9d9333ac86
init now creates two mount namespaces one for pre-apexd processes and the other for post-apexd processes. This is to mount different files to the same mount point at /bionic. For pre-apexd processes, the bootstrap Bionic is mounted. For post-apexd processes, the default Bionic (from the runtime APEX) is mounted. Using unshare and setns, init first starts with the mount namespace for the pre-apexd and then switches to the other mount namespace when APEXes are ready. It then occasionally switches to pre-apexd mount namespace when it has to re-launch a pre-apexd process (e.g. the process has crashed, etc.) In doing so, read access to /proc/self/ns/mnt is granted to init as well. Bug: 120266448 Bug: 122717176 Test: m device boots Change-Id: Idbf15cbf5cc36b9993d718d4d887cd8f23a94666
190 lines
3.9 KiB
Text
190 lines
3.9 KiB
Text
get_prop(coredomain, pm_prop)
|
|
get_prop(coredomain, exported_pm_prop)
|
|
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
|
|
# for chowning
|
|
-init
|
|
|
|
# generic access to sysfs_type
|
|
-ueventd
|
|
-vold
|
|
} sysfs_leds:file *;
|
|
')
|
|
|
|
# On TREBLE devices, a limited set of files in /vendor are accessible to
|
|
# only a few whitelisted coredomains to keep system/vendor separation.
|
|
full_treble_only(`
|
|
# Limit access to /vendor/app
|
|
neverallow {
|
|
coredomain
|
|
-appdomain
|
|
-dex2oat
|
|
-idmap
|
|
-init
|
|
-installd
|
|
userdebug_or_eng(`-perfprofd')
|
|
userdebug_or_eng(`-heapprofd')
|
|
-postinstall_dexopt
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
-system_server
|
|
} vendor_app_file:dir { open read getattr search };
|
|
')
|
|
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-appdomain
|
|
-dex2oat
|
|
-idmap
|
|
-init
|
|
-installd
|
|
userdebug_or_eng(`-perfprofd')
|
|
userdebug_or_eng(`-heapprofd')
|
|
-postinstall_dexopt
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
-system_server
|
|
-mediaserver
|
|
} vendor_app_file:file r_file_perms;
|
|
')
|
|
|
|
full_treble_only(`
|
|
# Limit access to /vendor/overlay
|
|
neverallow {
|
|
coredomain
|
|
-appdomain
|
|
-idmap
|
|
-init
|
|
-installd
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
-system_server
|
|
-app_zygote
|
|
-webview_zygote
|
|
-zygote
|
|
userdebug_or_eng(`-heapprofd')
|
|
} vendor_overlay_file:dir { getattr open read search };
|
|
')
|
|
|
|
full_treble_only(`
|
|
neverallow {
|
|
coredomain
|
|
-appdomain
|
|
-idmap
|
|
-init
|
|
-installd
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
-system_server
|
|
-app_zygote
|
|
-webview_zygote
|
|
-zygote
|
|
userdebug_or_eng(`-heapprofd')
|
|
} vendor_overlay_file:file r_file_perms;
|
|
')
|
|
|
|
# Core domains are not permitted to use kernel interfaces which are not
|
|
# explicitly labeled.
|
|
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
|
|
full_treble_only(`
|
|
# /proc
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-vold
|
|
} proc:file no_rw_file_perms;
|
|
|
|
# /sys
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-ueventd
|
|
-vold
|
|
} sysfs:file no_rw_file_perms;
|
|
|
|
# /dev
|
|
neverallow {
|
|
coredomain
|
|
-fsck
|
|
-init
|
|
-ueventd
|
|
} device:{ blk_file file } no_rw_file_perms;
|
|
|
|
# debugfs
|
|
neverallow {
|
|
coredomain
|
|
-dumpstate
|
|
-init
|
|
-system_server
|
|
} debugfs:file no_rw_file_perms;
|
|
|
|
# tracefs
|
|
neverallow {
|
|
coredomain
|
|
-atrace
|
|
-dumpstate
|
|
-init
|
|
userdebug_or_eng(`-perfprofd')
|
|
-traced_probes
|
|
-shell
|
|
-traceur_app
|
|
} debugfs_tracing:file no_rw_file_perms;
|
|
|
|
# inotifyfs
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
} inotify:file no_rw_file_perms;
|
|
|
|
# pstorefs
|
|
neverallow {
|
|
coredomain
|
|
-bootstat
|
|
-charger
|
|
-dumpstate
|
|
-healthd
|
|
userdebug_or_eng(`-incidentd')
|
|
-init
|
|
-logd
|
|
-logpersist
|
|
-recovery_persist
|
|
-recovery_refresh
|
|
-shell
|
|
-system_server
|
|
} pstorefs:file no_rw_file_perms;
|
|
|
|
# configfs
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-system_server
|
|
} configfs:file no_rw_file_perms;
|
|
|
|
# functionfs
|
|
neverallow {
|
|
coredomain
|
|
-adbd
|
|
-init
|
|
-mediaprovider
|
|
-system_server
|
|
} functionfs:file no_rw_file_perms;
|
|
|
|
# usbfs and binfmt_miscfs
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
|
|
')
|
|
|
|
# Following /dev nodes must not be directly accessed by coredomain, but should
|
|
# instead be wrapped by HALs.
|
|
neverallow coredomain {
|
|
iio_device
|
|
radio_device
|
|
}:chr_file { open read append write ioctl };
|
|
|
|
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
|
|
# on non-Treble devices.
|
|
full_treble_only(`
|
|
neverallow coredomain tee_device:chr_file { open read append write ioctl };
|
|
')
|