platform_system_sepolicy/private/domain.te
Tri Vo 06d7dca4a1 Remove proc and sysfs access from system_app and platform_app.
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
2018-01-20 01:05:21 +00:00

122 lines
2.4 KiB
Text

# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
domain_auto_trans(domain, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
-dumpstate
-storaged
-system_server
userdebug_or_eng(`-perfprofd')
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
# /proc
neverallow {
coredomain
-dumpstate
-priv_app
-vold
-vendor_init
} proc:file no_rw_file_perms;
# /sys
neverallow {
coredomain
-dumpstate
-init
-priv_app
-ueventd
-vold
-vendor_init
} sysfs:file no_rw_file_perms;
# /dev
neverallow {
coredomain
-fsck
-init
-ueventd
-vendor_init
} device:{ blk_file file } no_rw_file_perms;
# debugfs
neverallow {
coredomain
-dumpstate
-init
-system_server
-vendor_init
} debugfs:file no_rw_file_perms;
# tracefs
neverallow {
coredomain
userdebug_or_eng(`-atrace')
-dumpstate
-init
userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-traced_probes')
-shell
userdebug_or_eng(`-traceur_app')
-vendor_init
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
neverallow {
coredomain
-init
-vendor_init
} inotify:file no_rw_file_perms;
# pstorefs
neverallow {
coredomain
-bootstat
-charger
-dumpstate
-healthd
-init
-logd
-logpersist
-recovery_persist
-recovery_refresh
-shell
-system_server
-vendor_init
} pstorefs:file no_rw_file_perms;
# configfs
neverallow {
coredomain
-init
-system_server
-vendor_init
} configfs:file no_rw_file_perms;
# functionfs
neverallow {
coredomain
-adbd
-init
-mediaprovider
-vendor_init
}functionfs:file no_rw_file_perms;
# usbfs and binfmt_miscfs
neverallow {
coredomain
-init
-vendor_init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')