2238 lines
74 KiB
Text
2238 lines
74 KiB
Text
# Rules for all domains.
|
|
|
|
# Allow reaping by init.
|
|
allow domain init:process sigchld;
|
|
|
|
# Intra-domain accesses.
|
|
allow domain self:process {
|
|
fork
|
|
sigchld
|
|
sigkill
|
|
sigstop
|
|
signull
|
|
signal
|
|
getsched
|
|
setsched
|
|
getsession
|
|
getpgid
|
|
setpgid
|
|
getcap
|
|
setcap
|
|
getattr
|
|
setrlimit
|
|
};
|
|
allow domain self:fd use;
|
|
allow domain proc:dir r_dir_perms;
|
|
allow domain proc_net_type:dir search;
|
|
r_dir_file(domain, self)
|
|
allow domain self:{ fifo_file file } rw_file_perms;
|
|
allow domain self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
|
|
# Inherit or receive open files from others.
|
|
allow domain init:fd use;
|
|
|
|
userdebug_or_eng(`
|
|
allow domain su:fd use;
|
|
allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
|
|
allow domain su:unix_dgram_socket sendto;
|
|
|
|
allow { domain -init } su:binder { call transfer };
|
|
|
|
# Running something like "pm dump com.android.bluetooth" requires
|
|
# fifo writes
|
|
allow domain su:fifo_file { write getattr };
|
|
|
|
# allow "gdbserver --attach" to work for su.
|
|
allow domain su:process sigchld;
|
|
|
|
# Allow writing coredumps to /cores/*
|
|
allow domain coredump_file:file create_file_perms;
|
|
allow domain coredump_file:dir ra_dir_perms;
|
|
')
|
|
|
|
with_native_coverage(`
|
|
# Allow writing coverage information to /data/misc/trace
|
|
allow domain method_trace_data_file:dir create_dir_perms;
|
|
allow domain method_trace_data_file:file create_file_perms;
|
|
')
|
|
|
|
# Allow everyone to read aconfig flags
|
|
get_prop(domain, device_config_aconfig_flags_prop);
|
|
|
|
# Root fs.
|
|
allow domain tmpfs:dir { getattr search };
|
|
allow domain rootfs:dir search;
|
|
allow domain rootfs:lnk_file { read getattr };
|
|
|
|
# Device accesses.
|
|
allow domain device:dir search;
|
|
allow domain dev_type:lnk_file r_file_perms;
|
|
allow domain devpts:dir search;
|
|
allow domain dmabuf_heap_device:dir r_dir_perms;
|
|
allow domain socket_device:dir r_dir_perms;
|
|
allow domain owntty_device:chr_file rw_file_perms;
|
|
allow domain null_device:chr_file rw_file_perms;
|
|
allow domain zero_device:chr_file rw_file_perms;
|
|
|
|
# /dev/ashmem is being deprecated by means of constraining and eventually
|
|
# removing all "open" permissions. We preserve the other permissions.
|
|
allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
|
|
# This device is used by libcutils, which is accessible to everyone.
|
|
allow domain ashmem_libcutils_device:chr_file rw_file_perms;
|
|
|
|
# /dev/binder can be accessed by ... everyone! :)
|
|
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
|
|
get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
|
|
|
|
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
|
|
# added to individual domains, but this sets safe defaults for all processes.
|
|
allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
|
|
|
|
# /dev/binderfs needs to be accessed by everyone too!
|
|
allow domain binderfs:dir { getattr search };
|
|
allow domain binderfs_logs_proc:dir search;
|
|
allow domain binderfs_features:dir search;
|
|
allow domain binderfs_features:file r_file_perms;
|
|
|
|
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
|
|
allow domain ptmx_device:chr_file rw_file_perms;
|
|
allow domain random_device:chr_file rw_file_perms;
|
|
allow domain proc_random:dir r_dir_perms;
|
|
allow domain proc_random:file r_file_perms;
|
|
allow domain properties_device:dir { search getattr };
|
|
allow domain properties_serial:file r_file_perms;
|
|
allow domain property_info:file r_file_perms;
|
|
|
|
# Let everyone read log properties, so that liblog can avoid sending unloggable
|
|
# messages to logd.
|
|
get_prop(domain, log_property_type)
|
|
dontaudit domain property_type:file audit_access;
|
|
allow domain property_contexts_file:file r_file_perms;
|
|
|
|
allow domain init:key search;
|
|
allow domain vold:key search;
|
|
|
|
# logd access
|
|
write_logd(domain)
|
|
|
|
# Directory/link file access for path resolution.
|
|
allow domain {
|
|
system_file
|
|
system_lib_file
|
|
system_seccomp_policy_file
|
|
system_security_cacerts_file
|
|
}:dir r_dir_perms;
|
|
allow domain system_file:lnk_file { getattr read };
|
|
|
|
# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
|
|
# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
|
|
allow domain system_seccomp_policy_file:file r_file_perms;
|
|
# cacerts are accessible from public Java API.
|
|
allow domain system_security_cacerts_file:file r_file_perms;
|
|
allow domain system_group_file:file r_file_perms;
|
|
allow domain system_passwd_file:file r_file_perms;
|
|
allow domain system_linker_exec:file { execute read open getattr map };
|
|
allow domain system_linker_config_file:file r_file_perms;
|
|
allow domain system_lib_file:file { execute read open getattr map };
|
|
# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
|
|
allow domain system_linker_exec:lnk_file { read open getattr };
|
|
allow domain system_lib_file:lnk_file { read open getattr };
|
|
|
|
allow domain system_event_log_tags_file:file r_file_perms;
|
|
|
|
allow { appdomain coredomain } system_file:file { execute read open getattr map };
|
|
|
|
# Make sure system/vendor split doesn not affect non-treble
|
|
# devices
|
|
not_full_treble(`
|
|
allow domain system_file:file { execute read open getattr map };
|
|
allow domain vendor_file_type:dir { search getattr };
|
|
allow domain vendor_file_type:file { execute read open getattr map };
|
|
allow domain vendor_file_type:lnk_file { getattr read };
|
|
')
|
|
|
|
# All domains are allowed to open and read directories
|
|
# that contain HAL implementations (e.g. passthrough
|
|
# HALs require clients to have these permissions)
|
|
allow domain vendor_hal_file:dir r_dir_perms;
|
|
|
|
# Everyone can read and execute all same process HALs
|
|
allow domain same_process_hal_file:dir r_dir_perms;
|
|
allow {
|
|
domain
|
|
-coredomain # access is explicitly granted to individual coredomains
|
|
} same_process_hal_file:file { execute read open getattr map };
|
|
|
|
# Any process can load vndk-sp libraries, which are system libraries
|
|
# used by same process HALs
|
|
allow domain vndk_sp_file:dir r_dir_perms;
|
|
allow domain vndk_sp_file:file { execute read open getattr map };
|
|
|
|
# All domains get access to /vendor/etc
|
|
allow domain vendor_configs_file:dir r_dir_perms;
|
|
allow domain vendor_configs_file:file { read open getattr map };
|
|
|
|
full_treble_only(`
|
|
# Allow all domains to be able to follow /system/vendor and/or
|
|
# /vendor/odm symlinks.
|
|
allow domain vendor_file_type:lnk_file { getattr open read };
|
|
|
|
# This is required to be able to search & read /vendor/lib64
|
|
# in order to lookup vendor libraries. The execute permission
|
|
# for coredomains is granted *only* for same process HALs
|
|
allow domain vendor_file:dir { getattr search };
|
|
|
|
# Allow reading and executing out of /vendor to all vendor domains
|
|
allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
|
|
allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
|
|
allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
|
|
')
|
|
|
|
# read and stat any sysfs symlinks
|
|
allow domain sysfs:lnk_file { getattr read };
|
|
|
|
# libc references /system/usr/share/zoneinfo for timezone related information.
|
|
# This directory is considered to be a VNDK-stable
|
|
allow domain { system_zoneinfo_file }:file r_file_perms;
|
|
allow domain { system_zoneinfo_file }:dir r_dir_perms;
|
|
|
|
# Lots of processes access current CPU information
|
|
r_dir_file(domain, sysfs_devices_system_cpu)
|
|
|
|
r_dir_file(domain, sysfs_usb);
|
|
|
|
# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
|
|
# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
|
|
allow domain sysfs_transparent_hugepage:dir search;
|
|
allow domain sysfs_transparent_hugepage:file r_file_perms;
|
|
|
|
# Allow search access, and sometimes getattr access, to various directories
|
|
# under /data. We are fairly lenient in allowing search access to top-level
|
|
# dirs that commonly need to be traversed to get access to the "real" files, as
|
|
# this greatly simplifies the policy and doesn't open up much attack surface.
|
|
not_full_treble(`
|
|
allow domain system_data_file:dir getattr;
|
|
')
|
|
allow { coredomain appdomain } system_data_file:dir getattr;
|
|
# Anything that accesses anything in /data needs search access to /data itself.
|
|
# This includes vendor components, as they need to access /data/vendor.
|
|
allow domain system_data_root_file:dir { search getattr } ;
|
|
# system_data_file is the default type for directories in /data. Anything
|
|
# accessing data files with a more specific type often has to traverse a
|
|
# system_data_file directory such as /data/misc to get there.
|
|
allow domain system_data_file:dir search;
|
|
# Anything that accesses files in /data/user (and /data/user_de, etc.) needs
|
|
# search access to these directories themselves. getattr access is sometimes
|
|
# needed too.
|
|
allow { coredomain appdomain } system_userdir_file:dir { search getattr };
|
|
# Anything that accesses files in /data/media needs search access to /data/media
|
|
# itself.
|
|
allow { coredomain appdomain } media_userdir_file:dir search;
|
|
# TODO restrict this to non-coredomain
|
|
allow domain vendor_userdir_file:dir { getattr search };
|
|
allow domain vendor_data_file:dir { getattr search };
|
|
|
|
# required by the dynamic linker
|
|
allow domain proc:lnk_file { getattr read };
|
|
|
|
# /proc/cpuinfo
|
|
allow domain proc_cpuinfo:file r_file_perms;
|
|
|
|
# /dev/cpu_variant:.*
|
|
allow domain dev_cpu_variant:file r_file_perms;
|
|
|
|
# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
|
|
allow domain proc_perf:file r_file_perms;
|
|
|
|
# toybox loads libselinux which stats /sys/fs/selinux/
|
|
allow domain selinuxfs:dir search;
|
|
allow domain selinuxfs:file getattr;
|
|
allow domain sysfs:dir search;
|
|
allow domain selinuxfs:filesystem getattr;
|
|
|
|
# Almost all processes log tracing information to
|
|
# /sys/kernel/debug/tracing/trace_marker
|
|
# The reason behind this is documented in b/6513400
|
|
allow domain debugfs:dir search;
|
|
allow domain debugfs_tracing:dir search;
|
|
allow domain debugfs_tracing_debug:dir search;
|
|
allow domain debugfs_trace_marker:file w_file_perms;
|
|
|
|
# Linux lockdown mode offered coarse-grained definitions for access controls. In
|
|
# previous versions of the policy, the integrity permission was neverallowed.
|
|
# It was found that this permission mainly duplicates pre-existing rules in
|
|
# the policy (see b/285443587). Additionally, some access were found to be
|
|
# required (b/269377822). The access vector was removed from kernel 5.16
|
|
# onwards. Grant unconditional access, these rules should be removed from the
|
|
# policy once no kernel <5.16 are supported.
|
|
allow domain self:lockdown { confidentiality integrity };
|
|
|
|
# Filesystem access.
|
|
allow domain fs_type:filesystem getattr;
|
|
allow domain fs_type:dir getattr;
|
|
|
|
# Restrict all domains to an allowlist for common socket types. Additional
|
|
# ioctl commands may be added to individual domains, but this sets safe
|
|
# defaults for all processes. Note that granting this allowlist to domain does
|
|
# not grant the ioctl permission on these socket types. That must be granted
|
|
# separately.
|
|
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
|
|
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
|
# default allowlist for unix sockets.
|
|
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
|
|
ioctl unpriv_unix_sock_ioctls;
|
|
|
|
# Restrict PTYs to only allowed ioctls.
|
|
# Note that granting this allowlist to domain does
|
|
# not grant the wider ioctl permission. That must be granted
|
|
# separately.
|
|
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
|
|
|
|
# All domains must clearly enumerate what ioctls they use
|
|
# on filesystem objects (plain files, directories, symbolic links,
|
|
# named pipes, and named sockets). We start off with a safe set.
|
|
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
|
|
|
|
# If a domain has ioctl access to tun_device, it must clearly enumerate the
|
|
# ioctls used. Safe defaults are listed below.
|
|
allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
|
|
|
|
# Allow a process to make a determination whether a file descriptor
|
|
# for a plain file or pipe (fifo_file) is a tty. Note that granting
|
|
# this allowlist to domain does not grant the ioctl permission to
|
|
# these files. That must be granted separately.
|
|
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
|
|
allowxperm domain domain:fifo_file ioctl { TCGETS };
|
|
|
|
# If a domain has access to perform an ioctl on a block device, allow these
|
|
# very common, benign ioctls
|
|
allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
|
|
|
|
# Support sqlite F2FS specific optimizations
|
|
# ioctl permission on the specific file type is still required
|
|
# TODO: consider only compiling these rules if we know the
|
|
# /data partition is F2FS
|
|
allowxperm domain { file_type sdcard_type }:file ioctl {
|
|
F2FS_IOC_ABORT_VOLATILE_WRITE
|
|
F2FS_IOC_COMMIT_ATOMIC_WRITE
|
|
F2FS_IOC_GET_FEATURES
|
|
F2FS_IOC_GET_PIN_FILE
|
|
F2FS_IOC_SET_PIN_FILE
|
|
F2FS_IOC_START_ATOMIC_WRITE
|
|
};
|
|
|
|
# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
|
|
# when it's not explicitly used in allow rules
|
|
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
|
|
# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
|
|
# when it's not explicitly used in allow rules
|
|
allow { domain -domain } vndservice_manager_type:service_manager { add find };
|
|
|
|
# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
|
|
with_asan(`allow domain system_data_file:dir getattr;')
|
|
# Under ASAN, /system/asan.options needs to be globally accessible.
|
|
with_asan(`allow domain system_asan_options_file:file r_file_perms;')
|
|
|
|
# read APEX dir and stat any symlink pointing to APEXs.
|
|
allow domain apex_mnt_dir:dir { getattr search };
|
|
allow domain apex_mnt_dir:lnk_file r_file_perms;
|
|
|
|
# Allow reading /sys/kernel/mm/pgsize_migration/enabled
|
|
allow domain sysfs_pgsize_migration:dir search;
|
|
allow domain sysfs_pgsize_migration:file r_file_perms;
|
|
|
|
# Allow everyone to read media server-configurable flags, so that libstagefright can be
|
|
# configured using server-configurable flags
|
|
get_prop(domain, device_config_media_native_prop)
|
|
|
|
# Transition to crash_dump when /system/bin/crash_dump* is executed.
|
|
# This occurs when the process crashes.
|
|
# We do not apply this to the su domain to avoid interfering with
|
|
# tests (b/114136122)
|
|
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
|
|
allow domain crash_dump:process sigchld;
|
|
|
|
# Allow every process to check the heapprofd.enable properties to determine
|
|
# whether to load the heap profiling library. This does not necessarily enable
|
|
# heap profiling, as initialization will fail if it does not have the
|
|
# necessary SELinux permissions.
|
|
get_prop(domain, heapprofd_prop);
|
|
|
|
# See private/crash_dump.te
|
|
define(`dumpable_domain',`{
|
|
domain
|
|
-apexd
|
|
-bpfloader
|
|
-crash_dump
|
|
-crosvm # TODO(b/236672526): Remove exception for crosvm
|
|
-init
|
|
-kernel
|
|
-keystore
|
|
-llkd
|
|
-logd
|
|
-ueventd
|
|
-vendor_init
|
|
-vold
|
|
}')
|
|
|
|
# Allow heap profiling by heapprofd.
|
|
# Zygotes are excluded due to potential issues with holding open file
|
|
# descriptors or other state across forks. Other exclusions conflict with
|
|
# neverallows, and are not considered important to profile.
|
|
can_profile_heap({
|
|
dumpable_domain
|
|
-app_zygote
|
|
-hal_configstore_server
|
|
-logpersist
|
|
-recovery
|
|
-recovery_persist
|
|
-recovery_refresh
|
|
-webview_zygote
|
|
-zygote
|
|
})
|
|
|
|
# Allow profiling using perf_event_open by traced_perf.
|
|
can_profile_perf({
|
|
dumpable_domain
|
|
-app_zygote
|
|
-hal_configstore_server
|
|
-webview_zygote
|
|
-zygote
|
|
})
|
|
|
|
# Everyone can access the IncFS list of features.
|
|
r_dir_file(domain, sysfs_fs_incfs_features);
|
|
|
|
# Everyone can access the fuse list of features.
|
|
r_dir_file(domain, sysfs_fs_fuse_features);
|
|
|
|
# Path resolution access in cgroups.
|
|
allow domain cgroup:dir search;
|
|
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
|
|
allow { domain -appdomain -rs } cgroup:file w_file_perms;
|
|
|
|
allow domain cgroup_v2:dir search;
|
|
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
|
|
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
|
|
|
|
allow domain cgroup_rc_file:dir search;
|
|
allow domain cgroup_rc_file:file r_file_perms;
|
|
allow domain task_profiles_file:file r_file_perms;
|
|
allow domain task_profiles_api_file:file r_file_perms;
|
|
allow domain vendor_task_profiles_file:file r_file_perms;
|
|
|
|
# Allow all domains to read sys.use_memfd to determine
|
|
# if memfd support can be used if device supports it
|
|
get_prop(domain, use_memfd_prop);
|
|
|
|
# Read access to sdkextensions props
|
|
get_prop(domain, module_sdkextensions_prop)
|
|
|
|
# Read access to bq configuration values
|
|
get_prop(domain, bq_config_prop);
|
|
|
|
# Allow all domains to check whether MTE is set to permissive mode.
|
|
get_prop(domain, permissive_mte_prop);
|
|
|
|
# Allow ART to be configurable via device_config properties
|
|
# (ART "runs" inside the app process), and MTE bootloader override to be
|
|
# observed by everything
|
|
get_prop(domain, device_config_memory_safety_native_boot_prop);
|
|
get_prop(domain, device_config_memory_safety_native_prop);
|
|
get_prop(domain, device_config_runtime_native_boot_prop);
|
|
get_prop(domain, device_config_runtime_native_prop);
|
|
|
|
# For now, everyone can access core property files
|
|
# Device specific properties are not granted by default
|
|
not_compatible_property(`
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
|
get_prop(domain, core_property_type)
|
|
get_prop(domain, exported3_system_prop)
|
|
get_prop(domain, vendor_default_prop)
|
|
')
|
|
compatible_property_only(`
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
|
get_prop({coredomain appdomain shell}, core_property_type)
|
|
get_prop({coredomain appdomain shell}, exported3_system_prop)
|
|
get_prop({coredomain appdomain shell}, exported_camera_prop)
|
|
get_prop({coredomain shell}, userspace_reboot_exported_prop)
|
|
get_prop({coredomain shell}, userspace_reboot_log_prop)
|
|
get_prop({coredomain shell}, userspace_reboot_test_prop)
|
|
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
|
|
')
|
|
|
|
# Public readable properties
|
|
get_prop(domain, aaudio_config_prop)
|
|
get_prop(domain, apexd_select_prop)
|
|
get_prop(domain, arm64_memtag_prop)
|
|
get_prop(domain, bluetooth_config_prop)
|
|
get_prop(domain, bootloader_prop)
|
|
get_prop(domain, build_odm_prop)
|
|
get_prop(domain, build_prop)
|
|
get_prop(domain, build_vendor_prop)
|
|
get_prop(domain, debug_prop)
|
|
get_prop(domain, exported_config_prop)
|
|
get_prop(domain, exported_default_prop)
|
|
get_prop(domain, exported_dumpstate_prop)
|
|
get_prop(domain, exported_secure_prop)
|
|
get_prop(domain, exported_system_prop)
|
|
get_prop(domain, fingerprint_prop)
|
|
get_prop(domain, framework_status_prop)
|
|
get_prop(domain, gwp_asan_prop)
|
|
get_prop(domain, hal_instrumentation_prop)
|
|
get_prop(domain, hw_timeout_multiplier_prop)
|
|
get_prop(domain, init_service_status_prop)
|
|
get_prop(domain, libc_debug_prop)
|
|
get_prop(domain, locale_prop)
|
|
get_prop(domain, logd_prop)
|
|
get_prop(domain, mediadrm_config_prop)
|
|
get_prop(domain, property_service_version_prop)
|
|
get_prop(domain, soc_prop)
|
|
get_prop(domain, socket_hook_prop)
|
|
get_prop(domain, surfaceflinger_prop)
|
|
get_prop(domain, telephony_status_prop)
|
|
get_prop(domain, timezone_prop)
|
|
get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app }, userdebug_or_eng_prop)
|
|
get_prop(domain, vendor_socket_hook_prop)
|
|
get_prop(domain, vndk_prop)
|
|
get_prop(domain, vold_status_prop)
|
|
get_prop(domain, vts_config_prop)
|
|
|
|
# Binder cache properties are world-readable
|
|
get_prop(domain, binder_cache_bluetooth_server_prop)
|
|
get_prop(domain, binder_cache_system_server_prop)
|
|
get_prop(domain, binder_cache_telephony_server_prop)
|
|
|
|
# Binderfs logs contain sensitive information about other processes.
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
userdebug_or_eng(`-dumpstate')
|
|
userdebug_or_eng(`-system_server')
|
|
} binderfs_logs_transactions:file no_rw_file_perms;
|
|
|
|
# Binderfs transaction history is less sensitive than transactions, but it
|
|
# still contains global information about the system.
|
|
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms;
|
|
|
|
# Allow access to fsverity keyring.
|
|
allow domain kernel:key search;
|
|
# Allow access to keys in the fsverity keyring that were installed at boot.
|
|
allow domain fsverity_init:key search;
|
|
# For testing purposes, allow access to keys installed with su.
|
|
userdebug_or_eng(`
|
|
allow domain su:key search;
|
|
')
|
|
|
|
# Allow access to linkerconfig file
|
|
allow domain linkerconfig_file:dir search;
|
|
allow domain linkerconfig_file:file r_file_perms;
|
|
|
|
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
|
|
allow domain boringssl_self_test_marker:dir search;
|
|
|
|
# Allow all processes to read the file_logger property that liblog uses to check if file_logger
|
|
# should be used.
|
|
get_prop(domain, log_file_logger_prop)
|
|
|
|
# Allow all processes to connect to PRNG seeder daemon.
|
|
unix_socket_connect(domain, prng_seeder, prng_seeder)
|
|
|
|
# Allow calls to system(3), popen(3), ...
|
|
allow {
|
|
domain
|
|
# Except domains that explicitly neverallow it.
|
|
-kernel
|
|
-init
|
|
-vendor_init
|
|
-app_zygote
|
|
-webview_zygote
|
|
-system_server
|
|
-artd
|
|
-dexopt_chroot_setup
|
|
-audioserver
|
|
-cameraserver
|
|
-mediadrmserver
|
|
-mediaextractor
|
|
-mediametrics
|
|
-mediaserver
|
|
-mediatuner
|
|
-mediatranscoding
|
|
-ueventd
|
|
-hal_audio_server
|
|
-hal_camera_server
|
|
-hal_cas_server
|
|
-hal_codec2_server
|
|
-hal_configstore_server
|
|
-hal_drm_server
|
|
-hal_omx_server
|
|
} {shell_exec toolbox_exec}:file rx_file_perms;
|
|
|
|
# Allow all to read from flag value boot snapshot storage files and general pb files
|
|
# The boot snapshot of storage files serves flag read traffic for all processes, thus
|
|
# needs to be readable by everybody.
|
|
r_dir_file(domain, aconfig_storage_metadata_file);
|
|
|
|
r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);
|
|
r_dir_file({ coredomain appdomain }, aconfig_test_mission_files);
|
|
|
|
# processes needs to access storage file stored at /metadata/aconfig/boot, require search
|
|
# permission on /metadata dir
|
|
allow domain metadata_file:dir search;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# All ioctls on file-like objects (except chr_file and blk_file) and
|
|
# sockets must be restricted to an allowlist.
|
|
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
|
|
|
|
# b/68014825 and https://android-review.googlesource.com/516535
|
|
# rfc6093 says that processes should not use the TCP urgent mechanism
|
|
neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
|
|
|
|
# TIOCSTI is only ever used for exploits. Block it.
|
|
# b/33073072, b/7530569
|
|
# http://www.openwall.com/lists/oss-security/2016/09/26/14
|
|
neverallowxperm * devpts:chr_file ioctl TIOCSTI;
|
|
|
|
# Do not allow any domain other than init to create unlabeled files.
|
|
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
|
|
|
|
# Limit device node creation to these allowed domains.
|
|
neverallow {
|
|
domain
|
|
-kernel
|
|
-init
|
|
-ueventd
|
|
-vold
|
|
-recovery
|
|
} self:global_capability_class_set mknod;
|
|
|
|
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
|
|
neverallow * self:memprotect mmap_zero;
|
|
|
|
# No domain needs mac_override as it is unused by SELinux.
|
|
neverallow * self:global_capability2_class_set mac_override;
|
|
|
|
# Disallow attempts to set contexts not defined in current policy
|
|
# This helps guarantee that unknown or dangerous contents will not ever
|
|
# be set.
|
|
neverallow * self:global_capability2_class_set mac_admin;
|
|
|
|
# Once the policy has been loaded there shall be none to modify the policy.
|
|
# It is sealed.
|
|
neverallow * kernel:security load_policy;
|
|
|
|
# Only init prior to switching context should be able to set enforcing mode.
|
|
# init starts in kernel domain and switches to init domain via setcon in
|
|
# the init.rc, so the setenforce occurs while still in kernel. After
|
|
# switching domains, there is never any need to setenforce again by init.
|
|
neverallow * kernel:security setenforce;
|
|
neverallow { domain -kernel } kernel:security setcheckreqprot;
|
|
|
|
# No booleans in AOSP policy, so no need to ever set them.
|
|
neverallow * kernel:security setbool;
|
|
|
|
# Adjusting the AVC cache threshold.
|
|
# Not presently allowed to anything in policy, but possibly something
|
|
# that could be set from init.rc.
|
|
neverallow { domain -init } kernel:security setsecparam;
|
|
|
|
# Only the kernel hwrng thread should be able to read from the HW RNG.
|
|
neverallow {
|
|
domain
|
|
-prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
|
|
-shell # For CTS, restricted to just getattr in shell.te
|
|
-ueventd # To create the /dev/hw_random file
|
|
} hw_random_device:chr_file *;
|
|
# b/78174219 b/64114943
|
|
neverallow {
|
|
domain
|
|
-shell # stat of /dev, getattr only
|
|
-ueventd
|
|
} keychord_device:chr_file *;
|
|
|
|
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
|
|
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
|
|
|
|
# The dynamic linker always calls access(2) on the path. Don't generate SElinux
|
|
# denials since the linker does not actually access the path in case the path
|
|
# does not exist or isn't accessible for the process.
|
|
dontaudit domain postinstall_mnt_dir:dir audit_access;
|
|
|
|
#Ensure that nothing in userspace can access /dev/port
|
|
neverallow {
|
|
domain
|
|
-shell # Shell user should not have any abilities outside of getattr
|
|
-ueventd
|
|
} port_device:chr_file *;
|
|
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
|
|
# Only init should be able to configure kernel usermodehelpers or
|
|
# security-sensitive proc settings.
|
|
neverallow { domain -init } usermodehelper:file { append write };
|
|
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
|
|
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
|
|
|
|
# Init can't do anything with binder calls. If this neverallow rule is being
|
|
# triggered, it's probably due to a service with no SELinux domain.
|
|
neverallow * init:binder *;
|
|
neverallow * vendor_init:binder *;
|
|
|
|
# Binderfs logs contain sensitive information about other processes.
|
|
neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
|
|
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
|
|
|
|
# Don't allow raw read/write/open access to block_device
|
|
# Rather force a relabel to a more specific type
|
|
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
|
|
|
|
# Do not allow renaming of block files or character files
|
|
# Ability to do so can lead to possible use in an exploit chain
|
|
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
|
|
neverallow * *:{ blk_file chr_file } rename;
|
|
|
|
# Don't allow raw read/write/open access to generic devices.
|
|
# Rather force a relabel to a more specific type.
|
|
neverallow domain device:chr_file { open read write };
|
|
|
|
# Files from cache should never be executed
|
|
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
|
|
|
|
# The test files and executables MUST not be accessible to any domain
|
|
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
|
|
neverallow domain nativetest_data_file:dir no_w_dir_perms;
|
|
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
|
|
|
|
neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
|
|
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
|
|
neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
|
|
neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
|
|
neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
|
|
|
|
# Only the init property service should write to /data/property and /dev/__properties__
|
|
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
|
|
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
|
|
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
|
|
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
|
|
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
|
|
|
|
# Nobody should be doing writes to /system & /vendor
|
|
# These partitions are intended to be read-only and must never be
|
|
# modified. Doing so would violate important Android security guarantees
|
|
# and invalidate dm-verity signatures.
|
|
neverallow {
|
|
domain
|
|
with_asan(`-asan_extract')
|
|
recovery_only(`userdebug_or_eng(`-fastbootd')')
|
|
} {
|
|
system_file_type
|
|
vendor_file_type
|
|
exec_type
|
|
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
|
|
|
|
neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
|
|
|
|
# Don't allow mounting on top of /system files or directories
|
|
neverallow * exec_type:dir_file_class_set mounton;
|
|
|
|
# Nothing should be writing to files in the rootfs, except recovery.
|
|
neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
|
|
|
|
# Restrict context mounts to specific types marked with
|
|
# the contextmount_type attribute.
|
|
neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto;
|
|
|
|
# Ensure that context mount types are not writable, to ensure that
|
|
# the write to /system restriction above is not bypassed via context=
|
|
# mount to another type.
|
|
neverallow * contextmount_type:dir_file_class_set
|
|
{ create setattr relabelfrom relabelto append link rename };
|
|
neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
|
|
|
|
# Do not allow service_manager add for default service labels.
|
|
# Instead domains should use a more specific type such as
|
|
# system_app_service rather than the generic type.
|
|
# New service_types are defined in {,hw,vnd}service.te and new mappings
|
|
# from service name to service_type are defined in {,hw,vnd}service_contexts.
|
|
neverallow * default_android_service:service_manager *;
|
|
neverallow * default_android_vndservice:service_manager *;
|
|
neverallow * default_android_hwservice:hwservice_manager *;
|
|
|
|
# Looking up the base class/interface of all HwBinder services is a bad idea.
|
|
# hwservicemanager currently offer such lookups only to make it so that security
|
|
# decisions are expressed in SELinux policy. However, it's unclear whether this
|
|
# lookup has security implications. If it doesn't, hwservicemanager should be
|
|
# modified to not offer this lookup.
|
|
# This rule can be removed if hwservicemanager is modified to not permit these
|
|
# lookups.
|
|
neverallow * hidl_base_hwservice:hwservice_manager find;
|
|
|
|
# Require that domains explicitly label unknown properties, and do not allow
|
|
# anyone but init to modify unknown properties.
|
|
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
|
|
neverallow { domain -init -vendor_init } vndk_prop:property_service set;
|
|
|
|
compatible_property_only(`
|
|
neverallow { domain -init } mmc_prop:property_service set;
|
|
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
|
|
neverallow { domain -init } exported_secure_prop:property_service set;
|
|
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
|
|
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
|
|
neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
|
|
')
|
|
|
|
compatible_property_only(`
|
|
neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
|
|
neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
|
|
')
|
|
|
|
# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
|
|
neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
|
|
neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms;
|
|
|
|
# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
|
|
# old platforms shouldn't be regarded as a problem.
|
|
dontaudit domain future_pm_prop:file read;
|
|
|
|
neverallow { domain -init } aac_drc_prop:property_service set;
|
|
neverallow { domain -init } build_prop:property_service set;
|
|
neverallow { domain -init } userdebug_or_eng_prop:property_service set;
|
|
|
|
# Do not allow reading device's serial number from system properties except form
|
|
# a few allowed domains.
|
|
neverallow {
|
|
domain
|
|
-adbd
|
|
-dumpstate
|
|
-fastbootd
|
|
-hal_camera_server
|
|
-hal_cas_server
|
|
-hal_drm_server
|
|
-hal_keymint_server
|
|
userdebug_or_eng(`-incidentd')
|
|
-init
|
|
-mediadrmserver
|
|
-mediaserver
|
|
-recovery
|
|
-shell
|
|
-system_server
|
|
-vendor_init
|
|
} serialno_prop:file r_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-recovery
|
|
-system_server
|
|
-ueventd # Further restricted in ueventd.te
|
|
} frp_block_device:blk_file no_rw_file_perms;
|
|
|
|
# The metadata block device is set aside for device encryption and
|
|
# verified boot metadata. It may be reset at will and should not
|
|
# be used by other domains.
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-recovery
|
|
-vold
|
|
-e2fs
|
|
-fsck
|
|
-fastbootd
|
|
-hal_fastboot_server
|
|
} metadata_block_device:blk_file { append link rename write open read ioctl lock };
|
|
|
|
# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
|
|
neverallow {
|
|
domain
|
|
-fastbootd
|
|
userdebug_or_eng(`-fsck')
|
|
userdebug_or_eng(`-init')
|
|
-recovery
|
|
-update_engine
|
|
} system_block_device:blk_file { write append };
|
|
|
|
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
|
|
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
|
|
# The service managers are only allowed to access their own device node
|
|
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
|
|
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
|
|
neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
|
|
neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
|
|
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
|
|
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
|
|
|
|
full_treble_only(`
|
|
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
|
|
# services which can change any time framework/core is updated, breakage is likely.
|
|
#
|
|
# Note, this same logic applies to untrusted apps, but neverallows for these are separate.
|
|
neverallow {
|
|
appdomain
|
|
-coredomain
|
|
} {
|
|
service_manager_type
|
|
|
|
-app_api_service
|
|
-ephemeral_app_api_service
|
|
|
|
-hal_service_type # see app_neverallows.te
|
|
|
|
-apc_service
|
|
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
|
|
-cameraserver_service
|
|
-drmserver_service
|
|
-credstore_service
|
|
-keystore_maintenance_service
|
|
-keystore_service
|
|
-legacykeystore_service
|
|
-mediadrmserver_service
|
|
-mediaextractor_service
|
|
-mediametrics_service
|
|
-mediaserver_service
|
|
-nfc_service
|
|
-radio_service
|
|
-virtual_touchpad_service
|
|
-vr_manager_service
|
|
userdebug_or_eng(`-hal_face_service')
|
|
}:service_manager find;
|
|
')
|
|
|
|
# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-shell
|
|
userdebug_or_eng(`-su')
|
|
-ueventd # uevent is granted create for this device, but we still neverallow I/O below
|
|
} vndbinder_device:chr_file rw_file_perms;
|
|
')
|
|
full_treble_only(`
|
|
neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
|
|
')
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-shell
|
|
userdebug_or_eng(`-su')
|
|
} vndservice_manager_type:service_manager *;
|
|
')
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-shell
|
|
userdebug_or_eng(`-su')
|
|
} vndservicemanager:binder *;
|
|
')
|
|
|
|
# On full TREBLE devices, socket communications between core components and vendor components are
|
|
# not permitted.
|
|
# Most general rules first, more specific rules below.
|
|
|
|
# Core domains are not permitted to initiate communications to vendor domain sockets.
|
|
# We are not restricting the use of already established sockets because it is fine for a process
|
|
# to obtain an already established socket via some public/official/stable API and then exchange
|
|
# data with its peer over that socket. The wire format in this scenario is dicatated by the API
|
|
# and thus does not break the core-vendor separation.
|
|
full_treble_only(`
|
|
neverallow_establish_socket_comms({
|
|
coredomain
|
|
-init
|
|
-adbd
|
|
}, {
|
|
domain
|
|
-coredomain
|
|
-socket_between_core_and_vendor_violators
|
|
});
|
|
')
|
|
|
|
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
|
|
full_treble_only(`
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain # appdomain restrictions below
|
|
-data_between_core_and_vendor_violators # b/70393317
|
|
-socket_between_core_and_vendor_violators
|
|
-vendor_init
|
|
} {
|
|
coredomain_socket
|
|
core_data_file_type
|
|
unlabeled # used only by core domains
|
|
}:sock_file ~{ append getattr ioctl read write };
|
|
')
|
|
full_treble_only(`
|
|
neverallow {
|
|
appdomain
|
|
-coredomain
|
|
} {
|
|
coredomain_socket
|
|
unlabeled # used only by core domains
|
|
core_data_file_type
|
|
-app_data_file
|
|
-privapp_data_file
|
|
-pdx_endpoint_socket_type # used by VR layer
|
|
-pdx_channel_socket_type # used by VR layer
|
|
}:sock_file ~{ append getattr ioctl read write };
|
|
')
|
|
|
|
# Core domains are not permitted to create/open sockets owned by vendor domains
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-ueventd
|
|
-socket_between_core_and_vendor_violators
|
|
} {
|
|
file_type
|
|
dev_type
|
|
-coredomain_socket
|
|
-core_data_file_type
|
|
-app_data_file_type
|
|
-unlabeled
|
|
}:sock_file ~{ append getattr ioctl read write };
|
|
')
|
|
|
|
# On TREBLE devices, vendor and system components are only allowed to share
|
|
# files by passing open FDs over hwbinder. Ban all directory access and all file
|
|
# accesses other than what can be applied to an open FD such as
|
|
# ioctl/stat/read/write/append. This is enforced by segregating /data.
|
|
# Vendor domains may directly access file in /data/vendor by path, but may only
|
|
# access files outside of /data/vendor via an open FD passed over hwbinder.
|
|
# Likewise, core domains may only directly access files outside /data/vendor by
|
|
# path and files in /data/vendor by open FD.
|
|
full_treble_only(`
|
|
# only coredomains may only access core_data_file_type, particularly not
|
|
# /data/vendor
|
|
neverallow {
|
|
coredomain
|
|
-appdomain # TODO(b/34980020) remove exemption for appdomain
|
|
-data_between_core_and_vendor_violators
|
|
-init
|
|
-vold_prepare_subdirs
|
|
} {
|
|
data_file_type
|
|
-core_data_file_type
|
|
-app_data_file_type
|
|
}:file_class_set ~{ append getattr ioctl read write map };
|
|
')
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-appdomain # TODO(b/34980020) remove exemption for appdomain
|
|
-data_between_core_and_vendor_violators
|
|
-init
|
|
-vold_prepare_subdirs
|
|
} {
|
|
data_file_type
|
|
-core_data_file_type
|
|
-app_data_file_type
|
|
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
|
|
# neverallow. Currently only getattr and search are allowed.
|
|
-vendor_data_file
|
|
}:dir *;
|
|
|
|
')
|
|
full_treble_only(`
|
|
# vendor domains may only access files in /data/vendor, never core_data_file_types
|
|
neverallow {
|
|
domain
|
|
-appdomain # TODO(b/34980020) remove exemption for appdomain
|
|
-coredomain
|
|
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
|
|
-vendor_init
|
|
} {
|
|
core_data_file_type
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file_class_set ~{ append getattr ioctl read write map };
|
|
neverallow {
|
|
vendor_init
|
|
-data_between_core_and_vendor_violators
|
|
} {
|
|
core_data_file_type
|
|
-unencrypted_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file_class_set ~{ append getattr ioctl read write map };
|
|
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
|
|
# The vendor init binary lives on the system partition so there is not a concern with stability.
|
|
neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
|
|
')
|
|
full_treble_only(`
|
|
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
|
|
neverallow {
|
|
domain
|
|
-appdomain # TODO(b/34980020) remove exemption for appdomain
|
|
-coredomain
|
|
-data_between_core_and_vendor_violators
|
|
-vendor_init
|
|
} {
|
|
core_data_file_type
|
|
-system_data_file # default label for files on /data. Covered below...
|
|
-system_data_root_file
|
|
-vendor_userdir_file
|
|
-vendor_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:dir *;
|
|
neverallow {
|
|
vendor_init
|
|
-data_between_core_and_vendor_violators
|
|
} {
|
|
core_data_file_type
|
|
-unencrypted_data_file
|
|
-system_data_file
|
|
-system_data_root_file
|
|
-vendor_userdir_file
|
|
-vendor_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:dir *;
|
|
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
|
|
# The vendor init binary lives on the system partition so there is not a concern with stability.
|
|
neverallow vendor_init unencrypted_data_file:dir ~search;
|
|
')
|
|
full_treble_only(`
|
|
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
|
|
neverallow {
|
|
domain
|
|
-appdomain # TODO(b/34980020) remove exemption for appdomain
|
|
-coredomain
|
|
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
|
|
} {
|
|
system_data_file # default label for files on /data. Covered below
|
|
}:dir ~{ getattr search };
|
|
')
|
|
|
|
full_treble_only(`
|
|
# coredomains may not access dirs in /data/vendor.
|
|
neverallow {
|
|
coredomain
|
|
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
|
|
-init
|
|
-vold # vold creates per-user storage for both system and vendor
|
|
-vold_prepare_subdirs
|
|
} {
|
|
vendor_data_file # default label for files on /data. Covered below
|
|
}:dir ~{ getattr search };
|
|
')
|
|
|
|
full_treble_only(`
|
|
# coredomains may not access dirs in /data/vendor.
|
|
neverallow {
|
|
coredomain
|
|
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
|
|
-init
|
|
} {
|
|
vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
|
|
}:file_class_set ~{ append getattr ioctl read write map };
|
|
')
|
|
|
|
full_treble_only(`
|
|
# Non-vendor domains are not allowed to file execute shell
|
|
# from vendor
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-shell
|
|
-ueventd
|
|
} vendor_shell_exec:file { execute execute_no_trans };
|
|
')
|
|
|
|
full_treble_only(`
|
|
# Do not allow vendor components to execute files from system
|
|
# except for the ones allowed here.
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-vendor_executes_system_violators
|
|
-vendor_init
|
|
} {
|
|
system_file_type
|
|
-system_lib_file
|
|
-system_linker_exec
|
|
-crash_dump_exec
|
|
-netutils_wrapper_exec
|
|
userdebug_or_eng(`-tcpdump_exec')
|
|
# Vendor components still can invoke shell commands via /system/bin/sh
|
|
-shell_exec
|
|
-toolbox_exec
|
|
}:file { entrypoint execute execute_no_trans };
|
|
')
|
|
|
|
full_treble_only(`
|
|
# Do not allow coredomain to access entrypoint for files other
|
|
# than system_file_type and postinstall_file
|
|
neverallow coredomain {
|
|
file_type
|
|
-system_file_type
|
|
-postinstall_file
|
|
}:file entrypoint;
|
|
# Do not allow domains other than coredomain to access entrypoint
|
|
# for anything but vendor_file_type and init_exec for vendor_init.
|
|
neverallow { domain -coredomain } {
|
|
file_type
|
|
-vendor_file_type
|
|
-init_exec
|
|
}:file entrypoint;
|
|
')
|
|
|
|
full_treble_only(`
|
|
# Do not allow system components to execute files from vendor
|
|
# except for the ones allowed here.
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-shell
|
|
-system_executes_vendor_violators
|
|
-ueventd
|
|
} {
|
|
vendor_file_type
|
|
-same_process_hal_file
|
|
-vndk_sp_file
|
|
-vendor_app_file
|
|
-vendor_public_framework_file
|
|
-vendor_public_lib_file
|
|
}:file execute;
|
|
')
|
|
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-shell
|
|
-system_executes_vendor_violators
|
|
} {
|
|
vendor_file_type
|
|
-same_process_hal_file
|
|
}:file execute_no_trans;
|
|
')
|
|
|
|
full_treble_only(`
|
|
# Do not allow vendor components access to /system files except for the
|
|
# ones allowed here.
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-coredomain
|
|
-vendor_executes_system_violators
|
|
# vendor_init needs access to init_exec for domain transition. vendor_init
|
|
# neverallows are covered in public/vendor_init.te
|
|
-vendor_init
|
|
} {
|
|
system_file_type
|
|
-crash_dump_exec
|
|
-file_contexts_file
|
|
-netutils_wrapper_exec
|
|
-property_contexts_file
|
|
-system_event_log_tags_file
|
|
-system_group_file
|
|
-system_lib_file
|
|
with_asan(`-system_asan_options_file')
|
|
-system_linker_exec
|
|
-system_linker_config_file
|
|
-system_passwd_file
|
|
-system_seccomp_policy_file
|
|
-system_security_cacerts_file
|
|
-system_zoneinfo_file
|
|
-task_profiles_api_file
|
|
-task_profiles_file
|
|
userdebug_or_eng(`-tcpdump_exec')
|
|
# Vendor components still can invoke shell commands via /system/bin/sh
|
|
-shell_exec
|
|
-toolbox_exec
|
|
}:file *;
|
|
')
|
|
|
|
# Only system_server should be able to send commands via the zygote socket
|
|
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
|
|
neverallow { domain -system_server } zygote_socket:sock_file write;
|
|
|
|
neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
|
|
neverallow { domain -system_server } webview_zygote:sock_file write;
|
|
neverallow { domain -system_server } app_zygote:sock_file write;
|
|
|
|
neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;
|
|
|
|
# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
|
|
# the tombstoned intercept socket.
|
|
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
|
|
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
|
|
|
|
# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
|
|
neverallow { domain -init -system_server } heapdump_data_file:file read;
|
|
|
|
# Android does not support System V IPCs.
|
|
#
|
|
# The reason for this is due to the fact that, by design, they lead to global
|
|
# kernel resource leakage.
|
|
#
|
|
# For example, there is no way to automatically release a SysV semaphore
|
|
# allocated in the kernel when:
|
|
#
|
|
# - a buggy or malicious process exits
|
|
# - a non-buggy and non-malicious process crashes or is explicitly killed.
|
|
#
|
|
# Killing processes automatically to make room for new ones is an
|
|
# important part of Android's application lifecycle implementation. This means
|
|
# that, even assuming only non-buggy and non-malicious code, it is very likely
|
|
# that over time, the kernel global tables used to implement SysV IPCs will fill
|
|
# up.
|
|
neverallow * *:{ shm sem msg msgq } *;
|
|
|
|
# Do not mount on top of symlinks, fifos, or sockets.
|
|
# Feature parity with Chromium LSM.
|
|
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
|
|
|
|
# Nobody should be able to execute su on user builds.
|
|
# On userdebug/eng builds, only dumpstate, shell, and
|
|
# su itself execute su.
|
|
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
|
|
|
|
# Do not allow the introduction of new execmod rules. Text relocations
|
|
# and modification of executable pages are unsafe.
|
|
# The only exceptions are for NDK text relocations associated with
|
|
# https://code.google.com/p/android/issues/detail?id=23203
|
|
# which, long term, need to go away.
|
|
neverallow * {
|
|
file_type
|
|
-apk_data_file
|
|
-app_data_file
|
|
-asec_public_file
|
|
}:file execmod;
|
|
|
|
# Do not allow making the stack or heap executable.
|
|
# We would also like to minimize execmem but it seems to be
|
|
# required by some device-specific service domains.
|
|
neverallow * self:process { execstack execheap };
|
|
|
|
# Do not allow the introduction of new execmod rules. Text relocations
|
|
# and modification of executable pages are unsafe.
|
|
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
|
|
|
|
# Ensure that all types assigned to processes are included
|
|
# in the domain attribute, so that all allow and neverallow rules
|
|
# written on domain are applied to all processes.
|
|
# This is achieved by ensuring that it is impossible to transition
|
|
# from a domain to a non-domain type and vice versa.
|
|
# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
|
|
neverallow ~domain domain:process { transition dyntransition };
|
|
|
|
#
|
|
# Only system_app and system_server should be creating or writing
|
|
# their files. The proper way to share files is to setup
|
|
# type transitions to a more specific type or assigning a type
|
|
# to its parent directory via a file_contexts entry.
|
|
# Example type transition:
|
|
# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
|
|
#
|
|
neverallow {
|
|
domain
|
|
-system_server
|
|
-system_app
|
|
-init
|
|
-toolbox # TODO(b/141108496) We want to remove toolbox
|
|
-installd # for relabelfrom and unlink, check for this in explicit neverallow
|
|
-vold_prepare_subdirs # For unlink
|
|
with_asan(`-asan_extract')
|
|
} system_data_file:file no_w_file_perms;
|
|
# do not grant anything greater than r_file_perms and relabelfrom unlink
|
|
# to installd
|
|
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
|
|
|
|
#
|
|
# Only these domains should transition to shell domain. This domain is
|
|
# permissible for the "shell user". If you need a process to exec a shell
|
|
# script with differing privilege, define a domain and set up a transition.
|
|
#
|
|
neverallow {
|
|
domain
|
|
-adbd
|
|
-init
|
|
-runas
|
|
-zygote
|
|
} shell:process { transition dyntransition };
|
|
|
|
# Only domains spawned from zygote, runas and simpleperf_app_runner may have
|
|
# the appdomain attribute. simpleperf is excluded as a domain transitioned to
|
|
# when running an app-scoped profiling session.
|
|
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
|
|
appdomain -shell -simpleperf userdebug_or_eng(`-su')
|
|
}:process { transition dyntransition };
|
|
|
|
# Minimize read access to shell- or app-writable symlinks.
|
|
# This is to prevent malicious symlink attacks.
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-artd
|
|
-installd
|
|
} { app_data_file privapp_data_file }:lnk_file read;
|
|
|
|
neverallow {
|
|
domain
|
|
-shell
|
|
userdebug_or_eng(`-uncrypt')
|
|
-installd
|
|
} shell_data_file:lnk_file read;
|
|
|
|
# servicemanager and vndservicemanager are the only processes which handle the
|
|
# service_manager list request
|
|
neverallow * ~{
|
|
servicemanager
|
|
vndservicemanager
|
|
}:service_manager list;
|
|
|
|
# hwservicemanager is the only process which handles hw list requests
|
|
neverallow * ~{
|
|
hwservicemanager
|
|
}:hwservice_manager list;
|
|
|
|
# only service_manager_types can be added to service_manager
|
|
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
|
|
|
|
# Prevent assigning non property types to properties
|
|
# TODO - rework this: neverallow * ~property_type:property_service set;
|
|
|
|
# Domain types should never be assigned to any files other
|
|
# than the /proc/pid files associated with a process. The
|
|
# executable file used to enter a domain should be labeled
|
|
# with its own _exec type, not with the domain type.
|
|
# Conventionally, this looks something like:
|
|
# $ cat mydaemon.te
|
|
# type mydaemon, domain;
|
|
# type mydaemon_exec, exec_type, file_type;
|
|
# init_daemon_domain(mydaemon)
|
|
# $ grep mydaemon file_contexts
|
|
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
|
|
neverallow * domain:file { execute execute_no_trans entrypoint };
|
|
|
|
# Do not allow access to the generic debugfs label. This is too broad.
|
|
# Instead, if access to part of debugfs is desired, it should have a
|
|
# more specific label.
|
|
# TODO: fix dumpstate
|
|
neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
|
|
|
|
# Do not allow executable files in debugfs.
|
|
neverallow domain debugfs_type:file { execute execute_no_trans };
|
|
|
|
# Don't allow access to the FUSE control filesystem, except to vold and init's
|
|
neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
|
|
|
|
# Profiles contain untrusted data and profman parses that. We should only run
|
|
# it from installd and artd forked processes.
|
|
neverallow {
|
|
domain
|
|
-installd
|
|
-profman
|
|
-artd
|
|
} profman_exec:file no_x_file_perms;
|
|
|
|
# Enforce restrictions on kernel module origin.
|
|
# Do not allow kernel module loading except from system,
|
|
# vendor, boot, and system_dlkm partitions.
|
|
# TODO(b/218951883): Remove usage of system and rootfs as origin
|
|
neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
|
|
|
|
# Only allow filesystem caps to be set at build time. Runtime changes
|
|
# to filesystem capabilities are not permitted.
|
|
neverallow * self:global_capability_class_set setfcap;
|
|
|
|
# Enforce AT_SECURE for executing crash_dump.
|
|
neverallow domain crash_dump:process noatsecure;
|
|
|
|
# Do not permit non-core domains to register HwBinder services which are
|
|
# guaranteed to be provided by core domains only.
|
|
neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
|
|
|
|
# Do not permit the registeration of HwBinder services which are guaranteed to
|
|
# be passthrough only (i.e., run in the process of their clients instead of a
|
|
# separate server process).
|
|
neverallow * same_process_hwservice:hwservice_manager add;
|
|
|
|
# If an already existing file is opened with O_CREAT, the kernel might generate
|
|
# a false report of a create denial. Silence these denials and make sure that
|
|
# inappropriate permissions are not granted.
|
|
|
|
# These filesystems don't allow files or directories to be created, so the permission
|
|
# to do so should never be granted.
|
|
neverallow domain {
|
|
proc_type
|
|
sysfs_type
|
|
}:dir { add_name create link remove_name rename reparent rmdir write };
|
|
|
|
# cgroupfs directories can be created, but not files within them.
|
|
neverallow domain cgroup:file create;
|
|
neverallow domain cgroup_v2:file create;
|
|
|
|
dontaudit domain proc_type:dir write;
|
|
dontaudit domain sysfs_type:dir write;
|
|
dontaudit domain cgroup:file create;
|
|
dontaudit domain cgroup_v2:file create;
|
|
|
|
# These are only needed in permissive mode - in enforcing mode the
|
|
# directory write check fails and so these are never attempted.
|
|
userdebug_or_eng(`
|
|
dontaudit domain proc_type:dir add_name;
|
|
dontaudit domain sysfs_type:dir add_name;
|
|
dontaudit domain proc_type:file create;
|
|
dontaudit domain sysfs_type:file create;
|
|
')
|
|
|
|
# Platform must not have access to /mnt/vendor.
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-ueventd
|
|
-vold
|
|
-system_writes_mnt_vendor_violators
|
|
} mnt_vendor_file:dir *;
|
|
|
|
# Only apps are allowed access to vendor public libraries.
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-appdomain
|
|
} {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
|
|
')
|
|
|
|
# Vendor domian must not have access to /mnt/product.
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
} mnt_product_file:dir *;
|
|
|
|
# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-shell
|
|
# For access to block device information under /sys/class/block.
|
|
-apexd
|
|
# Read sysfs block device information.
|
|
-init
|
|
# Generate uevents for health info
|
|
-ueventd
|
|
# Recovery uses health HAL passthrough implementation.
|
|
-recovery
|
|
# Charger uses health HAL passthrough implementation.
|
|
-charger
|
|
# TODO(b/110891300): remove this exception
|
|
-incidentd
|
|
} sysfs_batteryinfo:file { open read };
|
|
')
|
|
|
|
neverallow {
|
|
domain
|
|
-hal_codec2_server
|
|
-hal_omx_server
|
|
} hal_codec2_hwservice:hwservice_manager add;
|
|
|
|
# Only apps targetting < Q are allowed to open /dev/ashmem directly.
|
|
# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
|
|
neverallow {
|
|
domain
|
|
-ephemeral_app # We don't distinguish ephemeral apps based on target API.
|
|
-untrusted_app_25
|
|
-untrusted_app_27
|
|
} ashmem_device:chr_file open;
|
|
|
|
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
|
|
|
|
# No domains other than a select few can access the misc_block_device. This
|
|
# block device is reserved for OTA use.
|
|
# Do not assert this rule on userdebug/eng builds, due to some devices using
|
|
# this partition for testing purposes.
|
|
neverallow {
|
|
domain
|
|
userdebug_or_eng(`-domain') # exclude debuggable builds
|
|
-fastbootd
|
|
-hal_bootctl_server
|
|
-init
|
|
-uncrypt
|
|
-update_engine
|
|
-vendor_init
|
|
-vendor_misc_writer
|
|
-vold
|
|
-recovery
|
|
-ueventd
|
|
-mtectrl
|
|
-misctrl
|
|
-kcmdlinectrl
|
|
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
|
|
|
|
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
|
# with other UIDs to these allowlisted domains.
|
|
neverallow {
|
|
domain
|
|
-vold
|
|
userdebug_or_eng(`-llkd')
|
|
-dumpstate
|
|
userdebug_or_eng(`-incidentd')
|
|
userdebug_or_eng(`-profcollectd')
|
|
userdebug_or_eng(`-simpleperf_boot')
|
|
-storaged
|
|
-system_server
|
|
} self:global_capability_class_set sys_ptrace;
|
|
|
|
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
|
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
|
|
neverallow { domain -system_server } *:keystore2_key use_dev_id;
|
|
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
userdebug_or_eng(`-domain')
|
|
} debugfs_tracing_debug:file no_rw_file_perms;
|
|
|
|
# System_server owns dropbox data, and init creates/restorecons the directory
|
|
# Disallow direct access by other processes.
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-system_server
|
|
userdebug_or_eng(`-dumpstate')
|
|
} dropbox_data_file:dir *;
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-system_server
|
|
userdebug_or_eng(`-dumpstate')
|
|
} dropbox_data_file:file ~{ getattr read };
|
|
|
|
###
|
|
# Services should respect app sandboxes
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-artd # compile secondary dex files
|
|
-installd # creation of sandbox
|
|
} {
|
|
privapp_data_file
|
|
app_data_file
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
|
|
}:dir_file_class_set { create unlink };
|
|
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
|
|
neverallow {
|
|
domain
|
|
-artd # compile secondary dex files
|
|
-installd # creation of sandbox
|
|
-vold_prepare_subdirs # creation of storage area directories
|
|
} {storage_area_app_dir storage_area_dir }:dir { create unlink };
|
|
')
|
|
|
|
# Only the following processes should be directly accessing private app
|
|
# directories.
|
|
neverallow {
|
|
domain
|
|
-adbd
|
|
-appdomain
|
|
-app_zygote
|
|
-artd # compile secondary dex files
|
|
-dexoptanalyzer
|
|
-installd
|
|
-profman
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
-runas
|
|
-system_server
|
|
-zygote
|
|
} {
|
|
privapp_data_file
|
|
app_data_file
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
|
|
}:dir *;
|
|
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-app_zygote
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
-system_server
|
|
-vold # encryption of storage area directories
|
|
-vold_prepare_subdirs # creation of storage area directories
|
|
-zygote
|
|
} { storage_area_dir storage_area_app_dir }:dir *;
|
|
')
|
|
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
|
|
# only vold and installd can access the storage area key files
|
|
# (and init, in case of a recursive restorecon)
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vold
|
|
-vold_prepare_subdirs
|
|
-installd
|
|
} { storage_area_key_file }:dir_file_class_set *;
|
|
')
|
|
|
|
# Only apps should be modifying app data. installd is exempted for
|
|
# restorecon and package install/uninstall.
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
} {
|
|
privapp_data_file
|
|
app_data_file
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
|
|
}:dir ~r_dir_perms;
|
|
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
-vold_prepare_subdirs # creation of storage area directories
|
|
} { storage_area_dir storage_area_app_dir }:dir ~r_dir_perms;
|
|
')
|
|
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-app_zygote
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
} {
|
|
privapp_data_file
|
|
app_data_file
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
|
|
}:file_class_set open;
|
|
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-artd # compile secondary dex files
|
|
-installd # creation of sandbox
|
|
} {
|
|
privapp_data_file
|
|
app_data_file
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
|
|
}:dir_file_class_set { create unlink };
|
|
|
|
neverallow {
|
|
domain
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
} {
|
|
privapp_data_file
|
|
app_data_file
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
|
|
}:dir_file_class_set { relabelfrom relabelto };
|
|
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
|
|
neverallow {
|
|
domain
|
|
-artd # compile secondary dex files
|
|
-installd
|
|
-vold_prepare_subdirs
|
|
} { storage_area_dir storage_area_app_dir }:dir { relabelfrom relabelto };
|
|
')
|
|
|
|
# The staging directory contains APEX and APK files. It is important to ensure
|
|
# that these files cannot be accessed by other domains to ensure that the files
|
|
# do not change between system_server staging the files and apexd processing
|
|
# the files.
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-system_server
|
|
-apexd
|
|
-installd
|
|
-priv_app
|
|
-virtualizationmanager
|
|
} staging_data_file:dir *;
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-system_app
|
|
-system_server
|
|
-apexd
|
|
-adbd
|
|
-kernel
|
|
-installd
|
|
-priv_app
|
|
-shell
|
|
-virtualizationmanager
|
|
-crosvm
|
|
} staging_data_file:file *;
|
|
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
|
|
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
|
|
# except for `link` and `unlink`.
|
|
neverallow { domain -init -system_server } staging_data_file:file
|
|
{ append create relabelfrom rename setattr write no_x_file_perms };
|
|
|
|
neverallow {
|
|
domain
|
|
-appdomain # for oemfs
|
|
-bootanim # for oemfs
|
|
-recovery # for /tmp/update_binary in tmpfs
|
|
} { fs_type -rootfs }:file execute;
|
|
|
|
#
|
|
# Assert that, to the extent possible, we're not loading executable content from
|
|
# outside the rootfs or /system partition except for a few allowlisted domains.
|
|
# Executable files loaded from /data is a persistence vector
|
|
# we want to avoid. See
|
|
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
|
|
#
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
with_asan(`-asan_extract')
|
|
-shell
|
|
userdebug_or_eng(`-su')
|
|
-system_server_startup # for memfd backed executable regions
|
|
-app_zygote
|
|
-webview_zygote
|
|
-zygote
|
|
userdebug_or_eng(`-mediaextractor')
|
|
userdebug_or_eng(`-mediaswcodec')
|
|
} {
|
|
file_type
|
|
-system_file_type
|
|
-system_lib_file
|
|
-system_linker_exec
|
|
-vendor_file_type
|
|
-exec_type
|
|
-postinstall_file
|
|
}:file execute;
|
|
|
|
# Only init is allowed to write cgroup.rc file
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
} cgroup_rc_file:file no_w_file_perms;
|
|
|
|
# Only authorized processes should be writing to files in /data/dalvik-cache
|
|
neverallow {
|
|
domain
|
|
-init # TODO: limit init to relabelfrom for files
|
|
-zygote
|
|
-installd
|
|
-postinstall_dexopt
|
|
-cppreopts
|
|
-dex2oat
|
|
-otapreopt_slot
|
|
-artd
|
|
} dalvikcache_data_file:file no_w_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-installd
|
|
-postinstall_dexopt
|
|
-cppreopts
|
|
-dex2oat
|
|
-zygote
|
|
-otapreopt_slot
|
|
-artd
|
|
} dalvikcache_data_file:dir no_w_dir_perms;
|
|
|
|
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
|
|
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
|
|
neverallow {
|
|
domain
|
|
# art-related processes
|
|
-composd
|
|
-compos_fd_server
|
|
-odrefresh
|
|
-odsign
|
|
# others
|
|
-apexd
|
|
-init
|
|
-vold_prepare_subdirs
|
|
} apex_art_data_file:file no_w_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
# art-related processes
|
|
-composd
|
|
-compos_fd_server
|
|
-odrefresh
|
|
-odsign
|
|
# others
|
|
-apexd
|
|
-init
|
|
-vold_prepare_subdirs
|
|
} apex_art_data_file:dir no_w_dir_perms;
|
|
|
|
# Protect most domains from executing arbitrary content from /data.
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
} {
|
|
data_file_type
|
|
-apex_art_data_file
|
|
-dalvikcache_data_file
|
|
-system_data_file # shared libs in apks
|
|
-apk_data_file
|
|
}:file no_x_file_perms;
|
|
|
|
# Minimize dac_override and dac_read_search.
|
|
# Instead of granting them it is usually better to add the domain to
|
|
# a Unix group or change the permissions of a file.
|
|
define(`dac_override_allowed', `{
|
|
apexd
|
|
artd
|
|
dnsmasq
|
|
dumpstate
|
|
init
|
|
installd
|
|
userdebug_or_eng(`llkd')
|
|
lmkd
|
|
migrate_legacy_obb_data
|
|
netd
|
|
postinstall_dexopt
|
|
recovery
|
|
rss_hwm_reset
|
|
sdcardd
|
|
tee
|
|
ueventd
|
|
uncrypt
|
|
vendor_init
|
|
vold
|
|
vold_prepare_subdirs
|
|
zygote
|
|
}')
|
|
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
|
|
# Since the kernel checks dac_read_search before dac_override, domains that
|
|
# have dac_override should also have dac_read_search to eliminate spurious
|
|
# denials. Some domains have dac_read_search without having dac_override, so
|
|
# this list should be a superset of the one above.
|
|
neverallow ~{
|
|
dac_override_allowed
|
|
traced_perf
|
|
traced_probes
|
|
heapprofd
|
|
} self:global_capability_class_set dac_read_search;
|
|
|
|
# Limit what domains can mount filesystems or change their mount flags.
|
|
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
|
|
# set of domains need this capability, including device-specific domains.
|
|
neverallow {
|
|
domain
|
|
-apexd
|
|
-dexopt_chroot_setup
|
|
recovery_only(`-fastbootd')
|
|
-init
|
|
-kernel
|
|
-otapreopt_chroot
|
|
-recovery
|
|
-update_engine
|
|
-vold
|
|
-zygote
|
|
} { fs_type
|
|
-sdcard_type
|
|
-fusefs_type
|
|
}:filesystem { mount remount relabelfrom relabelto };
|
|
|
|
enforce_debugfs_restriction(`
|
|
neverallow {
|
|
domain userdebug_or_eng(`-init')
|
|
} { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
|
|
')
|
|
|
|
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
|
|
neverallow {
|
|
domain
|
|
userdebug_or_eng(`-domain')
|
|
-kernel
|
|
-gsid
|
|
-init
|
|
-recovery
|
|
-ueventd
|
|
-uncrypt
|
|
-tee
|
|
-hal_bootctl_server
|
|
-fastbootd
|
|
} self:global_capability_class_set sys_rawio;
|
|
|
|
# Limit directory operations that doesn't need to do app data isolation.
|
|
neverallow {
|
|
domain
|
|
-fsck
|
|
-init
|
|
-installd
|
|
-zygote
|
|
} mirror_data_file:dir *;
|
|
|
|
# This property is being removed. Remove remaining access.
|
|
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
|
|
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
|
|
|
|
# Only core domains are allowed to access package_manager properties
|
|
neverallow { domain -init -system_server } pm_prop:property_service set;
|
|
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
|
|
|
|
# Do not allow reading the last boot timestamp from system properties
|
|
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
|
|
|
|
# Allow ART to set its config properties in its oneshot boot service, in
|
|
# addition to the common init and vendor_init access.
|
|
neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
|
|
|
|
# Kprobes should only be used by adb root
|
|
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
|
|
|
|
# On TREBLE devices, most coredomains should not access vendor_files.
|
|
# TODO(b/71553434): Remove exceptions here.
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-appdomain
|
|
-bootanim
|
|
-crash_dump
|
|
-heapprofd
|
|
userdebug_or_eng(`-profcollectd')
|
|
-init
|
|
-kernel
|
|
userdebug_or_eng(`-simpleperf_boot')
|
|
-traced_perf
|
|
-ueventd
|
|
} vendor_file:file { no_w_file_perms no_x_file_perms open };
|
|
')
|
|
|
|
# Vendor domains are not permitted to initiate communications to core domain sockets
|
|
full_treble_only(`
|
|
neverallow_establish_socket_comms({
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-socket_between_core_and_vendor_violators
|
|
}, {
|
|
coredomain
|
|
-logd # Logging by writing to logd Unix domain socket is public API
|
|
-netd # netdomain needs this
|
|
-mdnsd # netdomain needs this
|
|
-prng_seeder # Any process using libcrypto needs this
|
|
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
|
|
-init
|
|
-tombstoned # linker to tombstoned
|
|
-heapprofd
|
|
-traced
|
|
-traced_perf
|
|
});
|
|
')
|
|
|
|
full_treble_only(`
|
|
# Do not allow system components access to /vendor files except for the
|
|
# ones allowed here.
|
|
neverallow {
|
|
coredomain
|
|
# TODO(b/37168747): clean up fwk access to /vendor
|
|
-crash_dump
|
|
-crosvm # loads vendor-specific disk images
|
|
-init # starts vendor executables
|
|
-kernel # loads /vendor/firmware
|
|
-heapprofd
|
|
userdebug_or_eng(`-profcollectd')
|
|
-shell
|
|
userdebug_or_eng(`-simpleperf_boot')
|
|
-system_executes_vendor_violators
|
|
-traced_perf # library/binary access for symbolization
|
|
-ueventd # reads /vendor/ueventd.rc
|
|
-vold # loads incremental fs driver
|
|
} {
|
|
vendor_file_type
|
|
-same_process_hal_file
|
|
-vendor_app_file
|
|
-vendor_apex_file
|
|
-vendor_apex_metadata_file
|
|
-vendor_boot_ota_file
|
|
-vendor_configs_file
|
|
-vendor_microdroid_file
|
|
-vendor_service_contexts_file
|
|
-vendor_framework_file
|
|
-vendor_idc_file
|
|
-vendor_keychars_file
|
|
-vendor_keylayout_file
|
|
-vendor_overlay_file
|
|
-vendor_public_framework_file
|
|
-vendor_public_lib_file
|
|
-vendor_task_profiles_file
|
|
-vendor_uuid_mapping_config_file
|
|
-vndk_sp_file
|
|
-vendor_aconfig_storage_file
|
|
}:file *;
|
|
')
|
|
|
|
# mlsvendorcompat is only for compatibility support for older vendor
|
|
# images, and should not be granted to any domain in current policy.
|
|
# (Every domain is allowed self:fork, so this will trigger if the
|
|
# intsersection of domain & mlsvendorcompat is not empty.)
|
|
neverallow domain mlsvendorcompat:process fork;
|
|
|
|
# Only init and otapreopt_chroot should be mounting filesystems on locations
|
|
# labeled system or vendor (/product and /vendor respectively).
|
|
neverallow { domain -dexopt_chroot_setup -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
|
|
|
|
# Only allow init and vendor_init to read/write mm_events properties
|
|
# NOTE: dumpstate is allowed to read any system property
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
-dumpstate
|
|
} mm_events_config_prop:file no_rw_file_perms;
|
|
|
|
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
|
|
# kernel traces. Addresses are not disclosed, they are repalced with symbol
|
|
# names (if available). Traces don't disclose KASLR.
|
|
neverallow {
|
|
domain
|
|
-init
|
|
userdebug_or_eng(`-profcollectd')
|
|
-vendor_init
|
|
userdebug_or_eng(`-simpleperf_boot')
|
|
-traced_probes
|
|
-traced_perf
|
|
} proc_kallsyms:file { open read };
|
|
|
|
# debugfs_kcov type is not included in this neverallow statement since the KCOV
|
|
# tool uses it for kernel fuzzing.
|
|
# vendor_modprobe is also exempted since the kernel modules it loads may create
|
|
# debugfs files in its context.
|
|
enforce_debugfs_restriction(`
|
|
neverallow {
|
|
domain
|
|
-vendor_modprobe
|
|
userdebug_or_eng(`
|
|
-init
|
|
-hal_dumpstate
|
|
-incidentd
|
|
')
|
|
} { debugfs_type
|
|
userdebug_or_eng(`-debugfs_kcov')
|
|
-tracefs_type
|
|
}:file no_rw_file_perms;
|
|
')
|
|
|
|
# Restrict write access to etm sysfs interface.
|
|
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
|
|
|
|
# Restrict CAP_PERFMON.
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_modprobe
|
|
userdebug_or_eng(`-simpleperf_boot')
|
|
-kernel
|
|
-uprobestats
|
|
} self:capability2 perfmon;
|
|
|
|
# Restrict direct access to shell owned files. The /data/local/tmp directory is
|
|
# untrustworthy, and non-allowed domains should not be trusting any content in
|
|
# those directories. We allow shell files to be passed around by file
|
|
# descriptor, but not directly opened.
|
|
# artd doesn't need to access /data/local/tmp, but it needs to access
|
|
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
|
|
# dex files.
|
|
neverallow {
|
|
domain
|
|
-adbd
|
|
-appdomain
|
|
-artd
|
|
-dumpstate
|
|
-installd
|
|
userdebug_or_eng(`-aconfigd')
|
|
userdebug_or_eng(`-uncrypt')
|
|
userdebug_or_eng(`-virtualizationmanager')
|
|
userdebug_or_eng(`-virtualizationservice')
|
|
userdebug_or_eng(`-crosvm')
|
|
} shell_data_file:file open;
|
|
|
|
# In addition to the symlink reading restrictions above, restrict
|
|
# write access to shell owned directories. The /data/local/tmp
|
|
# directory is untrustworthy, and non-allowed domains should
|
|
# not be trusting any content in those directories.
|
|
# artd doesn't need to access /data/local/tmp, but it needs to access
|
|
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
|
|
# dex files.
|
|
neverallow {
|
|
domain
|
|
-adbd
|
|
-artd
|
|
-dumpstate
|
|
-installd
|
|
-init
|
|
-shell
|
|
-vold
|
|
} shell_data_file:dir no_w_dir_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-adbd
|
|
-appdomain
|
|
-artd
|
|
-dumpstate
|
|
-init
|
|
-installd
|
|
-simpleperf_app_runner
|
|
-system_server # why?
|
|
userdebug_or_eng(`-uncrypt')
|
|
} shell_data_file:dir open;
|
|
|
|
neverallow {
|
|
domain
|
|
-adbd
|
|
-appdomain
|
|
-artd
|
|
-dumpstate
|
|
-init
|
|
-installd
|
|
-simpleperf_app_runner
|
|
-system_server # why?
|
|
userdebug_or_eng(`-aconfigd')
|
|
userdebug_or_eng(`-uncrypt')
|
|
userdebug_or_eng(`-virtualizationmanager')
|
|
userdebug_or_eng(`-crosvm')
|
|
} shell_data_file:dir search;
|
|
|
|
# respect system_app sandboxes
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-artd # compile secondary dex files
|
|
-system_server #populate com.android.providers.settings/databases/settings.db.
|
|
-installd # creation of app sandbox
|
|
-traced_probes # resolve inodes for i/o tracing.
|
|
# only needs open and read, the rest is neverallow in
|
|
# traced_probes.te.
|
|
} system_app_data_file:dir_file_class_set { create unlink open };
|
|
neverallow {
|
|
isolated_app_all
|
|
ephemeral_app
|
|
priv_app
|
|
sdk_sandbox_all
|
|
untrusted_app_all
|
|
} system_app_data_file:dir_file_class_set { create unlink open };
|
|
|
|
neverallow { domain -init } mtectrl:process { dyntransition transition };
|
|
neverallow { domain -init } kcmdlinectrl:process { dyntransition transition };
|
|
|
|
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
|
|
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
|
|
|
|
# Do not allow write access to aconfig flag value files except init and aconfigd
|
|
neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
|
|
neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
|
|
|
|
neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
|
|
neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
|
|
|
|
# Only init/vendor are allowed to write sysfs_pgsize_migration;
|
|
# ueventd needs write access to all sysfs files.
|
|
neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;
|