tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/domain.te
Nick Kralevich 1e5021c450 Move some rules around 
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.

Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.

Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-28 17:55:21 -08:00

171 lines
5.2 KiB
Text
Raw Blame History

# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
userdebug_or_eng(`can_profile_heap({
domain
-bpfloader
-init
-kernel
-keystore
-llkd
-logd
-ueventd
-vendor_init
-vold
})')
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain } cgroup:dir w_dir_perms;
allow { domain -appdomain } cgroup:file w_file_perms;
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
get_prop(domain, core_property_type)
get_prop(domain, exported_dalvik_prop)
get_prop(domain, exported_ffs_prop)
get_prop(domain, exported_system_radio_prop)
get_prop(domain, exported2_config_prop)
get_prop(domain, exported2_radio_prop)
get_prop(domain, exported2_system_prop)
get_prop(domain, exported2_vold_prop)
get_prop(domain, exported3_default_prop)
get_prop(domain, exported3_radio_prop)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
get_prop({coredomain appdomain shell}, core_property_type)
get_prop({coredomain appdomain shell}, exported_dalvik_prop)
get_prop({coredomain appdomain shell}, exported_ffs_prop)
get_prop({coredomain appdomain shell}, exported_system_radio_prop)
get_prop({coredomain appdomain shell}, exported2_config_prop)
get_prop({coredomain appdomain shell}, exported2_radio_prop)
get_prop({coredomain appdomain shell}, exported2_system_prop)
get_prop({coredomain appdomain shell}, exported2_vold_prop)
get_prop({coredomain appdomain shell}, exported3_default_prop)
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
userdebug_or_eng(`-llkd')
-dumpstate
userdebug_or_eng(`-incidentd')
-storaged
-system_server
userdebug_or_eng(`-perfprofd')
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
neverallow {
domain
-init
-vendor_init
userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
neverallow {
domain
-appdomain
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
# Only the following processes should be directly accessing private app
# directories.
neverallow {
domain
-adbd
-appdomain
-dexoptanalyzer
-installd
userdebug_or_eng(`-perfprofd')
-profman
-runas
-system_server
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
domain
-appdomain
-installd
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
neverallow {
domain
-appdomain
-installd
userdebug_or_eng(`-perfprofd')
} { privapp_data_file app_data_file }:file_class_set open;
neverallow {
domain
-appdomain
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
neverallow {
domain
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
neverallow {
domain
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
neverallow {
domain
-appdomain
with_asan(`-asan_extract')
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
-webview_zygote
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
} {
file_type
-system_file_type
-system_lib_file
-system_linker_exec
-vendor_file_type
-exec_type
-postinstall_file
}:file execute;
Reference in a new issue View git blame Copy permalink