# Rules for all domains. # Allow reaping by init. allow domain init:process sigchld; # Read access to properties mapping. allow domain kernel:fd use; allow domain tmpfs:file { read getattr }; # Search /storage/emulated tmpfs mount. allow domain tmpfs:dir r_dir_perms; # Intra-domain accesses. allow domain self:process ~{ execstack execheap ptrace }; allow domain self:fd use; allow domain self:dir r_dir_perms; allow domain self:lnk_file r_file_perms; allow domain self:{ fifo_file file } rw_file_perms; allow domain self:{ unix_dgram_socket unix_stream_socket } *; # Inherit or receive open files from others. allow domain init:fd use; allow domain system_server:fd use; # Connect to adbd and use a socket transferred from it. allow domain adbd:unix_stream_socket connectto; allow domain adbd:fd use; allow domain adbd:unix_stream_socket { getattr read write shutdown }; ### ### Talk to debuggerd. ### allow domain debuggerd:process sigchld; allow domain debuggerd:unix_stream_socket connectto; # b/9858255 - debuggerd sockets are not getting properly labeled. # TODO: Remove this temporary workaround. allow domain init:unix_stream_socket connectto; # Root fs. allow domain rootfs:dir r_dir_perms; allow domain rootfs:file r_file_perms; allow domain rootfs:lnk_file r_file_perms; # Device accesses. allow domain device:dir search; allow domain dev_type:lnk_file r_file_perms; allow domain devpts:dir search; allow domain device:file read; allow domain socket_device:dir search; allow domain owntty_device:chr_file rw_file_perms; allow domain null_device:chr_file rw_file_perms; allow domain zero_device:chr_file r_file_perms; allow domain ashmem_device:chr_file rw_file_perms; allow domain binder_device:chr_file rw_file_perms; allow domain ptmx_device:chr_file rw_file_perms; allow domain powervr_device:chr_file rw_file_perms; allow domain log_device:dir search; allow domain log_device:chr_file rw_file_perms; allow domain alarm_device:chr_file r_file_perms; allow domain urandom_device:chr_file rw_file_perms; allow domain random_device:chr_file rw_file_perms; allow domain properties_device:file r_file_perms; # Filesystem accesses. allow domain fs_type:filesystem getattr; allow domain fs_type:dir getattr; # System file accesses. allow domain system_file:dir r_dir_perms; allow domain system_file:file r_file_perms; allow domain system_file:file execute; allow domain system_file:lnk_file r_file_perms; # Read files already opened under /data. allow domain system_data_file:dir { search getattr }; allow domain system_data_file:file { getattr read }; allow domain system_data_file:lnk_file r_file_perms; # Read apk files under /data/app. allow domain apk_data_file:dir { getattr search }; allow domain apk_data_file:file r_file_perms; # Read /data/dalvik-cache. allow domain dalvikcache_data_file:dir { search getattr }; allow domain dalvikcache_data_file:file r_file_perms; # Read already opened /cache files. allow domain cache_file:dir r_dir_perms; allow domain cache_file:file { getattr read }; allow domain cache_file:lnk_file r_file_perms; # Read timezone related information r_dir_file(domain, zoneinfo_data_file) # For /acct/uid/*/tasks. allow domain cgroup:dir { search write }; allow domain cgroup:file w_file_perms; #Allow access to ion memory allocation device allow domain ion_device:chr_file rw_file_perms; # Read access to pseudo filesystems. r_dir_file(domain, proc) r_dir_file(domain, sysfs) r_dir_file(domain, sysfs_devices_system_cpu) r_dir_file(domain, inotify) r_dir_file(domain, cgroup) # debugfs access allow domain debugfs:dir r_dir_perms; allow domain debugfs:file w_file_perms; # Get SELinux enforcing status. selinux_getenforce(domain) # security files allow domain security_file:dir { search getattr }; allow domain security_file:file getattr; ######## Backwards compatibility - Unlabeled files ############ # Revert to DAC rules when looking at unlabeled files. Over time, the number # of unlabeled files should decrease. # TODO: delete these rules in the future. # # Note on relabelfrom: We allow any app relabelfrom, but without the relabelto # capability, it's essentially useless. This is needed to allow an app with # relabelto to relabel unlabeled files. # allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom }; allow domain unlabeled:dir { create_dir_perms relabelfrom }; allow domain unlabeled:lnk_file { create_file_perms }; neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto; ### ### neverallow rules ### # Only init should be able to load SELinux policies. # The first load technically occurs while still in the kernel domain, # but this does not trigger a denial since there is no policy yet. # Policy reload requires allowing this to the init domain. neverallow { domain -init } kernel:security load_policy; # Only init prior to switching context should be able to set enforcing mode. # init starts in kernel domain and switches to init domain via setcon in # the init.rc, so the setenforce occurs while still in kernel. After # switching domains, there is never any need to setenforce again by init. neverallow { domain -kernel } kernel:security setenforce; # Only init, ueventd and system_server should be able to access HW RNG neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *; # Ensure that all entrypoint executables are in exec_type. neverallow domain { file_type -exec_type }:file entrypoint; # Ensure that nothing in userspace can access /dev/mem or /dev/kmem neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *; neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr }; # Only init should be able to configure kernel usermodehelpers or # security-sensitive proc settings. neverallow { domain -init } usermodehelper:file { append write }; neverallow { domain -init } proc_security:file { append write }; # No domain should be allowed to ptrace init. neverallow domain init:process ptrace;