Update language to comply with Android's inclusive language guidance
See https://source.android.com/setup/contribute/respectful-code for reference Bug: 161896447 Change-Id: I0caf39b349c48e44123775d98c52a773b0b504ff
This commit is contained in:
parent
bbc3cc33fc
commit
a0e7a6da28
67 changed files with 150 additions and 150 deletions
|
@ -494,7 +494,7 @@ neverallow appdomain {
|
|||
tmpfs
|
||||
}:lnk_file no_w_file_perms;
|
||||
|
||||
# Blacklist app domains not allowed to execute from /data
|
||||
# Denylist app domains not allowed to execute from /data
|
||||
neverallow {
|
||||
bluetooth
|
||||
isolated_app
|
||||
|
@ -515,7 +515,7 @@ neverallow {
|
|||
-shell # bugreport
|
||||
} input_device:chr_file ~getattr;
|
||||
|
||||
# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
|
||||
# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
|
||||
# neverallow rules for access to Bluetooth-related data files are above.
|
||||
neverallow {
|
||||
appdomain
|
||||
|
|
|
@ -4,7 +4,7 @@ domain_auto_trans(domain, crash_dump_exec, crash_dump);
|
|||
allow domain crash_dump:process sigchld;
|
||||
|
||||
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
||||
# with other UIDs to these whitelisted domains.
|
||||
# with other UIDs to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-vold
|
||||
|
|
|
@ -66,7 +66,7 @@ allow incidentd shell_exec:file rx_file_perms;
|
|||
# TODO control_logd(incidentd)
|
||||
|
||||
# Allow incidentd to find these standard groups of services.
|
||||
# Others can be whitelisted individually.
|
||||
# Others can be allowlisted individually.
|
||||
allow incidentd {
|
||||
system_server_service
|
||||
app_api_service
|
||||
|
|
|
@ -50,7 +50,7 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
|
|||
|
||||
# system server gets network and bluetooth permissions.
|
||||
net_domain(system_server)
|
||||
# in addition to ioctls whitelisted for all domains, also allow system_server
|
||||
# in addition to ioctls allowlisted for all domains, also allow system_server
|
||||
# to use privileged ioctls commands. Needed to set up VPNs.
|
||||
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
|
||||
bluetooth_domain(system_server)
|
||||
|
@ -92,7 +92,7 @@ allow system_server config_gz:file { read open };
|
|||
# Use generic "sockets" where the address family is not known
|
||||
# to the kernel. The ioctl permission is specifically omitted here, but may
|
||||
# be added to device specific policy along with the ioctl commands to be
|
||||
# whitelisted.
|
||||
# allowlisted.
|
||||
allow system_server self:socket create_socket_perms_no_ioctl;
|
||||
|
||||
# Set and get routes directly via netlink.
|
||||
|
|
|
@ -195,19 +195,19 @@ allow domain debugfs_trace_marker:file w_file_perms;
|
|||
allow domain fs_type:filesystem getattr;
|
||||
allow domain fs_type:dir getattr;
|
||||
|
||||
# Restrict all domains to a whitelist for common socket types. Additional
|
||||
# Restrict all domains to a allowlist for common socket types. Additional
|
||||
# ioctl commands may be added to individual domains, but this sets safe
|
||||
# defaults for all processes. Note that granting this whitelist to domain does
|
||||
# defaults for all processes. Note that granting this allowlist to domain does
|
||||
# not grant the ioctl permission on these socket types. That must be granted
|
||||
# separately.
|
||||
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
|
||||
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
||||
# default whitelist for unix sockets.
|
||||
# default allowlist for unix sockets.
|
||||
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
|
||||
ioctl unpriv_unix_sock_ioctls;
|
||||
|
||||
# Restrict PTYs to only whitelisted ioctls.
|
||||
# Note that granting this whitelist to domain does
|
||||
# Restrict PTYs to only allowlisted ioctls.
|
||||
# Note that granting this allowlist to domain does
|
||||
# not grant the wider ioctl permission. That must be granted
|
||||
# separately.
|
||||
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
|
||||
|
@ -223,7 +223,7 @@ allow { domain -domain } vndservice_manager_type:service_manager { add find };
|
|||
### neverallow rules
|
||||
###
|
||||
|
||||
# All socket ioctls must be restricted to a whitelist.
|
||||
# All socket ioctls must be restricted to a allowlist.
|
||||
neverallowxperm domain domain:socket_class_set ioctl { 0 };
|
||||
|
||||
# TIOCSTI is only ever used for exploits. Block it.
|
||||
|
@ -234,7 +234,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI;
|
|||
# Do not allow any domain other than init or recovery to create unlabeled files.
|
||||
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
|
||||
|
||||
# Limit device node creation to these whitelisted domains.
|
||||
# Limit device node creation to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-kernel
|
||||
|
@ -243,7 +243,7 @@ neverallow {
|
|||
-vold
|
||||
} self:capability mknod;
|
||||
|
||||
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
|
||||
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
||||
neverallow {
|
||||
domain
|
||||
userdebug_or_eng(`-domain')
|
||||
|
@ -343,7 +343,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
|
|||
|
||||
#
|
||||
# Assert that, to the extent possible, we're not loading executable content from
|
||||
# outside the rootfs or /system partition except for a few whitelisted domains.
|
||||
# outside the rootfs or /system partition except for a few allowlisted domains.
|
||||
#
|
||||
neverallow {
|
||||
domain
|
||||
|
@ -445,7 +445,7 @@ neverallow { domain -init } default_prop:property_service set;
|
|||
neverallow { domain -init } mmc_prop:property_service set;
|
||||
|
||||
# Do not allow reading device's serial number from system properties except form
|
||||
# a few whitelisted domains.
|
||||
# a few allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-adbd
|
||||
|
@ -668,7 +668,7 @@ full_treble_only(`
|
|||
')
|
||||
|
||||
# On TREBLE devices, a limited set of files in /vendor are accessible to
|
||||
# only a few whitelisted coredomains to keep system/vendor separation.
|
||||
# only a few allowlisted coredomains to keep system/vendor separation.
|
||||
full_treble_only(`
|
||||
# Limit access to /vendor/app
|
||||
neverallow {
|
||||
|
@ -722,7 +722,7 @@ full_treble_only(`
|
|||
} vendor_shell_exec:file { execute execute_no_trans };
|
||||
|
||||
# Do not allow vendor components to execute files from system
|
||||
# except for the ones whitelist here.
|
||||
# except for the ones allowlist here.
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
|
@ -923,7 +923,7 @@ neverallow {
|
|||
|
||||
# In addition to the symlink reading restrictions above, restrict
|
||||
# write access to shell owned directories. The /data/local/tmp
|
||||
# directory is untrustworthy, and non-whitelisted domains should
|
||||
# directory is untrustworthy, and non-allowlisted domains should
|
||||
# not be trusting any content in those directories.
|
||||
neverallow {
|
||||
domain
|
||||
|
|
|
@ -5,7 +5,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
|
|||
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
|
||||
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
|
||||
|
||||
# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(hal_wifi_supplicant, sysfs_type)
|
||||
|
|
|
@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
|
|||
type netd_exec, exec_type, file_type;
|
||||
|
||||
net_domain(netd)
|
||||
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
|
||||
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(netd, cgroup)
|
||||
|
|
|
@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
|
|||
# or read, execute the vendor_toolbox file.
|
||||
full_treble_only(`
|
||||
# Do not allow non-vendor domains to transition
|
||||
# to vendor toolbox except for the whitelisted domains.
|
||||
# to vendor toolbox except for the allowlisted domains.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
|
|
|
@ -512,7 +512,7 @@ neverallow appdomain {
|
|||
tmpfs
|
||||
}:lnk_file no_w_file_perms;
|
||||
|
||||
# Blacklist app domains not allowed to execute from /data
|
||||
# Denylist app domains not allowed to execute from /data
|
||||
neverallow {
|
||||
bluetooth
|
||||
isolated_app
|
||||
|
@ -533,7 +533,7 @@ neverallow {
|
|||
-shell # bugreport
|
||||
} input_device:chr_file ~getattr;
|
||||
|
||||
# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
|
||||
# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
|
||||
# neverallow rules for access to Bluetooth-related data files are above.
|
||||
neverallow {
|
||||
appdomain
|
||||
|
|
|
@ -4,7 +4,7 @@ domain_auto_trans(domain, crash_dump_exec, crash_dump);
|
|||
allow domain crash_dump:process sigchld;
|
||||
|
||||
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
||||
# with other UIDs to these whitelisted domains.
|
||||
# with other UIDs to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-vold
|
||||
|
|
|
@ -66,7 +66,7 @@ allow incidentd shell_exec:file rx_file_perms;
|
|||
# TODO control_logd(incidentd)
|
||||
|
||||
# Allow incidentd to find these standard groups of services.
|
||||
# Others can be whitelisted individually.
|
||||
# Others can be allowlisted individually.
|
||||
allow incidentd {
|
||||
system_server_service
|
||||
app_api_service
|
||||
|
|
|
@ -74,7 +74,7 @@ neverallow isolated_app *:hwservice_manager *;
|
|||
neverallow isolated_app vndbinder_device:chr_file *;
|
||||
|
||||
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
|
||||
# except the find actions for services whitelisted below.
|
||||
# except the find actions for services allowlisted below.
|
||||
neverallow isolated_app *:service_manager ~find;
|
||||
|
||||
# b/17487348
|
||||
|
|
|
@ -50,7 +50,7 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
|
|||
|
||||
# system server gets network and bluetooth permissions.
|
||||
net_domain(system_server)
|
||||
# in addition to ioctls whitelisted for all domains, also allow system_server
|
||||
# in addition to ioctls allowlisted for all domains, also allow system_server
|
||||
# to use privileged ioctls commands. Needed to set up VPNs.
|
||||
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
|
||||
bluetooth_domain(system_server)
|
||||
|
@ -95,7 +95,7 @@ allow system_server config_gz:file { read open };
|
|||
# Use generic "sockets" where the address family is not known
|
||||
# to the kernel. The ioctl permission is specifically omitted here, but may
|
||||
# be added to device specific policy along with the ioctl commands to be
|
||||
# whitelisted.
|
||||
# allowlisted.
|
||||
allow system_server self:socket create_socket_perms_no_ioctl;
|
||||
|
||||
# Set and get routes directly via netlink.
|
||||
|
|
|
@ -195,19 +195,19 @@ allow domain debugfs_trace_marker:file w_file_perms;
|
|||
allow domain fs_type:filesystem getattr;
|
||||
allow domain fs_type:dir getattr;
|
||||
|
||||
# Restrict all domains to a whitelist for common socket types. Additional
|
||||
# Restrict all domains to a allowlist for common socket types. Additional
|
||||
# ioctl commands may be added to individual domains, but this sets safe
|
||||
# defaults for all processes. Note that granting this whitelist to domain does
|
||||
# defaults for all processes. Note that granting this allowlist to domain does
|
||||
# not grant the ioctl permission on these socket types. That must be granted
|
||||
# separately.
|
||||
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
|
||||
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
||||
# default whitelist for unix sockets.
|
||||
# default allowlist for unix sockets.
|
||||
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
|
||||
ioctl unpriv_unix_sock_ioctls;
|
||||
|
||||
# Restrict PTYs to only whitelisted ioctls.
|
||||
# Note that granting this whitelist to domain does
|
||||
# Restrict PTYs to only allowlisted ioctls.
|
||||
# Note that granting this allowlist to domain does
|
||||
# not grant the wider ioctl permission. That must be granted
|
||||
# separately.
|
||||
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
|
||||
|
@ -226,7 +226,7 @@ with_asan(`allow domain system_data_file:dir getattr;')
|
|||
### neverallow rules
|
||||
###
|
||||
|
||||
# All socket ioctls must be restricted to a whitelist.
|
||||
# All socket ioctls must be restricted to a allowlist.
|
||||
neverallowxperm domain domain:socket_class_set ioctl { 0 };
|
||||
|
||||
# TIOCSTI is only ever used for exploits. Block it.
|
||||
|
@ -237,7 +237,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI;
|
|||
# Do not allow any domain other than init or recovery to create unlabeled files.
|
||||
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
|
||||
|
||||
# Limit device node creation to these whitelisted domains.
|
||||
# Limit device node creation to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-kernel
|
||||
|
@ -246,7 +246,7 @@ neverallow {
|
|||
-vold
|
||||
} self:capability mknod;
|
||||
|
||||
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
|
||||
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
||||
neverallow {
|
||||
domain
|
||||
userdebug_or_eng(`-domain')
|
||||
|
@ -347,7 +347,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
|
|||
|
||||
#
|
||||
# Assert that, to the extent possible, we're not loading executable content from
|
||||
# outside the rootfs or /system partition except for a few whitelisted domains.
|
||||
# outside the rootfs or /system partition except for a few allowlisted domains.
|
||||
#
|
||||
neverallow {
|
||||
domain
|
||||
|
@ -448,7 +448,7 @@ neverallow { domain -init } default_prop:property_service set;
|
|||
neverallow { domain -init } mmc_prop:property_service set;
|
||||
|
||||
# Do not allow reading device's serial number from system properties except form
|
||||
# a few whitelisted domains.
|
||||
# a few allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-adbd
|
||||
|
@ -664,7 +664,7 @@ full_treble_only(`
|
|||
')
|
||||
|
||||
# On TREBLE devices, a limited set of files in /vendor are accessible to
|
||||
# only a few whitelisted coredomains to keep system/vendor separation.
|
||||
# only a few allowlisted coredomains to keep system/vendor separation.
|
||||
full_treble_only(`
|
||||
# Limit access to /vendor/app
|
||||
neverallow {
|
||||
|
@ -718,7 +718,7 @@ full_treble_only(`
|
|||
} vendor_shell_exec:file { execute execute_no_trans };
|
||||
|
||||
# Do not allow vendor components to execute files from system
|
||||
# except for the ones whitelist here.
|
||||
# except for the ones allowlist here.
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
|
@ -916,7 +916,7 @@ neverallow {
|
|||
|
||||
# In addition to the symlink reading restrictions above, restrict
|
||||
# write access to shell owned directories. The /data/local/tmp
|
||||
# directory is untrustworthy, and non-whitelisted domains should
|
||||
# directory is untrustworthy, and non-allowlisted domains should
|
||||
# not be trusting any content in those directories.
|
||||
neverallow {
|
||||
domain
|
||||
|
|
|
@ -5,7 +5,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
|
|||
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
|
||||
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
|
||||
|
||||
# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(hal_wifi_supplicant, sysfs_type)
|
||||
|
|
|
@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
|
|||
type netd_exec, exec_type, file_type;
|
||||
|
||||
net_domain(netd)
|
||||
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
|
||||
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(netd, cgroup)
|
||||
|
|
|
@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
|
|||
# or read, execute the vendor_toolbox file.
|
||||
full_treble_only(`
|
||||
# Do not allow non-vendor domains to transition
|
||||
# to vendor toolbox except for the whitelisted domains.
|
||||
# to vendor toolbox except for the allowlisted domains.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
|
|
|
@ -4,7 +4,7 @@ domain_auto_trans(domain, crash_dump_exec, crash_dump);
|
|||
allow domain crash_dump:process sigchld;
|
||||
|
||||
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
||||
# with other UIDs to these whitelisted domains.
|
||||
# with other UIDs to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-vold
|
||||
|
|
|
@ -115,7 +115,7 @@ userdebug_or_eng(`read_logd(incidentd)')
|
|||
# TODO control_logd(incidentd)
|
||||
|
||||
# Allow incidentd to find these standard groups of services.
|
||||
# Others can be whitelisted individually.
|
||||
# Others can be allowlisted individually.
|
||||
allow incidentd {
|
||||
system_server_service
|
||||
app_api_service
|
||||
|
|
|
@ -77,7 +77,7 @@ neverallow isolated_app *:hwservice_manager *;
|
|||
neverallow isolated_app vndbinder_device:chr_file *;
|
||||
|
||||
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
|
||||
# except the find actions for services whitelisted below.
|
||||
# except the find actions for services allowlisted below.
|
||||
neverallow isolated_app *:service_manager ~find;
|
||||
|
||||
# b/17487348
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Perfetto command-line client. Can be used only from the domains that are
|
||||
# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
||||
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
||||
# This command line client accesses the privileged socket of the traced
|
||||
# daemon.
|
||||
|
||||
|
|
|
@ -46,7 +46,7 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
|
|||
|
||||
# system server gets network and bluetooth permissions.
|
||||
net_domain(system_server)
|
||||
# in addition to ioctls whitelisted for all domains, also allow system_server
|
||||
# in addition to ioctls allowlisted for all domains, also allow system_server
|
||||
# to use privileged ioctls commands. Needed to set up VPNs.
|
||||
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
|
||||
bluetooth_domain(system_server)
|
||||
|
@ -91,7 +91,7 @@ allow system_server config_gz:file { read open };
|
|||
# Use generic "sockets" where the address family is not known
|
||||
# to the kernel. The ioctl permission is specifically omitted here, but may
|
||||
# be added to device specific policy along with the ioctl commands to be
|
||||
# whitelisted.
|
||||
# allowlisted.
|
||||
allow system_server self:socket create_socket_perms_no_ioctl;
|
||||
|
||||
# Set and get routes directly via netlink.
|
||||
|
|
|
@ -16,7 +16,7 @@ allow traced_probes debugfs_tracing:file rw_file_perms;
|
|||
allow traced_probes debugfs_trace_marker:file getattr;
|
||||
|
||||
# TODO(primiano): temporarily I/O tracing categories are still
|
||||
# userdebug only until we nail down the blacklist/whitelist.
|
||||
# userdebug only until we nail down the denylist/allowlist.
|
||||
userdebug_or_eng(`
|
||||
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
|
||||
')
|
||||
|
|
|
@ -530,7 +530,7 @@ neverallow appdomain {
|
|||
tmpfs
|
||||
}:lnk_file no_w_file_perms;
|
||||
|
||||
# Blacklist app domains not allowed to execute from /data
|
||||
# Denylist app domains not allowed to execute from /data
|
||||
neverallow {
|
||||
bluetooth
|
||||
isolated_app
|
||||
|
@ -551,7 +551,7 @@ neverallow {
|
|||
-shell # bugreport
|
||||
} input_device:chr_file ~getattr;
|
||||
|
||||
# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
|
||||
# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
|
||||
# neverallow rules for access to Bluetooth-related data files are above.
|
||||
neverallow {
|
||||
appdomain
|
||||
|
|
|
@ -257,19 +257,19 @@ allow domain debugfs_trace_marker:file w_file_perms;
|
|||
allow domain fs_type:filesystem getattr;
|
||||
allow domain fs_type:dir getattr;
|
||||
|
||||
# Restrict all domains to a whitelist for common socket types. Additional
|
||||
# Restrict all domains to a allowlist for common socket types. Additional
|
||||
# ioctl commands may be added to individual domains, but this sets safe
|
||||
# defaults for all processes. Note that granting this whitelist to domain does
|
||||
# defaults for all processes. Note that granting this allowlist to domain does
|
||||
# not grant the ioctl permission on these socket types. That must be granted
|
||||
# separately.
|
||||
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
|
||||
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
||||
# default whitelist for unix sockets.
|
||||
# default allowlist for unix sockets.
|
||||
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
|
||||
ioctl unpriv_unix_sock_ioctls;
|
||||
|
||||
# Restrict PTYs to only whitelisted ioctls.
|
||||
# Note that granting this whitelist to domain does
|
||||
# Restrict PTYs to only allowlisted ioctls.
|
||||
# Note that granting this allowlist to domain does
|
||||
# not grant the wider ioctl permission. That must be granted
|
||||
# separately.
|
||||
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
|
||||
|
@ -288,7 +288,7 @@ with_asan(`allow domain system_data_file:dir getattr;')
|
|||
### neverallow rules
|
||||
###
|
||||
|
||||
# All socket ioctls must be restricted to a whitelist.
|
||||
# All socket ioctls must be restricted to a allowlist.
|
||||
neverallowxperm domain domain:socket_class_set ioctl { 0 };
|
||||
|
||||
# b/68014825 and https://android-review.googlesource.com/516535
|
||||
|
@ -303,7 +303,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI;
|
|||
# Do not allow any domain other than init to create unlabeled files.
|
||||
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
|
||||
|
||||
# Limit device node creation to these whitelisted domains.
|
||||
# Limit device node creation to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-kernel
|
||||
|
@ -312,7 +312,7 @@ neverallow {
|
|||
-vold
|
||||
} self:global_capability_class_set mknod;
|
||||
|
||||
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
|
||||
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
||||
neverallow {
|
||||
domain
|
||||
userdebug_or_eng(`-domain')
|
||||
|
@ -424,7 +424,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
|
|||
|
||||
#
|
||||
# Assert that, to the extent possible, we're not loading executable content from
|
||||
# outside the rootfs or /system partition except for a few whitelisted domains.
|
||||
# outside the rootfs or /system partition except for a few allowlisted domains.
|
||||
#
|
||||
neverallow {
|
||||
domain
|
||||
|
@ -552,7 +552,7 @@ compatible_property_only(`
|
|||
')
|
||||
|
||||
# Do not allow reading device's serial number from system properties except form
|
||||
# a few whitelisted domains.
|
||||
# a few allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-adbd
|
||||
|
@ -928,7 +928,7 @@ full_treble_only(`
|
|||
')
|
||||
|
||||
# On TREBLE devices, a limited set of files in /vendor are accessible to
|
||||
# only a few whitelisted coredomains to keep system/vendor separation.
|
||||
# only a few allowlisted coredomains to keep system/vendor separation.
|
||||
full_treble_only(`
|
||||
# Limit access to /vendor/app
|
||||
neverallow {
|
||||
|
@ -997,7 +997,7 @@ full_treble_only(`
|
|||
|
||||
full_treble_only(`
|
||||
# Do not allow vendor components to execute files from system
|
||||
# except for the ones whitelist here.
|
||||
# except for the ones allowlist here.
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
|
@ -1014,7 +1014,7 @@ full_treble_only(`
|
|||
|
||||
full_treble_only(`
|
||||
# Do not allow system components to execute files from vendor
|
||||
# except for the ones whitelisted here.
|
||||
# except for the ones allowlisted here.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
|
@ -1224,7 +1224,7 @@ neverallow {
|
|||
|
||||
# In addition to the symlink reading restrictions above, restrict
|
||||
# write access to shell owned directories. The /data/local/tmp
|
||||
# directory is untrustworthy, and non-whitelisted domains should
|
||||
# directory is untrustworthy, and non-allowlisted domains should
|
||||
# not be trusting any content in those directories.
|
||||
neverallow {
|
||||
domain
|
||||
|
|
|
@ -5,7 +5,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
|
|||
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
|
||||
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
|
||||
|
||||
# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(hal_wifi_supplicant, sysfs_type)
|
||||
|
|
|
@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
|
|||
type netd_exec, exec_type, file_type;
|
||||
|
||||
net_domain(netd)
|
||||
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
|
||||
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(netd, cgroup)
|
||||
|
|
|
@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
|
|||
# or read, execute the vendor_toolbox file.
|
||||
full_treble_only(`
|
||||
# Do not allow non-vendor domains to transition
|
||||
# to vendor toolbox except for the whitelisted domains.
|
||||
# to vendor toolbox except for the allowlisted domains.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
|
|
|
@ -15,7 +15,7 @@ neverallow {
|
|||
')
|
||||
|
||||
# On TREBLE devices, a limited set of files in /vendor are accessible to
|
||||
# only a few whitelisted coredomains to keep system/vendor separation.
|
||||
# only a few allowlisted coredomains to keep system/vendor separation.
|
||||
full_treble_only(`
|
||||
# Limit access to /vendor/app
|
||||
neverallow {
|
||||
|
|
|
@ -83,7 +83,7 @@ userdebug_or_eng(`
|
|||
')
|
||||
|
||||
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
||||
# with other UIDs to these whitelisted domains.
|
||||
# with other UIDs to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-vold
|
||||
|
@ -185,7 +185,7 @@ neverallow {
|
|||
|
||||
#
|
||||
# Assert that, to the extent possible, we're not loading executable content from
|
||||
# outside the rootfs or /system partition except for a few whitelisted domains.
|
||||
# outside the rootfs or /system partition except for a few allowlisted domains.
|
||||
# Executable files loaded from /data is a persistence vector
|
||||
# we want to avoid. See
|
||||
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
|
||||
|
@ -299,7 +299,7 @@ neverallow {
|
|||
-zygote
|
||||
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
|
||||
|
||||
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
|
||||
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
||||
neverallow {
|
||||
domain
|
||||
userdebug_or_eng(`-domain')
|
||||
|
|
|
@ -29,7 +29,7 @@ typeattribute heapprofd mlstrustedsubject;
|
|||
allow heapprofd self:capability kill;
|
||||
|
||||
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
|
||||
# profiling, only whitelisted domains will be allowed by SELinux. Avoid
|
||||
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
|
||||
# spamming logs with denials for entries that we can not access.
|
||||
dontaudit heapprofd domain:dir { search open };
|
||||
|
||||
|
|
|
@ -126,7 +126,7 @@ userdebug_or_eng(`read_logd(incidentd)')
|
|||
# TODO control_logd(incidentd)
|
||||
|
||||
# Allow incidentd to find these standard groups of services.
|
||||
# Others can be whitelisted individually.
|
||||
# Others can be allowlisted individually.
|
||||
allow incidentd {
|
||||
system_server_service
|
||||
app_api_service
|
||||
|
|
|
@ -87,7 +87,7 @@ neverallow isolated_app *:hwservice_manager *;
|
|||
neverallow isolated_app vndbinder_device:chr_file *;
|
||||
|
||||
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
|
||||
# except the find actions for services whitelisted below.
|
||||
# except the find actions for services allowlisted below.
|
||||
neverallow isolated_app *:service_manager ~find;
|
||||
|
||||
# b/17487348
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Perfetto command-line client. Can be used only from the domains that are
|
||||
# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
||||
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
||||
# This command line client accesses the privileged socket of the traced
|
||||
# daemon.
|
||||
|
||||
|
|
|
@ -50,14 +50,14 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
|
|||
|
||||
# system server gets network and bluetooth permissions.
|
||||
net_domain(system_server)
|
||||
# in addition to ioctls whitelisted for all domains, also allow system_server
|
||||
# in addition to ioctls allowlisted for all domains, also allow system_server
|
||||
# to use privileged ioctls commands. Needed to set up VPNs.
|
||||
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
|
||||
bluetooth_domain(system_server)
|
||||
|
||||
# Allow setup of tcp keepalive offload. This gives system_server the permission to
|
||||
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
|
||||
# be granted individually, except for a small set of safe values whitelisted in
|
||||
# be granted individually, except for a small set of safe values allowlisted in
|
||||
# public/domain.te.
|
||||
allow system_server appdomain:tcp_socket ioctl;
|
||||
|
||||
|
@ -102,7 +102,7 @@ allow system_server config_gz:file { read open };
|
|||
# Use generic "sockets" where the address family is not known
|
||||
# to the kernel. The ioctl permission is specifically omitted here, but may
|
||||
# be added to device specific policy along with the ioctl commands to be
|
||||
# whitelisted.
|
||||
# allowlisted.
|
||||
allow system_server self:socket create_socket_perms_no_ioctl;
|
||||
|
||||
# Set and get routes directly via netlink.
|
||||
|
|
|
@ -16,7 +16,7 @@ allow traced_probes debugfs_tracing:file rw_file_perms;
|
|||
allow traced_probes debugfs_trace_marker:file getattr;
|
||||
|
||||
# TODO(primiano): temporarily I/O tracing categories are still
|
||||
# userdebug only until we nail down the blacklist/whitelist.
|
||||
# userdebug only until we nail down the denylist/allowlist.
|
||||
userdebug_or_eng(`
|
||||
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
|
||||
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
|
||||
|
|
|
@ -537,7 +537,7 @@ neverallow appdomain {
|
|||
tmpfs
|
||||
}:lnk_file no_w_file_perms;
|
||||
|
||||
# Blacklist app domains not allowed to execute from /data
|
||||
# Denylist app domains not allowed to execute from /data
|
||||
neverallow {
|
||||
bluetooth
|
||||
isolated_app
|
||||
|
@ -558,7 +558,7 @@ neverallow {
|
|||
-shell # bugreport
|
||||
} input_device:chr_file ~getattr;
|
||||
|
||||
# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
|
||||
# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
|
||||
# neverallow rules for access to Bluetooth-related data files are above.
|
||||
neverallow {
|
||||
appdomain
|
||||
|
|
|
@ -260,19 +260,19 @@ allow domain debugfs_trace_marker:file w_file_perms;
|
|||
allow domain fs_type:filesystem getattr;
|
||||
allow domain fs_type:dir getattr;
|
||||
|
||||
# Restrict all domains to a whitelist for common socket types. Additional
|
||||
# Restrict all domains to a allowlist for common socket types. Additional
|
||||
# ioctl commands may be added to individual domains, but this sets safe
|
||||
# defaults for all processes. Note that granting this whitelist to domain does
|
||||
# defaults for all processes. Note that granting this allowlist to domain does
|
||||
# not grant the ioctl permission on these socket types. That must be granted
|
||||
# separately.
|
||||
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
|
||||
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
||||
# default whitelist for unix sockets.
|
||||
# default allowlist for unix sockets.
|
||||
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
|
||||
ioctl unpriv_unix_sock_ioctls;
|
||||
|
||||
# Restrict PTYs to only whitelisted ioctls.
|
||||
# Note that granting this whitelist to domain does
|
||||
# Restrict PTYs to only allowlisted ioctls.
|
||||
# Note that granting this allowlist to domain does
|
||||
# not grant the wider ioctl permission. That must be granted
|
||||
# separately.
|
||||
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
|
||||
|
@ -288,7 +288,7 @@ allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
|
|||
|
||||
# Allow a process to make a determination whether a file descriptor
|
||||
# for a plain file or pipe (fifo_file) is a tty. Note that granting
|
||||
# this whitelist to domain does not grant the ioctl permission to
|
||||
# this allowlist to domain does not grant the ioctl permission to
|
||||
# these files. That must be granted separately.
|
||||
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
|
||||
allowxperm domain domain:fifo_file ioctl { TCGETS };
|
||||
|
@ -331,7 +331,7 @@ allow domain apex_mnt_dir:lnk_file r_file_perms;
|
|||
###
|
||||
|
||||
# All ioctls on file-like objects (except chr_file and blk_file) and
|
||||
# sockets must be restricted to a whitelist.
|
||||
# sockets must be restricted to a allowlist.
|
||||
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
|
||||
|
||||
# b/68014825 and https://android-review.googlesource.com/516535
|
||||
|
@ -346,7 +346,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI;
|
|||
# Do not allow any domain other than init to create unlabeled files.
|
||||
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
|
||||
|
||||
# Limit device node creation to these whitelisted domains.
|
||||
# Limit device node creation to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-kernel
|
||||
|
@ -544,7 +544,7 @@ compatible_property_only(`
|
|||
')
|
||||
|
||||
# Do not allow reading device's serial number from system properties except form
|
||||
# a few whitelisted domains.
|
||||
# a few allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-adbd
|
||||
|
@ -951,7 +951,7 @@ full_treble_only(`
|
|||
|
||||
full_treble_only(`
|
||||
# Do not allow vendor components to execute files from system
|
||||
# except for the ones whitelist here.
|
||||
# except for the ones allowlist here.
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
|
@ -970,7 +970,7 @@ full_treble_only(`
|
|||
|
||||
full_treble_only(`
|
||||
# Do not allow system components to execute files from vendor
|
||||
# except for the ones whitelisted here.
|
||||
# except for the ones allowlisted here.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
|
@ -998,7 +998,7 @@ full_treble_only(`
|
|||
|
||||
full_treble_only(`
|
||||
# Do not allow system components access to /vendor files except for the
|
||||
# ones whitelisted here.
|
||||
# ones allowlisted here.
|
||||
neverallow {
|
||||
coredomain
|
||||
# TODO(b/37168747): clean up fwk access to /vendor
|
||||
|
@ -1028,7 +1028,7 @@ full_treble_only(`
|
|||
|
||||
full_treble_only(`
|
||||
# Do not allow vendor components access to /system files except for the
|
||||
# ones whitelisted here.
|
||||
# ones allowlisted here.
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain
|
||||
|
@ -1215,7 +1215,7 @@ neverallow {
|
|||
|
||||
# In addition to the symlink reading restrictions above, restrict
|
||||
# write access to shell owned directories. The /data/local/tmp
|
||||
# directory is untrustworthy, and non-whitelisted domains should
|
||||
# directory is untrustworthy, and non-allowlisted domains should
|
||||
# not be trusting any content in those directories.
|
||||
neverallow {
|
||||
domain
|
||||
|
|
|
@ -4,7 +4,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
|
|||
|
||||
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
|
||||
|
||||
# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(hal_wifi_supplicant, sysfs_type)
|
||||
|
|
|
@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
|
|||
type netd_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
net_domain(netd)
|
||||
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
|
||||
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(netd, cgroup)
|
||||
|
|
|
@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
|
|||
# or read, execute the vendor_toolbox file.
|
||||
full_treble_only(`
|
||||
# Do not allow non-vendor domains to transition
|
||||
# to vendor toolbox except for the whitelisted domains.
|
||||
# to vendor toolbox except for the allowlisted domains.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
|
|
|
@ -59,7 +59,7 @@ userdebug_or_eng(`
|
|||
hal_client_domain(atrace, hal_vibrator)
|
||||
')
|
||||
|
||||
# Remove logspam from notification attempts to non-whitelisted services.
|
||||
# Remove logspam from notification attempts to non-allowlisted services.
|
||||
dontaudit atrace hwservice_manager_type:hwservice_manager find;
|
||||
dontaudit atrace service_manager_type:service_manager find;
|
||||
dontaudit atrace domain:binder call;
|
||||
|
|
|
@ -15,7 +15,7 @@ neverallow {
|
|||
')
|
||||
|
||||
# On TREBLE devices, a limited set of files in /vendor are accessible to
|
||||
# only a few whitelisted coredomains to keep system/vendor separation.
|
||||
# only a few allowlisted coredomains to keep system/vendor separation.
|
||||
full_treble_only(`
|
||||
# Limit access to /vendor/app
|
||||
neverallow {
|
||||
|
|
|
@ -122,7 +122,7 @@ allow domain linkerconfig_file:file r_file_perms;
|
|||
allow domain boringssl_self_test_marker:dir search;
|
||||
|
||||
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
||||
# with other UIDs to these whitelisted domains.
|
||||
# with other UIDs to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-vold
|
||||
|
@ -225,7 +225,7 @@ neverallow {
|
|||
|
||||
#
|
||||
# Assert that, to the extent possible, we're not loading executable content from
|
||||
# outside the rootfs or /system partition except for a few whitelisted domains.
|
||||
# outside the rootfs or /system partition except for a few allowlisted domains.
|
||||
# Executable files loaded from /data is a persistence vector
|
||||
# we want to avoid. See
|
||||
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
|
||||
|
@ -342,7 +342,7 @@ neverallow {
|
|||
-zygote
|
||||
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
|
||||
|
||||
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
|
||||
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
||||
neverallow {
|
||||
domain
|
||||
userdebug_or_eng(`-domain')
|
||||
|
|
|
@ -29,7 +29,7 @@ typeattribute heapprofd mlstrustedsubject;
|
|||
allow heapprofd self:capability kill;
|
||||
|
||||
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
|
||||
# profiling, only whitelisted domains will be allowed by SELinux. Avoid
|
||||
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
|
||||
# spamming logs with denials for entries that we can not access.
|
||||
dontaudit heapprofd domain:dir { search open };
|
||||
|
||||
|
|
|
@ -145,7 +145,7 @@ userdebug_or_eng(`read_logd(incidentd)')
|
|||
r_dir_file(incidentd, misc_logd_file)
|
||||
|
||||
# Allow incidentd to find these standard groups of services.
|
||||
# Others can be whitelisted individually.
|
||||
# Others can be allowlisted individually.
|
||||
allow incidentd {
|
||||
system_server_service
|
||||
app_api_service
|
||||
|
|
|
@ -88,7 +88,7 @@ neverallow isolated_app *:hwservice_manager *;
|
|||
neverallow isolated_app vndbinder_device:chr_file *;
|
||||
|
||||
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
|
||||
# except the find actions for services whitelisted below.
|
||||
# except the find actions for services allowlisted below.
|
||||
neverallow isolated_app *:service_manager ~find;
|
||||
|
||||
# b/17487348
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Perfetto command-line client. Can be used only from the domains that are
|
||||
# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
||||
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
||||
# This command line client accesses the privileged socket of the traced
|
||||
# daemon.
|
||||
|
||||
|
|
|
@ -66,14 +66,14 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
|
|||
|
||||
# system server gets network and bluetooth permissions.
|
||||
net_domain(system_server)
|
||||
# in addition to ioctls whitelisted for all domains, also allow system_server
|
||||
# in addition to ioctls allowlisted for all domains, also allow system_server
|
||||
# to use privileged ioctls commands. Needed to set up VPNs.
|
||||
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
|
||||
bluetooth_domain(system_server)
|
||||
|
||||
# Allow setup of tcp keepalive offload. This gives system_server the permission to
|
||||
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
|
||||
# be granted individually, except for a small set of safe values whitelisted in
|
||||
# be granted individually, except for a small set of safe values allowlisted in
|
||||
# public/domain.te.
|
||||
allow system_server appdomain:tcp_socket ioctl;
|
||||
|
||||
|
@ -118,7 +118,7 @@ allow system_server config_gz:file { read open };
|
|||
# Use generic "sockets" where the address family is not known
|
||||
# to the kernel. The ioctl permission is specifically omitted here, but may
|
||||
# be added to device specific policy along with the ioctl commands to be
|
||||
# whitelisted.
|
||||
# allowlisted.
|
||||
allow system_server self:socket create_socket_perms_no_ioctl;
|
||||
|
||||
# Set and get routes directly via netlink.
|
||||
|
|
|
@ -16,7 +16,7 @@ allow traced_probes debugfs_tracing:file rw_file_perms;
|
|||
allow traced_probes debugfs_trace_marker:file getattr;
|
||||
|
||||
# TODO(primiano): temporarily I/O tracing categories are still
|
||||
# userdebug only until we nail down the blacklist/whitelist.
|
||||
# userdebug only until we nail down the denylist/allowlist.
|
||||
userdebug_or_eng(`
|
||||
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
|
||||
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
|
||||
|
|
|
@ -537,7 +537,7 @@ neverallow appdomain {
|
|||
tmpfs
|
||||
}:lnk_file no_w_file_perms;
|
||||
|
||||
# Blacklist app domains not allowed to execute from /data
|
||||
# Denylist app domains not allowed to execute from /data
|
||||
neverallow {
|
||||
bluetooth
|
||||
isolated_app
|
||||
|
@ -558,7 +558,7 @@ neverallow {
|
|||
-shell # bugreport
|
||||
} input_device:chr_file ~getattr;
|
||||
|
||||
# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
|
||||
# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
|
||||
# neverallow rules for access to Bluetooth-related data files are above.
|
||||
neverallow {
|
||||
appdomain
|
||||
|
|
|
@ -260,19 +260,19 @@ allow domain debugfs_trace_marker:file w_file_perms;
|
|||
allow domain fs_type:filesystem getattr;
|
||||
allow domain fs_type:dir getattr;
|
||||
|
||||
# Restrict all domains to a whitelist for common socket types. Additional
|
||||
# Restrict all domains to a allowlist for common socket types. Additional
|
||||
# ioctl commands may be added to individual domains, but this sets safe
|
||||
# defaults for all processes. Note that granting this whitelist to domain does
|
||||
# defaults for all processes. Note that granting this allowlist to domain does
|
||||
# not grant the ioctl permission on these socket types. That must be granted
|
||||
# separately.
|
||||
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
|
||||
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
||||
# default whitelist for unix sockets.
|
||||
# default allowlist for unix sockets.
|
||||
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
|
||||
ioctl unpriv_unix_sock_ioctls;
|
||||
|
||||
# Restrict PTYs to only whitelisted ioctls.
|
||||
# Note that granting this whitelist to domain does
|
||||
# Restrict PTYs to only allowlisted ioctls.
|
||||
# Note that granting this allowlist to domain does
|
||||
# not grant the wider ioctl permission. That must be granted
|
||||
# separately.
|
||||
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
|
||||
|
@ -288,7 +288,7 @@ allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
|
|||
|
||||
# Allow a process to make a determination whether a file descriptor
|
||||
# for a plain file or pipe (fifo_file) is a tty. Note that granting
|
||||
# this whitelist to domain does not grant the ioctl permission to
|
||||
# this allowlist to domain does not grant the ioctl permission to
|
||||
# these files. That must be granted separately.
|
||||
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
|
||||
allowxperm domain domain:fifo_file ioctl { TCGETS };
|
||||
|
@ -331,7 +331,7 @@ allow domain apex_mnt_dir:lnk_file r_file_perms;
|
|||
###
|
||||
|
||||
# All ioctls on file-like objects (except chr_file and blk_file) and
|
||||
# sockets must be restricted to a whitelist.
|
||||
# sockets must be restricted to a allowlist.
|
||||
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
|
||||
|
||||
# b/68014825 and https://android-review.googlesource.com/516535
|
||||
|
@ -346,7 +346,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI;
|
|||
# Do not allow any domain other than init to create unlabeled files.
|
||||
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
|
||||
|
||||
# Limit device node creation to these whitelisted domains.
|
||||
# Limit device node creation to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-kernel
|
||||
|
@ -544,7 +544,7 @@ compatible_property_only(`
|
|||
')
|
||||
|
||||
# Do not allow reading device's serial number from system properties except form
|
||||
# a few whitelisted domains.
|
||||
# a few allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-adbd
|
||||
|
@ -934,7 +934,7 @@ full_treble_only(`
|
|||
|
||||
full_treble_only(`
|
||||
# Do not allow vendor components to execute files from system
|
||||
# except for the ones whitelist here.
|
||||
# except for the ones allowlist here.
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
|
@ -955,7 +955,7 @@ full_treble_only(`
|
|||
|
||||
full_treble_only(`
|
||||
# Do not allow system components to execute files from vendor
|
||||
# except for the ones whitelisted here.
|
||||
# except for the ones allowlisted here.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
|
@ -984,7 +984,7 @@ full_treble_only(`
|
|||
|
||||
full_treble_only(`
|
||||
# Do not allow system components access to /vendor files except for the
|
||||
# ones whitelisted here.
|
||||
# ones allowlisted here.
|
||||
neverallow {
|
||||
coredomain
|
||||
# TODO(b/37168747): clean up fwk access to /vendor
|
||||
|
@ -1019,7 +1019,7 @@ full_treble_only(`
|
|||
|
||||
full_treble_only(`
|
||||
# Do not allow vendor components access to /system files except for the
|
||||
# ones whitelisted here.
|
||||
# ones allowlisted here.
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain
|
||||
|
@ -1212,7 +1212,7 @@ neverallow {
|
|||
|
||||
# In addition to the symlink reading restrictions above, restrict
|
||||
# write access to shell owned directories. The /data/local/tmp
|
||||
# directory is untrustworthy, and non-whitelisted domains should
|
||||
# directory is untrustworthy, and non-allowlisted domains should
|
||||
# not be trusting any content in those directories.
|
||||
neverallow {
|
||||
domain
|
||||
|
|
|
@ -4,7 +4,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
|
|||
|
||||
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
|
||||
|
||||
# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(hal_wifi_supplicant, sysfs_type)
|
||||
|
|
|
@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
|
|||
type netd_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
net_domain(netd)
|
||||
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
|
||||
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(netd, cgroup)
|
||||
|
|
|
@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
|
|||
# or read, execute the vendor_toolbox file.
|
||||
full_treble_only(`
|
||||
# Do not allow non-vendor domains to transition
|
||||
# to vendor toolbox except for the whitelisted domains.
|
||||
# to vendor toolbox except for the allowlisted domains.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
|
|
|
@ -59,7 +59,7 @@ userdebug_or_eng(`
|
|||
hal_client_domain(atrace, hal_vibrator)
|
||||
')
|
||||
|
||||
# Remove logspam from notification attempts to non-whitelisted services.
|
||||
# Remove logspam from notification attempts to non-allowlisted services.
|
||||
dontaudit atrace hwservice_manager_type:hwservice_manager find;
|
||||
dontaudit atrace service_manager_type:service_manager find;
|
||||
dontaudit atrace domain:binder call;
|
||||
|
|
|
@ -34,7 +34,7 @@ neverallow {
|
|||
')
|
||||
|
||||
# On TREBLE devices, a limited set of files in /vendor are accessible to
|
||||
# only a few whitelisted coredomains to keep system/vendor separation.
|
||||
# only a few allowlisted coredomains to keep system/vendor separation.
|
||||
full_treble_only(`
|
||||
# Limit access to /vendor/app
|
||||
neverallow {
|
||||
|
|
|
@ -109,7 +109,7 @@ allow domain linkerconfig_file:file r_file_perms;
|
|||
allow domain boringssl_self_test_marker:dir search;
|
||||
|
||||
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
||||
# with other UIDs to these whitelisted domains.
|
||||
# with other UIDs to these allowlisted domains.
|
||||
neverallow {
|
||||
domain
|
||||
-vold
|
||||
|
@ -212,7 +212,7 @@ neverallow {
|
|||
|
||||
#
|
||||
# Assert that, to the extent possible, we're not loading executable content from
|
||||
# outside the rootfs or /system partition except for a few whitelisted domains.
|
||||
# outside the rootfs or /system partition except for a few allowlisted domains.
|
||||
# Executable files loaded from /data is a persistence vector
|
||||
# we want to avoid. See
|
||||
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
|
||||
|
@ -329,7 +329,7 @@ neverallow {
|
|||
-zygote
|
||||
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
|
||||
|
||||
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
|
||||
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
||||
neverallow {
|
||||
domain
|
||||
userdebug_or_eng(`-domain')
|
||||
|
|
|
@ -29,7 +29,7 @@ typeattribute heapprofd mlstrustedsubject;
|
|||
allow heapprofd self:capability kill;
|
||||
|
||||
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
|
||||
# profiling, only whitelisted domains will be allowed by SELinux. Avoid
|
||||
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
|
||||
# spamming logs with denials for entries that we can not access.
|
||||
dontaudit heapprofd domain:dir { search open };
|
||||
|
||||
|
|
|
@ -145,7 +145,7 @@ userdebug_or_eng(`read_logd(incidentd)')
|
|||
r_dir_file(incidentd, misc_logd_file)
|
||||
|
||||
# Allow incidentd to find these standard groups of services.
|
||||
# Others can be whitelisted individually.
|
||||
# Others can be allowlisted individually.
|
||||
allow incidentd {
|
||||
system_server_service
|
||||
app_api_service
|
||||
|
|
|
@ -91,7 +91,7 @@ neverallow isolated_app *:hwservice_manager *;
|
|||
neverallow isolated_app vndbinder_device:chr_file *;
|
||||
|
||||
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
|
||||
# except the find actions for services whitelisted below.
|
||||
# except the find actions for services allowlisted below.
|
||||
neverallow isolated_app *:service_manager ~find;
|
||||
|
||||
# b/17487348
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Perfetto command-line client. Can be used only from the domains that are
|
||||
# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
||||
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
||||
# This command line client accesses the privileged socket of the traced
|
||||
# daemon.
|
||||
|
||||
|
|
|
@ -66,14 +66,14 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
|
|||
|
||||
# system server gets network and bluetooth permissions.
|
||||
net_domain(system_server)
|
||||
# in addition to ioctls whitelisted for all domains, also allow system_server
|
||||
# in addition to ioctls allowlisted for all domains, also allow system_server
|
||||
# to use privileged ioctls commands. Needed to set up VPNs.
|
||||
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
|
||||
bluetooth_domain(system_server)
|
||||
|
||||
# Allow setup of tcp keepalive offload. This gives system_server the permission to
|
||||
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
|
||||
# be granted individually, except for a small set of safe values whitelisted in
|
||||
# be granted individually, except for a small set of safe values allowlisted in
|
||||
# public/domain.te.
|
||||
allow system_server appdomain:tcp_socket ioctl;
|
||||
|
||||
|
@ -118,7 +118,7 @@ allow system_server config_gz:file { read open };
|
|||
# Use generic "sockets" where the address family is not known
|
||||
# to the kernel. The ioctl permission is specifically omitted here, but may
|
||||
# be added to device specific policy along with the ioctl commands to be
|
||||
# whitelisted.
|
||||
# allowlisted.
|
||||
allow system_server self:socket create_socket_perms_no_ioctl;
|
||||
|
||||
# Set and get routes directly via netlink.
|
||||
|
|
|
@ -16,7 +16,7 @@ allow traced_probes debugfs_tracing:file rw_file_perms;
|
|||
allow traced_probes debugfs_trace_marker:file getattr;
|
||||
|
||||
# TODO(primiano): temporarily I/O tracing categories are still
|
||||
# userdebug only until we nail down the blacklist/whitelist.
|
||||
# userdebug only until we nail down the denylist/allowlist.
|
||||
userdebug_or_eng(`
|
||||
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
|
||||
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
|
||||
|
|
|
@ -4,7 +4,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
|
|||
|
||||
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
|
||||
|
||||
# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
||||
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(hal_wifi_supplicant, sysfs_type)
|
||||
|
|
|
@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
|
|||
type netd_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
net_domain(netd)
|
||||
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
|
||||
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
|
||||
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
r_dir_file(netd, cgroup)
|
||||
|
|
|
@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
|
|||
# or read, execute the vendor_toolbox file.
|
||||
full_treble_only(`
|
||||
# Do not allow non-vendor domains to transition
|
||||
# to vendor toolbox except for the whitelisted domains.
|
||||
# to vendor toolbox except for the allowlisted domains.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
|
|
Loading…
Reference in a new issue