platform_system_sepolicy/public/file.te
Narayan Kamath f194aad208 SEPolicy: Changes for new stack dumping scheme.
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

(cherry picked from commit 11bfcc1e96)

Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f
2017-05-31 10:01:48 +00:00


# Filesystem types
#
# Every type in this section carries the fs_type attribute, with one
# exception flagged below (sysfs_usb). sysfs_type and debugfs_type
# additionally group the per-node labels used on sysfs and debugfs.
# mlstrustedobject marks objects that are exempt from MLS restrictions, so
# for those types the type-enforcement allow rules are the only access gate.
# The attributes themselves are declared outside this file, and this section
# only declares labels: it grants no access.
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type;
type proc_drop_caches, fs_type;
type proc_overcommit_memory, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_interrupts, fs_type;
type proc_iomem, fs_type;
type proc_meminfo, fs_type;
type proc_misc, fs_type;
type proc_modules, fs_type;
type proc_net, fs_type;
type proc_perf, fs_type;
type proc_stat, fs_type;
type proc_sysrq, fs_type;
type proc_timer, fs_type;
type proc_tty_drivers, fs_type;
type proc_uid_cputime_showstat, fs_type;
type proc_uid_cputime_removeuid, fs_type;
type proc_uid_io_stats, fs_type;
type proc_uid_procstat_set, fs_type;
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
# NOTE(review): sysfs_usb is declared with file_type rather than fs_type,
# unlike every other sysfs_type in this section. Rules written against
# file_type therefore also cover it, and rules written against fs_type do
# not. Confirm this is intended before relying on either attribute.
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
type sysfs_thermal, sysfs_type, fs_type;
type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
# Filesystems backing external / emulated storage share sdcard_type.
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type tracing_shell_writable, fs_type, debugfs_type;
type tracing_shell_writable_debug, fs_type, debugfs_type;
type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
# contextmount_type: presumably filesystems labeled through a context=
# mount option rather than per-file labels. TODO confirm against the
# attribute definition.
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;
# File types
#
# Types in this section carry file_type. Types for content under /vendor
# additionally carry vendor_file_type. Only labels are declared here;
# which domains may read or execute them is decided by rules elsewhere.
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
# Default type for the directories that are searched for
# HAL implementations
type vendor_hal_file, vendor_file_type, file_type;
# Default type for anything under /vendor or /system/vendor
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
# exec_type marks it as an executable label (the only one in this section).
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Types for content under /data. Each carries data_file_type and
# core_data_file_type in addition to file_type. Several also carry
# mlstrustedobject, which exempts them from MLS restrictions; for those the
# type-enforcement allow rules are the only access gate, so they deserve
# extra care when new allow rules are written against them.
#
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
# With the tombstoned_java_trace_socket scheme (see Socket types), apps
# receive an already-open FD for their traces instead of opening files
# under /data/anr themselves.
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
# These carry file_type only: none of them is a data_file_type.
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;
# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;
# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
# postinstall_file is also granted associate on itself near the end of this
# file, alongside the other filesystem associate rules.
type postinstall_file, file_type;
# /data/misc subdirectories
#
# One label per subsystem directory, so that access can be granted to the
# owning domain only. The grants themselves are not in this file.
# Judging by their names, several of these labels cover key or credential
# storage (adb_keys_file, gatekeeper_data_file, keychain_data_file,
# keystore_data_file, systemkeys_data_file); verify against file_contexts.
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audiohal_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type reboot_data_file, file_type, data_file_type, core_data_file_type;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# NOTE(review): tee_data_file is the only data_file_type in this section
# without core_data_file_type. Presumably deliberate so that rules keyed on
# core_data_file_type do not apply to it; confirm against the rules that
# use that attribute.
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/data subdirectories - app sandboxes
# app_data_file does not carry mlstrustedobject, so MLS restrictions apply
# to it on top of the type-enforcement rules.
type app_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectory for system UID apps.
# Unlike app_data_file this one is an mlstrustedobject.
type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
# Not an mlstrustedobject, unlike the other /cache types in this group.
type cache_private_backup_file, file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for appfuse file.
# Near the end of this file, app_fuse_file is allowed to associate with
# app_fusefs.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Socket types
#
# Most sockets here carry coredomain_socket. The attribute is declared
# outside this file; presumably it identifies sockets owned by core
# (non-vendor) domains so that policy elsewhere can restrict who connects.
# TODO confirm against the attribute definition.
# Sockets declared without it in this section: rild_socket,
# rild_debug_socket, wpa_socket and tombstoned_java_trace_socket.
# Sockets that are also mlstrustedobject are exempt from MLS restrictions,
# so the type-enforcement allow rules alone decide who can reach them.
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
# NOTE(review): misc_logd_file is named like a data file but is declared
# here with coredomain_socket and without data_file_type. Confirm that this
# attribute set is intended.
type misc_logd_file, coredomain_socket, file_type;
type mtpd_socket, file_type, coredomain_socket;
type netd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type, coredomain_socket;
type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
# Unix domain socket on which tombstoned hands a client an open FD to write
# its Java stack traces to. The intended clients are appdomain and
# system_server; their connect/write rules are not in this file.
# Unlike the two neighbouring tombstoned sockets it does not carry
# coredomain_socket, and as an mlstrustedobject it is not shielded by MLS,
# so the allow rules on this type are the whole access boundary.
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
type webview_zygote_socket, file_type, coredomain_socket;
type wpa_socket, file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
type gps_control, file_type;
# PDX endpoint types
# One directory type per PDX service family; all share
# pdx_endpoint_dir_type.
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
# The pdx_service_socket_types macro is defined outside this file.
# Presumably each call declares the socket types for the named service
# under the given endpoint directory type; confirm against the macro
# definition before relying on the generated type names.
pdx_service_socket_types(display_client, pdx_display_dir)
pdx_service_socket_types(display_manager, pdx_display_dir)
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
# Labels for the policy and context-mapping files themselves. Giving each
# its own type lets policy elsewhere grant access to them individually
# rather than through a broad file type.
# file_contexts files
type file_contexts_file, file_type;
# mac_permissions file
type mac_perms_file, file_type;
# property_contexts file
type property_contexts_file, file_type;
# seapp_contexts file
type seapp_contexts_file, file_type;
# sepolicy files binary and others
type sepolicy_file, file_type;
# service_contexts file
type service_contexts_file, file_type;
# hwservice_contexts file
type hwservice_contexts_file, file_type;
# vndservice_contexts file
type vndservice_contexts_file, file_type;
# Allow files to be created in their appropriate filesystems.
# The associate permission of the filesystem class decides whether an
# object labeled with the source type may live on a filesystem labeled with
# the target type. These are the only allow rules in this file.
# Every fs_type may be associated with itself.
allow fs_type self:filesystem associate;
# Per-node sysfs labels live on sysfs.
allow sysfs_type sysfs:filesystem associate;
# Per-node debugfs labels live on debugfs or on the tracing filesystem.
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
# Any file_type may appear on labeled filesystems, tmpfs and rootfs.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
# dev_type is declared outside this file.
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
# The type is declared through the with_asan macro, which is defined outside
# this file; presumably the declaration is emitted only for ASAN builds.
# TODO confirm against the macro definition.
with_asan(`type asanwrapper_exec, exec_type, file_type;')
# It is a bug to assign both the file_type attribute and the fs_type
# attribute to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# How the check works: the fs_type self:filesystem associate rule earlier in
# this file grants every fs_type associate on itself. A type carrying both
# attributes would then be an fs_type source with a file_type target, which
# matches this neverallow and is reported as a policy violation.
neverallow fs_type file_type:filesystem associate;