get_prop(coredomain, boot_status_prop) get_prop(coredomain, camera_config_prop) get_prop(coredomain, dalvik_config_prop) get_prop(coredomain, dalvik_runtime_prop) get_prop(coredomain, exported_pm_prop) get_prop(coredomain, ffs_config_prop) get_prop(coredomain, graphics_config_prop) get_prop(coredomain, hdmi_config_prop) get_prop(coredomain, init_service_status_private_prop) get_prop(coredomain, lmkd_config_prop) get_prop(coredomain, localization_prop) get_prop(coredomain, pm_prop) get_prop(coredomain, radio_control_prop) get_prop(coredomain, rollback_test_prop) get_prop(coredomain, setupwizard_prop) get_prop(coredomain, sqlite_log_prop) get_prop(coredomain, storagemanager_config_prop) get_prop(coredomain, surfaceflinger_color_prop) get_prop(coredomain, systemsound_config_prop) get_prop(coredomain, telephony_config_prop) get_prop(coredomain, usb_config_prop) get_prop(coredomain, usb_control_prop) get_prop(coredomain, userspace_reboot_config_prop) get_prop(coredomain, vold_config_prop) get_prop(coredomain, vts_status_prop) get_prop(coredomain, zygote_config_prop) get_prop(coredomain, zygote_wrap_prop) # TODO(b/170590987): remove this after cleaning up default_prop get_prop(coredomain, default_prop) full_treble_only(` neverallow { coredomain # for chowning -init # generic access to sysfs_type -ueventd -vold } sysfs_leds:file *; ') # On TREBLE devices, a limited set of files in /vendor are accessible to # only a few allowlisted coredomains to keep system/vendor separation. full_treble_only(` # Limit access to /vendor/app neverallow { coredomain -appdomain -dex2oat -dexoptanalyzer -idmap -init -installd -heapprofd -postinstall_dexopt -rs # spawned by appdomain, so carryover the exception above -system_server -traced_perf } vendor_app_file:dir { open read getattr search }; ') full_treble_only(` neverallow { coredomain -appdomain -dex2oat -dexoptanalyzer -idmap -init -installd -heapprofd userdebug_or_eng(`-profcollectd') -postinstall_dexopt -rs # spawned by appdomain, so carryover the exception above -system_server -traced_perf -mediaserver } vendor_app_file:file r_file_perms; ') full_treble_only(` # Limit access to /vendor/overlay neverallow { coredomain -appdomain -idmap -init -installd -iorap_inode2filename -iorap_prefetcherd -postinstall_dexopt -rs # spawned by appdomain, so carryover the exception above -system_server -traced_perf -app_zygote -webview_zygote -zygote -heapprofd } vendor_overlay_file:dir { getattr open read search }; ') full_treble_only(` neverallow { coredomain -appdomain -idmap -init -installd -iorap_inode2filename -iorap_prefetcherd -postinstall_dexopt -rs # spawned by appdomain, so carryover the exception above -system_server -traced_perf -app_zygote -webview_zygote -zygote -heapprofd userdebug_or_eng(`-profcollectd') } vendor_overlay_file:file open; ') # Core domains are not permitted to use kernel interfaces which are not # explicitly labeled. # TODO(b/65643247): Apply these neverallow rules to all coredomain. full_treble_only(` # /proc neverallow { coredomain -init -vold } proc:file no_rw_file_perms; # /sys neverallow { coredomain -init -ueventd -vold } sysfs:file no_rw_file_perms; # /dev neverallow { coredomain -fsck -init -ueventd } device:{ blk_file file } no_rw_file_perms; # debugfs neverallow { coredomain no_debugfs_restriction(` -dumpstate -init -system_server ') } debugfs:file no_rw_file_perms; # tracefs neverallow { coredomain -atrace -dumpstate -gpuservice -init -traced_perf -traced_probes -shell -system_server -traceur_app userdebug_or_eng(`-profcollectd') } debugfs_tracing:file no_rw_file_perms; # inotifyfs neverallow { coredomain -init } inotify:file no_rw_file_perms; # pstorefs neverallow { coredomain -bootstat -charger -dumpstate -healthd userdebug_or_eng(`-incidentd') -init -logd -logpersist -recovery_persist -recovery_refresh -shell -system_server } pstorefs:file no_rw_file_perms; # configfs neverallow { coredomain -init -system_server } configfs:file no_rw_file_perms; # functionfs neverallow { coredomain -adbd -init -mediaprovider -system_server } functionfs:file no_rw_file_perms; # usbfs and binfmt_miscfs neverallow { coredomain -init }{ usbfs binfmt_miscfs }:file no_rw_file_perms; # dmabuf heaps neverallow { coredomain -init -ueventd }{ dmabuf_heap_device_type -dmabuf_system_heap_device -dmabuf_system_secure_heap_device }:chr_file no_rw_file_perms; ') # Following /dev nodes must not be directly accessed by coredomain, but should # instead be wrapped by HALs. neverallow coredomain { iio_device radio_device }:chr_file { open read append write ioctl }; # TODO(b/120243891): HAL permission to tee_device is included into coredomain # on non-Treble devices. full_treble_only(` neverallow coredomain tee_device:chr_file { open read append write ioctl }; ')