platform_system_sepolicy/private/domain.te

# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  -storaged
  -system_server
  userdebug_or_eng(`-perfprofd')
} self:global_capability_class_set sys_ptrace;

# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;

neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;

# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
  # /proc
  neverallow {
    coredomain
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  neverallow {
    coredomain
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  neverallow {
    coredomain
    -dumpstate
    -init
    -system_server
  } debugfs:file no_rw_file_perms;

  # tracefs
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -init
    userdebug_or_eng(`-perfprofd')
    -traced_probes
    -shell
    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    -healthd
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')

# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };

###
# Services should respect app sandboxes
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Only the following processes should be directly accessing private app
# directories.
neverallow {
  domain
  -adbd
  -appdomain
  -dexoptanalyzer
  -init
  -installd
  userdebug_or_eng(`-perfprofd')
  -profman
  -runas
  -system_server
} { privapp_data_file app_data_file }:dir *;

# Only apps should be modifying app data. init and installd are exempted for
# restorecon and package install/uninstall.
neverallow {
  domain
  -appdomain
  -init
  -installd
} { privapp_data_file app_data_file }:dir ~r_dir_perms;

neverallow {
  domain
  -appdomain
  -installd
  userdebug_or_eng(`-perfprofd')
} { privapp_data_file app_data_file }:file_class_set open;

neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

neverallow {
  domain
  -init
  -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };