85c5fc21c8
* Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b
146 lines
4.8 KiB
Text
146 lines
4.8 KiB
Text
# Rules for all domains.
|
|
|
|
# Allow reaping by init.
|
|
allow domain init:process sigchld;
|
|
|
|
# Read access to properties mapping.
|
|
allow domain kernel:fd use;
|
|
allow domain tmpfs:file { read getattr };
|
|
|
|
# Search /storage/emulated tmpfs mount.
|
|
allow domain tmpfs:dir r_dir_perms;
|
|
|
|
# Intra-domain accesses.
|
|
allow domain self:process ~{ execstack execheap ptrace };
|
|
allow domain self:fd use;
|
|
allow domain self:dir r_dir_perms;
|
|
allow domain self:lnk_file r_file_perms;
|
|
allow domain self:{ fifo_file file } rw_file_perms;
|
|
allow domain self:{ unix_dgram_socket unix_stream_socket } *;
|
|
|
|
# Inherit or receive open files from others.
|
|
allow domain init:fd use;
|
|
allow domain system_server:fd use;
|
|
|
|
# Connect to adbd and use a socket transferred from it.
|
|
allow domain adbd:unix_stream_socket connectto;
|
|
allow domain adbd:fd use;
|
|
allow domain adbd:unix_stream_socket { getattr read write shutdown };
|
|
|
|
###
|
|
### Talk to debuggerd.
|
|
###
|
|
allow domain debuggerd:process sigchld;
|
|
allow domain debuggerd:unix_stream_socket connectto;
|
|
# b/9858255 - debuggerd sockets are not getting properly labeled.
|
|
# TODO: Remove this temporary workaround.
|
|
allow domain init:unix_stream_socket connectto;
|
|
|
|
# Root fs.
|
|
allow domain rootfs:dir r_dir_perms;
|
|
allow domain rootfs:file r_file_perms;
|
|
allow domain rootfs:lnk_file { read getattr };
|
|
|
|
# Device accesses.
|
|
allow domain device:dir search;
|
|
allow domain dev_type:lnk_file read;
|
|
allow domain devpts:dir search;
|
|
allow domain device:file read;
|
|
allow domain socket_device:dir search;
|
|
allow domain owntty_device:chr_file rw_file_perms;
|
|
allow domain null_device:chr_file rw_file_perms;
|
|
allow domain zero_device:chr_file r_file_perms;
|
|
allow domain ashmem_device:chr_file rw_file_perms;
|
|
allow domain binder_device:chr_file rw_file_perms;
|
|
allow domain ptmx_device:chr_file rw_file_perms;
|
|
allow domain powervr_device:chr_file rw_file_perms;
|
|
allow domain log_device:dir search;
|
|
allow domain log_device:chr_file rw_file_perms;
|
|
allow domain nv_device:chr_file rw_file_perms;
|
|
allow domain alarm_device:chr_file r_file_perms;
|
|
allow domain urandom_device:chr_file rw_file_perms;
|
|
allow domain random_device:chr_file rw_file_perms;
|
|
allow domain properties_device:file r_file_perms;
|
|
|
|
# Filesystem accesses.
|
|
allow domain fs_type:filesystem getattr;
|
|
allow domain fs_type:dir getattr;
|
|
|
|
# System file accesses.
|
|
allow domain system_file:dir r_dir_perms;
|
|
allow domain system_file:file r_file_perms;
|
|
allow domain system_file:file execute;
|
|
allow domain system_file:lnk_file read;
|
|
|
|
# Read files already opened under /data.
|
|
allow domain system_data_file:dir { search getattr };
|
|
allow domain system_data_file:file { getattr read };
|
|
allow domain system_data_file:lnk_file read;
|
|
|
|
# Read apk files under /data/app.
|
|
allow domain apk_data_file:dir { getattr search };
|
|
allow domain apk_data_file:file r_file_perms;
|
|
|
|
# Read /data/dalvik-cache.
|
|
allow domain dalvikcache_data_file:dir { search getattr };
|
|
allow domain dalvikcache_data_file:file r_file_perms;
|
|
|
|
# Read already opened /cache files.
|
|
allow domain cache_file:dir r_dir_perms;
|
|
allow domain cache_file:file { getattr read };
|
|
allow domain cache_file:lnk_file read;
|
|
|
|
# For /acct/uid/*/tasks.
|
|
allow domain cgroup:dir { search write };
|
|
allow domain cgroup:file w_file_perms;
|
|
|
|
#Allow access to ion memory allocation device
|
|
allow domain ion_device:chr_file rw_file_perms;
|
|
|
|
# For /sys/qemu_trace files in the emulator.
|
|
bool in_qemu false;
|
|
if (in_qemu) {
|
|
allow domain sysfs_writable:file rw_file_perms;
|
|
}
|
|
|
|
# Read access to pseudo filesystems.
|
|
r_dir_file(domain, proc)
|
|
r_dir_file(domain, sysfs)
|
|
r_dir_file(domain, inotify)
|
|
r_dir_file(domain, cgroup)
|
|
|
|
# debugfs access
|
|
allow domain debugfs:dir r_dir_perms;
|
|
allow domain debugfs:file w_file_perms;
|
|
|
|
# security files
|
|
allow domain security_file:dir { search getattr };
|
|
allow domain security_file:file getattr;
|
|
|
|
######## Backwards compatibility - Unlabeled files ############
|
|
|
|
# Revert to DAC rules when looking at unlabeled files. Over time, the number
|
|
# of unlabeled files should decrease.
|
|
# TODO: delete these rules in the future.
|
|
#
|
|
# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
|
|
# capability, it's essentially useless. This is needed to allow an app with
|
|
# relabelto to relabel unlabeled files.
|
|
#
|
|
allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
|
|
allow domain unlabeled:dir { create_dir_perms relabelfrom };
|
|
allow domain unlabeled:lnk_file { create_file_perms };
|
|
neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# Only init should be able to load SELinux policies
|
|
neverallow { domain -init } kernel:security load_policy;
|
|
|
|
# Only init, ueventd and system_server should be able to access HW RNG
|
|
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
|
|
|
|
# Ensure that all entrypoint executables are in exec_type.
|
|
neverallow domain { file_type -exec_type }:file entrypoint;
|