute netutils_wrapper coredomain;
|
||||
|
||||
r_dir_file(netutils_wrapper, system_file);
|
||||
|
||||
# For netutils (ip, iptables, tc)
|
||||
allow netutils_wrapper self:capability net_raw;
|
||||
|
||||
allow netutils_wrapper system_file:file { execute execute_no_trans };
|
||||
allow netutils_wrapper proc_net:file { open read getattr };
|
||||
allow netutils_wrapper self:rawip_socket create_socket_perms;
|
||||
allow netutils_wrapper self:udp_socket create_socket_perms;
|
||||
allow netutils_wrapper self:capability net_admin;
|
||||
# ip utils need everything but ioctl
|
||||
allow netutils_wrapper self:netlink_route_socket ~ioctl;
|
||||
allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
|
||||
|
||||
# For netutils (ndc) to be able to talk to netd
|
||||
allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
|
||||
allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
|
||||
|
||||
# For /data/misc/net access to ndc and ip
|
||||
r_dir_file(netutils_wrapper, net_data_file)
|
||||
|
||||
domain_auto_trans({
|
||||
domain
|
||||
-coredomain
|
||||
-appdomain
|
||||
}, netutils_wrapper_exec, netutils_wrapper)
|
|
@ -1,31 +0,0 @@
|
|||
# nfc subsystem
|
||||
typeattribute nfc coredomain;
|
||||
app_domain(nfc)
|
||||
net_domain(nfc)
|
||||
|
||||
binder_service(nfc)
|
||||
add_service(nfc, nfc_service)
|
||||
|
||||
hal_client_domain(nfc, hal_nfc)
|
||||
|
||||
# Data file accesses.
|
||||
allow nfc nfc_data_file:dir create_dir_perms;
|
||||
allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
|
||||
|
||||
# SoundPool loading and playback
|
||||
allow nfc audioserver_service:service_manager find;
|
||||
allow nfc drmserver_service:service_manager find;
|
||||
allow nfc mediacodec_service:service_manager find;
|
||||
allow nfc mediametrics_service:service_manager find;
|
||||
allow nfc mediaextractor_service:service_manager find;
|
||||
allow nfc mediaserver_service:service_manager find;
|
||||
|
||||
allow nfc radio_service:service_manager find;
|
||||
allow nfc surfaceflinger_service:service_manager find;
|
||||
allow nfc app_api_service:service_manager find;
|
||||
allow nfc system_api_service:service_manager find;
|
||||
|
||||
# already open bugreport file descriptors may be shared with
|
||||
# the nfc process, from a file in
|
||||
# /data/data/com.android.shell/files/bugreports/bugreport-*.
|
||||
allow nfc shell_data_file:file read;
|
|
@ -1,4 +0,0 @@
|
|||
typeattribute otapreopt_chroot coredomain;
|
||||
|
||||
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
|
||||
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
|
|
@ -1,5 +0,0 @@
|
|||
typeattribute otapreopt_slot coredomain;
|
||||
|
||||
# Technically not a daemon but we do want the transition from init domain to
|
||||
# cppreopts to occur.
|
||||
init_daemon_domain(otapreopt_slot)
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute performanced coredomain;
|
||||
|
||||
init_daemon_domain(performanced)
|
|
@ -1,5 +0,0 @@
|
|||
userdebug_or_eng(`
|
||||
typeattribute perfprofd coredomain;
|
||||
typeattribute perfprofd domain_deprecated;
|
||||
init_daemon_domain(perfprofd)
|
||||
')
|
|
@ -1,70 +0,0 @@
|
|||
###
|
||||
### Apps signed with the platform key.
|
||||
###
|
||||
|
||||
typeattribute platform_app coredomain;
|
||||
typeattribute platform_app domain_deprecated;
|
||||
|
||||
app_domain(platform_app)
|
||||
|
||||
# Access the network.
|
||||
net_domain(platform_app)
|
||||
# Access bluetooth.
|
||||
bluetooth_domain(platform_app)
|
||||
# Read from /data/local/tmp or /data/data/com.android.shell.
|
||||
allow platform_app shell_data_file:dir search;
|
||||
allow platform_app shell_data_file:file { open getattr read };
|
||||
allow platform_app icon_file:file { open getattr read };
|
||||
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
|
||||
# created by system server.
|
||||
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
|
||||
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
|
||||
allow platform_app apk_private_data_file:dir search;
|
||||
# ASEC
|
||||
allow platform_app asec_apk_file:dir create_dir_perms;
|
||||
allow platform_app asec_apk_file:file create_file_perms;
|
||||
|
||||
# Access to /data/media.
|
||||
allow platform_app media_rw_data_file:dir create_dir_perms;
|
||||
allow platform_app media_rw_data_file:file create_file_perms;
|
||||
|
||||
# Write to /cache.
|
||||
allow platform_app cache_file:dir create_dir_perms;
|
||||
allow platform_app cache_file:file create_file_perms;
|
||||
|
||||
# Direct access to vold-mounted storage under /mnt/media_rw
|
||||
# This is a performance optimization that allows platform apps to bypass the FUSE layer
|
||||
allow platform_app mnt_media_rw_file:dir r_dir_perms;
|
||||
allow platform_app vfat:dir create_dir_perms;
|
||||
allow platform_app vfat:file create_file_perms;
|
||||
|
||||
allow platform_app audioserver_service:service_manager find;
|
||||
allow platform_app cameraserver_service:service_manager find;
|
||||
allow platform_app drmserver_service:service_manager find;
|
||||
allow platform_app mediaserver_service:service_manager find;
|
||||
allow platform_app mediametrics_service:service_manager find;
|
||||
allow platform_app mediaextractor_service:service_manager find;
|
||||
allow platform_app mediacodec_service:service_manager find;
|
||||
allow platform_app mediadrmserver_service:service_manager find;
|
||||
allow platform_app mediacasserver_service:service_manager find;
|
||||
allow platform_app persistent_data_block_service:service_manager find;
|
||||
allow platform_app radio_service:service_manager find;
|
||||
allow platform_app surfaceflinger_service:service_manager find;
|
||||
allow platform_app app_api_service:service_manager find;
|
||||
allow platform_app system_api_service:service_manager find;
|
||||
allow platform_app vr_manager_service:service_manager find;
|
||||
|
||||
# Access to /data/preloads
|
||||
allow platform_app preloads_data_file:file r_file_perms;
|
||||
allow platform_app preloads_data_file:dir r_dir_perms;
|
||||
allow platform_app preloads_media_file:file r_file_perms;
|
||||
allow platform_app preloads_media_file:dir r_dir_perms;
|
||||
|
||||
read_runtime_log_tags(platform_app)
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
||||
# app domains which access /dev/fuse should not run as platform_app
|
||||
neverallow platform_app fuse_device:chr_file *;
|
|
@ -1,13 +0,0 @@
|
|||
# Enable new networking controls.
|
||||
policycap network_peer_controls;
|
||||
|
||||
# Enable open permission check.
|
||||
policycap open_perms;
|
||||
|
||||
# Enable separate security classes for
|
||||
# all network address families previously
|
||||
# mapped to the socket class and for
|
||||
# ICMP and SCTP sockets previously mapped
|
||||
# to the rawip_socket class.
|
||||
policycap extended_socket_class;
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
# portcon statements go here, e.g.
|
||||
# portcon tcp 80 u:object_r:http_port:s0
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute postinstall coredomain;
|
||||
|
||||
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
|
|
@ -1,5 +0,0 @@
|
|||
typeattribute postinstall_dexopt coredomain;
|
||||
|
||||
# Run dex2oat/patchoat in its own sandbox.
|
||||
# We have to manually transition, as we don't have an entrypoint.
|
||||
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
|
|
@ -1,4 +0,0 @@
|
|||
typeattribute ppp coredomain;
|
||||
typeattribute ppp domain_deprecated;
|
||||
|
||||
domain_auto_trans(mtp, ppp_exec, ppp)
|
|
@ -1 +0,0 @@
|
|||
typeattribute preopt2cachename coredomain;
|
|
@ -1,168 +0,0 @@
|
|||
###
|
||||
### A domain for further sandboxing privileged apps.
|
||||
###
|
||||
|
||||
typeattribute priv_app coredomain;
|
||||
app_domain(priv_app)
|
||||
|
||||
# Access the network.
|
||||
net_domain(priv_app)
|
||||
# Access bluetooth.
|
||||
bluetooth_domain(priv_app)
|
||||
|
||||
# Allow the allocation and use of ptys
|
||||
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
|
||||
create_pty(priv_app)
|
||||
|
||||
# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
|
||||
allow priv_app self:process ptrace;
|
||||
|
||||
# Some apps ship with shared libraries that they write out
|
||||
# to their sandbox directory and then dlopen().
|
||||
allow priv_app app_data_file:file execute;
|
||||
|
||||
allow priv_app audioserver_service:service_manager find;
|
||||
allow priv_app cameraserver_service:service_manager find;
|
||||
allow priv_app drmserver_service:service_manager find;
|
||||
allow priv_app mediacodec_service:service_manager find;
|
||||
allow priv_app mediametrics_service:service_manager find;
|
||||
allow priv_app mediadrmserver_service:service_manager find;
|
||||
allow priv_app mediacasserver_service:service_manager find;
|
||||
allow priv_app mediaextractor_service:service_manager find;
|
||||
allow priv_app mediaserver_service:service_manager find;
|
||||
allow priv_app nfc_service:service_manager find;
|
||||
allow priv_app oem_lock_service:service_manager find;
|
||||
allow priv_app radio_service:service_manager find;
|
||||
allow priv_app surfaceflinger_service:service_manager find;
|
||||
allow priv_app app_api_service:service_manager find;
|
||||
allow priv_app system_api_service:service_manager find;
|
||||
allow priv_app persistent_data_block_service:service_manager find;
|
||||
allow priv_app recovery_service:service_manager find;
|
||||
|
||||
# Write to /cache.
|
||||
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
|
||||
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
|
||||
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
|
||||
allow priv_app cache_file:lnk_file r_file_perms;
|
||||
|
||||
# Write to /data/ota_package for OTA packages.
|
||||
allow priv_app ota_package_file:dir rw_dir_perms;
|
||||
allow priv_app ota_package_file:file create_file_perms;
|
||||
|
||||
# Access to /data/media.
|
||||
allow priv_app media_rw_data_file:dir create_dir_perms;
|
||||
allow priv_app media_rw_data_file:file create_file_perms;
|
||||
|
||||
# Used by Finsky / Android "Verify Apps" functionality when
|
||||
# running "adb install foo.apk".
|
||||
allow priv_app shell_data_file:file r_file_perms;
|
||||
allow priv_app shell_data_file:dir r_dir_perms;
|
||||
|
||||
# Allow verifier to access staged apks.
|
||||
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
||||
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
||||
|
||||
# b/18504118: Allow reads from /data/anr/traces.txt
|
||||
allow priv_app anr_data_file:file r_file_perms;
|
||||
|
||||
# Allow GMS core to access perfprofd output, which is stored
|
||||
# in /data/misc/perfprofd/. GMS core will need to list all
|
||||
# data stored in that directory to process them one by one.
|
||||
userdebug_or_eng(`
|
||||
allow priv_app perfprofd_data_file:file r_file_perms;
|
||||
allow priv_app perfprofd_data_file:dir r_dir_perms;
|
||||
')
|
||||
|
||||
# For AppFuse.
|
||||
allow priv_app vold:fd use;
|
||||
allow priv_app fuse_device:chr_file { read write };
|
||||
|
||||
# /sys and /proc access
|
||||
r_dir_file(priv_app, sysfs_type)
|
||||
r_dir_file(priv_app, proc)
|
||||
r_dir_file(priv_app, rootfs)
|
||||
|
||||
# Allow GMS core to open kernel config for OTA matching through libvintf
|
||||
allow priv_app config_gz:file { open read getattr };
|
||||
|
||||
# access the mac address
|
||||
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
|
||||
|
||||
# Allow GMS core to communicate with update_engine for A/B update.
|
||||
binder_call(priv_app, update_engine)
|
||||
allow priv_app update_engine_service:service_manager find;
|
||||
|
||||
# Allow GMS core to communicate with dumpsys storaged.
|
||||
binder_call(priv_app, storaged)
|
||||
allow priv_app storaged_service:service_manager find;
|
||||
|
||||
# Allow Phone to read/write cached ringtones (opened by system).
|
||||
allow priv_app ringtone_file:file { getattr read write };
|
||||
|
||||
# Access to /data/preloads
|
||||
allow priv_app preloads_data_file:file r_file_perms;
|
||||
allow priv_app preloads_data_file:dir r_dir_perms;
|
||||
allow priv_app preloads_media_file:file r_file_perms;
|
||||
allow priv_app preloads_media_file:dir r_dir_perms;
|
||||
|
||||
# TODO: revert this as part of fixing 33574909
|
||||
# android.process.media uses /dev/mtp_usb
|
||||
allow priv_app mtp_device:chr_file rw_file_perms;
|
||||
|
||||
# TODO: revert this as part of fixing 33574909
|
||||
# MtpServer uses /dev/usb-ffs/mtp
|
||||
allow priv_app functionfs:dir search;
|
||||
allow priv_app functionfs:file rw_file_perms;
|
||||
|
||||
# TODO: revert this as part of fixing 33574909
|
||||
# Traverse into /mnt/media_rw for bypassing FUSE daemon
|
||||
# TODO: narrow this to just MediaProvider
|
||||
allow priv_app mnt_media_rw_file:dir search;
|
||||
|
||||
# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
|
||||
allow priv_app keystore:keystore_key gen_unique_id;
|
||||
|
||||
read_runtime_log_tags(priv_app)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# Receive or send uevent messages.
|
||||
neverallow priv_app domain:netlink_kobject_uevent_socket *;
|
||||
|
||||
# Receive or send generic netlink messages
|
||||
neverallow priv_app domain:netlink_socket *;
|
||||
|
||||
# Too much leaky information in debugfs. It's a security
|
||||
# best practice to ensure these files aren't readable.
|
||||
neverallow priv_app debugfs:file read;
|
||||
|
||||
# Do not allow privileged apps to register services.
|
||||
# Only trusted components of Android should be registering
|
||||
# services.
|
||||
neverallow priv_app service_manager_type:service_manager add;
|
||||
|
||||
# Do not allow privileged apps to connect to the property service
|
||||
# or set properties. b/10243159
|
||||
neverallow priv_app property_socket:sock_file write;
|
||||
neverallow priv_app init:unix_stream_socket connectto;
|
||||
neverallow priv_app property_type:property_service set;
|
||||
|
||||
# Do not allow priv_app to be assigned mlstrustedsubject.
|
||||
# This would undermine the per-user isolation model being
|
||||
# enforced via levelFrom=user in seapp_contexts and the mls
|
||||
# constraints. As there is no direct way to specify a neverallow
|
||||
# on attribute assignment, this relies on the fact that fork
|
||||
# permission only makes sense within a domain (hence should
|
||||
# never be granted to any other domain within mlstrustedsubject)
|
||||
# and priv_app is allowed fork permission to itself.
|
||||
neverallow priv_app mlstrustedsubject:process fork;
|
||||
|
||||
# Do not allow priv_app to hard link to any files.
|
||||
# In particular, if priv_app links to other app data
|
||||
# files, installd will not be able to guarantee the deletion
|
||||
# of the linked to file. Hard links also contribute to security
|
||||
# bugs, so we want to ensure priv_app never has this
|
||||
# capability.
|
||||
neverallow priv_app file_type:file link;
|
|
@ -1 +0,0 @@
|
|||
typeattribute profman coredomain;
|
|
@ -1,116 +0,0 @@
|
|||
##########################
|
||||
# property service keys
|
||||
#
|
||||
#
|
||||
net.rmnet u:object_r:net_radio_prop:s0
|
||||
net.gprs u:object_r:net_radio_prop:s0
|
||||
net.ppp u:object_r:net_radio_prop:s0
|
||||
net.qmi u:object_r:net_radio_prop:s0
|
||||
net.lte u:object_r:net_radio_prop:s0
|
||||
net.cdma u:object_r:net_radio_prop:s0
|
||||
net.dns u:object_r:net_dns_prop:s0
|
||||
sys.usb.config u:object_r:system_radio_prop:s0
|
||||
ril. u:object_r:radio_prop:s0
|
||||
ro.ril. u:object_r:radio_prop:s0
|
||||
gsm. u:object_r:radio_prop:s0
|
||||
persist.radio u:object_r:radio_prop:s0
|
||||
|
||||
net. u:object_r:system_prop:s0
|
||||
dev. u:object_r:system_prop:s0
|
||||
ro.runtime. u:object_r:system_prop:s0
|
||||
ro.runtime.firstboot u:object_r:firstboot_prop:s0
|
||||
hw. u:object_r:system_prop:s0
|
||||
ro.hw. u:object_r:system_prop:s0
|
||||
sys. u:object_r:system_prop:s0
|
||||
sys.cppreopt u:object_r:cppreopt_prop:s0
|
||||
sys.powerctl u:object_r:powerctl_prop:s0
|
||||
sys.usb.ffs. u:object_r:ffs_prop:s0
|
||||
service. u:object_r:system_prop:s0
|
||||
dhcp. u:object_r:dhcp_prop:s0
|
||||
dhcp.bt-pan.result u:object_r:pan_result_prop:s0
|
||||
bluetooth. u:object_r:bluetooth_prop:s0
|
||||
|
||||
debug. u:object_r:debug_prop:s0
|
||||
debug.db. u:object_r:debuggerd_prop:s0
|
||||
dumpstate. u:object_r:dumpstate_prop:s0
|
||||
dumpstate.options u:object_r:dumpstate_options_prop:s0
|
||||
log. u:object_r:log_prop:s0
|
||||
log.tag u:object_r:log_tag_prop:s0
|
||||
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
|
||||
security.perf_harden u:object_r:shell_prop:s0
|
||||
service.adb.root u:object_r:shell_prop:s0
|
||||
service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.bluetooth. u:object_r:bluetooth_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
persist.logd.security u:object_r:device_logging_prop:s0
|
||||
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
|
||||
logd.logpersistd u:object_r:logpersistd_logging_prop:s0
|
||||
persist.log.tag u:object_r:log_tag_prop:s0
|
||||
persist.mmc. u:object_r:mmc_prop:s0
|
||||
persist.sys. u:object_r:system_prop:s0
|
||||
persist.sys.safemode u:object_r:safemode_prop:s0
|
||||
ro.sys.safemode u:object_r:safemode_prop:s0
|
||||
persist.sys.audit_safemode u:object_r:safemode_prop:s0
|
||||
persist.service. u:object_r:system_prop:s0
|
||||
persist.service.bdroid. u:object_r:bluetooth_prop:s0
|
||||
persist.security. u:object_r:system_prop:s0
|
||||
persist.vendor.overlay. u:object_r:overlay_prop:s0
|
||||
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
|
||||
ro.boottime. u:object_r:boottime_prop:s0
|
||||
ro.serialno u:object_r:serialno_prop:s0
|
||||
ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
|
||||
ro.boot.serialno u:object_r:serialno_prop:s0
|
||||
ro.bt. u:object_r:bluetooth_prop:s0
|
||||
|
||||
# Boolean property set by system server upon boot indicating
|
||||
# if device owner is provisioned.
|
||||
ro.device_owner u:object_r:device_logging_prop:s0
|
||||
|
||||
# selinux non-persistent properties
|
||||
selinux.restorecon_recursive u:object_r:restorecon_prop:s0
|
||||
|
||||
# default property context
|
||||
* u:object_r:default_prop:s0
|
||||
|
||||
# data partition encryption properties
|
||||
vold. u:object_r:vold_prop:s0
|
||||
ro.crypto. u:object_r:vold_prop:s0
|
||||
|
||||
# ro.build.fingerprint is either set in /system/build.prop, or is
|
||||
# set at runtime by system_server.
|
||||
ro.build.fingerprint u:object_r:fingerprint_prop:s0
|
||||
|
||||
ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
|
||||
|
||||
# ctl properties
|
||||
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
|
||||
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
|
||||
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
|
||||
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
|
||||
ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
|
||||
ctl.bugreport u:object_r:ctl_bugreport_prop:s0
|
||||
ctl.console u:object_r:ctl_console_prop:s0
|
||||
ctl. u:object_r:ctl_default_prop:s0
|
||||
|
||||
# NFC properties
|
||||
nfc. u:object_r:nfc_prop:s0
|
||||
|
||||
# These properties are not normally set by processes other than init.
|
||||
# They are only distinguished here for setting by qemu-props on the
|
||||
# emulator/goldfish.
|
||||
config. u:object_r:config_prop:s0
|
||||
ro.config. u:object_r:config_prop:s0
|
||||
dalvik. u:object_r:dalvik_prop:s0
|
||||
ro.dalvik. u:object_r:dalvik_prop:s0
|
||||
|
||||
# Shared between system server and wificond
|
||||
wlan. u:object_r:wifi_prop:s0
|
||||
|
||||
# hwservicemanager properties
|
||||
hwservicemanager. u:object_r:hwservicemanager_prop:s0
|
||||
|
||||
# ASAN install trigger
|
||||
asan.restore_reboot u:object_r:asan_reboot_prop:s0
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute racoon coredomain;
|
||||
|
||||
init_daemon_domain(racoon)
|
|
@ -1,6 +0,0 @@
|
|||
typeattribute radio coredomain;
|
||||
typeattribute radio domain_deprecated;
|
||||
|
||||
app_domain(radio)
|
||||
|
||||
read_runtime_log_tags(radio)
|
|
@ -1,2 +0,0 @@
|
|||
typeattribute recovery coredomain;
|
||||
typeattribute recovery domain_deprecated;
|
|
@ -1,7 +0,0 @@
|
|||
typeattribute recovery_persist coredomain;
|
||||
|
||||
init_daemon_domain(recovery_persist)
|
||||
|
||||
# recovery_persist is not allowed to write anywhere other than recovery_data_file
|
||||
# TODO: deal with tmpfs_domain pub/priv split properly
|
||||
neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
|
|
@ -1,7 +0,0 @@
|
|||
typeattribute recovery_refresh coredomain;
|
||||
|
||||
init_daemon_domain(recovery_refresh)
|
||||
|
||||
# recovery_refresh is not allowed to write anywhere
|
||||
# TODO: deal with tmpfs_domain pub/priv split properly
|
||||
neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
|
|
@ -1 +0,0 @@
|
|||
role r;
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue