# Transition to crash_dump when /system/bin/crash_dump* is executed. # This occurs when the process crashes. domain_auto_trans(domain, crash_dump_exec, crash_dump); allow domain crash_dump:process sigchld; # Limit ability to ptrace or read sensitive /proc/pid files of processes # with other UIDs to these whitelisted domains. neverallow { domain -vold -dumpstate userdebug_or_eng(`-incidentd') -storaged -system_server userdebug_or_eng(`-perfprofd') } self:global_capability_class_set sys_ptrace; # Limit ability to generate hardware unique device ID attestations to priv_apps neverallow { domain -priv_app } *:keystore_key gen_unique_id; neverallow { domain -init -vendor_init userdebug_or_eng(`-domain') } debugfs_tracing_debug:file no_rw_file_perms; # Core domains are not permitted to use kernel interfaces which are not # explicitly labeled. # TODO(b/65643247): Apply these neverallow rules to all coredomain. full_treble_only(` # /proc neverallow { coredomain -vold } proc:file no_rw_file_perms; # /sys neverallow { coredomain -init -ueventd -vold } sysfs:file no_rw_file_perms; # /dev neverallow { coredomain -fsck -init -ueventd } device:{ blk_file file } no_rw_file_perms; # debugfs neverallow { coredomain -dumpstate -init -system_server } debugfs:file no_rw_file_perms; # tracefs neverallow { coredomain -atrace -dumpstate -init userdebug_or_eng(`-perfprofd') -traced_probes -shell -traceur_app } debugfs_tracing:file no_rw_file_perms; # inotifyfs neverallow { coredomain -init } inotify:file no_rw_file_perms; # pstorefs neverallow { coredomain -bootstat -charger -dumpstate -healthd userdebug_or_eng(`-incidentd') -init -logd -logpersist -recovery_persist -recovery_refresh -shell -system_server } pstorefs:file no_rw_file_perms; # configfs neverallow { coredomain -init -system_server } configfs:file no_rw_file_perms; # functionfs neverallow { coredomain -adbd -init -mediaprovider -system_server } functionfs:file no_rw_file_perms; # usbfs and binfmt_miscfs neverallow { coredomain -init }{ usbfs binfmt_miscfs }:file no_rw_file_perms; ') # System_server owns dropbox data, and init creates/restorecons the directory # Disallow direct access by other processes. neverallow { domain -init -system_server } dropbox_data_file:dir *; neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read }; ### # Services should respect app sandboxes neverallow { domain -appdomain -installd # creation of sandbox } { privapp_data_file app_data_file }:dir_file_class_set { create unlink }; # Only the following processes should be directly accessing private app # directories. neverallow { domain -adbd -appdomain -dexoptanalyzer -init -installd -mediaserver # b/80300620 userdebug_or_eng(`-perfprofd') -profman -runas -system_server -vold } { privapp_data_file app_data_file }:dir *; # Only apps should be modifying app data. init and installd are exempted for # restorecon and package install/uninstall. neverallow { domain -appdomain -init -installd } { privapp_data_file app_data_file }:dir ~r_dir_perms; neverallow { domain -appdomain -installd -mediaserver # b/80300620 userdebug_or_eng(`-perfprofd') -vold # b/80418809 } { privapp_data_file app_data_file }:file_class_set open; neverallow { domain -appdomain -installd # creation of sandbox } { privapp_data_file app_data_file }:dir_file_class_set { create unlink }; neverallow { domain -init -installd } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };