# Transition to crash_dump when /system/bin/crash_dump* is executed. # This occurs when the process crashes. # We do not apply this to the su domain to avoid interfering with # tests (b/114136122) domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump); allow domain crash_dump:process sigchld; # Allow every process to check the heapprofd.enable properties to determine # whether to load the heap profiling library. This does not necessarily enable # heap profiling, as initialization will fail if it does not have the # necessary SELinux permissions. get_prop(domain, heapprofd_prop); # Allow heap profiling on debug builds. userdebug_or_eng(`can_profile_heap({ domain -bpfloader -init -kernel -keystore -llkd -logd -logpersist -recovery -recovery_persist -recovery_refresh -ueventd -vendor_init -vold })') # As above, allow perf profiling most processes on debug builds. # zygote is excluded as system-wide profiling could end up with it # (unexpectedly) holding an open fd across a fork. userdebug_or_eng(`can_profile_perf({ domain -bpfloader -init -kernel -keystore -llkd -logd -logpersist -recovery -recovery_persist -recovery_refresh -ueventd -vendor_init -vold -zygote })') # Path resolution access in cgroups. allow domain cgroup:dir search; allow { domain -appdomain -rs } cgroup:dir w_dir_perms; allow { domain -appdomain -rs } cgroup:file w_file_perms; allow domain cgroup_v2:dir search; allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms; allow { domain -appdomain -rs } cgroup_v2:file w_file_perms; allow domain cgroup_rc_file:dir search; allow domain cgroup_rc_file:file r_file_perms; allow domain task_profiles_file:file r_file_perms; allow domain task_profiles_api_file:file r_file_perms; allow domain vendor_task_profiles_file:file r_file_perms; # Allow all domains to read sys.use_memfd to determine # if memfd support can be used if device supports it get_prop(domain, use_memfd_prop); # Read access to sdkextensions props get_prop(domain, module_sdkextensions_prop) # Read access to bq configuration values get_prop(domain, bq_config_prop); # For now, everyone can access core property files # Device specific properties are not granted by default not_compatible_property(` # DO NOT ADD ANY PROPERTIES HERE get_prop(domain, core_property_type) get_prop(domain, exported3_system_prop) get_prop(domain, vendor_default_prop) ') compatible_property_only(` # DO NOT ADD ANY PROPERTIES HERE get_prop({coredomain appdomain shell}, core_property_type) get_prop({coredomain appdomain shell}, exported3_system_prop) get_prop({coredomain appdomain shell}, exported_camera_prop) get_prop({coredomain shell}, userspace_reboot_exported_prop) get_prop({coredomain shell}, userspace_reboot_log_prop) get_prop({coredomain shell}, userspace_reboot_test_prop) get_prop({domain -coredomain -appdomain}, vendor_default_prop) ') # Allow access to fsverity keyring. allow domain kernel:key search; # Allow access to keys in the fsverity keyring that were installed at boot. allow domain fsverity_init:key search; # For testing purposes, allow access to keys installed with su. userdebug_or_eng(` allow domain su:key search; ') # Allow access to linkerconfig file allow domain linkerconfig_file:dir search; allow domain linkerconfig_file:file r_file_perms; # Allow all processes to check for the existence of the boringssl_self_test_marker files. allow domain boringssl_self_test_marker:dir search; # Limit ability to ptrace or read sensitive /proc/pid files of processes # with other UIDs to these allowlisted domains. neverallow { domain -vold userdebug_or_eng(`-llkd') -dumpstate userdebug_or_eng(`-incidentd') userdebug_or_eng(`-profcollectd') -storaged -system_server } self:global_capability_class_set sys_ptrace; # Limit ability to generate hardware unique device ID attestations to priv_apps neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id; neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id; neverallow { domain -system_server } *:keystore2_key use_dev_id; neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock }; neverallow { domain -init -vendor_init userdebug_or_eng(`-domain') } debugfs_tracing_debug:file no_rw_file_perms; # System_server owns dropbox data, and init creates/restorecons the directory # Disallow direct access by other processes. neverallow { domain -init -system_server } dropbox_data_file:dir *; neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read }; ### # Services should respect app sandboxes neverallow { domain -appdomain -installd # creation of sandbox } { privapp_data_file app_data_file }:dir_file_class_set { create unlink }; # Only the following processes should be directly accessing private app # directories. neverallow { domain -adbd -appdomain -app_zygote -dexoptanalyzer -installd -iorap_inode2filename -iorap_prefetcherd -profman -rs # spawned by appdomain, so carryover the exception above -runas -system_server -viewcompiler -zygote } { privapp_data_file app_data_file }:dir *; # Only apps should be modifying app data. installd is exempted for # restorecon and package install/uninstall. neverallow { domain -appdomain -installd -rs # spawned by appdomain, so carryover the exception above } { privapp_data_file app_data_file }:dir ~r_dir_perms; neverallow { domain -appdomain -app_zygote -installd -iorap_prefetcherd -rs # spawned by appdomain, so carryover the exception above } { privapp_data_file app_data_file }:file_class_set open; neverallow { domain -appdomain -installd # creation of sandbox } { privapp_data_file app_data_file }:dir_file_class_set { create unlink }; neverallow { domain -installd } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto }; # The staging directory contains APEX and APK files. It is important to ensure # that these files cannot be accessed by other domains to ensure that the files # do not change between system_server staging the files and apexd processing # the files. neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *; neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *; neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms; # apexd needs the link and unlink permissions, so list every `no_w_file_perms` # except for `link` and `unlink`. neverallow { domain -init -system_server } staging_data_file:file { append create relabelfrom rename setattr write no_x_file_perms }; neverallow { domain -appdomain # for oemfs -bootanim # for oemfs -recovery # for /tmp/update_binary in tmpfs } { fs_type -rootfs }:file execute; # # Assert that, to the extent possible, we're not loading executable content from # outside the rootfs or /system partition except for a few allowlisted domains. # Executable files loaded from /data is a persistence vector # we want to avoid. See # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. # neverallow { domain -appdomain with_asan(`-asan_extract') -iorap_prefetcherd -shell userdebug_or_eng(`-su') -system_server_startup # for memfd backed executable regions -app_zygote -webview_zygote -zygote userdebug_or_eng(`-mediaextractor') userdebug_or_eng(`-mediaswcodec') } { file_type -system_file_type -system_lib_file -system_linker_exec -vendor_file_type -exec_type -postinstall_file }:file execute; # Only init is allowed to write cgroup.rc file neverallow { domain -init -vendor_init } cgroup_rc_file:file no_w_file_perms; # Only authorized processes should be writing to files in /data/dalvik-cache neverallow { domain -init # TODO: limit init to relabelfrom for files -zygote -installd -postinstall_dexopt -cppreopts -dex2oat -otapreopt_slot } dalvikcache_data_file:file no_w_file_perms; neverallow { domain -init -installd -postinstall_dexopt -cppreopts -dex2oat -zygote -otapreopt_slot } dalvikcache_data_file:dir no_w_dir_perms; # Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it # contains boot class path and system server AOT artifacts following an ART APEX Mainline update. neverallow { domain # art processes -odrefresh -odsign # others -apexd -init -vold_prepare_subdirs } apex_art_data_file:file no_w_file_perms; neverallow { domain # art processes -odrefresh -odsign # others -apexd -init -vold_prepare_subdirs } apex_art_data_file:dir no_w_dir_perms; # Protect most domains from executing arbitrary content from /data. neverallow { domain -appdomain } { data_file_type -apex_art_data_file -dalvikcache_data_file -system_data_file # shared libs in apks -apk_data_file }:file no_x_file_perms; # Minimize dac_override and dac_read_search. # Instead of granting them it is usually better to add the domain to # a Unix group or change the permissions of a file. define(`dac_override_allowed', `{ apexd dnsmasq dumpstate init installd userdebug_or_eng(`llkd') lmkd migrate_legacy_obb_data netd postinstall_dexopt recovery rss_hwm_reset sdcardd tee ueventd uncrypt vendor_init vold vold_prepare_subdirs zygote }') neverallow ~dac_override_allowed self:global_capability_class_set dac_override; # Since the kernel checks dac_read_search before dac_override, domains that # have dac_override should also have dac_read_search to eliminate spurious # denials. Some domains have dac_read_search without having dac_override, so # this list should be a superset of the one above. neverallow ~{ dac_override_allowed iorap_inode2filename iorap_prefetcherd traced_perf traced_probes heapprofd } self:global_capability_class_set dac_read_search; # Limit what domains can mount filesystems or change their mount flags. # sdcard_type / vfat is exempt as a larger set of domains need # this capability, including device-specific domains. neverallow { domain -apexd recovery_only(`userdebug_or_eng(`-fastbootd')') -init -kernel -otapreopt_chroot -recovery -update_engine -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; # Limit raw I/O to these allowlisted domains. Do not apply to debug builds. neverallow { domain userdebug_or_eng(`-domain') -kernel -gsid -init -recovery -ueventd -healthd -uncrypt -tee -hal_bootctl_server -fastbootd } self:global_capability_class_set sys_rawio; # Limit directory operations that doesn't need to do app data isolation. neverallow { domain -init -installd -zygote } mirror_data_file:dir *; # This property is being removed. Remove remaining access. neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set; neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read; # Only core domains are allowed to access package_manager properties neverallow { domain -init -system_server } pm_prop:property_service set; neverallow { domain -coredomain } pm_prop:file no_rw_file_perms; # Do not allow reading the last boot timestamp from system properties neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms; # Kprobes should only be used by adb root neverallow { domain -init -vendor_init } debugfs_kprobes:file *; # On TREBLE devices, most coredomains should not access vendor_files. # TODO(b/71553434): Remove exceptions here. full_treble_only(` neverallow { coredomain -appdomain -bootanim -crash_dump -heapprofd userdebug_or_eng(`-profcollectd') -init -iorap_inode2filename -iorap_prefetcherd -kernel -traced_perf -ueventd } vendor_file:file { no_w_file_perms no_x_file_perms open }; ') # Vendor domains are not permitted to initiate communications to core domain sockets full_treble_only(` neverallow_establish_socket_comms({ domain -coredomain -appdomain -socket_between_core_and_vendor_violators }, { coredomain -logd # Logging by writing to logd Unix domain socket is public API -netd # netdomain needs this -mdnsd # netdomain needs this userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds -init -tombstoned # linker to tombstoned userdebug_or_eng(`-heapprofd') userdebug_or_eng(`-traced_perf') }); ') full_treble_only(` # Do not allow system components access to /vendor files except for the # ones allowed here. neverallow { coredomain # TODO(b/37168747): clean up fwk access to /vendor -crash_dump -init # starts vendor executables -iorap_inode2filename -iorap_prefetcherd -kernel # loads /vendor/firmware -heapprofd userdebug_or_eng(`-profcollectd') -shell -system_executes_vendor_violators -traced_perf # library/binary access for symbolization -ueventd # reads /vendor/ueventd.rc -vold # loads incremental fs driver } { vendor_file_type -same_process_hal_file -vendor_app_file -vendor_apex_file -vendor_configs_file -vendor_service_contexts_file -vendor_framework_file -vendor_idc_file -vendor_keychars_file -vendor_keylayout_file -vendor_overlay_file -vendor_public_framework_file -vendor_public_lib_file -vendor_task_profiles_file -vndk_sp_file }:file *; ') # mlsvendorcompat is only for compatibility support for older vendor # images, and should not be granted to any domain in current policy. # (Every domain is allowed self:fork, so this will trigger if the # intsersection of domain & mlsvendorcompat is not empty.) neverallow domain mlsvendorcompat:process fork; # Only init and otapreopt_chroot should be mounting filesystems on locations # labeled system or vendor (/product and /vendor respectively). neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton; # Only allow init and vendor_init to read/write mm_events properties # NOTE: dumpstate is allowed to read any system property neverallow { domain -init -vendor_init -dumpstate } mm_events_config_prop:file no_rw_file_perms; # Allow the tracing daemon and callstack sampler to use kallsyms to symbolize # kernel traces. Addresses are not disclosed, they are repalced with symbol # names (if available). Traces don't disclose KASLR. neverallow { domain -init userdebug_or_eng(`-profcollectd') -vendor_init -traced_probes -traced_perf } proc_kallsyms:file { open read };