Merge "Vendor API level 202404 is now frozen" into main

Devin Moore 2024-02-29 00:22:11 +00:00 committed by Android (Google) Code Review
commit bdf057818d
486 changed files with 49744 additions and 0 deletions


@ -0,0 +1,71 @@
// Automatically generated file, do not edit!
se_policy_conf {
name: "202404_plat_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_202404}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
}
se_policy_cil {
name: "202404_plat_pub_policy.cil",
src: ":202404_plat_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "202404_product_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_202404}",
":se_build_files{.system_ext_public_202404}",
":se_build_files{.product_public_202404}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
}
se_policy_cil {
name: "202404_product_pub_policy.cil",
src: ":202404_product_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "202404_plat_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_202404}",
":se_build_files{.plat_private_202404}",
":se_build_files{.system_ext_public_202404}",
":se_build_files{.system_ext_private_202404}",
":se_build_files{.product_public_202404}",
":se_build_files{.product_private_202404}",
],
installable: false,
build_variant: "user",
}
se_policy_cil {
name: "202404_plat_policy.cil",
src: ":202404_plat_policy.conf",
additional_cil_files: [":sepolicy_technical_debt{.plat_private_202404}"],
installable: false,
}
se_policy_binary {
name: "202404_plat_policy",
srcs: [":202404_plat_policy.cil"],
installable: false,
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
}


@ -0,0 +1,799 @@
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
map
unlink
link
rename
execute
quotaon
mounton
audit_access
open
execmod
watch
watch_mount
watch_sb
watch_with_perm
watch_reads
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
map
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define a common for capability access vectors.
#
common cap
{
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the cap2 common.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
common cap2
{
mac_override # unused by SELinux
mac_admin
syslog
wake_alarm
block_suspend
audit_read
perfmon
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
associate
quotamod
quotaget
watch
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
class file
inherits file
{
execute_no_trans
entrypoint
}
class anon_inode
inherits file
class lnk_file
inherits file
class chr_file
inherits file
{
execute_no_trans
entrypoint
}
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
recvfrom
sendto
}
class netif
{
ingress
egress
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
setkeycreate
setsockcreate
getrlimit
}
class process2
{
nnp_transition
nosuid_transition
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
read_policy
validate_trans
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
module_request
module_load
}
#
# Define the access vector interpretation for controlling capabilities
#
class capability
inherits cap
class capability2
inherits cap2
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_readpriv
nlmsg_getneigh
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
nlmsg_tty_audit
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
sendto
recvfrom
setcontext
polmatch
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket
class appletalk_socket
inherits socket
class packet
{
send
recv
relabelto
forward_in
forward_out
}
class key
{
view
read
write
search
link
setattr
create
}
class dccp_socket
inherits socket
{
node_bind
name_connect
}
class memprotect
{
mmap_zero
}
# network peer labels
class peer
{
recv
}
class kernel_service
{
use_as_override
create_files_as
}
class tun_socket
inherits socket
{
attach_queue
}
class binder
{
impersonate
call
set_context_mgr
transfer
}
class netlink_iscsi_socket
inherits socket
class netlink_fib_lookup_socket
inherits socket
class netlink_connector_socket
inherits socket
class netlink_netfilter_socket
inherits socket
class netlink_generic_socket
inherits socket
class netlink_scsitransport_socket
inherits socket
class netlink_rdma_socket
inherits socket
class netlink_crypto_socket
inherits socket
class infiniband_pkey
{
access
}
class infiniband_endport
{
manage_subnet
}
#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
class cap_userns
inherits cap
class cap2_userns
inherits cap2
#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#
#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
node_bind
name_connect
association
}
class icmp_socket
inherits socket
{
node_bind
}
#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#
class ax25_socket
inherits socket
class ipx_socket
inherits socket
class netrom_socket
inherits socket
class atmpvc_socket
inherits socket
class x25_socket
inherits socket
class rose_socket
inherits socket
class decnet_socket
inherits socket
class atmsvc_socket
inherits socket
class rds_socket
inherits socket
class irda_socket
inherits socket
class pppox_socket
inherits socket
class llc_socket
inherits socket
class can_socket
inherits socket
class tipc_socket
inherits socket
class bluetooth_socket
inherits socket
class iucv_socket
inherits socket
class rxrpc_socket
inherits socket
class isdn_socket
inherits socket
class phonet_socket
inherits socket
class ieee802154_socket
inherits socket
class caif_socket
inherits socket
class alg_socket
inherits socket
class nfc_socket
inherits socket
class vsock_socket
inherits socket
class kcm_socket
inherits socket
class qipcrtr_socket
inherits socket
class smc_socket
inherits socket
class bpf
{
map_create
map_read
map_write
prog_load
prog_run
}
class property_service
{
set
}
class service_manager
{
add
find
list
}
class hwservice_manager
{
add
find
list
}
class keystore_key
{
get_state
get
insert
delete
exist
list
reset
password
lock
unlock
is_empty
sign
verify
grant
duplicate
clear_uid
add_auth
user_changed
gen_unique_id
}
class keystore2
{
add_auth
change_password
change_user
clear_ns
clear_uid
delete_all_keys
early_boot_ended
get_attestation_key
get_auth_token
get_last_auth_time
get_state
list
lock
pull_metrics
report_off_body
reset
unlock
}
class keystore2_key
{
convert_storage_key_to_ephemeral
delete
gen_unique_id
get_info
grant
manage_blob
rebind
req_forced_op
update
use
use_dev_id
}
class diced
{
demote
demote_self
derive
get_attestation_chain
use_seal
use_sign
}
class drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
}
class xdp_socket
inherits socket
class perf_event
{
open
cpu
kernel
tracepoint
read
write
}
class lockdown
{
integrity
confidentiality
}
class io_uring
{
override_creds
sqpoll
cmd
}


@ -0,0 +1,237 @@
### ADB daemon
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
init_daemon_domain(adbd)
domain_auto_trans(adbd, shell_exec, shell)
userdebug_or_eng(`
allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')
# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
# is not labeled as shell but as rootfs.
recovery_only(`
domain_trans(adbd, rootfs, shell)
allow adbd shell:process dyntransition;
# Allows reboot fastboot to enter fastboot directly
unix_socket_connect(adbd, recovery, recovery)
')
# Control Perfetto traced and obtain traces from it.
# Needed to allow port forwarding directly to traced.
unix_socket_connect(adbd, traced_consumer, traced)
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
# Set UID and GID to shell. Set supplementary groups.
allow adbd self:global_capability_class_set { setuid setgid };
# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;
# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
# Allow adbd inside vm to forward vm's vsock.
allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Create and use network sockets.
net_domain(adbd)
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(adbd, mdnsd, mdnsd)
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;
allowxperm adbd functionfs:file ioctl {
FUNCTIONFS_ENDPOINT_DESC
FUNCTIONFS_CLEAR_HALT
};
# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;
# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
# adb pull /data/local/traces/*
allow adbd trace_data_file:dir r_dir_perms;
allow adbd trace_data_file:file r_file_perms;
# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;
# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
allow adbd { sdcard_type fuse }:dir create_dir_perms;
allow adbd { sdcard_type fuse }:file create_file_perms;
# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
# adb pull /vendor/framework/*
allow adbd vendor_framework_file:dir r_dir_perms;
allow adbd vendor_framework_file:file r_file_perms;
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
get_prop(adbd, ffs_config_prop)
set_prop(adbd, ffs_control_prop)
# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
set_prop(adbd, adbd_prop)
set_prop(adbd, adbd_config_prop)
# Allow adbd start/stop mdnsd via ctl.start
set_prop(adbd, ctl_mdnsd_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
# Read device's serial number from system properties
get_prop(adbd, serialno_prop)
# Read whether or not Test Harness Mode is enabled
get_prop(adbd, test_harness_prop)
# Read persist.adb.tls_server.enable property
get_prop(adbd, system_adbd_prop)
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
r_dir_file(adbd, sysfs_dt_firmware_android)
')
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd gpu_device:dir r_dir_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;
userdebug_or_eng(`
# Write debugging information to /data/adb
# when persist.adb.trace_mask is set
# https://code.google.com/p/android/issues/detail?id=72895
allow adbd adb_data_file:dir rw_dir_perms;
allow adbd adb_data_file:file create_file_perms;
')
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
# Allow pulling the SELinux policy for CTS purposes
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file r_file_perms;
allow adbd file_contexts_file:file r_file_perms;
allow adbd seapp_contexts_file:file r_file_perms;
allow adbd property_contexts_file:file r_file_perms;
allow adbd sepolicy_file:file r_file_perms;
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
# For CTS listening ports test.
allow adbd proc_net_tcp_udp:file r_file_perms;
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;
r_dir_file(adbd, apk_data_file)
allow adbd rootfs:dir r_dir_perms;
# Allow killing child "perfetto" binary processes, which auto-transition to
# their own domain. Allows propagating termination of "adb shell perfetto ..."
# invocations.
allow adbd perfetto:process signal;
# Allow to pull Perfetto traces.
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
# Allow to push and manage configs in /data/misc/perfetto-configs.
allow adbd perfetto_configs_data_file:dir rw_dir_perms;
allow adbd perfetto_configs_data_file:file create_file_perms;
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
# Allow pull /vendor/apex files for CTS tests
allow adbd vendor_apex_file:dir search;
allow adbd vendor_apex_file:file r_file_perms;
# Allow adb pull of updated apex files in /data/apex/active.
allow adbd apex_data_file:dir search;
allow adbd staging_data_file:file r_file_perms;
# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
allow adbd apex_info_file:file r_file_perms;
###
### Neverallow rules
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -crash_dump -shell }:process transition;
neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
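Review bot: The comment above the two closing neverallow rules reads as an unconditional ban on adbd reaching su, but the second rule exempts `su` under `userdebug_or_eng` and `shell` under `recovery_only`, mirroring the `dyntransition` allows near the top of this section. Someone auditing "adb root" exposure has to expand the macros to see that only user builds are left with no dyntransition target. I would add a line directly above the second rule, for example `# dyntransition: only to su on userdebug/eng and to shell in recovery; no target on user builds.` If this section is a frozen API snapshot, the wording change belongs in the live policy it was copied from.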


@ -0,0 +1,5 @@
userdebug_or_eng(`
typeattribute aidl_lazy_test_server coredomain;
init_daemon_domain(aidl_lazy_test_server)
')


@ -0,0 +1,20 @@
# APEX pre- & post-install test.
#
# Allow to run pre- and post-install hooks for APEX test modules
# in debuggable builds.
type apex_test_prepostinstall, domain, coredomain;
type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
# /dev/zero
allow apex_test_prepostinstall apexd:fd use;
# Logwrapper.
create_pty(apex_test_prepostinstall)
# Logwrapper executing sh.
allow apex_test_prepostinstall shell_exec:file rx_file_perms;
# Logwrapper exec.
allow apex_test_prepostinstall system_file:file execute_no_trans;
# Ls.
allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
')


@ -0,0 +1,206 @@
typeattribute apexd coredomain;
init_daemon_domain(apexd)
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
allow apexd apex_data_file:dir create_dir_perms;
allow apexd apex_data_file:file create_file_perms;
# Allow relabeling file created in /data/apex/decompressed
allow apexd apex_data_file:file relabelfrom;
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
allow apexd metadata_file:dir search;
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir create_dir_perms;
allow apexd apex_ota_reserved_file:file create_file_perms;
# Allow apexd to create files and directories for snapshots of apex data
allow apexd apex_data_file_type:dir { create_dir_perms relabelto };
allow apexd apex_data_file_type:file { create_file_perms relabelto };
allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
# Allow apexd to read /data/misc_de and the directories under it, in order to
# snapshot and restore apex data for all users.
allow apexd {
system_userdir_file
system_data_file
}:dir r_dir_perms;
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
allow apexd loop_device:blk_file rw_file_perms;
allowxperm apexd loop_device:blk_file ioctl {
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
LOOP_CONFIGURE
};
# Allow apexd to access /dev/block
allow apexd dev_type:dir r_dir_perms;
allow apexd dev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
# allow apexd to access /dev/block/dm-* (device-mapper entries)
allow apexd dm_device:chr_file rw_file_perms;
allow apexd dm_device:blk_file rw_file_perms;
# sys_admin is required to access the device-mapper and mount
# dac_override, chown, and fowner are needed for snapshot and restore
allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for apexd to operate.
dontaudit apexd self:global_capability_class_set fsetid;
# allow apexd to create a mount point in /apex
allow apexd apex_mnt_dir:dir create_dir_perms;
# allow apexd to mount in /apex
allow apexd apex_mnt_dir:filesystem { mount unmount };
allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
allow apexd apex_info_file:file relabelto;
# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
allow apexd apex_info_file:file rw_file_perms;
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
# # Allow relabeling file created in /data/apex/decompressed
allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex
r_dir_file(apexd, vendor_apex_file)
r_dir_file(apexd, vendor_apex_metadata_file)
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
# Access to /sys/class/block
allow apexd sysfs_type:dir r_dir_perms;
allow apexd sysfs_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
allow apexd sysfs_dm:file rw_file_perms;
# for loopX
allow apexd sysfs_loop:dir r_dir_perms;
allow apexd sysfs_loop:file rw_file_perms;
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
# Allow apexd to reboot device. Required for rollbacks of apexes that are
# not covered by rollback manager.
set_prop(apexd, powerctl_prop)
# Allow apexd to stop itself
set_prop(apexd, ctl_apexd_prop)
# Allow apexd to send control messages to load/unload apex from init
set_prop(apexd, ctl_apex_load_prop)
# Find the vold service, and call into vold to manage FS checkpoints
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
# apexd is using bootstrap bionic
use_bootstrap_libs(apexd)
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
# other processes
create_pty(apexd)
# Allow apexd to read file contexts when performing restorecon of snapshots.
allow apexd file_contexts_file:file r_file_perms;
# Allow apexd to execute toybox for snapshot & restore
allow apexd toolbox_exec:file rx_file_perms;
# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs.
allowxperm apexd staging_data_file:file ioctl {
FS_IOC_GETFLAGS
F2FS_IOC_RELEASE_COMPRESS_BLOCKS
};
# Allow apexd to read ro.cold_boot_done prop.
# apexd uses it to decide whether it needs to keep retrying polling for loop device.
get_prop(apexd, cold_boot_done_prop)
# Allow apexd to read per-device configuration properties.
get_prop(apexd, apexd_config_prop)
# Allow apexd to read apex selection properties.
# These are used to choose between multi-installed APEXes at activation time.
get_prop(apexd, apexd_select_prop)
#
# Allow apexd to read apexd_payload_metadata_prop
get_prop(apexd, apexd_payload_metadata_prop)
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
# only apexd can set apexd sysprop
set_prop(apexd, apexd_prop)
neverallow { domain -apexd -init } apexd_prop:property_service set;
# only apexd can write apex-info-list.xml
neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
# Only apexd and init should be allowed to manage /apex mounts
# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
# Allow for use in postinstall
allow apexd otapreopt_chroot:fd use;
allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
# Allow calling derive_classpath to gather BCP information for staged sessions
domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
# Allow set apex ready property
set_prop(apexd, apex_ready_prop)
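Review bot: The two rules under `# Access to /sys/class/block` are written against the `sysfs_type` attribute, so they give apexd directory listing and file read over every sysfs label, not only the block-class entries the comment names. The preceding `allow apexd sysfs_type:dir search;` is also already covered by the `r_dir_perms` rule that follows it. Either narrow the target to the specific sysfs types apexd needs (which would have to be derived from denial logs, not visible here) or make the comment state the real scope, e.g. `# sysfs_type is an attribute: this grants read on all sysfs labels, needed to walk /sys/class/block.` Separately, the capability rule grants `dac_read_search`, which its comment does not mention alongside sys_admin, dac_override, chown and fowner.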


@ -0,0 +1,9 @@
# Exclusive domain for apexd calling into derive_classpath binary
type apexd_derive_classpath, domain, coredomain;
# Allow the binary to write into output file at location /apex/derive_classpath_temp
allow apexd_derive_classpath apexd:fd use;
allow apexd_derive_classpath apex_mnt_dir:file { write open };
# Allow the binary to log using logwrap
allow apexd_derive_classpath apexd_devpts:chr_file { read write };
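Review bot: The header comment calls this an exclusive domain for apexd, but nothing in this section enforces that; the only visible link is the `domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath)` in the apexd section. A compile-time guard such as `neverallow { domain -apexd } apexd_derive_classpath:process { transition dyntransition };` would make the exclusivity checkable, though whether it builds cleanly depends on rules outside this page. The write rule is also broader than its comment: `apex_mnt_dir:file { write open }` applies to any file carrying that label, not just /apex/derive_classpath_temp, and the comment should say so.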


@ -0,0 +1,558 @@
# /proc/net access.
# TODO(b/9496886) Audit access for removal.
# proc_net access for the negated domains below is granted (or not) in their
# individual .te files.
r_dir_file({
appdomain
-ephemeral_app
-isolated_app_all
-platform_app
-priv_app
-shell
-sdk_sandbox_all
-system_app
-untrusted_app_all
}, proc_net_type)
# audit access for all these non-core app domains.
userdebug_or_eng(`
auditallow {
appdomain
-ephemeral_app
-isolated_app_all
-platform_app
-priv_app
-shell
-su
-sdk_sandbox_all
-system_app
-untrusted_app_all
} proc_net_type:{ dir file lnk_file } { getattr open read };
')
# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
get_prop(appdomain, boot_status_prop)
get_prop(appdomain, dalvik_config_prop_type)
get_prop(appdomain, media_config_prop)
get_prop(appdomain, packagemanager_config_prop)
get_prop(appdomain, radio_control_prop)
get_prop(appdomain, surfaceflinger_color_prop)
get_prop(appdomain, systemsound_config_prop)
get_prop(appdomain, telephony_config_prop)
get_prop(appdomain, userspace_reboot_config_prop)
get_prop(appdomain, vold_config_prop)
get_prop(appdomain, adbd_config_prop)
get_prop(appdomain, dck_prop)
get_prop(appdomain, persist_wm_debug_prop)
get_prop(appdomain, persist_sysui_builder_extras_prop)
get_prop(appdomain, persist_sysui_ranking_update_prop)
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(appdomain, traced_oome_heap_session_count_prop)
# Allow to read ro.vendor.camera.extensions.enabled
get_prop(appdomain, camera2_extensions_prop)
# Allow to ro.camerax.extensions.enabled
get_prop(appdomain, camerax_extensions_prop)
# Prevent apps from causing presubmit failures.
# Apps can cause selinux denials by accessing CE storage
# and/or external storage. In either case, the selinux denial is
# not the cause of the failure, but just a symptom that
# storage isn't ready. Many apps handle the failure appropriately.
#
# Apps cannot access external storage before it becomes available.
dontaudit appdomain storage_stub_file:dir getattr;
# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
# allowed to write to CE storage before it's available.
# Attempting to do so will be blocked by both selinux and unix
# permissions.
dontaudit appdomain system_data_file:dir write;
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
# allow apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow appdomain system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
# Exception for virtualizationmanager to allow running VMs as child processes.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
# Don't allow apps reading /system/etc/font_fallback.xml
dontaudit appdomain system_font_fallback_file:file no_rw_file_perms;
neverallow appdomain system_font_fallback_file:file no_rw_file_perms;
# Allow to read sendbug.preferred.domain
get_prop(appdomain, sendbug_config_prop)
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
# Allow to read persist.config.calibration_fac
get_prop(appdomain, camera_calibration_prop)
# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)
# Allow to read system_user_mode_emulation_prop, which is used by UserManager.java
userdebug_or_eng(`get_prop(appdomain, system_user_mode_emulation_prop)')
# Allow font file read by apps.
allow appdomain font_data_file:file r_file_perms;
allow appdomain font_data_file:dir r_dir_perms;
# Enter /data/misc/apexdata/
allow appdomain apex_module_data_file:dir search;
# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
allow appdomain apex_art_data_file:dir r_dir_perms;
allow appdomain apex_art_data_file:file rx_file_perms;
# Allow access to tombstones if an fd to one is given to you.
# This is restricted by unix permissions, so an app must go through system_server to get one.
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
allow { appdomain -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
r_dir_file({ appdomain -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
# Allow apps to read microdroid related files in vendor partition for CTS purpose.
r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_microdroid_file)
# Perform binder IPC to sdk sandbox.
binder_call(appdomain, sdk_sandbox_all)
# Allow apps to communicate via binder with virtual camera service.
binder_call(appdomain, virtual_camera)
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
#logd access
control_logd({ appdomain -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# For app fuse.
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client)
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF;
# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;
allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
# Receive and use open file descriptors inherited from app zygote.
allow appdomain app_zygote:fd use;
# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;
# Notify zygote of death;
allow appdomain zygote:process sigchld;
# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms;
allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms;
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
userdebug_or_eng(`
# Allow apps to create and write method traces in /data/misc/trace.
allow appdomain method_trace_data_file:dir w_dir_perms;
allow appdomain method_trace_data_file:file { create w_file_perms };
')
# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;
# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };
# Use pipes and sockets provided by system_server via binder or local socket.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
# For AppFuse.
allow appdomain vold:fd use;
# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;
# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
allowxperm { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file ioctl FS_IOC_MEASURE_VERITY;
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Access open fds from SDK sandbox
allow appdomain sdk_sandbox_data_file:file { getattr read };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
# Keychain and user-trusted credentials
r_dir_file(appdomain, keychain_data_file)
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;
# TextClassifier
r_dir_file({ appdomain -isolated_app_all }, textclassifier_data_file)
# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;
allow appdomain system_file:file x_file_perms;
# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
allow appdomain system_file:lnk_file { getattr open read };
# Renderscript specific permissions to open /system/vendor/lib64.
not_full_treble(`
allow appdomain vendor_file_type:dir r_dir_perms;
allow appdomain vendor_file_type:lnk_file { getattr open read };
')
full_treble_only(`
# For looking up Renderscript vendor drivers
allow { appdomain -isolated_app_all } vendor_file:dir { open read };
')
# Allow apps access to /vendor/overlay
r_dir_file(appdomain, vendor_overlay_file)
# Allow apps access to /vendor/framework
# for vendor provided libraries.
r_dir_file(appdomain, vendor_framework_file)
# Allow apps read / execute access to vendor public libraries.
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };
# Read/write cached ringtones (opened by system).
allow appdomain ringtone_file:file { getattr read write map };
# Read ShortcutManager icon files (opened by system).
allow appdomain shortcut_manager_icons:file { getattr read map };
# Read icon file (opened by system).
allow appdomain icon_file:file { getattr read map };
# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
# TODO: All of these permissions except for anr_data_file:file append can be
# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
# and the rules below.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };
# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow apps to connect and write to the tombstoned java trace socket in
# order to dump their traces. Also allow them to append traces to pipes
# created by dumptrace. (Also see the rules below where they are given
# additional permissions to dumpstate pipes for other aspects of bug report
# creation).
unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
allow appdomain tombstoned:fd use;
allow appdomain dumpstate:fifo_file append;
allow appdomain incidentd:fifo_file append;
# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };
# Allow apps to send dump information to incidentd
allow appdomain incidentd:fd use;
allow appdomain incidentd:fifo_file { write getattr };
# Allow apps to send information to statsd socket.
unix_socket_send(appdomain, statsdw, statsd)
# Write profiles /data/misc/profiles
allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir w_dir_perms;
allow appdomain user_profile_data_file:file create_file_perms;
# Allow writing performance tracing data into the perfetto traced daemon.
# Needed for java heap graph ART plugin (perfetto_hprof).
# The perfetto profiling daemon will check for the specific application's
# opt-in/opt-out.
perfetto_producer(appdomain)
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only.
userdebug_or_eng(`
allow appdomain heapdump_data_file:file append;
')
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app_all } gpu_device:chr_file rw_file_perms;
allow { appdomain -isolated_app_all } gpu_device:dir r_dir_perms;
allow { appdomain -isolated_app_all } sysfs_gpu:file r_file_perms;
# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
# Perform binder IPC to gpuservice.
binder_call({ appdomain -isolated_app_all }, gpuservice)
# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr map };
allow appdomain cache_backup_file:file { read write getattr map };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file r_file_perms;
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file r_file_perms;
# Allow apps to read/execute installed binaries
allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;
# logd access
read_logd(appdomain)
allow appdomain zygote:unix_dgram_socket write;
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
allow { appdomain -isolated_app_all } ion_device:chr_file r_file_perms;
allow { appdomain -isolated_app_all } dmabuf_system_heap_device:chr_file r_file_perms;
allow { appdomain -isolated_app_all } dmabuf_system_secure_heap_device:chr_file r_file_perms;
# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app_all } hal_audio:fd use;
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app_all } hal_camera:fd use;
# Allow apps to access shared memory file descriptor from the tuner HAL
allow {appdomain -isolated_app_all} hal_tv_tuner_server:fd use;
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app_all } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;
# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write map };
###
### CTS-specific rules
###
# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
allow appdomain cache_file:dir getattr;
# Allow apps to run with asanwrapper.
with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
# Read access to FDs from the DropboxManagerService.
allow appdomain dropbox_data_file:file { getattr read };
# Read tmpfs types from these processes.
allow appdomain audioserver_tmpfs:file { getattr map read write };
allow appdomain system_server_tmpfs:file { getattr map read write };
allow appdomain zygote_tmpfs:file { map read };
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
neverallow {
bluetooth
isolated_app_all
nfc
radio
shared_relro
sdk_sandbox_all
system_app
} {
data_file_type
-apex_art_data_file
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
# Don't allow apps access to any of the following character devices.
neverallow appdomain {
audio_device
camera_device
dm_device
radio_device
rpmsg_device
}:chr_file { read write };
# Block video device access for all apps except the DeviceAsWebcam Service which
# needs access to /dev/video* for interfacing with the host
neverallow {
appdomain
-device_as_webcam
} video_device:chr_file { read write };
# Prevent calling inotify on APKs. This can be used as a side channel
# to observer app launches, so it must be disallowed. b/231587164
# Gate by targetSdkVersion to avoid breaking existing apps.
neverallow {
appdomain
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} apk_data_file:dir { watch watch_reads };
neverallow {
appdomain
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} apk_data_file:file { watch watch_reads };


@ -0,0 +1,303 @@
###
### neverallow rules for untrusted app domains
###
define(`all_untrusted_apps',`{
ephemeral_app
isolated_app
isolated_app_all
isolated_compute_app
mediaprovider
mediaprovider_app
untrusted_app
untrusted_app_25
untrusted_app_27
untrusted_app_29
untrusted_app_30
untrusted_app_all
}')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow all_untrusted_apps domain:netlink_socket *;
# Read or write kernel printk buffer
neverallow all_untrusted_apps kmsg_device:chr_file no_rw_file_perms;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;
# Do not allow untrusted apps to use VendorBinder
neverallow all_untrusted_apps vndbinder_device:chr_file *;
neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } net_dns_prop:file read;
# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } radio_cdma_ecm_prop:file read;
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
neverallow all_untrusted_apps app_exec_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
# Block calling execve() on files in an apps home directory.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
} dex2oat_exec:file no_x_file_perms;
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
neverallow all_untrusted_apps mlstrustedsubject:process fork;
# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
neverallow all_untrusted_apps file_type:file link;
# Do not allow untrusted apps to access network MAC address file
neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
# Do not allow any write access to files in /sys
neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
# Apps may never access the default sysfs label.
neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket sctp_socket
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
# Apps can read/write an already open vsock (e.g. created by
# virtualizationservice) but nothing more than that (e.g. creating a
# new vsock, etc.)
neverallow all_untrusted_apps *:vsock_socket ~{ getattr getopt read write };
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
} domain:netlink_route_socket nlmsg_getneigh;
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
neverallow { all_untrusted_apps -mediaprovider } {
fs_type
-sdcard_type
-fuse
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
-app_exec_data_file # stored within the app sandbox directory
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
')
}:dir_file_class_set { create unlink };
# No untrusted component except mediaprovider_app should be touching /dev/fuse
neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
neverallow all_untrusted_apps anr_data_file:dir ~search;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow all_untrusted_apps {
proc
proc_asound
proc_kmsg
proc_loadavg
proc_mounts
proc_pagetypeinfo
proc_slabinfo
proc_stat
proc_swaps
proc_uptime
proc_version
proc_vmallocinfo
proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
# /proc/filesystems is accessible to mediaprovider_app only since it handles
# external storage
neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;
# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
# Do not permit access from apps which host arbitrary code to the protected services
# The two main reasons for this are:
# 1. Protected HwBinder servers do not perform client authentication because
# vendor code does not have a way to understand apps or their relation to
# caller UID information and, even if it did, those services either operate
# at a level below that of apps (e.g., HALs) or must not rely on app identity
# for authorization. Thus, to be safe, the default assumption for all added
# vendor services is that they treat all their clients as equally authorized
# to perform operations offered by the service.
# 2. HAL servers contain code with higher incidence rate of security issues
# than system/core components and have access to lower layes of the stack
# (all the way down to hardware) thus increasing opportunities for bypassing
# the Android security model.
neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
neverallow all_untrusted_apps protected_service:service_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
neverallow all_untrusted_apps cgroup_v2:file *;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
} mnt_sdcard_file:lnk_file *;
# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;
# Only privileged apps may find stats service
neverallow all_untrusted_apps stats_service:service_manager find;
# Do not allow untrusted app to read hidden system proprerties.
# We do not include in the exclusions other normally untrusted applications such as mediaprovider
# due to the specific logging use cases.
# Context: b/193912100
neverallow {
all_untrusted_apps
-mediaprovider
-mediaprovider_app
} { userdebug_or_eng_prop }:file read;
# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
# used to communicate to the mdnsd responder. The mdnsd responder will be
# replaced by a java implementation which is integrated into the system server.
# For untrusted apps running with API level 33-, they still have access to
# /dev/socket/mdnsd for backward compatibility.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} mdnsd_socket:sock_file write;
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} mdnsd:unix_stream_socket connectto;
# Do not allow untrusted apps to use anonymous inodes. At the moment,
# type transitions are the only way to distinguish between different
# anon_inode usages like userfaultfd and io_uring. This prevents us from
# creating a more fine-grained neverallow policy for each anon_inode usage.
neverallow all_untrusted_apps domain:anon_inode *;
# Do not allow untrusted app access to hidraw devices.
neverallow all_untrusted_apps hidraw_device:chr_file *;
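Review bot: The `all_untrusted_apps` definition at the top of this file names `untrusted_app_25`, `_27`, `_29` and `_30` but not `untrusted_app_32`, while the two mdnsd rules near the end subtract `-untrusted_app_32` from it. Those subtractions, and the coverage of that domain by every neverallow in this file, therefore depend on `untrusted_app_32` carrying the `untrusted_app_all` attribute, which is assigned outside this file and is not visible here. I would add a comment above the define, e.g. `# untrusted_app_32 is not listed by name; it is expected to be covered through the untrusted_app_all attribute.`, so that someone auditing neverallow coverage does not have to chase the attribute assignment. Separately, `{ all_untrusted_apps - mediaprovider_app }` in the proc_filesystems rule has a space after the minus, unlike every other exclusion in the file; `-mediaprovider_app` would match the rest. If this file is a frozen copy, as the commit title suggests, both changes belong in the live policy it was copied from.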


@ -0,0 +1,178 @@
typeattribute app_zygote coredomain;
######
###### Policy below is different from regular zygote-spawned apps
######
# Allow access to temporary files, which is normally permitted through
# a domain macro.
tmpfs_domain(app_zygote);
# Set the UID/GID of the process.
# This will be further limited to a range of isolated UIDs with seccomp.
allow app_zygote self:global_capability_class_set { setgid setuid };
# Drop capabilities from bounding set.
allow app_zygote self:global_capability_class_set setpcap;
# Switch SELinux context to isolated app domain.
allow app_zygote self:process setcurrent;
allow app_zygote isolated_app:process dyntransition;
# For JIT
allow app_zygote self:process execmem;
# Allow exec mapping from tmpfs (memfds) for binary translation
allow app_zygote app_zygote_tmpfs:file execute;
# Allow app_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow app_zygote debugfs_trace_marker:file getattr;
# get system_server process group
allow app_zygote system_server:process getpgid;
# Interaction between the app_zygote and its children.
allow app_zygote isolated_app:process setpgid;
# TODO (b/63631799) fix this access
dontaudit app_zygote mnt_expand_file:dir getattr;
# Get seapp_contexts
allow app_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(app_zygote)
# Check SELinux permissions.
selinux_check_access(app_zygote)
# Read and inspect temporary files managed by zygote.
allow app_zygote zygote_tmpfs:file { read getattr };
######
###### Policy below is shared with regular zygote-spawned apps
######
# Child of zygote.
allow app_zygote zygote:fd use;
allow app_zygote zygote:process sigchld;
# For ART (read /data/dalvik-cache).
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;
# For ART (allow userfaultfd and related ioctls)
userfaultfd_use(app_zygote)
# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
allow app_zygote apex_module_data_file:dir search;
# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
r_dir_file(app_zygote, apex_art_data_file)
# Allow reading/executing installed binaries to enable preloading
# application data
allow app_zygote apk_data_file:dir r_dir_perms;
allow app_zygote apk_data_file:file { r_file_perms execute };
# /oem accesses.
allow app_zygote oemfs:dir search;
# Allow app_zygote access to /vendor/overlay
r_dir_file(app_zygote, vendor_overlay_file)
# Allow app_zygote to read vendor_overlay_file from vendor apex as well
allow app_zygote vendor_apex_metadata_file:dir { getattr search };
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
# Send unsolicited message to system_server
unix_socket_send(app_zygote, system_unsolzygote, system_server)
# Allow the app_zygote to access the runtime feature flag properties.
get_prop(app_zygote, device_config_runtime_native_prop)
get_prop(app_zygote, device_config_runtime_native_boot_prop)
# Allow app_zygote to access odsign verification status
get_prop(app_zygote, odsign_prop)
#####
##### Neverallow
#####
# Only permit transition to isolated_app.
neverallow app_zygote { domain -isolated_app }:process dyntransition;
# Only setcon() transitions, no exec() based transitions, except for crash_dump.
neverallow app_zygote { domain -crash_dump }:process transition;
# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
neverallow app_zygote *:file execute_no_trans;
# The only way to enter this domain is for the zygote to fork a new
# app_zygote child.
neverallow { domain -zygote } app_zygote:process dyntransition;
# Disallow write access to properties.
neverallow app_zygote property_socket:sock_file write;
neverallow app_zygote property_type:property_service set;
# Should not have any access to data files.
neverallow app_zygote app_data_file_type:file { rwx_file_perms };
neverallow app_zygote {
service_manager_type
-activity_service
-webviewupdate_service
}:service_manager find;
# Isolated apps should not be able to access the driver directly.
neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
# Do not allow app_zygote access to /cache.
neverallow app_zygote cache_file:dir ~{ r_dir_perms };
neverallow app_zygote cache_file:file ~{ read getattr };
# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
# unix_stream_socket, and netlink_selinux_socket.
neverallow app_zygote domain:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
appletalk_socket netlink_route_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
# Only allow app_zygote to talk to the logd socket, and su on eng/userdebug.
# This is because cap_setuid/cap_setgid allow to forge uid/gid in
# SCM_CREDENTIALS. Think twice before changing.
neverallow app_zygote {
domain
-app_zygote
-logd
-system_server
userdebug_or_eng(`-su')
}:unix_dgram_socket *;
neverallow app_zygote {
domain
-app_zygote
-prng_seeder
userdebug_or_eng(`-su')
}:unix_stream_socket *;
# Never allow ptrace
neverallow app_zygote *:process ptrace;
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow app_zygote {
bluetooth_a2dp_offload_prop
bluetooth_audio_hal_prop
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;
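Review bot: The comment above the last two socket neverallows says app_zygote may talk only to the logd socket (and su on eng/userdebug), but the rules do not match it. The `unix_dgram_socket` rule also exempts `system_server`, and the `unix_stream_socket` rule exempts `prng_seeder` and does not exempt logd at all. Because the same comment warns that setuid/setgid lets this domain forge SCM_CREDENTIALS, the documented exception list should match the rules exactly. I would reword it to `# Datagram sockets: only self, logd and system_server; stream sockets: only self and prng_seeder (plus su on eng/userdebug).` and keep the SCM_CREDENTIALS warning after it.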


@ -0,0 +1,13 @@
# ART boot oneshot service
type art_boot, domain, coredomain;
type art_boot_exec, exec_type, file_type, system_file_type;
init_daemon_domain(art_boot)
# Allow query of device config properties, typically experiment flags.
get_prop(art_boot, device_config_runtime_native_boot_prop)
get_prop(art_boot, device_config_runtime_native_prop)
# Allow ART to set its config properties at boot, mainly to be able to propagate
# experiment flags to properties that only may change at boot.
set_prop(art_boot, dalvik_config_prop_type)


@ -0,0 +1,145 @@
# ART service daemon.
typeattribute artd coredomain;
typeattribute artd mlstrustedsubject;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
add_service(artd, artd_pre_reboot_service)
allow artd dumpstate:fifo_file { getattr write };
allow artd dumpstate:fd use;
init_daemon_domain(artd)
# Allow query ART device config properties
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)
# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
get_prop(artd, odsign_prop)
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by artd vs other
# processes.
tmpfs_domain(artd)
# Allow testing userfaultfd support.
userfaultfd_use(artd)
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
# Also allow creating the "oat" directory before restorecon.
allow artd mnt_expand_file:dir { getattr search };
allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
allow artd apk_data_file:file r_file_perms;
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
allow artd oemfs:dir { getattr search };
r_dir_file(artd, vendor_overlay_file)
# Vendor overlay can be found in vendor apex
allow artd vendor_apex_metadata_file:dir { getattr search };
# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
r_dir_file(artd, vendor_framework_file)
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
allow artd dalvikcache_data_file:file { create_file_perms relabelto };
# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
r_dir_file(artd, apex_art_data_file)
# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;
# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
# - reading secondary dex'es in app data directories (reading primary dex'es
# doesn't need root capabilities)
# - managing (CRUD) compilation artifacts in both APK directories for primary
# dex'es and in app data directories for secondary dex'es
# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
# profile files based on whether they include user data or not.
# - "chown" is for transferring the ownership of compilation artifacts and
# profile files to the system or apps.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
allow artd user_profile_root_file:dir r_dir_perms;
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
# Read/write access to secondary dex files, their profiles, and their
# compilation artifacts
# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
# Allow symlinks for secondary dex files. This has be to restricted because
# symlinks can cause various security issues. We allow "privapp_data_file" just
# for GMS because so far we only see GMS using symlinks.
allow artd privapp_data_file:lnk_file { getattr read };
# Read access to SELinux context files, for restorecon.
allow artd file_contexts_file:file r_file_perms;
allow artd seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context, for restorecon.
selinux_check_context(artd)
# Allow scanning /, for cleaning up obsolete managed files.
allow artd rootfs:dir r_dir_perms;
# Allow scanning /data, for cleaning up obsolete managed files.
allow artd system_data_root_file:dir r_dir_perms;
# Allow scanning /mnt, for cleaning up obsolete managed files.
allow artd tmpfs:dir r_dir_perms;
# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
allow artd mnt_expand_file:dir r_dir_perms;
# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
# up obsolete managed files.
allow artd system_userdir_file:dir r_dir_perms;
# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
allow artd system_data_file:dir r_dir_perms;
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
allow artd art_exec_exec:file rx_file_perms;
# Allow running other binaries in their own domains.
domain_auto_trans(artd, profman_exec, profman)
domain_auto_trans(artd, dex2oat_exec, dex2oat)
# Allow sending sigkill to subprocesses.
allow artd { profman dex2oat }:process sigkill;
# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
r_dir_file(artd, profman);
r_dir_file(artd, dex2oat);
# Allow artd to reopen its own memfd.
# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
# that don't have write permissions on memfds.
allow artd artd_tmpfs:file open;
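Review bot: `typeattribute artd mlstrustedsubject;` near the top has no rationale comment, although most other grants in this file are explained. The attribute exempts the domain from MLS constraints, and this file also gives artd `dac_override` plus relabel rights on `app_data_file_type`, so the reason deserves a line, e.g. `# artd manages dex files and artifacts in every app's data directory, so it has to cross MLS categories — TODO confirm`. Separately, `allow artd mnt_expand_file:dir { getattr search };` is already covered by the later `allow artd mnt_expand_file:dir r_dir_perms;` and could be dropped.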


@ -0,0 +1,11 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
# Technically not a daemon but we do want the transition from init domain to
# asan_extract to occur.
with_asan(`
typeattribute asan_extract coredomain;
init_daemon_domain(asan_extract)
# We need to signal a reboot when done.
set_prop(asan_extract, powerctl_prop)
')


@ -0,0 +1,81 @@
# Domain for atrace process.
# It is spawned either by traced_probes or by init for the boottrace service.
type atrace_exec, exec_type, file_type, system_file_type;
# boottrace services uses /data/misc/boottrace/categories
allow atrace boottrace_data_file:dir search;
allow atrace boottrace_data_file:file r_file_perms;
# Allow atrace to access tracefs.
allow atrace debugfs_tracing:dir r_dir_perms;
allow atrace debugfs_tracing:file rw_file_perms;
allow atrace debugfs_trace_marker:file getattr;
# Allow atrace to write data when a pipe is used for stdout/stderr.
# This is used by Perfetto to capture atrace stdout/stderr.
allow atrace traced_probes:fd use;
allow atrace traced_probes:fifo_file { getattr write };
# atrace sets debug.atrace.* properties
set_prop(atrace, debug_prop)
# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
# Allow discovery of binder services.
allow atrace {
service_manager_type
-apex_service
-dnsresolver_service
-dumpstate_service
-incident_service
-installd_service
-lpdump_service
-mdns_service
-netd_service
-stats_service
-tracingproxy_service
-vold_service
-default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
# Allow notifying the processes hosting specific binder services that
# trace-related system properties have changed.
binder_use(atrace)
allow atrace surfaceflinger:binder call;
allow atrace system_server:binder call;
allow atrace cameraserver:binder call;
# Similarly, on debug builds, allow specific HALs to be notified that
# trace-related system properties have changed.
userdebug_or_eng(`
# List HAL interfaces.
allow atrace hwservicemanager:hwservice_manager list;
# Notify the camera HAL.
hal_client_domain(atrace, hal_camera)
hal_client_domain(atrace, hal_vibrator)
')
# Remove logspam from notification attempts to non-allowlisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
# atrace can call atrace HAL
hal_client_domain(atrace, hal_atrace)
get_prop(atrace, hwservicemanager_prop)
userdebug_or_eng(`
# atrace is generally invoked as a standalone binary from shell or perf
# daemons like Perfetto traced_probes. However, in userdebug builds, there is
# a further option to run atrace as an init daemon for boot tracing.
init_daemon_domain(atrace)
allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms;
')
dontaudit atrace debugfs_tracing_debug:file audit_access;
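Review bot: The `service_manager find` grant is written as `service_manager_type` minus a list of exclusions, so it is a denylist: any service type added later becomes discoverable by atrace unless someone remembers to exclude it. The later dontaudit comment speaks of "non-allowlisted services", which reads as the opposite model. I would state the maintenance rule next to the grant, e.g. `# Denylist: a service that must not be visible to atrace has to be added to the exclusions below.`, and reword the dontaudit comment to `# Remove logspam from notification attempts to excluded services.` The broad `dontaudit atrace domain:binder call;` also silences denials for every binder target, which is worth remembering when debugging policy for this domain.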


@ -0,0 +1,17 @@
hal_attribute(lazy_test);
# This is applied to apps on vendor images with SDK <=30 only,
# to exempt them from recent mls changes. It must not be applied
# to any domain on newer system or vendor image.
attribute mlsvendorcompat;
# Attributes for property types having both system_property_type
# and vendor_property_type. Such types are ill-formed because
# property owner attributes must be exclusive.
attribute system_and_vendor_property_type;
expandattribute system_and_vendor_property_type false;
# All SDK sandbox domains
attribute sdk_sandbox_all;
# The SDK sandbox domains for the current SDK level.
attribute sdk_sandbox_current;


@ -0,0 +1,108 @@
# audioserver - audio services daemon
typeattribute audioserver coredomain;
type audioserver_exec, exec_type, file_type, system_file_type;
init_daemon_domain(audioserver)
tmpfs_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
r_dir_file(audioserver, fuse)
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
binder_call(audioserver, appdomain)
binder_service(audioserver)
hal_client_domain(audioserver, hal_allocator)
# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
r_dir_file(audioserver, system_file)
hal_client_domain(audioserver, hal_audio)
userdebug_or_eng(`
# used for TEE sink - pcm capture for debug.
allow audioserver media_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:file create_file_perms;
# ptrace to processes in the same domain for memory leak detection
allow audioserver self:process ptrace;
')
add_service(audioserver, audioserver_service)
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver external_vibrator_service:service_manager find;
allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver permission_checker_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
allow audioserver sensor_privacy_service:service_manager find;
allow audioserver soundtrigger_middleware_service:service_manager find;
allow audioserver audio_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
set_prop(audioserver, bluetooth_audio_hal_prop)
set_prop(audioserver, bluetooth_prop)
set_prop(audioserver, exported_bluetooth_prop)
# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;
# allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_device:chr_file { read write };
not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)
# Allow shell commands from ADB and shell for CTS testing/dumping
allow audioserver adbd:fd use;
allow audioserver adbd:unix_stream_socket { read write };
allow audioserver shell:fifo_file { read write };
# Allow shell commands from ADB for CTS testing/dumping
userdebug_or_eng(`
allow audioserver su:fd use;
allow audioserver su:fifo_file { read write };
allow audioserver su:unix_stream_socket { read write };
')
# Allow write access to log tag property
set_prop(audioserver, log_tag_prop);
###
### neverallow rules
###
# audioserver should never execute any executable without a
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ udp_socket rawip_socket } *;
neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
# Allow using wake locks
wakelock_use(audioserver)
# Allow reading audio config props, e.g. af.fast_track_multiplier
get_prop(audioserver, audio_config_prop)
get_prop(audioserver, system_audio_config_prop)
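Review bot: The network-isolation neverallows name only `udp_socket`, `rawip_socket` and `tcp_socket`, while the comment above them states the goal as isolation from the network in general. Other socket classes (the app_zygote file in this commit enumerates them) are not asserted here, and whether another rule covers them is not visible in this file. If only IP sockets are meant, the comment could say so, e.g. `# Only IP socket classes are asserted here; other socket classes are not covered by these neverallows.` The `wakelock_use` and `get_prop` grants that follow sit under the "neverallow rules" banner and would read better above it.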


@ -0,0 +1,18 @@
#
# /system/bin/auditctl executed for logd
#
# Performs maintenance of the kernel auditing system, including
# setting rate limits on SELinux denials.
#
type auditctl, domain, coredomain;
type auditctl_exec, file_type, system_file_type, exec_type;
# Uncomment the line below to put this domain into permissive
# mode. This helps speed SELinux policy development.
# userdebug_or_eng(`permissive auditctl;')
init_daemon_domain(auditctl)
allow auditctl self:global_capability_class_set audit_control;
allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };


@ -0,0 +1,44 @@
# Display proxy service for Automotive
type automotive_display_service, domain, coredomain;
type automotive_display_service_exec, system_file_type, exec_type, file_type;
typeattribute automotive_display_service automotive_display_service_server;
# Allow to add a display service to the hwservicemanager
add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
# Allow init to launch automotive display service
init_daemon_domain(automotive_display_service)
# Allow to use Binder IPC for SurfaceFlinger.
binder_use(automotive_display_service)
# Allow to use HwBinder IPC for HAL implementations.
hwbinder_use(automotive_display_service)
hal_client_domain(automotive_display_service, hal_graphics_composer)
hal_client_domain(automotive_display_service, hal_graphics_allocator)
# Allow to read the target property.
get_prop(automotive_display_service, hwservicemanager_prop)
# Allow to find SurfaceFlinger.
allow automotive_display_service surfaceflinger_service:service_manager find;
# Allow client domain to do binder IPC to serverdomain.
binder_call(automotive_display_service, surfaceflinger)
# Allow to use a graphics mapper
allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find;
# Allow to use hidl token service
allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
# Allow to access EGL files
allow automotive_display_service gpu_device:chr_file rw_file_perms;
allow automotive_display_service gpu_device:dir search;
# Allow to add a service to the servicemanager
add_service(automotive_display_service, fwk_automotive_display_service);
# Allow to communicate with EVS services
binder_call(automotive_display_service, hal_evs)


@ -0,0 +1,25 @@
# Rules common to some specific binder service domains.
# Deprecated. Consider granting the exact permissions required by your service.
# Allow dumpstate and incidentd to collect information from binder services
allow binderservicedomain { dumpstate incidentd }:fd use;
allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
allow binderservicedomain shell_data_file:file { getattr write };
# Allow dumpsys to work from adb shell or the serial console
allow binderservicedomain devpts:chr_file rw_file_perms;
allow binderservicedomain console_device:chr_file rw_file_perms;
# Receive and write to a pipe received over Binder from an app.
allow binderservicedomain appdomain:fd use;
allow binderservicedomain appdomain:fifo_file write;
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
# binderservicedomain is using apex_info via libvintf
use_apex_info(binderservicedomain)
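Review bot: `allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };` and `use_keystore(binderservicedomain)` have no comment of their own and read as if they belonged to "allow all services to run permission checks". They give key operations to every domain carrying an attribute that the file header itself marks as deprecated in favour of exact per-service grants. A line such as `# Legacy: keystore access for all binder services; new services should request keystore2_key permissions themselves — TODO confirm which services still rely on this` would tell maintainers the grant is intentional and where to narrow it.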


@ -0,0 +1,7 @@
type blank_screen, domain, coredomain;
type blank_screen_exec, exec_type, file_type, system_file_type;
init_daemon_domain(blank_screen)
# hal_light_client has access to hal_light_server
hal_client_domain(blank_screen, hal_light)


@ -0,0 +1,22 @@
# blkid called from vold
typeattribute blkid coredomain;
type blkid_exec, system_file_type, exec_type, file_type;
# Allowed read-only access to encrypted devices to extract UUID/label
allow blkid block_device:dir search;
allow blkid userdata_block_device:blk_file r_file_perms;
allow blkid dm_device:blk_file r_file_perms;
# Allow stdin/out back to vold
allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid blkid_exec:file rx_file_perms;
# Only allow entry from vold
neverallow { domain -vold } blkid:process transition;
neverallow * blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
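Review bot: The entrypoint neverallow exempts `shell_exec` as well as `blkid_exec`, and nothing says why a shell binary may be an entry point for this domain. The `popen()` comment further up suggests the launch goes through a shell, but that is an inference; a comment on the rule would settle it, e.g. `# shell_exec is exempt because blkid is started via popen(), which runs a shell first — TODO confirm`. The same undocumented exemption appears in the last neverallow of the blkid_untrusted file, a domain described there as handling untrusted block devices, so the rationale should be recorded in both places.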


@ -0,0 +1,37 @@
# blkid for untrusted block devices
typeattribute blkid_untrusted coredomain;
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;
# Allow stdin/out back to vold
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid_untrusted blkid_exec:file rx_file_perms;
###
### neverallow rules
###
# Untrusted blkid should never be run on block devices holding sensitive data
neverallow blkid_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file no_rw_file_perms;
# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow * blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;


@ -0,0 +1,98 @@
# bluetooth app
typeattribute bluetooth coredomain, mlstrustedsubject;
app_domain(bluetooth)
net_domain(bluetooth)
# Socket creation under /data/misc/bluedroid.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
# Allow access to net_admin ioctls
allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
wakelock_use(bluetooth);
# Data file accesses.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
allow bluetooth bluetooth_data_file:notdevfile_class_set { create_file_perms link };
allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
allow bluetooth bluetooth_logs_data_file:file create_file_perms;
# Socket creation under /data/misc/bluedroid.
allow bluetooth bluetooth_socket:sock_file create_file_perms;
allow bluetooth self:global_capability_class_set net_admin;
allow bluetooth self:global_capability2_class_set wake_alarm;
# tethering
allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
allow bluetooth tun_device:chr_file rw_file_perms;
allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow bluetooth efs_file:dir search;
# allow Bluetooth to access uhid device for HID profile
allow bluetooth uhid_device:chr_file rw_file_perms;
allow bluetooth gpu_device:chr_file rw_file_perms;
allow bluetooth gpu_device:dir r_dir_perms;
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
# For Bluetooth to check what profile are available
allow bluetooth proc_filesystems:file r_file_perms;
get_prop(bluetooth, incremental_prop)
# For Bluetooth to check security logging state
get_prop(bluetooth, device_logging_prop)
# Allow write access to bluetooth specific properties
set_prop(bluetooth, binder_cache_bluetooth_server_prop);
neverallow { domain -bluetooth -init }
binder_cache_bluetooth_server_prop:property_service set;
set_prop(bluetooth, bluetooth_a2dp_offload_prop)
set_prop(bluetooth, bluetooth_audio_hal_prop)
set_prop(bluetooth, bluetooth_prop)
set_prop(bluetooth, exported_bluetooth_prop)
set_prop(bluetooth, pan_result_prop)
allow bluetooth audioserver_service:service_manager find;
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
allow bluetooth system_suspend_control_service:service_manager find;
allow bluetooth hal_audio_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
allow bluetooth self:global_capability_class_set sys_nice;
hal_client_domain(bluetooth, hal_bluetooth)
hal_client_domain(bluetooth, hal_telephony)
# Bluetooth A2DP offload requires binding with audio HAL
hal_client_domain(bluetooth, hal_audio)
read_runtime_log_tags(bluetooth)
###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###
# Superuser capabilities.
# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
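Review bot: The two `gpu_device` grants (`chr_file rw_file_perms` and `dir r_dir_perms`) follow the uhid comment with no explanation of their own, so it is unclear why the Bluetooth app needs read/write access to the GPU device node. For a domain that also holds `net_admin`, `net_raw` and `mlstrustedsubject`, each device grant should state its purpose, e.g. `# GPU access for rendering the Bluetooth app's UI — TODO confirm`. Separately, `allow bluetooth self:global_capability_class_set net_admin;` is repeated by the broader `{ net_admin net_raw net_bind_service }` rule under "tethering" and could be folded into it.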


@ -0,0 +1,2 @@
# Allow clients to use a socket provided by the bluetooth app.
allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };


@ -0,0 +1,23 @@
typeattribute bootanim coredomain;
init_daemon_domain(bootanim)
# b/68864350
dontaudit bootanim unlabeled:dir search;
# Bootanim should not be reading default vendor-defined properties.
dontaudit bootanim vendor_default_prop:file read;
# Read ro.boot.bootreason b/30654343
get_prop(bootanim, bootloader_boot_reason_prop)
get_prop(bootanim, bootanim_config_prop)
# Allow updating boot animation status.
set_prop(bootanim, bootanim_system_prop)
# Allow accessing /data/misc/bootanim
r_dir_file(bootanim, bootanim_data_file)
# Allow accessing vendor apex for EGL/GLES
allow bootanim vendor_apex_metadata_file:dir r_dir_perms;


@ -0,0 +1,35 @@
typeattribute bootstat coredomain;
init_daemon_domain(bootstat)
# Collect metrics on boot time created by init
get_prop(bootstat, boottime_prop)
# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
set_prop(bootstat, bootloader_boot_reason_prop)
set_prop(bootstat, system_boot_reason_prop)
set_prop(bootstat, last_boot_reason_prop)
neverallow {
domain
-bootanim
-bootstat
-dumpstate
userdebug_or_eng(`-incidentd')
-init
-platform_app
-recovery
-shell
-system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
# ... and refine, as these components should not set the last boot reason
neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
neverallow {
domain
-bootstat
-init
-system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
# ... and refine ... for a ro propertly no less ... keep this _tight_
neverallow system_server bootloader_boot_reason_prop:property_service set;
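Review bot: The comment "... and refine, as these components should not set the last boot reason" sits above `neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;`, which restricts reading the property file, not setting it. Setting is handled by the later `property_service set` neverallow, whose exemption list (bootstat, init, system_server) already leaves out both domains. I would change the comment to `# ... and refine, as these components should not read the last boot reason` so the stated intent matches the rule.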


@ -0,0 +1,74 @@
# System and vendor domains for BoringSSL self test binaries.
#
# For FIPS compliance, all processes linked against libcrypto perform a startup
# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
#
# The KATs are expensive, and to ensure they are run as few times as possible, they
# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
# the hash of the BCM that was computed earlier. The files are zero length and their contents
# should never be read or written. To avoid giving arbitrary processes access to /dev/boringssl
# to create these marker files, there are dedicated self test binaries which this policy
# gives access to and which are run during early-init.
#
# Due to build skew, the version of libcrypto in /vendor may have a different hash than
# the system one. To cater for this there are vendor variants of the self test binaries
# which also have permission to write to the same files in /dev/boringssl. In the case where
# vendor and system libcrypto have the same hash, there will be a race to create the file,
# but this is harmless.
#
# If the self tests fail, then the device should reboot into firmware and for this reason
# the system boringssl_self_test domain needs to be in coredomain. As vendor domains
# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
# reboot. However every binary linked against the vendor libcrypto will abort on startup,
# so in practice the device will crash anyway in this unlikely scenario.
# System boringssl_self_test domain
type boringssl_self_test, domain, coredomain;
type boringssl_self_test_exec, system_file_type, exec_type, file_type;
# Vendor boringssl_self_test domain
type vendor_boringssl_self_test, domain;
type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;
# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
init_daemon_domain(boringssl_self_test)
# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
init_daemon_domain(vendor_boringssl_self_test)
# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
#
# The files are zero length so there is no issue if both vendor and system code
# try to create the same file simultaneously. One will succeed and the other will fail
# silently, i.e. still indicate success. Similar harmless naming collisions will happen in the
# system domain e.g. when system and APEX copies of libcrypto are identical.
type boringssl_self_test_marker, file_type;
# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
allow { boringssl_self_test vendor_boringssl_self_test }
boringssl_self_test_marker:file create_file_perms;
allow { boringssl_self_test vendor_boringssl_self_test }
boringssl_self_test_marker:dir ra_dir_perms;
# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
allow { boringssl_self_test vendor_boringssl_self_test }
kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
# No other process should be able to create marker files because their existence causes the
# boringssl KAT to be skipped.
neverallow {
domain
-vendor_boringssl_self_test
-boringssl_self_test
-init
-vendor_init
} boringssl_self_test_marker:file no_rw_file_perms;
neverallow {
domain
-vendor_boringssl_self_test
-boringssl_self_test
-init
-vendor_init
} boringssl_self_test_marker:dir write;
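Review bot: Both marker neverallow blocks subtract `init` and `vendor_init`, while the comment above them says no other process should be able to create marker files. Because the existence of a marker causes the KAT to be skipped, the reason for each exemption belongs next to the rule; presumably init needs it to set up the /dev/boringssl directory, but nothing in this section shows that. A comment such as `# init and vendor_init are exempt because <reason>; they are not expected to create marker files themselves` would tell someone auditing this boundary what is intended.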


@ -0,0 +1,25 @@
# platform should have ownership of network attachpoints for BPF
neverallow {
bpfdomain
-bpfloader
-netd
-netutils_wrapper
-network_stack
-system_server
} self:global_capability_class_set { net_admin net_raw };
# any domain which uses bpf is a bpfdomain
neverallow { domain -bpfdomain } *:bpf *;
allow bpfdomain fs_bpf:dir search;
# genfscon doesn't seem to trigger during symlink creation,
# and thus any created symlinks end up as 'fs_bpf:lnk_type',
# however this feels like a kernel bug / missing feature,
# so let's allow all bpffs_type's instead,
# this will keep things working even if this is fixed.
allow bpfdomain bpffs_type:lnk_file read;
# Needed for //frameworks/libs/net:
# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
get_prop(bpfdomain, bpf_progs_loaded_prop)


@ -0,0 +1,78 @@
type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader bpfdomain;
# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
allow bpfloader bpffs_type:lnk_file { create getattr read };
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
allow bpfloader self:capability { chown sys_admin net_admin };
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
allow bpfloader proc_bpf:file w_file_perms;
set_prop(bpfloader, bpf_progs_loaded_prop)
allow bpfloader bpfloader_exec:file execute_no_trans;
###
### Neverallow rules
###
# Note: we don't care about getattr/mounton/search
neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file { getattr read };
neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file { getattr read };
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file { getattr read };
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobestats:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file *;
neverallow {
domain
-bpfloader
-gpuservice
-hal_health_server
-mediaprovider_app
-netd
-netutils_wrapper
-network_stack
-system_server
-uprobestats
} *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
neverallow { domain -bpfloader } proc_bpf:file write;
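Review bot: The comment `# No domain should be allowed to ptrace bpfloader` is stricter than the rule beneath it, which subtracts llkd inside a `userdebug_or_eng(...)` wrapper, so on userdebug and eng builds the neverallow does not cover llkd. Whether llkd is actually granted ptrace is decided by allow rules that are not visible in this section. I would state the exception in the comment, e.g. `# No domain may ptrace bpfloader; llkd is exempt from this check on userdebug/eng builds only`. Separately, `neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };` is subsumed by the later `fs_bpf_loader:file *` rule and could be dropped or marked as intentional.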


@ -0,0 +1,3 @@
typeattribute bufferhubd coredomain;
init_daemon_domain(bufferhubd)


@ -0,0 +1,33 @@
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
gmscore_app system_data_file dir b/146166941
gmscore_app kernel security b/303319090
init app_data_file file b/77873135
init cache_file blk_file b/77873135
init logpersist file b/77873135
init nativetest_data_file dir b/77873135
init pstorefs dir b/77873135
init shell_data_file dir b/77873135
init shell_data_file file b/77873135
init shell_data_file lnk_file b/77873135
init shell_data_file sock_file b/77873135
init system_data_file chr_file b/77873135
isolated_app privapp_data_file dir b/119596573
isolated_app app_data_file dir b/120394782
mediaextractor app_data_file file b/77923736
mediaextractor radio_data_file file b/77923736
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
mediaswcodec ashmem_device chr_file b/142679232
platform_app nfc_data_file dir b/74331887
platform_app system_data_file dir b/306090533
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server system_server capability b/228030183
system_server zygote process b/77856826
tombstone_transmit tombstone_transmit capability b/264420112
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
zygote labeledfs filesystem b/170748799


@ -0,0 +1,10 @@
typeattribute cameraserver coredomain;
typeattribute cameraserver camera_service_server;
init_daemon_domain(cameraserver)
tmpfs_domain(cameraserver)
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver gpu_device:dir r_dir_perms;
allow cameraserver virtual_camera:binder call;


@ -0,0 +1,10 @@
type canhalconfigurator, domain, coredomain;
type canhalconfigurator_exec, exec_type, system_file_type, file_type;
init_daemon_domain(canhalconfigurator)
# This allows the configurator to look up the CAN HAL controller via
# hwservice_manager and communicate with it.
hal_client_domain(canhalconfigurator, hal_can_controller)
binder_use(canhalconfigurator)
binder_call(hal_can_controller, canhalconfigurator)
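Review bot: The comment says the configurator finds the CAN HAL controller via hwservice_manager, but the rules that follow use `binder_use` and `binder_call`, which are the binder (servicemanager) macros rather than the hwbinder ones, so the comment looks stale. It also does not mention that `binder_call(hal_can_controller, canhalconfigurator)` grants the reverse direction, from the HAL to the configurator. A comment such as `# Look up the CAN HAL controller through servicemanager, call it, and accept calls back from it` would fit the rules. What `hal_client_domain` expands to is not visible here, so confirm against the macro before rewording.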


@ -0,0 +1,20 @@
typeattribute charger coredomain;
# charger needs to tell init to continue the boot
# process when running in charger mode.
# The system charger needs to be allowed to set these properties on legacy devices.
set_prop(charger, system_prop)
set_prop(charger, exported_system_prop)
set_prop(charger, exported3_system_prop)
# The system charger can read ro.charger.*
get_prop(charger, charger_prop)
compatible_property_only(`
neverallow {
domain
-init
-dumpstate
-charger
} charger_prop:file no_rw_file_perms;
')


@ -0,0 +1,38 @@
# charger needs to tell init to continue the boot
# process when running in charger mode.
set_prop(charger_type, charger_status_prop)
get_prop(charger_type, charger_config_prop)
# get minui properties
get_prop(charger_type, recovery_config_prop)
### Neverallow rules for charger properties
# charger_config_prop: Only init and vendor_init is allowed to set it
neverallow {
domain
-init
-vendor_init
} charger_config_prop:property_service set;
# charger_status_prop: Only init, vendor_init, charger, and charger_vendor
# are allowed to set it
neverallow {
domain
-init
-vendor_init
-charger
-charger_vendor
} charger_status_prop:property_service set;
# Both charger_config_prop and charger_status_prop:
# Only init, vendor_init, dumpstate, charger, and charger_vendor
# are allowed to read it
neverallow {
domain
-init
-dumpstate
-vendor_init
-charger
-charger_vendor
} { charger_config_prop charger_status_prop }:file no_rw_file_perms;


@ -0,0 +1,12 @@
# 464xlat daemon
type clatd, domain, coredomain;
type clatd_exec, system_file_type, exec_type, file_type;
net_domain(clatd)
# Access objects inherited from system_server.
allow clatd system_server:fd use;
allow clatd system_server:packet_socket { read write };
allow clatd system_server:rawip_socket { read write };
allow clatd tun_device:chr_file rw_file_perms;


@ -0,0 +1,13 @@
;; complement CIL file for compatibility between ToT policy and 29.0 vendors.
;; will be compiled along with other normal policy files, on 29.0 vendors.
;;
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
(typeattributeset mlsvendorcompat (and appdomain vendordomain))
(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
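Review bot: The `mlsvendorcompat` rules here have no comment explaining why vendor app domains get create, write, unlink and rename on `app_data_file` and `privapp_data_file`, nor when the grant can go away. The same four rules in the 30.0 compat file later in this commit do carry a TODO, but its sentence is missing a verb (`can be completely from the system policy`, presumably `completely removed from`). If the same plan applies here, I would add `;; TODO: remove mlsvendorcompat once 29.0 vendor images are no longer supported` above the `typeattributeset mlsvendorcompat` line and fix the wording in the 30.0 file. The `nlmsg_readpriv` grant to every `vendordomain` would benefit from a one-line rationale as well.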


@ -0,0 +1,130 @@
;; new_objects - a collection of types that have been introduced with ToT policy
;; that have no analogue in 29.0 policy. Thus, we do not need to map
;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
aidl_lazy_test_server
aidl_lazy_test_server_exec
aidl_lazy_test_service
adbd_prop
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
apex_wifi_data_file
app_integrity_service
app_search_service
auth_service
automotive_display_service
automotive_display_service_exec
ashmem_libcutils_device
blob_store_service
binder_cache_bluetooth_server_prop
binder_cache_system_server_prop
binder_cache_telephony_server_prop
binderfs
binderfs_logs
binderfs_logs_proc
boringssl_self_test
bq_config_prop
cacheinfo_service
charger_prop
cold_boot_done_prop
credstore
credstore_data_file
credstore_exec
credstore_service
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
device_config_storage_native_boot_prop
device_config_sys_traced_prop
device_config_window_manager_native_boot_prop
device_config_configuration_prop
emergency_affordance_service
exported_camera_prop
fastbootd_protocol_prop
file_integrity_service
fwk_automotive_display_hwservice
fusectlfs
gmscore_app
gnss_device
graphics_config_prop
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_identity_service
hal_light_service
hal_power_service
hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
incremental_control_file
incremental_prop
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
iorap_inode2filename
iorap_inode2filename_data_file
iorap_inode2filename_exec
iorap_inode2filename_tmpfs
iorap_prefetcherd
iorap_prefetcherd_data_file
iorap_prefetcherd_exec
iorap_prefetcherd_tmpfs
mediatranscoding_service
mediatranscoding
mediatranscoding_exec
mediatranscoding_tmpfs
mirror_data_file
light_service
linkerconfig_file
lmkd_prop
media_variant_prop
metadata_bootstat_file
mnt_pass_through_file
mock_ota_prop
module_sdkextensions_prop
ota_metadata_file
ota_prop
prereboot_data_file
art_apex_dir
rebootescrow_hal_prop
securityfs
service_manager_service
service_manager_vndservice
simpleperf
snapshotctl_log_data_file
socket_hook_prop
soundtrigger_middleware_service
staged_install_file
storage_config_prop
surfaceflinger_display_prop
sysfs_dm_verity
system_adbd_prop
system_config_service
system_group_file
system_jvmti_agent_prop
system_passwd_file
system_unsolzygote_socket
tethering_service
traced_perf
traced_perf_enabled_prop
traced_perf_socket
timezonedetector_service
untrusted_app_29
usb_serial_device
userspace_reboot_config_prop
userspace_reboot_exported_prop
userspace_reboot_log_prop
userspace_reboot_test_prop
vehicle_hal_prop
tv_tuner_resource_mgr_service
vendor_apex_file
vendor_boringssl_self_test
vendor_install_recovery
vendor_install_recovery_exec
vendor_service_contexts_file
vendor_socket_hook_prop
vendor_socket_hook_prop
virtual_ab_prop))
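Review bot: `vendor_socket_hook_prop` appears twice in a row at the end of the `new_objects` set, just before `virtual_ab_prop`. The duplicate member presumably has no effect on the compiled attribute, but it makes the list harder to compare with the lists for other API levels, and one of the two lines can be dropped. The list is also unsorted (it opens with `aidl_lazy_test_server` followed by `adbd_prop`), which is how a duplicate like this goes unnoticed.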


@ -0,0 +1,14 @@
;; complement CIL file for compatibility between ToT policy and 30.0 vendors.
;; will be compiled along with other normal policy files, on 30.0 vendors.
;;
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
;; TODO: Once 30.0 is no longer supported for vendor images,
;; mlsvendorcompat can be completely from the system policy.
(typeattributeset mlsvendorcompat (and appdomain vendordomain))
(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))


@ -0,0 +1,156 @@
;; new_objects - a collection of types that have been introduced with ToT policy
;; that have no analogue in 30.0 policy. Thus, we do not need to map
;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
ab_update_gki_prop
adbd_config_prop
apc_service
apex_appsearch_data_file
apex_art_data_file
apex_art_staging_data_file
apex_info_file
apex_ota_reserved_file
apex_scheduling_data_file
apex_system_server_data_file
apexd_config_prop
app_hibernation_service
appcompat_data_file
arm64_memtag_prop
artd
artd_exec
artd_service
authorization_service
bootanim_config_prop
camerax_extensions_prop
cgroup_desc_api_file
cgroup_v2
codec2_config_prop
ctl_snapuserd_prop
dck_prop
debugfs_kprobes
debugfs_mm_events_tracing
debugfs_bootreceiver_tracing
debugfs_restriction_prop
device_config_profcollect_native_boot_prop
device_config_connectivity_prop
device_config_swcodec_native_prop
device_state_service
dm_user_device
dmabuf_heap_device
dmabuf_system_heap_device
dmabuf_system_secure_heap_device
domain_verification_service
dumpstate_tmpfs
framework_watchdog_config_prop
fs_bpf_tethering
fwk_stats_service
game_service
font_data_file
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
hal_audio_service
hal_authsecret_service
hal_audiocontrol_service
hal_face_service
hal_fingerprint_service
hal_health_storage_service
hal_memtrack_service
hal_oemlock_service
hint_service
gnss_device
gnss_time_update_service
hal_dumpstate_config_prop
hal_gnss_service
hal_keymint_service
hal_neuralnetworks_service
hal_power_stats_service
hal_remotelyprovisionedcomponent_service
hal_secureclock_service
hal_sharedsecret_service
hal_uwb_service
hal_weaver_service
hw_timeout_multiplier_prop
keystore_compat_hal_service
keystore_maintenance_service
keystore_metrics_service
keystore2_key_contexts_file
legacy_permission_service
legacykeystore_service
location_time_zone_manager_service
media_communication_service
media_metrics_service
mediatuner_exec
mediatuner_service
mediatuner
mediatranscoding_tmpfs
memtrackproxy_service
mm_events_config_prop
music_recognition_service
nfc_logs_data_file
odrefresh
odrefresh_exec
odsign
odsign_data_file
odsign_exec
pac_proxy_service
permission_checker_service
people_service
persist_vendor_debug_wifi_prop
postinstall_dexopt_exec
postinstall_device_mnt_dir
postinstall_product_mnt_dir
postinstall_vendor_mnt_dir
power_debug_prop
powerstats_service
proc_kallsyms
proc_locks
profcollectd
profcollectd_data_file
profcollectd_exec
profcollectd_node_id_prop
profcollectd_service
qemu_hw_prop
qemu_sf_lcd_density_prop
radio_core_data_file
reboot_readiness_service
remote_prov_app
remoteprovisioning_service
resolver_service
search_ui_service
shell_test_data_file
smartspace_service
snapuserd
snapuserd_exec
snapuserd_socket
soc_prop
speech_recognition_service
sysfs_block
sysfs_devfreq_cur
sysfs_devfreq_dir
sysfs_devices_cs_etm
sysfs_dma_heap
sysfs_dmabuf_stats
sysfs_uhid
system_server_dumper_service
system_suspend_control_internal_service
task_profiles_api_file
texttospeech_service
translation_service
update_engine_stable_service
userdata_sysdev
userspace_reboot_metadata_file
uwb_service
vcn_management_service
vd_device
vendor_kernel_modules
vendor_modprobe
vendor_uuid_mapping_config_file
vibrator_manager_service
virtualization_service
vpn_management_service
watchdog_metadata_file
wifi_key
zygote_config_prop))


@ -0,0 +1,3 @@
;; complement CIL file for compatibility between ToT policy and 31.0 vendors.
;; will be compiled along with other normal policy files, on 31.0 vendors.
;;


@ -0,0 +1,52 @@
;; new_objects - a collection of types that have been introduced with ToT policy
;; that have no analogue in 31.0 policy. Thus, we do not need to map
;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
apexd_select_prop
artd_service
attestation_verification_service
camera2_extensions_prop
communal_service
device_config_nnapi_native_prop
dice_maintenance_service
dice_node_service
diced
diced_exec
extra_free_kbytes
extra_free_kbytes_exec
hal_contexthub_service
hal_dice_service
hal_dumpstate_service
hal_graphics_composer_service
hal_health_service
hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
hal_uwb_service
hal_uwb_vendor_service
hal_wifi_hostapd_service
hal_wifi_supplicant_service
hal_nlinterceptor_service
hypervisor_prop
locale_service
power_stats_service
snapuserd_prop
snapuserd_proxy_socket
tare_service
transformer_service
proc_watermark_boost_factor
untrusted_app_30
proc_vendor_sched
sdk_sandbox_service
sysfs_fs_fuse_bpf
sysfs_vendor_sched
tv_iapp_service
vendor_uuid_mapping_config_file
vendor_vm_file
vendor_vm_data_file
virtual_device_service
))


@ -0,0 +1,3 @@
;; complement CIL file for compatibility between ToT policy and 32.0 vendors.
;; will be compiled along with other normal policy files, on 32.0 vendors.
;;


@ -0,0 +1,84 @@
;; new_objects - a collection of types that have been introduced with ToT policy
;; that have no analogue in 32.0 policy. Thus, we do not need to map
;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
adaptive_haptics_prop
adservices_manager_service
apexd_select_prop
artd_service
attestation_verification_service
bluetooth_config_prop
binderfs_features
charger_vendor
cloudsearch
cloudsearch_service
connectivity_native_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
device_config_vendor_system_native_prop
device_config_vendor_system_native_boot_prop
dice_maintenance_service
dice_node_service
diced
diced_exec
fwk_automotive_display_service
evsmanagerd
evsmanagerd_service
extra_free_kbytes
extra_free_kbytes_exec
framework_status_prop
fs_bpf_vendor
game_mode_intervention_list_file
gesture_prop
gwp_asan_prop
hal_contexthub_service
hal_camera_service
hal_evs_service
hal_dice_service
hal_drm_service
hal_dumpstate_service
hal_graphics_allocator_service
hal_graphics_composer_service
hal_health_service
hal_input_processor_service
hal_ir_service
hal_nfc_service
hal_nlinterceptor_service
hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
hal_usb_service
hal_uwb_service
hal_vehicle_service
hal_wifi_hostapd_service
hal_wifi_supplicant_service
locale_service
mdns_service
nearby_service
persist_wm_debug_prop
proc_watermark_boost_factor
remotelyprovisionedkeypool_service
resources_manager_service
rootdisk_sysdev
sdk_sandbox_service
selection_toolbar_service
smart_idle_maint_enabled_prop
snapuserd_proxy_socket
sysfs_fs_fuse_bpf
sysfs_gpu
sysfs_lru_gen_enabled
system_dlkm_file
system_user_mode_emulation_prop
tare_service
tv_iapp_service
untrusted_app_30
vendor_uuid_mapping_config_file
vendor_vm_data_file
vendor_vm_file
virtual_device_service
wallpaper_effects_generation_service
))


@ -0,0 +1,3 @@
;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
;; will be compiled along with other normal policy files, on 33.0 vendors.
;;


@ -0,0 +1,92 @@
;; new_objects - a collection of types that have been introduced with ToT policy
;; that have no analogue in 33.0 policy. Thus, we do not need to map
;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
adaptive_haptics_prop
apex_ready_prop
art_boot
art_boot_exec
artd
bt_device
build_attestation_prop
composd_vm_art_prop
composd_vm_vendor_prop
cpu_monitor_service
credential_service
device_as_webcam
device_config_camera_native_prop
device_config_core_experiments_team_internal_prop
device_config_edgetpu_native_prop
device_config_memory_safety_native_boot_prop
device_config_memory_safety_native_prop
device_config_updatable_service
device_config_vendor_system_native_prop
device_config_aconfig_flags_prop
devicelock_service
fwk_altitude_service
fwk_camera_service
fwk_sensor_service
game_manager_config_prop
grammatical_inflection_service
graphics_config_writable_prop
hal_bluetooth_service
hal_bootctl_service
hal_cas_service
hal_ivn_service
hal_remoteaccess_service
hal_secure_element_service
hal_tetheroffload_service
hal_thermal_service
hal_usb_gadget_service
hal_tv_input_service
hal_tv_hdmi_cec_service
hal_tv_hdmi_connection_service
hal_tv_hdmi_earc_service
hal_wifi_service
healthconnect_service
hypervisor_restricted_prop
isolated_compute_app
keystore_config_prop
ondevicepersonalization_system_service
fuseblk
fuseblkd_untrusted
fuseblkd_untrusted_exec
fuseblkd
fuseblkd_exec
ota_build_prop
permissive_mte_prop
persist_sysui_builder_extras_prop
persist_sysui_ranking_update_prop
prng_seeder
quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
repair_mode_metadata_file
rkpdapp
servicemanager_prop
shutdown_checkpoints_system_data_file
snapuserd_log_data_file
stats_config_data_file
sysfs_fs_fuse_features
system_net_netd_service
timezone_metadata_prop
traced_oome_heap_session_count_prop
tuner_config_prop
tuner_server_ctl_prop
ublk_block_device
ublk_control_device
usb_uvc_enabled_prop
virtual_face_hal_prop
virtual_fingerprint_hal_prop
hal_gatekeeper_service
hal_broadcastradio_service
hal_confirmationui_service
hal_fastboot_service
hal_can_controller_service
zoned_block_device
future_pm_prop
vfio_device
))


@ -0,0 +1,3 @@
;; complement CIL file for compatibility between ToT policy and 34.0 vendors.
;; will be compiled along with other normal policy files, on 34.0 vendors.
;;


@ -0,0 +1,48 @@
;; new_objects - a collection of types that have been introduced with ToT policy
;; that have no analogue in 34.0 policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
archive_service
artd_pre_reboot_service
contextual_search_service
dexopt_chroot_setup_service
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
fwk_vibrator_control_service
ecm_enhanced_confirmation_service
hal_authgraph_service
hal_graphics_mapper_service
hal_secretkeeper_service
hal_codec2_service
hal_macsec_service
hal_remotelyprovisionedcomponent_avf_service
hal_threadnetwork_service
hidl_memory_prop
hidraw_device
virtual_camera_service
ot_daemon_service
ot_daemon_socket
pm_archiving_enabled_prop
remote_auth_service
security_state_service
sensitive_content_protection_service
setupwizard_mode_prop
sysfs_sync_on_suspend
tv_ad_service
threadnetwork_service
device_config_aconfig_flags_prop
virtual_device_native_service
next_boot_prop
binderfs_logs_stats
drm_forcel3_prop
proc_percpu_pagelist_high_fraction
vendor_microdroid_file
threadnetwork_config_prop
profiling_service
aconfig_storage_metadata_file
aconfig_storage_flags_metadata_file
))


@ -0,0 +1,26 @@
# Make ART inputs and outputs available to the CompOS VM
type compos_fd_server, domain, coredomain;
# Allow access to open fds inherited from composd
allow compos_fd_server composd:fd use;
# Allow creating new files and directories in the staging directory.
allow compos_fd_server apex_art_staging_data_file:dir create_dir_perms;
allow compos_fd_server apex_art_staging_data_file:file create_file_perms;
# Allow creating new files and directories in the artifacts directory.
allow compos_fd_server apex_art_data_file:dir create_dir_perms;
allow compos_fd_server apex_art_data_file:file create_file_perms;
# Use a pipe to signal readiness
allow compos_fd_server composd:fifo_file write;
# TODO(b/196109647) - remove this when no longer needed by minijail
allow compos_fd_server composd:fifo_file read;
# Create a listening vsock for the VM to connect back to
allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Only composd can enter the domain via exec
neverallow { domain -composd } compos_fd_server:process transition;
neverallow * compos_fd_server:process dyntransition;


@ -0,0 +1,24 @@
# Run by odsign to verify a CompOS signature
type compos_verify, domain, coredomain;
type compos_verify_exec, exec_type, file_type, system_file_type;
# Start a VM
binder_use(compos_verify);
virtualizationservice_use(compos_verify);
# Read instance image & write VM logs
allow compos_verify apex_module_data_file:dir search;
allow compos_verify apex_compos_data_file:dir rw_dir_perms;
allow compos_verify apex_compos_data_file:file { rw_file_perms create };
# Read CompOS info & signature files
allow compos_verify apex_art_data_file:dir search;
allow compos_verify apex_art_data_file:file r_file_perms;
# Allow odsign to redirect our stdout/stderr to log
allow compos_verify odsign:fd use;
allow compos_verify odsign_devpts:chr_file { read write };
# Only odsign can enter the domain via exec
neverallow { domain -odsign } compos_verify:process transition;
neverallow * compos_verify:process dyntransition;
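Review bot: The macro calls `binder_use(compos_verify);` and `virtualizationservice_use(compos_verify);` end in a semicolon, unlike the same macros in the composd section of this commit (`binder_use(composd)`, `virtualizationservice_use(composd)`). The macros presumably terminate their own rules already, so the extra `;` is at best an empty statement in the expanded policy. Dropping it keeps the files consistent: `binder_use(compos_verify)` and `virtualizationservice_use(compos_verify)`.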


@ -0,0 +1,45 @@
type composd, domain, coredomain;
type composd_exec, system_file_type, exec_type, file_type;
# Host dynamic AIDL services
init_daemon_domain(composd)
binder_use(composd)
add_service(composd, compos_service)
# Call back into system server
binder_call(composd, system_server)
# Start a VM
virtualizationservice_use(composd)
# Prepare staging directory for odrefresh
allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
allow composd apex_art_staging_data_file:file { getattr unlink };
# Delete files or enable fs-verity in the odrefresh target directory
allow composd apex_art_data_file:file { open ioctl read unlink write };
allowxperm composd apex_art_data_file:file ioctl FS_IOC_ENABLE_VERITY;
# Access our APEX data files
allow composd apex_module_data_file:dir search;
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;
# Run fd_server in its own domain, and send SIGTERM when finished.
domain_auto_trans(composd, fd_server_exec, compos_fd_server)
allow composd compos_fd_server:process signal;
# Read properties used to configure the CompOS VM
get_prop(composd, composd_vm_art_prop)
get_prop(composd, composd_vm_vendor_prop)
# Read ART's properties
get_prop(composd, dalvik_config_prop_type)
get_prop(composd, device_config_runtime_native_boot_prop)
# We never create any artifact files directly
neverallow composd apex_art_data_file:file create;
# ART sets these properties via init script, nothing else should
neverallow { domain -init } composd_vm_art_prop:property_service set;


@ -0,0 +1,260 @@
get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, dalvik_config_prop_type)
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, graphics_config_writable_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
get_prop(coredomain, zygote_config_prop)
get_prop(coredomain, zygote_wrap_prop)
# TODO(b/170590987): remove this after cleaning up default_prop
get_prop(coredomain, default_prop)
full_treble_only(`
neverallow {
coredomain
# for chowning
-init
# generic access to sysfs_type
-apexd
-ueventd
-vold
} sysfs_leds:file *;
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
coredomain
-appdomain
-artd
-dex2oat
-dexoptanalyzer
-idmap
-init
-installd
-heapprofd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
} vendor_app_file:dir { open read getattr search };
')
full_treble_only(`
neverallow {
coredomain
-appdomain
-artd
-dex2oat
-dexoptanalyzer
-idmap
-init
-installd
-heapprofd
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-profman
-rs # spawned by appdomain, so carryover the exception above
userdebug_or_eng(`-simpleperf_boot')
-system_server
-traced_perf
-mediaserver
} vendor_app_file:file r_file_perms;
')
full_treble_only(`
# Limit access to /vendor/overlay
neverallow {
coredomain
-appdomain
-artd
-dex2oat
-dexoptanalyzer
-idmap
-init
-installd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
-app_zygote
-webview_zygote
-zygote
-heapprofd
} vendor_overlay_file:dir { getattr open read search };
')
full_treble_only(`
neverallow {
coredomain
-appdomain
-artd
-dex2oat
-dexoptanalyzer
-idmap
-init
-installd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
-app_zygote
-webview_zygote
-zygote
-heapprofd
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
} vendor_overlay_file:file open;
')
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
# /proc
neverallow {
coredomain
-init
-vold
} proc:file no_rw_file_perms;
# /sys
neverallow {
coredomain
-apexd
-init
-ueventd
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `-vfio_handler')
-vold
} sysfs:file no_rw_file_perms;
# /dev
neverallow {
coredomain
-apexd
-fsck
-init
-ueventd
} device:{ blk_file file } no_rw_file_perms;
# debugfs
neverallow {
coredomain
no_debugfs_restriction(`
-dumpstate
-init
-system_server
')
} debugfs:file no_rw_file_perms;
# tracefs
neverallow {
coredomain
-atrace
-dumpstate
-gpuservice
-init
-traced_perf
-traced_probes
-shell
-system_server
-traceur_app
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
neverallow {
coredomain
-init
} inotify:file no_rw_file_perms;
# pstorefs
neverallow {
coredomain
-bootstat
-charger
-dumpstate
userdebug_or_eng(`-incidentd')
-init
-logd
-logpersist
-recovery_persist
-recovery_refresh
-shell
-system_server
} pstorefs:file no_rw_file_perms;
# configfs
neverallow {
coredomain
-init
-system_server
} configfs:file no_rw_file_perms;
# functionfs
neverallow {
coredomain
-adbd
-init
-mediaprovider
-system_server
} functionfs:file no_rw_file_perms;
# usbfs and binfmt_miscfs
neverallow {
coredomain
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
# dmabuf heaps
neverallow {
coredomain
-init
-ueventd
}{
dmabuf_heap_device_type
-dmabuf_system_heap_device
-dmabuf_system_secure_heap_device
}:chr_file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
neverallow coredomain {
iio_device
radio_device
}:chr_file { open read append write ioctl };
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
full_treble_only(`
neverallow coredomain tee_device:chr_file { open read append write ioctl };
')
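Review bot: The assertion on `vendor_app_file:file r_file_perms` has no comment, and its exemption list differs from the `/vendor/app` directory rule just above it. It additionally exempts `profman`, `mediaserver` and, on debuggable builds, `profcollectd` and `simpleperf_boot`. The two `vendor_overlay_file` rules show the same kind of difference, with the file rule adding the two debuggable-build exemptions. A one-line comment on each file rule, for example `# Limit file access under /vendor/app; exemptions beyond the dir rule: <reason, to be supplied by the owner>`, would tell a maintainer whether the wider list is deliberate.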


@ -0,0 +1,31 @@
# cppreopts
#
# This command copies preopted files from the system_b partition to the data
# partition. This domain ensures that we are only copying into specific
# directories.
type cppreopts, domain, mlstrustedsubject, coredomain;
type cppreopts_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
# Allow cppreopts copy files into the dalvik-cache
allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
# Allow cppreopts to execute itself using #!/system/bin/sh
allow cppreopts shell_exec:file rx_file_perms;
# Allow us to run find on /postinstall
allow cppreopts system_file:dir { open read };
# Allow running the cp command using cppreopts permissions. Needed so we can
# write into dalvik-cache
allow cppreopts toolbox_exec:file rx_file_perms;
# Silence the denial when /postinstall cannot be mounted, e.g., system_other
# is wiped, but cppreopts.sh still runs.
dontaudit cppreopts postinstall_mnt_dir:dir search;
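Review bot: The declaration `type cppreopts, domain, mlstrustedsubject, coredomain;` adds the `mlstrustedsubject` attribute without saying why, and the `device_as_webcam` and `dexoptanalyzer` declarations in later sections of this page do the same. The MLS constraint definitions are not visible here, but that attribute is normally what exempts a domain from them, so each use deserves a justification next to the declaration. Something like `# mlstrustedsubject: <which differently-levelled objects this domain must reach, and why>` above each `type` line would let a reviewer judge whether the exemption is still needed.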


@ -0,0 +1,67 @@
typeattribute crash_dump coredomain;
# Crash dump does not need to access devices passed across exec().
dontaudit crash_dump { devpts dev_type }:chr_file { read write };
allow crash_dump {
domain
-apexd
-bpfloader
-crash_dump
-init
-kernel
-keystore
-llkd
-logd
-ueventd
-vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
userdebug_or_eng(`
allow crash_dump {
apexd
keystore
llkd
logd
vold
}:process { ptrace signal sigchld sigstop sigkill };
')
# Read ART APEX data directory
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;
# Allow crash dump to read bootstrap libraries
allow crash_dump system_bootstrap_lib_file:dir { getattr search };
allow crash_dump system_bootstrap_lib_file:file r_file_perms;
# Read Vendor APEX directories
allow crash_dump vendor_apex_metadata_file:dir { getattr search };
###
### neverallow assertions
###
# sigchld not explicitly forbidden since it's part of the
# domain-transition-on-exec macros, and is by itself not sensitive
neverallow crash_dump {
apexd
userdebug_or_eng(`-apexd')
bpfloader
init
kernel
keystore
userdebug_or_eng(`-keystore')
llkd
userdebug_or_eng(`-llkd')
logd
userdebug_or_eng(`-logd')
ueventd
vendor_init
vold
userdebug_or_eng(`-vold')
}:process { ptrace signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
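Review bot: The set of protected domains is written out by hand three times, and nothing tells a maintainer the copies must change together. It appears as the exclusions in the first `allow crash_dump { domain -apexd … }` rule, as the `userdebug_or_eng` allow list, and again inside the neverallow. The `dumpable_domain` definition in a later section of this page points back here with "See private/crash_dump.te" and additionally excludes `crosvm`, which this file's lists do not. A comment above the first allow rule, such as `# Keep in sync with the neverallow below and with dumpable_domain`, would make the coupling explicit. It is also worth confirming that the `crosvm` difference is intended.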


@ -0,0 +1,13 @@
typeattribute credstore coredomain;
init_daemon_domain(credstore)
# talk to Identity Credential
hal_client_domain(credstore, hal_identity)
# talk to keymint, specifically for IRemotelyProvisionedComponent/default
hal_client_domain(credstore, hal_keymint)
# credstore needs to get keys from the RKPD
get_prop(credstore, remote_prov_prop)
allow credstore remote_provisioning_service:service_manager find;


@ -0,0 +1,158 @@
type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
# Let crosvm open VM manager devices such as /dev/kvm.
allow crosvm vm_manager_device_type:chr_file rw_file_perms;
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
# Most other domains shouldn't access other vm managers either.
# These restrictions need to be slightly looser than for kvm_device to allow
# for different implementations.
neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationmanager:fd use;
# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
privapp_data_file
apex_compos_data_file
apex_virt_data_file
shell_data_file
vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
# When running a VM as root we get spurious capability denials.
# Suppress them.
userdebug_or_eng(`
dontaudit crosvm self:capability ipc_lock;
')
# Allow crosvm to tune for performance.
allow crosvm self:global_capability_class_set sys_nice;
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
allow crosvm shell_data_file:dir search;
allow crosvm shell_data_file:file open;
')
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
virtualizationservice_data_file
app_data_file
privapp_data_file
apex_compos_data_file
apex_virt_data_file
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
allow crosvm devpts:chr_file { read write getattr ioctl };
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
allow crosvm port:tcp_socket name_bind;
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;
# Allow crosvm to interact to VFIO device
allow crosvm vfio_device:chr_file rw_file_perms;
allow crosvm vfio_device:dir r_dir_perms;
# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
allow crosvm virtualizationmanager:fd use;
allow crosvm virtualizationservice_data_file:file read;
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
privapp_data_file
userdebug_or_eng(`-shell_data_file')
}:file open;
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
neverallow crosvm {
vendor_file_type
-vendor_vm_file
-vendor_vm_data_file
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
-vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
')
# Only allow crosvm to read app data files for clients that can start
# VMs. Note that the use of app data files is further restricted
# inside the virtualizationservice by checking the label of all disk
# image files.
neverallow crosvm {
app_data_file_type
-app_data_file
-privapp_data_file
-shell_data_file
}:file read;
# Only virtualizationmanager can run crosvm
neverallow {
domain
-crosvm
-virtualizationmanager
} crosvm_exec:file no_x_file_perms;
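Review bot: The `neverallow crosvm { … }:file open;` assertion does not cover every type that crosvm is meant to receive only as a file descriptor. `shell_data_file` appears there only as a `userdebug_or_eng` subtraction from a set that never contains it, so on user builds nothing asserts that crosvm cannot open shell files by path; `apex_compos_data_file` and `apex_virt_data_file` are missing as well. Adding a plain `shell_data_file` entry before the `userdebug_or_eng` line, plus the two apex types if they are also FD-only, would make the assertion match the privilege-escalation concern in its comment. Separately, the `tcp_socket`, `name_bind` and `node_bind` rules for the gdb server are granted on every build variant. If guest-kernel debugging is only expected on debuggable builds, wrapping those rules in `userdebug_or_eng` would keep a listening socket out of user policy.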


@ -0,0 +1,26 @@
# Domain for derive_classpath
type derive_classpath, domain, coredomain;
type derive_classpath_exec, system_file_type, exec_type, file_type;
init_daemon_domain(derive_classpath)
# Read /apex
allow derive_classpath apex_mnt_dir:dir r_dir_perms;
allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
# Create /data/system/environ/classpath file
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
allow derive_classpath environ_system_data_file:file create_file_perms;
# b/183079517 fails on gphone targets otherwise
allow derive_classpath unlabeled:dir search;
# Allow derive_classpath to write the classpath into ota dexopt
# - Read the ota's apex dir
allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
# - Report the BCP to the ota's dexopt
allow derive_classpath postinstall_dexopt:dir search;
allow derive_classpath postinstall_dexopt:fd use;
allow derive_classpath postinstall_dexopt:file read;
allow derive_classpath postinstall_dexopt:lnk_file read;
allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
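Review bot: `allow derive_classpath unlabeled:dir search;` is justified only by a bug number and "fails on gphone targets otherwise", yet it lets the domain traverse any directory that has lost its label. The comment should name the path that is unlabeled on those targets and state when the rule can go, for example `# TODO(b/183079517): remove once <unlabeled path> is labeled on all targets`. Without that, the workaround is likely to stay in the policy indefinitely.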


@ -0,0 +1,21 @@
# Domain for derive_sdk
type derive_sdk, domain, coredomain;
type derive_sdk_exec, system_file_type, exec_type, file_type;
init_daemon_domain(derive_sdk)
# Read /apex
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
set_prop(derive_sdk, module_sdkextensions_prop)
neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
# Allow derive_sdk to write data back to dumpstate when forked from dumpstate.
# The shell_data_file permissions are needed when a bugreport is taken:
# dumpstate will redirect its stdout to a temporary shell_data_file:file, and
# this makes derive_sdk append to that file.
allow derive_sdk dumpstate:fd use;
allow derive_sdk dumpstate:unix_stream_socket { read write };
allow derive_sdk shell_data_file:file { getattr append read write };
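Review bot: The last rule grants `shell_data_file:file { getattr append read write }`, but the comment above it only describes appending to dumpstate's redirected stdout. `write` permits non-append writes to the inherited file, and `read` is not needed to emit output. If the bugreport path still works with it, `allow derive_sdk shell_data_file:file { getattr append };` matches the stated intent. If `read` and `write` are required because of how dumpstate opens the file, the comment should say so.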


@ -0,0 +1,21 @@
# Domain for DeviceAsWebcam Service
type device_as_webcam, domain, coredomain, mlstrustedsubject;
app_domain(device_as_webcam)
allow device_as_webcam system_app_data_file:dir create_dir_perms;
allow device_as_webcam system_app_data_file:file create_file_perms;
allow device_as_webcam { app_api_service cameraserver_service }:service_manager find;
# Allow DeviceAsWebcam Service needs to access ro.usb.uvc.enabled property to
# enale/disable itself
get_prop(device_as_webcam, usb_uvc_enabled_prop)
# need to access /dev to list all devices
allow device_as_webcam device:dir r_dir_perms;
# UVC nodes are mounted as V4L2 nodes (/dev/video*) on the device. These need to
# be accessed by the DeviceAsWebcam Service.
allow device_as_webcam video_device:dir r_dir_perms;
allow device_as_webcam video_device:chr_file rw_file_perms;


@ -0,0 +1,115 @@
# dex2oat
type dex2oat, domain, coredomain;
type dex2oat_exec, system_file_type, exec_type, file_type;
userfaultfd_use(dex2oat)
r_dir_file(dex2oat, apk_data_file)
# Access to /vendor/app
r_dir_file(dex2oat, vendor_app_file)
# Access /vendor/framework
allow dex2oat vendor_framework_file:dir { getattr search };
allow dex2oat vendor_framework_file:file { getattr open read map };
# Access /vendor/overlay
r_dir_file(dex2oat, vendor_overlay_file);
# Vendor overlay can be found in vendor apex
allow dex2oat vendor_apex_metadata_file:dir { getattr search };
allow dex2oat tmpfs:file { read getattr map };
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
allow dex2oat postinstall_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
# locked APKs.
allow dex2oat asec_apk_file:file { read map };
allow dex2oat unlabeled:file { read map };
allow dex2oat oemfs:file { read map };
allow dex2oat apk_tmp_file:dir search;
allow dex2oat apk_tmp_file:file r_file_perms;
allow dex2oat user_profile_data_file:file { getattr read lock map };
# Allow dex2oat to compile app's secondary dex files which were reported back to
# the framework.
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
allow dex2oat apex_module_data_file:dir search;
# Allow dex2oat to use devpts passed from odsign.
allow dex2oat odsign_devpts:chr_file { read write };
# Allow dex2oat to write to file descriptors from odrefresh for files
# in the staging area.
allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
# Allow dex2oat to read artifacts from odrefresh.
allow dex2oat apex_art_data_file:dir r_dir_perms;
allow dex2oat apex_art_data_file:file r_file_perms;
# Allow dex2oat to read runtime native flag properties.
get_prop(dex2oat, device_config_runtime_native_prop)
get_prop(dex2oat, device_config_runtime_native_boot_prop)
# Allow dex2oat to read /apex/apex-info-list.xml
allow dex2oat apex_info_file:file r_file_perms;
# Allow dex2oat to use file descriptors passed from privileged programs.
allow dex2oat { artd installd odrefresh odsign }:fd use;
# Allow dex2oat to read the /proc filesystem for CPU features, etc.
allow dex2oat proc_filesystems:file r_file_perms;
##################
# A/B OTA Dexopt #
##################
# Allow dex2oat to use file descriptors from otapreopt.
allow dex2oat postinstall_dexopt:fd use;
# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
allow dex2oat postinstall_file:dir r_dir_perms;
allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file { getattr read };
allow dex2oat postinstall_file:file read;
# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
allow dex2oat postinstall_file:file { execute getattr open };
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
allow dex2oat postinstall_apex_mnt_dir:{ file lnk_file } r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
allow dex2oat ota_data_file:file r_file_perms;
# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
# where the oat file is symlinked to the original file in /system.
allow dex2oat ota_data_file:lnk_file { create read };
# It would be nice to tie this down, but currently, because of how images are written, we can't
# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
# create them itself (and make them world-readable).
allow dex2oat ota_data_file:file { create w_file_perms setattr };
###############
# APEX Update #
###############
# /dev/zero is inherited.
allow dex2oat apexd:fd use;
# Allow dex2oat to use file descriptors from preinstall.
##############
# Neverallow #
##############
neverallow dex2oat app_data_file_type:notdevfile_class_set open;
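Review bot: The comment `# Allow dex2oat to use file descriptors from preinstall.` under the APEX Update banner has no rule after it; the next lines are the Neverallow banner. It therefore documents a grant that is not in this file. Either delete the comment or restore the rule it described, because a reader cannot tell whether a permission was dropped by mistake.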


@ -0,0 +1,23 @@
type dexopt_chroot_setup, domain, coredomain;
type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
type dexopt_chroot_setup_tmpfs, file_type;
# Allow dexopt_chroot_setup to publish a binder service and make binder calls.
binder_use(dexopt_chroot_setup)
add_service(dexopt_chroot_setup, dexopt_chroot_setup_service)
allow dexopt_chroot_setup dumpstate:fifo_file { getattr write };
allow dexopt_chroot_setup dumpstate:fd use;
init_daemon_domain(dexopt_chroot_setup)
# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexopt_chroot_setup vs other
# processes.
tmpfs_domain(dexopt_chroot_setup)
# libart (mark_compact.cc) has some intialization code that touches the cache
# info file and userfaultfd.
allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
r_dir_file(dexopt_chroot_setup, apex_art_data_file)
userfaultfd_use(dexopt_chroot_setup)


@ -0,0 +1,60 @@
# dexoptanalyzer
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
r_dir_file(dexoptanalyzer, apk_data_file)
# Access to /vendor/app
r_dir_file(dexoptanalyzer, vendor_app_file)
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
# processes.
tmpfs_domain(dexoptanalyzer)
userfaultfd_use(dexoptanalyzer)
# Allow dexoptanalyzer to read files in the dalvik cache.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# app_data_file the oat file is symlinked to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
# Allow dexoptanalyzer to read files in the ART APEX data directory.
allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
allow dexoptanalyzer apex_art_data_file:file r_file_perms;
# Allow dexoptanalyzer to use file descriptors from odrefresh.
allow dexoptanalyzer odrefresh:fd use;
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow dexoptanalyzer odsign:fd use;
allow dexoptanalyzer odsign_devpts:chr_file { read write };
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
# Acquire advisory lock on /system/framework/arm/*
allow dexoptanalyzer system_file:file lock;
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
# dexoptanalyzer checks the DM files next to dex files. We don't need this check
# for secondary dex files, but it's not harmful. Just deny it and ignore it.
dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir search;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
# Allow query ART device config properties
get_prop(dexoptanalyzer, device_config_runtime_native_prop)
get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
# Allow dexoptanalyzer to read /apex/apex-info-list.xml
allow dexoptanalyzer apex_info_file:file r_file_perms;
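Review bot: The comment above `allow dexoptanalyzer dalvikcache_data_file:lnk_file read;` is garbled. It reads "required for PIC mode boot app_data_file the oat file is symlinked", where the corresponding comment in the dex2oat section of this page says "PIC mode boot images, where the oat file is symlinked". This looks like a search-and-replace artifact. The comment should read `# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where the oat file is symlinked to the original file in /system.`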


@ -0,0 +1,7 @@
typeattribute dhcp coredomain;
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
set_prop(dhcp, dhcp_prop)
set_prop(dhcp, pan_result_prop)


@ -0,0 +1,15 @@
type dmesgd, domain, coredomain;
type dmesgd_exec, system_file_type, exec_type, file_type;
init_daemon_domain(dmesgd)
allow dmesgd dmesgd_data_file:dir create_dir_perms;
allow dmesgd dmesgd_data_file:file create_file_perms;
allow dmesgd kernel:system syslog_read;
allow dmesgd shell_exec:file rx_file_perms;
allow dmesgd toolbox_exec:file rx_file_perms;
binder_use(dmesgd)
binder_call(dmesgd, system_server)
allow dmesgd dropbox_service:service_manager find;
allow dmesgd proc_version:file r_file_perms;


@ -0,0 +1 @@
typeattribute dnsmasq coredomain;


@ -0,0 +1,780 @@
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# See private/crash_dump.te
define(`dumpable_domain',`{
domain
-apexd
-bpfloader
-crash_dump
-crosvm # TODO(b/236672526): Remove exception for crosvm
-init
-kernel
-keystore
-llkd
-logd
-ueventd
-vendor_init
-vold
}')
# Allow heap profiling by heapprofd.
# Zygotes are excluded due to potential issues with holding open file
# descriptors or other state across forks. Other exclusions conflict with
# neverallows, and are not considered important to profile.
can_profile_heap({
dumpable_domain
-app_zygote
-hal_configstore_server
-logpersist
-recovery
-recovery_persist
-recovery_refresh
-webview_zygote
-zygote
})
# Allow profiling using perf_event_open by traced_perf.
can_profile_perf({
dumpable_domain
-app_zygote
-hal_configstore_server
-webview_zygote
-zygote
})
# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);
# Everyone can access the fuse list of features.
r_dir_file(domain, sysfs_fs_fuse_features);
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)
# Read access to bq configuration values
get_prop(domain, bq_config_prop);
# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);
# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process), and MTE bootloader override to be
# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
get_prop(domain, device_config_runtime_native_boot_prop);
get_prop(domain, device_config_runtime_native_prop);
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
# DO NOT ADD ANY PROPERTIES HERE
get_prop(domain, core_property_type)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
get_prop({coredomain appdomain shell}, core_property_type)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_log_prop)
get_prop({coredomain shell}, userspace_reboot_test_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
# Public readable properties
get_prop(domain, aaudio_config_prop)
get_prop(domain, apexd_select_prop)
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
get_prop(domain, build_vendor_prop)
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, fingerprint_prop)
get_prop(domain, framework_status_prop)
get_prop(domain, gwp_asan_prop)
get_prop(domain, hal_instrumentation_prop)
get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, locale_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, timezone_prop)
get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
get_prop(domain, vts_config_prop)
# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
get_prop(domain, binder_cache_telephony_server_prop)
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
userdebug_or_eng(`
allow domain su:key search;
')
# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
# Allow all processes to read the file_logger property that liblog uses to check if file_logger
# should be used.
get_prop(domain, log_file_logger_prop)
# Allow all processes to connect to PRNG seeder daemon.
unix_socket_connect(domain, prng_seeder, prng_seeder)
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
domain
userdebug_or_eng(`-domain') # exclude debuggable builds
-fastbootd
-hal_bootctl_server
-init
-uncrypt
-update_engine
-vendor_init
-vendor_misc_writer
-vold
-recovery
-ueventd
-mtectrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
userdebug_or_eng(`-llkd')
-dumpstate
userdebug_or_eng(`-incidentd')
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
neverallow {
domain
-init
-vendor_init
userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
neverallow {
domain
-init
-system_server
userdebug_or_eng(`-dumpstate')
} dropbox_data_file:dir *;
neverallow {
domain
-init
-system_server
userdebug_or_eng(`-dumpstate')
} dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
# Only the following processes should be directly accessing private app
# directories.
neverallow {
domain
-adbd
-appdomain
-app_zygote
-artd # compile secondary dex files
-dexoptanalyzer
-installd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
-system_server
-viewcompiler
-zygote
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
neverallow {
domain
-appdomain
-app_zygote
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
neverallow {
domain
-artd # compile secondary dex files
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
neverallow {
domain
-init
-system_server
-apexd
-installd
-priv_app
-virtualizationmanager
} staging_data_file:dir *;
neverallow {
domain
-init
-system_app
-system_server
-apexd
-adbd
-kernel
-installd
-priv_app
-shell
-virtualizationmanager
-crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
{ append create relabelfrom rename setattr write no_x_file_perms };
neverallow {
domain
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
neverallow {
domain
-appdomain
with_asan(`-asan_extract')
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
-app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
} {
file_type
-system_file_type
-system_lib_file
-system_linker_exec
-vendor_file_type
-exec_type
-postinstall_file
}:file execute;
# Only init is allowed to write cgroup.rc file
neverallow {
domain
-init
-vendor_init
} cgroup_rc_file:file no_w_file_perms;
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
-init # TODO: limit init to relabelfrom for files
-zygote
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-otapreopt_slot
-artd
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
domain
-init
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-zygote
-otapreopt_slot
-artd
} dalvikcache_data_file:dir no_w_dir_perms;
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
neverallow {
domain
# art-related processes
-composd
-compos_fd_server
-odrefresh
-odsign
# others
-apexd
-init
-vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;
neverallow {
domain
# art-related processes
-composd
-compos_fd_server
-odrefresh
-odsign
# others
-apexd
-init
-vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;
# Protect most domains from executing arbitrary content from /data.
neverallow {
domain
-appdomain
} {
data_file_type
-apex_art_data_file
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
apexd
artd
dnsmasq
dumpstate
init
installd
userdebug_or_eng(`llkd')
lmkd
migrate_legacy_obb_data
netd
postinstall_dexopt
recovery
rss_hwm_reset
sdcardd
tee
ueventd
uncrypt
vendor_init
vold
vold_prepare_subdirs
zygote
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
traced_perf
traced_probes
heapprofd
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
neverallow {
domain
-apexd
recovery_only(`-fastbootd')
-init
-kernel
-otapreopt_chroot
-recovery
-update_engine
-vold
-zygote
} { fs_type
-sdcard_type
-fusefs_type
}:filesystem { mount remount relabelfrom relabelto };
enforce_debugfs_restriction(`
neverallow {
domain userdebug_or_eng(`-init')
} { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
-kernel
-gsid
-init
-recovery
-ueventd
-uncrypt
-tee
-hal_bootctl_server
-fastbootd
} self:global_capability_class_set sys_rawio;
# Limit directory operations that doesn't need to do app data isolation.
neverallow {
domain
-fsck
-init
-installd
-zygote
} mirror_data_file:dir *;
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
# Allow ART to set its config properties in its oneshot boot service, in
# addition to the common init and vendor_init access.
neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
full_treble_only(`
neverallow {
coredomain
-appdomain
-bootanim
-crash_dump
-heapprofd
userdebug_or_eng(`-profcollectd')
-init
-kernel
userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
# Vendor domains are not permitted to initiate communications to core domain sockets
full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
-appdomain
-socket_between_core_and_vendor_violators
}, {
coredomain
-logd # Logging by writing to logd Unix domain socket is public API
-netd # netdomain needs this
-mdnsd # netdomain needs this
-prng_seeder # Any process using libcrypto needs this
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
-heapprofd
-traced
-traced_perf
});
')
full_treble_only(`
# Do not allow system components access to /vendor files except for the
# ones allowed here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
-crosvm # loads vendor-specific disk images
-init # starts vendor executables
-kernel # loads /vendor/firmware
-heapprofd
userdebug_or_eng(`-profcollectd')
-shell
userdebug_or_eng(`-simpleperf_boot')
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
-vold # loads incremental fs driver
} {
vendor_file_type
-same_process_hal_file
-vendor_app_file
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
-vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
-vendor_keychars_file
-vendor_keylayout_file
-vendor_overlay_file
-vendor_public_framework_file
-vendor_public_lib_file
-vendor_task_profiles_file
-vendor_uuid_mapping_config_file
-vndk_sp_file
}:file *;
')
# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intsersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;
# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
neverallow {
domain
-init
-vendor_init
-dumpstate
} mm_events_config_prop:file no_rw_file_perms;
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are repalced with symbol
# names (if available). Traces don't disclose KASLR.
neverallow {
domain
-init
userdebug_or_eng(`-profcollectd')
-vendor_init
userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
enforce_debugfs_restriction(`
neverallow {
domain
-vendor_modprobe
userdebug_or_eng(`
-init
-hal_dumpstate
-incidentd
')
} { debugfs_type
userdebug_or_eng(`-debugfs_kcov')
-tracefs_type
}:file no_rw_file_perms;
')
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
# Restrict CAP_PERFMON.
neverallow {
domain
-init
-vendor_modprobe
userdebug_or_eng(`-simpleperf_boot')
-kernel
-uprobestats
} self:capability2 perfmon;
# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice')
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
neverallow {
domain
-adbd
-artd
-dumpstate
-installd
-init
-shell
-vold
} shell_data_file:dir no_w_dir_perms;
neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-init
-installd
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
} shell_data_file:dir open;
neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-init
-installd
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm')
} shell_data_file:dir search;
# respect system_app sandboxes
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read, the rest is neverallow in
# traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow {
isolated_app_all
ephemeral_app
priv_app
sdk_sandbox_all
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow { domain -init } mtectrl:process { dyntransition transition };
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
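Review bot: The `-system_server # why?` exemption in the `shell_data_file:dir open` and `shell_data_file:dir search` neverallows is unexplained, even though the comment above those rules calls /data/local/tmp untrustworthy. An open question inside an assertion's allowlist should become a reason or a tracked removal, e.g. `-system_server # TODO(b/<bug-id>): document or drop this exemption`. Separately, the `{ privapp_data_file app_data_file }:dir_file_class_set { create unlink }` neverallow appears twice with identical exemptions (under "Services should respect app sandboxes" and again after the `file_class_set open` rule), so one copy can go. The comment `# Kprobes should only be used by adb root` also does not match its rule, which exempts `init` and `vendor_init`.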


@ -0,0 +1,9 @@
typeattribute drmserver coredomain;
init_daemon_domain(drmserver)
type_transition drmserver apk_data_file:sock_file drmserver_socket;
typeattribute drmserver_socket coredomain_socket;
get_prop(drmserver, drm_service_config_prop)


@ -0,0 +1,151 @@
typeattribute dumpstate coredomain;
type dumpstate_tmpfs, file_type;
init_daemon_domain(dumpstate)
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
# Create tmpfs files for using memfd descriptors to get output from child
# processes.
tmpfs_domain(dumpstate)
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;
allow dumpstate storaged_exec:file rx_file_perms;
# /data/misc/a11ytrace for accessibility traces
userdebug_or_eng(`
allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
allow dumpstate accessibility_trace_data_file:file r_file_perms;
')
# /data/misc/wmtrace for wm traces
userdebug_or_eng(`
allow dumpstate wm_trace_data_file:dir r_dir_perms;
allow dumpstate wm_trace_data_file:file r_file_perms;
')
# /data/system/dropbox for dropbox entries
userdebug_or_eng(`
allow dumpstate dropbox_data_file:dir r_dir_perms;
allow dumpstate dropbox_data_file:file r_file_perms;
')
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
# Kill incident in case of a timeout
allow dumpstate incident:process { signal sigkill };
# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)
# Allow dumpstate to make binder calls to statsd
binder_call(dumpstate, statsd)
# Allow dumpstate to talk to gpuservice over binder
binder_call(dumpstate, gpuservice);
# Allow dumpstate to talk to idmap over binder
binder_call(dumpstate, idmap);
# Allow dumpstate to talk to profcollectd over binder
userdebug_or_eng(`
binder_call(dumpstate, profcollectd)
')
# Allow dumpstate to talk to automotive_display_service over binder
binder_call(dumpstate, automotive_display_service)
# Allow dumpstate to talk to virtual_camera service over binder
binder_call(dumpstate, virtual_camera)
# Allow dumpstate to talk to ot_daemon service over binder
binder_call(dumpstate, ot_daemon)
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
# Signal native processes to dump their stack.
allow dumpstate {
mediatranscoding
statsd
netd
virtual_camera
ot_daemon
}:process signal;
# Only allow dumpstate to dump Keystore on debuggable builds.
userdebug_or_eng(`
allow dumpstate keystore:process signal;
')
dontaudit dumpstate keystore:process { signal };
# For collecting bugreports.
no_debugfs_restriction(`
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
')
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
dontaudit dumpstate update_engine:binder call;
# Read files in /proc
allow dumpstate {
config_gz
proc_net_tcp_udp
proc_pid_max
}:file r_file_perms;
# For comminucating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)
# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
set_prop(dumpstate, exported_dumpstate_prop)
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)
# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)
# For dumping dynamic partition information.
set_prop(dumpstate, lpdumpd_prop)
binder_call(dumpstate, lpdumpd)
# For dumping hypervisor information.
get_prop(dumpstate, hypervisor_prop)
# For dumping device-mapper and snapshot information.
allow dumpstate gsid_exec:file rx_file_perms;
set_prop(dumpstate, ctl_gsid_prop)
binder_call(dumpstate, gsid)
r_dir_file(dumpstate, ota_metadata_file)
# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
# is being recorded, the command above will serialize it into
# /data/misc/perfetto-traces/bugreport/*.pftrace .
domain_auto_trans(dumpstate, perfetto_exec, perfetto)
allow dumpstate perfetto:process signal;
allow dumpstate perfetto_traces_data_file:dir { search };
allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null
# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
# zip file. These rules are to allow perfetto.te to inherit dumpstate's
# /dev/null.
allow perfetto dumpstate_tmpfs:file rw_file_perms;
allow perfetto dumpstate:fd use;
# system_dlkm_file for /system_dlkm partition
allow dumpstate system_dlkm_file:dir getattr;
# Allow dumpstate to execute derive_sdk in its own domain
domain_auto_trans(dumpstate, derive_sdk_exec, derive_sdk)
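Review bot: `allow perfetto dumpstate_tmpfs:file rw_file_perms;` grants more than the comment above it describes. The stated purpose is letting perfetto inherit dumpstate's redirected stdio, which only requires using an already-open descriptor, while `rw_file_perms` also includes `open`, and `dumpstate_tmpfs` is the same type that `tmpfs_domain(dumpstate)` sets up for the memfd files holding child-process output. If inheritance is all that is needed, `allow perfetto dumpstate_tmpfs:file { getattr read write };` would cover it. Whether perfetto relies on the remaining permissions cannot be seen from this section.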


@ -0,0 +1,87 @@
###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced permissions sandbox allowing
### ephemeral applications to be safely installed and run. Non ephemeral
### applications may also opt-in to ephemeral to take advantage of the
### additional security features.
###
### PackageManager flags an app as ephemeral at install time.
typeattribute ephemeral_app coredomain;
net_domain(ephemeral_app)
app_domain(ephemeral_app)
# Allow ephemeral apps to read/write files in visible storage if provided fds
allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
allow ephemeral_app app_data_file:file { r_file_perms execute };
# Follow priv-app symlinks. This is used for dynamite functionality.
allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
# Allow the renderscript compiler to be run.
domain_auto_trans(ephemeral_app, rs_exec, rs)
# Allow loading and deleting shared libraries created by trusted system
# components within an application home directory.
allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
# services
allow ephemeral_app audioserver_service:service_manager find;
allow ephemeral_app cameraserver_service:service_manager find;
allow ephemeral_app mediaserver_service:service_manager find;
allow ephemeral_app mediaextractor_service:service_manager find;
allow ephemeral_app mediametrics_service:service_manager find;
allow ephemeral_app mediadrmserver_service:service_manager find;
allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow ephemeral_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
allow ephemeral_app ashmem_device:chr_file rw_file_perms;
###
### neverallow rules
###
neverallow ephemeral_app app_data_file_type:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow ephemeral_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow ephemeral_app debugfs_type:file read;
# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow ephemeral_app sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow ephemeral_app proc_net:file no_rw_file_perms;


@ -0,0 +1,39 @@
# evsmanager
typeattribute evsmanagerd coredomain;
typeattribute evsmanagerd evsmanager_service_server;
type evsmanagerd_exec, system_file_type, exec_type, file_type;
init_daemon_domain(evsmanagerd);
# Declares as a binder service
binder_service(evsmanagerd)
# Allows to add a service to service_manager
add_service(evsmanagerd, evsmanagerd_service)
# Allows to use the binder IPC
binder_use(evsmanagerd)
# Allows binder IPCs to the various system services
binder_call(evsmanagerd, system_server)
# Allows to use EVS HAL implementations
hal_client_domain(evsmanagerd, hal_evs)
# Allows to write messages to the shell
allow evsmanagerd shell:fd use;
allow evsmanagerd shell:fifo_file write;
# Allows to use the graphics allocator
allow evsmanagerd hal_graphics_allocator:fd use;
# Allows to use a bootstrap statsd
allow evsmanagerd statsbootstrap_service:service_manager find;
# Allows binder IPCs to the CarService
binder_call(evsmanagerd, appdomain)
# For HIDL evs manager implementation
allow evsmanagerd hal_evs_hwservice:hwservice_manager add;
allow evsmanagerd hidl_base_hwservice:hwservice_manager add;
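Review bot: `binder_call(evsmanagerd, appdomain)` is wider than its comment, `# Allows binder IPCs to the CarService`: it permits calls into every app domain, not one service. If CarService is the only intended peer, the rule should name that app's domain. If the breadth is deliberate, the comment should say so, e.g. `# Allows binder IPCs to any app domain; CarService is the expected peer`. Which of the two applies cannot be determined from this file.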


@ -0,0 +1,6 @@
typeattribute extra_free_kbytes coredomain;
init_daemon_domain(extra_free_kbytes)
# Only extra_free_kbytes script is allowed to store these properties
set_prop(extra_free_kbytes, init_storage_prop)


@ -0,0 +1,57 @@
typeattribute fastbootd coredomain;
# The allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
recovery_only(`
# Reboot the device
set_prop(fastbootd, powerctl_prop)
# Read serial number of the device from system properties
get_prop(fastbootd, serialno_prop)
# Set sys.usb.ffs.ready.
get_prop(fastbootd, ffs_config_prop)
set_prop(fastbootd, ffs_control_prop)
userdebug_or_eng(`
get_prop(fastbootd, persistent_properties_ready_prop)
')
set_prop(fastbootd, gsid_prop)
# Determine allocation scheme (whether B partitions needs to be
# at the second half of super.
get_prop(fastbootd, virtual_ab_prop)
get_prop(fastbootd, snapuserd_prop)
# Needed for TCP protocol
allow fastbootd node:tcp_socket node_bind;
allow fastbootd port:tcp_socket name_bind;
allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
# Start snapuserd for merging VABC updates
set_prop(fastbootd, ctl_snapuserd_prop)
# Needed to communicate with snapuserd to complete merges.
allow fastbootd snapuserd_socket:sock_file write;
allow fastbootd snapuserd:unix_stream_socket connectto;
allow fastbootd dm_user_device:dir r_dir_perms;
# Get fastbootd protocol property
get_prop(fastbootd, fastbootd_protocol_prop)
# Mount /metadata to interact with Virtual A/B snapshots.
allow fastbootd labeledfs:filesystem { mount unmount };
set_prop(fastbootd, boottime_prop)
# Needed for reading boot properties.
allow fastbootd proc_bootconfig:file r_file_perms;
# Let this domain use the hal fastboot service
binder_use(fastbootd)
hal_client_domain(fastbootd, hal_fastboot)
')
# This capability allows fastbootd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
allow fastbootd self:capability ipc_lock;
io_uring_use(fastbootd)
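Review bot: The header comment says the allow rules are only included in the recovery policy, but `allow fastbootd self:capability ipc_lock;` and `io_uring_use(fastbootd)` come after the closing `')` of `recovery_only(...)` and so apply in every build variant. Either move both lines inside the `recovery_only` block or correct the header, e.g. `# Except for the io_uring rules at the end, the allow rules are only included in the recovery policy.` The first option keeps this domain's normal-boot policy limited to the domain rules, which is what the header promises.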


@ -0,0 +1,147 @@
# /proc/config.gz
type config_gz, fs_type, proc_type;
# /sys/fs/bpf/<dir> for mainline tethering use
# TODO: move S+ fs_bpf_tethering here from public/file.te
type fs_bpf_net_private, fs_type, bpffs_type;
type fs_bpf_net_shared, fs_type, bpffs_type;
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
type fs_bpf_uprobestats, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/wmtrace for wm traces
type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/a11ytrace for accessibility traces
type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/uprobestats-configs for uprobestats configs
type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;
# /apex/com.android.art/bin/oatdump
type oatdump_exec, system_file_type, exec_type, file_type;
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
# App executable files in /data/data directories
type app_exec_data_file, file_type, data_file_type, core_data_file_type;
typealias app_exec_data_file alias rs_data_file;
# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_ce/checkin for checkin apps.
type checkin_data_file, file_type, data_file_type, core_data_file_type;
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
# /data/gsi_persistent_data
type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/emergencynumberdb
type emergency_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/profcollectd
type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/apexdata/com.android.art
type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/misc/apexdata/com.android.art/staging
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/apexdata/com.android.compos
type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/misc/apexdata/com.android.virt
type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/misc/apexdata/com.android.tethering
type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
# for backward compatibility b/217581286
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dmesgd
type dmesgd_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/odrefresh
type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/odsign_metrics
type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
# /data/misc/virtualizationservice
# The type needs to be mlstrustedobject to allow for being accessed from
# virtualizationmanager, which runs at a more constrained MLS level.
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/bootanim
type bootanim_data_file, file_type, data_file_type, core_data_file_type;
# /dev/kvm
# The type needs to be mlstrustedobject to allow for being accessed from
# crosvm, which runs at a more constrained MLS level.
type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type;
# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;
# /apex/com.android.compos/bin/compsvc
type compos_exec, exec_type, file_type, system_file_type;
# /apex/com.android.compos/bin/compos_key_helper
type compos_key_helper_exec, exec_type, file_type, system_file_type;
# /apex/com.android.art/bin/art_exec
# This executable does not have its own domain because it is executed in the caller's domain. For
# example, it is executed in the `artd` domain when artd calls it.
type art_exec_exec, system_file_type, exec_type, file_type;
# Filesystem entry for for PRNG seeder socket. Processes require
# write permission on this to connect, and needs to be mlstrustedobject
# in to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
type proc_dt_avf, fs_type, proc_type;
# Type for /system/fonts/font_fallback.xm
type system_font_fallback_file, system_file_type, file_type;
# Type for /sys/devices/uprobe.
type sysfs_uprobe, fs_type, sysfs_type;
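Review bot: `wm_trace_data_file` carries `mlstrustedobject` with no explanation, while every other type in this file that uses it (`virtualizationservice_data_file`, `kvm_device`, `prng_seeder_socket`) documents which more constrained MLS level needs the access. A why-comment above the declaration would let a reviewer confirm the MLS relaxation is still required, e.g. `# mlstrustedobject: accessed from <domain>, which runs at a more constrained MLS level`. Separately, the comment `# Type for /system/fonts/font_fallback.xm` does not match the path labelled in file_contexts (`/system/etc/font_fallback.xml`) and should read `# Type for /system/etc/font_fallback.xml`.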


@ -0,0 +1,892 @@
###########################################
# Entries in this file describe the security context associated with a file
# path. They are used when building the device image, to include the security
# context within the extended file attributes of the file system. They are also
# used at runtime when calling restorecon.
#
# Entries are merged with other file_contexts from other partitions (e.g.,
# vendor or odm, see the full list at libselinux/src/android/android.c).
#
# The entries are evaluated by the following rules:
# - Static entries (that is, not using regular expressions) are always
# evaluated first.
# - The first matching entry is used.
# - Entries are evaluated from the bottom to the top.
#
# Based on these rules, it is recommended that the less specific entries appear
# first. For instance:
# /dev(/.*)? u:object_r:device:s0
# /dev/block(/.*)? u:object_r:block_device:s0
# /dev/block/my_dev u:object_r:my_dev:s0
#
# Root
/ u:object_r:rootfs:s0
# Data files
/adb_keys u:object_r:adb_keys_file:s0
/build\.prop u:object_r:rootfs:s0
/default\.prop u:object_r:rootfs:s0
/fstab\..* u:object_r:rootfs:s0
/init\..* u:object_r:rootfs:s0
/res(/.*)? u:object_r:rootfs:s0
/selinux_version u:object_r:rootfs:s0
/ueventd\..* u:object_r:rootfs:s0
/verity_key u:object_r:rootfs:s0
# Executables
/init u:object_r:init_exec:s0
/sbin(/.*)? u:object_r:rootfs:s0
# For kernel modules
/lib(/.*)? u:object_r:rootfs:s0
/system_dlkm(/.*)? u:object_r:system_dlkm_file:s0
# Empty directories
/lost\+found u:object_r:rootfs:s0
/acct u:object_r:cgroup:s0
/config u:object_r:rootfs:s0
/data_mirror u:object_r:mirror_data_file:s0
/debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0
/proc u:object_r:rootfs:s0
/second_stage_resources u:object_r:tmpfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
/bootstrap-apex u:object_r:apex_mnt_dir:s0
/tmp u:object_r:shell_data_file:s0
# Postinstall directories
/postinstall u:object_r:postinstall_mnt_dir:s0
/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
# Symlinks
/bin u:object_r:rootfs:s0
/bugreports u:object_r:rootfs:s0
/charger u:object_r:rootfs:s0
/d u:object_r:rootfs:s0
/etc u:object_r:rootfs:s0
/sdcard u:object_r:rootfs:s0
# SELinux policy files
/vendor_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
/product_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
/product_property_contexts u:object_r:property_contexts_file:s0
/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
##########################
# Devices
#
/dev(/.*)? u:object_r:device:s0
/dev/adf[0-9]* u:object_r:graphics_device:s0
/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
/dev/ashmem u:object_r:ashmem_device:s0
/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
/dev/audio.* u:object_r:audio_device:s0
/dev/binder u:object_r:binder_device:s0
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/by-name/zoned_device u:object_r:zoned_block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/ublkb[0-9]+ u:object_r:ublk_block_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
/dev/block/vold/.+ u:object_r:vold_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0
/dev/boringssl/selftest(/.*)? u:object_r:boringssl_self_test_marker:s0
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/ublk-control u:object_r:ublk_control_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
/dev/fuse u:object_r:fuse_device:s0
/dev/gnss[0-9]+ u:object_r:gnss_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/hidraw[0-9]+ u:object_r:hidraw_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/input(/.*)? u:object_r:input_device:s0
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
/dev/pmsg0 u:object_r:pmsg_device:s0
/dev/pn544 u:object_r:nfc_device:s0
/dev/port u:object_r:port_device:s0
/dev/ptmx u:object_r:ptmx_device:s0
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
/dev/rproc_user u:object_r:rpmsg_device:s0
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
/dev/socket/lmkd u:object_r:lmkd_socket:s0
/dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/ot-daemon(/.*)? u:object_r:ot_daemon_socket:s0
/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/property_service_for_system u:object_r:property_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
/dev/socket/snapuserd u:object_r:snapuserd_socket:s0
/dev/socket/snapuserd_proxy u:object_r:snapuserd_proxy_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
/dev/socket/traced_perf u:object_r:traced_perf_socket:s0
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/socket/heapprofd u:object_r:heapprofd_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote u:object_r:zygote_socket:s0
/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
/dev/sys/block/by-name/rootdisk(/.*)? u:object_r:rootdisk_sysdev:s0
/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
/dev/ttyUSB[0-9]* u:object_r:usb_serial_device:s0
/dev/ttyACM[0-9]* u:object_r:usb_serial_device:s0
/dev/tun u:object_r:tun_device:s0
/dev/uhid u:object_r:uhid_device:s0
/dev/uinput u:object_r:uhid_device:s0
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
/dev/vfio(/.*)? u:object_r:vfio_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
/dev/__properties__/appcompat_override u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
#############################
# Linker configuration
#
/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
#############################
# System files
#
/system(/.*)? u:object_r:system_file:s0
/system/apex/com.android.art u:object_r:art_apex_dir:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
/system/bin/mm_events u:object_r:mm_events_exec:s0
/system/bin/atrace u:object_r:atrace_exec:s0
/system/bin/auditctl u:object_r:auditctl_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
/system/bin/tcpdump -- u:object_r:tcpdump_exec:s0
/system/bin/tune2fs -- u:object_r:fsck_exec:s0
/system/bin/resize2fs -- u:object_r:fsck_exec:s0
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
/system/bin/toybox -- u:object_r:toolbox_exec:s0
/system/bin/ld\.mc u:object_r:rs_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logcatd -- u:object_r:logcat_exec:s0
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/run-as -- u:object_r:runas_exec:s0
/system/bin/bootanimation u:object_r:bootanim_exec:s0
/system/bin/bootstat u:object_r:bootstat_exec:s0
/system/bin/app_process32 u:object_r:zygote_exec:s0
/system/bin/app_process64 u:object_r:zygote_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
/system/bin/gpuservice u:object_r:gpuservice_exec:s0
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
/system/bin/performanced u:object_r:performanced_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
/system/bin/drmserver32 u:object_r:drmserver_exec:s0
/system/bin/drmserver64 u:object_r:drmserver_exec:s0
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
/system/bin/incident_helper u:object_r:incident_helper_exec:s0
/system/bin/iw u:object_r:iw_exec:s0
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/wificond u:object_r:wificond_exec:s0
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
/system/bin/mediaserver32 u:object_r:mediaserver_exec:s0
/system/bin/mediaserver64 u:object_r:mediaserver_exec:s0
/system/bin/mediametrics u:object_r:mediametrics_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
/system/bin/mediatuner u:object_r:mediatuner_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
/system/bin/sdcard u:object_r:sdcardd_exec:s0
/system/bin/snapshotctl u:object_r:snapshotctl_exec:s0
/system/bin/remount u:object_r:remount_exec:s0
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
/system/bin/dmesgd u:object_r:dmesgd_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/lpdumpd u:object_r:lpdumpd_exec:s0
/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/mtectrl u:object_r:mtectrl_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/heapprofd u:object_r:heapprofd_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
/system/bin/logwrapper u:object_r:system_file:s0
/system/bin/vdc u:object_r:vdc_exec:s0
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/profcollectd u:object_r:profcollectd_exec:s0
/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/font_fallback.xml u:object_r:system_font_fallback_file:s0
/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/passwd u:object_r:system_passwd_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/adbd u:object_r:adbd_exec:s0
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
/system/bin/netbpfload u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/migrate_legacy_obb_data u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
/system/bin/uprobestats u:object_r:uprobestats_exec:s0
#############################
# Vendor files
#
/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
/(vendor|system/vendor)/manifest\.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
#############################
# OEM and ODM files
#
/(odm|vendor/odm)(/.*)? u:object_r:vendor_file:s0
/(odm|vendor/odm)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
/(odm|vendor/odm)/lib(64)?/hw u:object_r:vendor_hal_file:s0
/(odm|vendor/odm)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
/(odm|vendor/odm)/bin/sh u:object_r:vendor_shell_exec:s0
/(odm|vendor/odm)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(odm|vendor/odm)/app(/.*)? u:object_r:vendor_app_file:s0
/(odm|vendor/odm)/priv-app(/.*)? u:object_r:vendor_app_file:s0
/(odm|vendor/odm)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
# secure-element service: vendor uuid mapping config file
/(odm|vendor/odm|vendor|system/vendor)/etc/hal_uuid_map_(.*)?\.xml u:object_r:vendor_uuid_mapping_config_file:s0
# Input configuration
/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
/oem(/.*)? u:object_r:oemfs:s0
/oem/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/oem/media/bootanimation.zip u:object_r:bootanim_oem_file:s0
/oem/media/shutdownanimation.zip u:object_r:bootanim_oem_file:s0
/oem/media/userspace-reboot.zip u:object_r:bootanim_oem_file:s0
# The precompiled monolithic sepolicy will be under /odm only when
# BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_service_contexts u:object_r:vendor_service_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
# Product files
#
/(product|system/product)(/.*)? u:object_r:system_file:s0
/(product|system/product)/etc/group u:object_r:system_group_file:s0
/(product|system/product)/etc/passwd u:object_r:system_passwd_file:s0
/(product|system/product)/overlay(/.*)? u:object_r:system_file:s0
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
/(product|system/product)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
#############################
# SystemExt files
#
/(system_ext|system/system_ext)(/.*)? u:object_r:system_file:s0
/(system_ext|system/system_ext)/etc/group u:object_r:system_group_file:s0
/(system_ext|system/system_ext)/etc/passwd u:object_r:system_passwd_file:s0
/(system_ext|system/system_ext)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts u:object_r:property_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
/(system_ext|system/system_ext)/etc/selinux/userdebug_plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
#############################
# VendorDlkm files
# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
#
/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0
/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)/etc(/.*)? u:object_r:vendor_configs_file:s0
#############################
# OdmDlkm files
# This includes ODM Dynamically Loadable Kernel Modules and other misc files.
#
/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0
/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)/etc(/.*)? u:object_r:vendor_configs_file:s0
#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
# NOTE: For additional vendor file contexts for vendor overlay files,
# use device specific file_contexts.
#
/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0
#############################
# Data files
#
# NOTE: When modifying existing label rules, changes may also need to
# propagate to the "Expanded data files" section.
#
/data u:object_r:system_data_root_file:s0
/data/(.*)? u:object_r:system_data_file:s0
/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
/data/system/game_mode_intervention\.list u:object_r:game_mode_intervention_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/ota(/.*)? u:object_r:ota_data_file:s0
/data/ota_package(/.*)? u:object_r:ota_package_file:s0
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/apex(/.*)? u:object_r:apex_data_file:s0
/data/apex/active/(.*)? u:object_r:staging_data_file:s0
/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0
/data/apex/ota_reserved(/.*)? u:object_r:apex_ota_reserved_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
# Traditional /data/app/[packageName]-[randomString]/base.apk location
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
# /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
/data/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
/data/gsi_persistent_data u:object_r:gsi_persistent_data_file:s0
/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
/data/media u:object_r:media_userdir_file:s0
/data/media/.* u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
# This directory was removed after Q Beta 2, but we need to preserve labels for upgrading devices.
/data/pkg_staging(/.*)? u:object_r:staging_data_file:s0
/data/property(/.*)? u:object_r:property_data_file:s0
/data/preloads(/.*)? u:object_r:preloads_data_file:s0
/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
/data/app-staging(/.*)? u:object_r:staging_data_file:s0
# Ensure we have the same labels as /data/app or /data/apex/active
# to avoid restorecon conflicts
/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
/data/fonts/files(/.*)? u:object_r:font_data_file:s0
/data/misc_ce u:object_r:system_userdir_file:s0
/data/misc_de u:object_r:system_userdir_file:s0
/data/system_ce u:object_r:system_userdir_file:s0
/data/system_de u:object_r:system_userdir_file:s0
/data/user u:object_r:system_userdir_file:s0
/data/user_de u:object_r:system_userdir_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
/data/misc/apexdata/com\.android\.virt(/.*)? u:object_r:apex_virt_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_tethering_data_file:s0
/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dmesgd(/.*)? u:object_r:dmesgd_data_file:s0
/data/misc/emergencynumberdb(/.*)? u:object_r:emergency_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
/data/misc/installd(/.*)? u:object_r:install_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/telephonyconfig(/.*)? u:object_r:radio_data_file:s0
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/uprobestats-configs(/.*)? u:object_r:uprobestats_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
/data/misc/snapshotctl_log(/.*)? u:object_r:snapshotctl_log_data_file:s0
/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-service(/.*)? u:object_r:stats_config_data_file:s0
/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
/data/misc/snapuserd_log(/.*)? u:object_r:snapuserd_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
/data/misc/profiles/cur(/[0-9]+)? u:object_r:user_profile_root_file:s0
/data/misc/profiles/cur/[0-9]+/.* u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
/data/vendor_ce u:object_r:vendor_userdir_file:s0
/data/vendor_ce/.* u:object_r:vendor_data_file:s0
/data/vendor_de u:object_r:vendor_userdir_file:s0
/data/vendor_de/.* u:object_r:vendor_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
# storaged proto files
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
# checkin data files
/data/misc_ce/[0-9]+/checkin(/.*)? u:object_r:checkin_data_file:s0
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
# Fingerprint vendor data file
/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
# Face vendor data file
/data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
# Iris vendor data file
/data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
# Sandbox sdk data (managed by installd)
/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
# Apex rollback directories
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
# Incremental directories
/data/incremental(/.*)? u:object_r:apk_data_file:s0
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
# Boot animation data
/data/misc/bootanim(/.*)? u:object_r:bootanim_data_file:s0
#############################
# Expanded data files
#
/mnt/expand u:object_r:mnt_expand_file:s0
/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
/mnt/expand/[^/]+/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
/mnt/expand/[^/]+/media u:object_r:media_userdir_file:s0
/mnt/expand/[^/]+/media/.* u:object_r:media_rw_data_file:s0
/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
/mnt/expand/[^/]+/misc_ce u:object_r:system_userdir_file:s0
/mnt/expand/[^/]+/misc_de u:object_r:system_userdir_file:s0
/mnt/expand/[^/]+/user u:object_r:system_userdir_file:s0
/mnt/expand/[^/]+/user_de u:object_r:system_userdir_file:s0
# coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0
# Wallpaper files
/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
# Ringtone files
/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
# ShortcutManager icons, e.g.
# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
# User icon files
/data/system/users/[0-9]+/photo\.png u:object_r:icon_file:s0
# Shutdown-checkpoints files
/data/system/shutdown-checkpoints(/.*)? u:object_r:shutdown_checkpoints_system_data_file:s0
# vold per-user data
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
# Backup service persistent per-user bookkeeping
/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
# Backup service temporary per-user data for inter-change with apps
/data/system_ce/[0-9]+/backup_stage(/.*)? u:object_r:backup_data_file:s0
#############################
# efs files
#
/efs(/.*)? u:object_r:efs_file:s0
#############################
# Cache files
#
/cache(/.*)? u:object_r:cache_file:s0
/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
# General backup/restore interchange with apps
/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
# LocalTransport (backup) uses this subtree
/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
#############################
# Overlayfs support directories
#
/cache/overlay(/.*)? u:object_r:overlayfs_file:s0
/mnt/scratch(/.*)? u:object_r:overlayfs_file:s0
/data/cache(/.*)? u:object_r:cache_file:s0
/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
# General backup/restore interchange with apps
/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
# LocalTransport (backup) uses this subtree
/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
#############################
# Metadata files
#
/metadata(/.*)? u:object_r:metadata_file:s0
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
/metadata/aconfig(/.*)? u:object_r:aconfig_storage_metadata_file:s0
/metadata/aconfig/flags(/.*)? u:object_r:aconfig_storage_flags_metadata_file:s0
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
/data/app-asec(/.*)? u:object_r:asec_image_file:s0
#############################
# external storage
/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
/mnt/pass_through(/.*)? u:object_r:mnt_pass_through_file:s0
/mnt/sdcard u:object_r:mnt_sdcard_file:s0
/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
#############################
# mount point for read-write vendor partitions
/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
#############################
# /postinstall file contexts
/(system|product)/bin/check_dynamic_partitions u:object_r:postinstall_exec:s0
/(system|product)/bin/otapreopt_script u:object_r:postinstall_exec:s0
/(system|product)/bin/otapreopt u:object_r:postinstall_dexopt_exec:s0


@ -0,0 +1,16 @@
/data/asan/system/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/system/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/vendor/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/vendor/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/odm/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/(system_ext|system/system_ext)/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/(system_ext|system/system_ext)/lib64(/.*)? u:object_r:system_lib_file:s0
/system/asan.options u:object_r:system_asan_options_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
/system/bin/asan/app_process u:object_r:zygote_exec:s0
/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
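Review bot: The entry `/system/asan.options` leaves the dot unescaped, so as a file_contexts regular expression it matches any character in that position rather than only a literal dot. Other entries on this page escape it (`packages\.list`, `mac_permissions\.xml`). For an exact match and consistency, write `/system/asan\.options u:object_r:system_asan_options_file:s0`.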


@ -0,0 +1,9 @@
#############################
# Overlayfs support directories for userdebug/eng devices
#
/cache/overlay/(system|product)/upper u:object_r:system_file:s0
/cache/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
/cache/overlay/oem/upper u:object_r:vendor_file:s0
/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
/mnt/scratch/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
/mnt/scratch/overlay/oem/upper u:object_r:vendor_file:s0


@ -0,0 +1,3 @@
typeattribute fingerprintd coredomain;
init_daemon_domain(fingerprintd)


@ -0,0 +1,48 @@
typeattribute flags_health_check coredomain;
init_daemon_domain(flags_health_check)
set_prop(flags_health_check, device_config_boot_count_prop)
set_prop(flags_health_check, device_config_core_experiments_team_internal_prop)
set_prop(flags_health_check, device_config_edgetpu_native_prop)
set_prop(flags_health_check, device_config_reset_performed_prop)
set_prop(flags_health_check, device_config_runtime_native_boot_prop)
set_prop(flags_health_check, device_config_runtime_native_prop)
set_prop(flags_health_check, device_config_input_native_boot_prop)
set_prop(flags_health_check, device_config_lmkd_native_prop)
set_prop(flags_health_check, device_config_netd_native_prop)
set_prop(flags_health_check, device_config_nnapi_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
set_prop(flags_health_check, device_config_mglru_native_prop)
set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
set_prop(flags_health_check, device_config_statsd_native_prop)
set_prop(flags_health_check, device_config_statsd_native_boot_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_swcodec_native_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
set_prop(flags_health_check, device_config_configuration_prop)
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
set_prop(flags_health_check, device_config_aconfig_flags_prop)
set_prop(flags_health_check, device_config_vendor_system_native_prop)
set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
set_prop(flags_health_check, device_config_memory_safety_native_boot_prop)
set_prop(flags_health_check, device_config_memory_safety_native_prop)
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
set_prop(flags_health_check, device_config_camera_native_prop)
set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
set_prop(flags_health_check, next_boot_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
# wrong timing, trigger server configurable flag related disaster recovery, which will override
# server configured values of all flags with default values.
neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
# system property device_config_reset_performed_prop is used for indicating whether server
# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
# cause bad server configurable flags synced back to device.
neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
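Review bot: The comments above the two neverallow rules are hard to parse ("Mistakenly set up by unrelated components can, at a wrong timing, trigger ..."), yet they are the only explanation of why writes to these properties are restricted to init and flags_health_check. Suggested wording for the first: `# device_config_boot_count_prop decides when flag disaster recovery runs; a write from an unrelated component could trigger it at the wrong time and reset every server-configured flag to its default.` The second comment would benefit from the same rewrite. The long `set_prop` list above also has no header saying why this domain may write each `device_config_*` property, so a one-line comment there would help whoever adds the next namespace.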


@ -0,0 +1,27 @@
# Label inodes via getxattr.
fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
fs_use_xattr jffs2 u:object_r:labeledfs:s0;
fs_use_xattr ext2 u:object_r:labeledfs:s0;
fs_use_xattr ext3 u:object_r:labeledfs:s0;
fs_use_xattr ext4 u:object_r:labeledfs:s0;
fs_use_xattr xfs u:object_r:labeledfs:s0;
fs_use_xattr btrfs u:object_r:labeledfs:s0;
fs_use_xattr f2fs u:object_r:labeledfs:s0;
fs_use_xattr squashfs u:object_r:labeledfs:s0;
fs_use_xattr overlay u:object_r:labeledfs:s0;
fs_use_xattr erofs u:object_r:labeledfs:s0;
fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
fs_use_xattr virtiofs u:object_r:labeledfs:s0;
# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
fs_use_task sockfs u:object_r:sockfs:s0;
# Label inodes from combination of task label and fs label.
# Define type_transition rules if you want per-domain types.
fs_use_trans devpts u:object_r:devpts:s0;
fs_use_trans tmpfs u:object_r:tmpfs:s0;
fs_use_trans devtmpfs u:object_r:device:s0;
fs_use_trans shm u:object_r:shm:s0;
fs_use_trans mqueue u:object_r:mqueue:s0;


@ -0,0 +1,5 @@
typeattribute fsck coredomain;
init_daemon_domain(fsck)
allow fsck metadata_block_device:blk_file rw_file_perms;
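Review bot: The rule `allow fsck metadata_block_device:blk_file rw_file_perms;` grants raw read/write on a block device with no comment giving the reason. A line such as `# Allow fsck to check and repair the filesystem on the metadata partition.` above it would document the grant. That purpose is inferred from the type name only, so confirm it before adding the comment.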


@ -0,0 +1 @@
typeattribute fsck_untrusted coredomain;


@ -0,0 +1,16 @@
type fsverity_init, domain, coredomain;
type fsverity_init_exec, exec_type, file_type, system_file_type;
init_daemon_domain(fsverity_init)
# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file r_file_perms;
# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
dontaudit fsverity_init domain:key view;
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
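Review bot: `allow fsverity_init kernel:key { view search write setattr };` and the `fsverity_init:key` rule after it sit directly under the dontaudit comment and have no explanation of their own. `write` and `setattr` on kernel-owned keys are the most sensitive grants in this file, so they deserve one. A comment such as `# Add the signing certificate to a kernel-owned keyring (write) and change that keyring's attributes (setattr).` would separate them from the dontaudit line. Which keyring is meant is not visible here, so name it in the comment if known.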


@ -0,0 +1,31 @@
# Compartmentalized domain specifically for mounting fuseblk filesystems.
# We need this to not grant fuseblkd_untrusted sys_admin permissions.
type fuseblkd_exec, system_file_type, exec_type, file_type;
type fuseblkd, domain;
typeattribute fuseblkd coredomain;
# Required for mount and unmounting. We can't minimize this permission,
# even though we only allow mount/unmount.
allow fuseblkd self:global_capability_class_set sys_admin;
# Permissions for the fuseblk filesystem.
allow fuseblkd fuse_device:chr_file rw_file_perms;
allow fuseblkd fuseblk:filesystem { mount unmount };
allow fuseblkd fuseblkd_untrusted:fd use;
# Look through block devices to find the correct one.
allow fuseblkd block_device:dir search;
# Permissions to mount on the media_rw directory for USB drives.
allow fuseblkd mnt_media_rw_file:dir search;
allow fuseblkd mnt_media_rw_stub_file:dir mounton;
###
### neverallow rules
###
# Only allow entry from fuseblkd_untrusted, and only through fuseblkd_exec binary.
neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
neverallow * fuseblkd:process dyntransition;
neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;
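Review bot: `allow fuseblkd self:global_capability_class_set sys_admin;` grants sys_admin for every class in that set, which in AOSP's global macros covers `cap_userns` as well as `capability`. If mount and unmount only ever happen in the initial user namespace, `allow fuseblkd self:capability sys_admin;` is the narrower grant. Whether the user-namespace variant is needed cannot be told from this file. Because the domain is entered only from fuseblkd_untrusted, keeping its capability grant as small as possible is worth the extra line of justification.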


@ -0,0 +1,82 @@
# Fuseblk is a Filesystem in USErspace for block device. It should only be used
# to mount untrusted blocks like USB drives.
type fuseblkd_untrusted_exec, system_file_type, exec_type, file_type;
type fuseblkd_untrusted, domain;
typeattribute fuseblkd_untrusted coredomain;
domain_auto_trans(fuseblkd_untrusted, fuseblkd_exec, fuseblkd);
# Allow stdin/out back to vold.
allow fuseblkd_untrusted vold:fd use;
# Allows fuseblk to read block devices.
allow fuseblkd_untrusted block_device:dir search;
# Permissions to read dynamic partitions blocks.
allow fuseblkd_untrusted super_block_device:blk_file getattr;
# Permissions to access FUSE character devices.
allow fuseblkd_untrusted fuse_device:chr_file { getattr open read write };
# Permissions to access /mnt/media_rw/.
allow fuseblkd_untrusted mnt_media_rw_file:dir { getattr search };
allow fuseblkd_untrusted mnt_media_rw_stub_file:dir getattr;
# Permissions to read device mappers.
allow fuseblkd_untrusted sysfs_dm:dir search;
allow fuseblkd_untrusted sysfs_dm:file { getattr open read };
allow fuseblkd_untrusted dm_device:blk_file getattr;
# Permissions to read links in tmpfs.
allow fuseblkd_untrusted tmpfs:lnk_file read;
# Permissions to read loop device blocks.
allow fuseblkd_untrusted loop_device:blk_file getattr;
# Permissions to access the /proc/filesystems file.
allow fuseblkd_untrusted proc_filesystems:file { open read getattr };
###
### dontaudit rules
###
# ntfs-3g wants this permission to read a fork return code, for some reason.
# It's unclear why, because it still reads the fork return code correctly,
# and nothing breaks. If enforce is set to permissive, the audit goes away.
dontaudit fuseblkd_untrusted self:capability sys_admin;
###
### neverallow rules
###
# Fuseblk should never be run on block devices holding sensitive data.
neverallow fuseblkd_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file no_rw_file_perms;
# Only allow entry from vold, and only through fuseblkd_untrusted_exec binaries.
neverallow { domain -vold } fuseblkd_untrusted:process transition;
neverallow * fuseblkd_untrusted:process dyntransition;
neverallow fuseblkd_untrusted { file_type fs_type -fuseblkd_untrusted_exec }:file entrypoint;
# Under no circumstances should fuseblkd_untrusted or any other fuseblk filesystem be
# given sys_admin access. They are fundementally untrusted, insecure filesystems.
# The correct solution here is to compartmentalize permissions correctly so that
# a smaller binary can get the required permissions. See fuseblkd.te.
# Similar to above, we don't need setgid or setuid permissions.
neverallow fuseblkd_untrusted self:capability { setgid setuid sys_admin };
neverallow fuseblkd_untrusted self:global_capability_class_set { setgid setuid sys_admin };
# Since we can't have sys_admin permissions, we definitely can't have mount/unmount
# permissions, since we won't be able to use them. Same with relabel permissions.
neverallow fuseblkd_untrusted fuseblk:filesystem { mount unmount relabelto relabelfrom};
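Review bot: The "sensitive data" neverallow on `blk_file` is a hand-maintained list, and `super_block_device`, which this file grants `getattr` on, is not in it. A later rule giving read or write on that type would therefore not be caught at build time; if the omission is not deliberate, add `super_block_device` to the set. Separately, `neverallow fuseblkd_untrusted self:capability { setgid setuid sys_admin };` is already covered by the `global_capability_class_set` rule on the next line. The comment above those two rules also misspells "fundamentally".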


@ -0,0 +1,7 @@
type fwk_bufferhub, domain, coredomain;
type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
allow fwk_bufferhub ion_device:chr_file r_file_perms;
init_daemon_domain(fwk_bufferhub)


@ -0,0 +1,6 @@
typeattribute gatekeeperd coredomain;
init_daemon_domain(gatekeeperd)
# For checking whether GSI is running
get_prop(gatekeeperd, gsid_prop)


@ -0,0 +1,422 @@
# Label inodes with the fs label.
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /asound u:object_r:proc_asound:s0
genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /mounts u:object_r:proc_mounts:s0
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
genfscon proc /softirqs u:object_r:proc_timer:s0
genfscon proc /stat u:object_r:proc_stat:s0
genfscon proc /swaps u:object_r:proc_swaps:s0
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0
genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0
genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/random u:object_r:proc_random:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
genfscon proc /sys/vm/percpu_pagelist_high_fraction u:object_r:proc_percpu_pagelist_high_fraction:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
genfscon fusectl / u:object_r:fusectlfs:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
genfscon cgroup2 / u:object_r:cgroup_v2:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
genfscon sysfs /class/gpu u:object_r:sysfs_gpu:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /fs/fuse/bpf_prog_type_fuse u:object_r:sysfs_fs_fuse_bpf:s0
genfscon sysfs /fs/fuse/features u:object_r:sysfs_fs_fuse_features:s0
genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
genfscon sysfs /power/sync_on_suspend u:object_r:sysfs_sync_on_suspend:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
genfscon sysfs /devices/uprobe u:object_r:sysfs_uprobe:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
genfscon tracefs /trace u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/hyp u:object_r:debugfs_tracing:s0
genfscon tracefs /hyp u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /synthetic_events u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/synthetic_events u:object_r:debugfs_tracing:s0
genfscon tracefs /events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
genfscon tracefs /events/synthetic/suspend_resume_minimal u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/synthetic/suspend_resume_minimal u:object_r:debugfs_tracing:s0
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_command/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_command/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
genfscon securityfs / u:object_r:securityfs:s0
genfscon binder /binder u:object_r:binder_device:s0
genfscon binder /hwbinder u:object_r:hwbinder_device:s0
genfscon binder /vndbinder u:object_r:vndbinder_device:s0
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
genfscon binder /features u:object_r:binderfs_features:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
genfscon fuseblk / u:object_r:fuseblk:s0
genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0
genfscon esdfs / u:object_r:sdcardfs:s0
genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
genfscon bpf /loader u:object_r:fs_bpf_loader:s0
genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
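Review bot: The debugfs copy of the cpuhp tracing labels lacks `cpuhp_pause`. The tracefs block labels `/events/cpuhp/cpuhp_enter/`, `cpuhp_exit/` and `cpuhp_pause/` as debugfs_tracing, but the debugfs block lists only `cpuhp_enter/` and `cpuhp_exit/`. The two lists otherwise appear to mirror each other entry for entry. Where tracing is reached through the debugfs mount, that event would presumably fall back to the `/tracing` prefix label debugfs_tracing_debug, so the result is a stricter label than the tracefs one rather than a looser one. If the omission is not deliberate, add `genfscon debugfs /tracing/events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0` beside the other cpuhp entries, and a short comment above the paired blocks saying they must be kept in sync.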


@ -0,0 +1,23 @@
# GKI pre- & post-install hooks.
#
# Allow to run pre- and post-install hooks for GKI APEXes
type gki_apex_prepostinstall, domain, coredomain;
type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
# Execute /system/bin/sh.
allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
# Execute various toolsbox utilities.
allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
# Allow preinstall.sh to execute update_engine_stable_client binary.
allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
# Allow preinstall hook to communicate with update_engine to execute update.
binder_use(gki_apex_prepostinstall)
allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
binder_call(gki_apex_prepostinstall, update_engine)
# /dev/zero is inherited although it is not used. See b/126787589.
allow gki_apex_prepostinstall apexd:fd use;
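Review bot: Nothing in this file restricts how a process may enter gki_apex_prepostinstall, although the domain can run the shell and toolbox in-domain and call update_engine over binder. fuseblkd_untrusted.te earlier in this commit shows the pattern, with `neverallow { domain -vold } fuseblkd_untrusted:process transition;` plus a dyntransition rule and an entrypoint rule. If apexd is the only intended launcher (the `apexd:fd use` rule suggests so, but the transition rule itself is not visible here), `neverallow { domain -apexd } gki_apex_prepostinstall:process transition;` and `neverallow * gki_apex_prepostinstall:process dyntransition;` would turn that into a build-time guarantee. Separately, the comment `# Execute various toolsbox utilities.` should read "toolbox".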


@ -0,0 +1,179 @@
###
### A domain for further sandboxing the PrebuiltGMSCore app.
###
typeattribute gmscore_app coredomain;
app_domain(gmscore_app)
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/block/zram*/mm_stat
r_dir_file(gmscore_app, sysfs_zram)
r_dir_file(gmscore_app, rootfs)
# Allow GMS core to open kernel config for OTA matching through libvintf
allow gmscore_app config_gz:file { open read getattr };
# Allow GMS core to communicate with update_engine for A/B update.
binder_call(gmscore_app, update_engine)
allow gmscore_app update_engine_service:service_manager find;
# Allow GMS core to communicate with dumpsys storaged.
binder_call(gmscore_app, storaged)
allow gmscore_app storaged_service:service_manager find;
# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow gmscore_app system_update_service:service_manager find;
# Allow GMS core to communicate with statsd.
binder_call(gmscore_app, statsd)
# Allow GMS core to receive Perfetto traces through the framework
# (i.e. TracingServiceProxy) and sendfile them into its private directory
# for reporting when network and battery conditions are appropriate.
allow gmscore_app perfetto:fd use;
allow gmscore_app perfetto_traces_data_file:file { read getattr };
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow gmscore_app selinuxfs:file r_file_perms;
# suppress denials for non-API accesses.
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
dontaudit gmscore_app proc_modules:file r_file_perms;
dontaudit gmscore_app proc_net:file r_file_perms;
dontaudit gmscore_app proc_stat:file r_file_perms;
dontaudit gmscore_app proc_version:file r_file_perms;
dontaudit gmscore_app sysfs:dir r_dir_perms;
dontaudit gmscore_app sysfs:file r_file_perms;
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
dontaudit gmscore_app sysfs_dm:file r_file_perms;
dontaudit gmscore_app sysfs_loop:file r_file_perms;
dontaudit gmscore_app sysfs_net:file r_file_perms;
dontaudit gmscore_app sysfs_net:dir r_dir_perms;
dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;
# Access the network
net_domain(gmscore_app)
# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
allow gmscore_app self:process ptrace;
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
# 1) com.android.opengl.shaders_cache
# 2) com.android.skia.shaders_cache
# 3) com.android.renderscript.cache
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;
# Chrome Crashpad uses the the dynamic linker to load native executables
# from an APK (b/112050209, crbug.com/928422)
allow gmscore_app system_linker_exec:file execute_no_trans;
allow gmscore_app privapp_data_file:lnk_file create_file_perms;
# /proc access
allow gmscore_app proc_vmstat:file r_file_perms;
# Allow interaction with gpuservice
binder_call(gmscore_app, gpuservice)
allow gmscore_app gpu_service:service_manager find;
# find services that expose both @SystemAPI and normal APIs.
allow gmscore_app app_api_service:service_manager find;
allow gmscore_app system_api_service:service_manager find;
allow gmscore_app audioserver_service:service_manager find;
allow gmscore_app cameraserver_service:service_manager find;
allow gmscore_app drmserver_service:service_manager find;
allow gmscore_app mediadrmserver_service:service_manager find;
allow gmscore_app mediaextractor_service:service_manager find;
allow gmscore_app mediametrics_service:service_manager find;
allow gmscore_app mediaserver_service:service_manager find;
allow gmscore_app network_watchlist_service:service_manager find;
allow gmscore_app nfc_service:service_manager find;
allow gmscore_app oem_lock_service:service_manager find;
allow gmscore_app persistent_data_block_service:service_manager find;
allow gmscore_app radio_service:service_manager find;
allow gmscore_app recovery_service:service_manager find;
allow gmscore_app stats_service:service_manager find;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file r_file_perms;
allow gmscore_app shell_data_file:dir r_dir_perms;
# Write to /cache.
allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow gmscore_app cache_file:lnk_file r_file_perms;
# Write to /data/ota_package for OTA packages.
allow gmscore_app ota_package_file:dir create_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;
# Write the checkin metadata to /data/misc_ce/<userid>/checkin
allow gmscore_app checkin_data_file:dir rw_dir_perms;
allow gmscore_app checkin_data_file:file create_file_perms;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file r_file_perms;
allow gmscore_app shell_data_file:dir r_dir_perms;
# b/18504118: Allow reads from /data/anr/traces.txt
allow gmscore_app anr_data_file:file r_file_perms;
# b/148974132: com.android.vending needs this
allow gmscore_app priv_app:tcp_socket { read write };
# b/168059475 Allow GMSCore to read Virtual AB properties to determine
# if device supports VAB.
get_prop(gmscore_app, virtual_ab_prop)
# b/186488185: Allow GMSCore to read dck properties
get_prop(gmscore_app, dck_prop)
# Allow GMSCore to read RKP properties for the purpose of GTS testing.
get_prop(gmscore_app, remote_prov_prop)
# Allow GmsCore to read Quick Start properties and prevent access from other
# policies.
get_prop(gmscore_app, quick_start_prop)
neverallow { domain -init -dumpstate -vendor_init -gmscore_app } quick_start_prop:file no_rw_file_perms;
# Do not allow getting permission-protected network information from sysfs.
neverallow gmscore_app sysfs_net:file *;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm gmscore_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow gmscore_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow gmscore_app *:{
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket sctp_socket
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
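Review bot: `dontaudit gmscore_app kernel:security *;` silences every denial on the `security` class, so a denied `setenforce` or `load_policy` attempt from this domain would leave no AVC record for detection or incident review. If the accesses being suppressed are known, name them instead of `*`, for example `dontaudit gmscore_app kernel:security { compute_av check_context };` (the permission set is illustrative and must be confirmed against the denials actually observed). Separately, the two `shell_data_file` rules and their "Verify Apps" comment appear twice in this file with identical text, and one copy can be dropped. As this looks like a frozen API snapshot, both changes would presumably have to land in the live policy rather than here.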


@ -0,0 +1,72 @@
# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
typeattribute gpuservice bpfdomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
binder_call(gpuservice, system_server)
binder_use(gpuservice)
# Access the GPU.
allow gpuservice gpu_device:chr_file rw_file_perms;
# GPU service will need to load GPU driver, for example Vulkan driver in order
# to get the capability of the driver.
allow gpuservice same_process_hal_file:file { open read getattr execute map };
allow gpuservice ion_device:chr_file r_file_perms;
get_prop(gpuservice, hwservicemanager_prop)
hwbinder_use(gpuservice)
# Access /dev/graphics/fb0.
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file rw_file_perms;
# Allow shell access
allow gpuservice adbd:fd use;
allow gpuservice adbd:unix_stream_socket { getattr read write };
allow gpuservice shell:fifo_file { getattr read write };
# Needed for perfetto producer.
perfetto_producer(gpuservice)
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
# Needed for dumpstate to dumpsys gpu.
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;
# Needed for stats callback registration to statsd.
allow gpuservice stats_service:service_manager find;
allow gpuservice statsmanager_service:service_manager find;
# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
binder_call(gpuservice, statsd);
# Needed for reading tracepoint ids in order to attach bpf programs.
allow gpuservice debugfs_tracing:file r_file_perms;
allow gpuservice self:perf_event { cpu kernel open write };
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed for interact with bpf fs.
# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:file { read write };
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
allow gpuservice bpfloader:bpf { map_read map_write prog_run };
add_service(gpuservice, gpu_service)
# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
set_prop(gpuservice, graphics_config_writable_prop)
neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;
# Needed for querying permission
allow gpuservice permission_service:service_manager find;
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')
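Review bot: `allow gpuservice fs_bpf:file { read write };` is keyed on the catch-all `fs_bpf` label, which per the `genfscon bpf /` entry earlier on this page applies to everything in bpffs outside the specifically labelled subdirectories. Together with `bpfloader:bpf { map_read map_write prog_run }`, the grant is therefore not limited to the GPU maps, as far as the visible rules show. If a dedicated label is not practical, the comment should at least state the scope, e.g. `# fs_bpf is the default bpffs label: this reaches all pinned objects not under a labelled subdirectory.` As a style point, `binder_call(gpuservice, statsd);` is the only macro call in this file written with a trailing semicolon.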


@ -0,0 +1,207 @@
# gsid - Manager for GSI Installation
type gsid, domain;
type gsid_exec, exec_type, file_type, system_file_type;
typeattribute gsid coredomain;
init_daemon_domain(gsid)
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
# Manage DSU metadata encryption key through vold.
allow gsid vold_service:service_manager find;
binder_call(gsid, vold)
set_prop(gsid, gsid_prop)
# Needed to create/delete device-mapper nodes, and read/write to them.
allow gsid dm_device:chr_file rw_file_perms;
allow gsid dm_device:blk_file rw_file_perms;
allow gsid self:global_capability_class_set sys_admin;
dontaudit gsid self:global_capability_class_set dac_override;
# On FBE devices (not using dm-default-key), gsid will use loop devices to map
# images rather than device-mapper.
allow gsid loop_control_device:chr_file rw_file_perms;
allow gsid loop_device:blk_file rw_file_perms;
allowxperm gsid loop_device:blk_file ioctl {
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
};
# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
r_dir_file(gsid, sysfs_dm)
# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
# whether pin_file support is enabled.
r_dir_file(gsid, sysfs_fs_f2fs)
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
read_fstab(gsid)
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;
# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;
# Allow querying the size of super_block_device_type.
allow gsid super_block_device_type:blk_file r_file_perms;
# liblp queries these block alignment properties.
allowxperm gsid {
userdata_block_device
sdcard_block_device
super_block_device_type
}:blk_file ioctl {
BLKIOMIN
BLKALIGNOFF
};
# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;
allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
allow gsid vfat:dir create_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
allow gsid self:global_capability_class_set sys_rawio;
# Allow rules for gsi_tool.
userdebug_or_eng(`
# gsi_tool passes the system image over the adb connection, via stdin.
allow gsid adbd:fd use;
# Needed when running gsi_tool through "su root" rather than adb root.
allow gsid adbd:unix_stream_socket rw_socket_perms;
# gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
allow gsid { shell su }:fifo_file r_file_perms;
# Allow installing images from /storage/emulated/...
allow gsid { sdcard_type fuse }:file r_file_perms;
')
neverallow {
domain
-gsid
-init
-update_engine_common
-recovery
-fastbootd
} gsid_prop:property_service set;
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
# first-stage init. So instead of directly writing to /data, we:
#
# 1. fallocate a file large enough to hold the signed GSI
# 2. extract its block layout with FIEMAP
# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
# 4. write system_gsi into that dm device
#
# To make this process work, we need to unwrap the device-mapper stacking for
# userdata to reach the underlying block device. To verify the result we use
# stat(), which requires read access.
allow gsid userdata_block_device:blk_file r_file_perms;
# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
# init. It cannot use userdata since data cannot be decrypted during this
# stage.
#
# gsid uses /metadata/gsi to store three files:
# install_status - A short string indicating whether a GSI image is bootable.
# lp_metadata - LpMetadata blob describing the block ranges on userdata
# where system_gsi resides.
# booted - An empty file that, if exists, indicates that a GSI is
# currently running.
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
gsi_metadata_file_type
}:dir create_dir_perms;
allow gsid {
ota_metadata_file
}:dir rw_dir_perms;
allow gsid {
gsi_metadata_file_type
ota_metadata_file
}:file create_file_perms;
# Allow restorecon to fix context of gsi_public_metadata_file.
allow gsid file_contexts_file:file r_file_perms;
allow gsid gsi_metadata_file:file relabelfrom;
allow gsid gsi_public_metadata_file:file relabelto;
allow gsid {
gsi_data_file
ota_image_data_file
}:dir create_dir_perms;
allow gsid {
gsi_data_file
ota_image_data_file
}:file create_file_perms;
allowxperm gsid {
gsi_data_file
ota_image_data_file
}:file ioctl {
FS_IOC_FIEMAP
FS_IOC_GETFLAGS
};
allow gsid system_server:binder call;
# Prevent most processes from writing to gsi_metadata_file_type, but allow
# adding rules for path resolution of gsi_public_metadata_file and reading
# gsi_public_metadata_file.
neverallow {
domain
-init
-gsid
-fastbootd
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
domain
-init
-gsid
-fastbootd
} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
neverallow {
domain
-init
-gsid
-fastbootd
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
# Prevent apps from accessing gsi_metadata_file_type.
neverallow {
appdomain
-shell
} gsi_metadata_file_type:dir_file_class_set *;
neverallow {
domain
-init
-gsid
} gsi_data_file:dir_file_class_set *;
neverallow {
domain
-gsid
} gsi_data_file:file_class_set ~{ relabelto getattr };
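Review bot: The last two `neverallow` rules on `gsi_data_file` carry no comment, and their combined effect is not obvious. The first already denies everything to all domains except `init` and `gsid`, so the second in practice only limits `init` to `relabelto` and `getattr` on file classes. A comment such as `# Only gsid may use gsi_data_file; init is limited to relabelto/getattr (presumably for restorecon - confirm).` would save the next reader that derivation. `dontaudit gsid self:global_capability_class_set dac_override;` and `allow gsid system_server:binder call;` likewise have no stated reason.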


@ -0,0 +1,8 @@
type hal_allocator_default, domain, coredomain;
hal_server_domain(hal_allocator_default, hal_allocator)
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_allocator_default)
# to force stop the service when it's not supported
set_prop(hal_allocator_default, hidl_memory_prop)


@ -0,0 +1,3 @@
userdebug_or_eng(`
hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
')


@ -0,0 +1,13 @@
###
### Rules for all domains which are clients of a HAL
###
# Find out whether a HAL in passthrough/in-process mode or
# binderized/out-of-process mode
hwbinder_use(halclientdomain)
# Used to wait for hwservicemanager
get_prop(halclientdomain, hwservicemanager_prop)
# Wait for HAL server to be up (used by getService)
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
