tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/domain.te
Michael Eastwood 670b38baa9 Allow vendor domain to communicate with traced. 
This is necessary for vendor code to be able to send trace packets to
Perfetto, which we are doing as part of an effort to provide more
detailed profiling of some vendor code.

Bug: 222684359
Test: (with downstream policy updates) m selinux_policy
Change-Id: I5ab1c04290f69e391d66a76c262d75cadb794f8d
2022-03-04 08:30:29 -08:00

614 lines
17 KiB
Text
Raw Blame History

# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
userdebug_or_eng(`can_profile_heap({
domain
-bpfloader
-init
-kernel
-keystore
-llkd
-logd
-logpersist
-recovery
-recovery_persist
-recovery_refresh
-ueventd
-vendor_init
-vold
})')
# As above, allow perf profiling most processes on debug builds.
# zygote is excluded as system-wide profiling could end up with it
# (unexpectedly) holding an open fd across a fork.
userdebug_or_eng(`can_profile_perf({
domain
-bpfloader
-init
-kernel
-keystore
-llkd
-logd
-logpersist
-recovery
-recovery_persist
-recovery_refresh
-ueventd
-vendor_init
-vold
-zygote
})')
# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)
# Read access to bq configuration values
get_prop(domain, bq_config_prop);
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
# DO NOT ADD ANY PROPERTIES HERE
get_prop(domain, core_property_type)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
get_prop({coredomain appdomain shell}, core_property_type)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_log_prop)
get_prop({coredomain shell}, userspace_reboot_test_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
userdebug_or_eng(`
allow domain su:key search;
')
# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
domain
userdebug_or_eng(`-domain') # exclude debuggable builds
-fastbootd
-hal_bootctl_server
-init
-uncrypt
-update_engine
-vendor_init
-vendor_misc_writer
-vold
-recovery
-ueventd
-mtectrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
userdebug_or_eng(`-llkd')
-dumpstate
userdebug_or_eng(`-incidentd')
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
neverallow {
domain
-init
-vendor_init
userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
neverallow {
domain
-appdomain
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
# Only the following processes should be directly accessing private app
# directories.
neverallow {
domain
-adbd
-appdomain
-app_zygote
-dexoptanalyzer
-installd
-iorap_inode2filename
-iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
-system_server
-viewcompiler
-zygote
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
domain
-appdomain
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
neverallow {
domain
-appdomain
-app_zygote
-installd
-iorap_prefetcherd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
neverallow {
domain
-appdomain
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
neverallow {
domain
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
neverallow {
domain
-init
-system_server
-apexd
-installd
-iorap_inode2filename
-priv_app
-virtualizationservice
} staging_data_file:dir *;
neverallow {
domain
-init
-system_app
-system_server
-apexd
-adbd
-kernel
-installd
-iorap_inode2filename
-priv_app
-shell
-virtualizationservice
-crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
{ append create relabelfrom rename setattr write no_x_file_perms };
neverallow {
domain
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
neverallow {
domain
-appdomain
with_asan(`-asan_extract')
-iorap_prefetcherd
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
-app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
} {
file_type
-system_file_type
-system_lib_file
-system_linker_exec
-vendor_file_type
-exec_type
-postinstall_file
}:file execute;
# Only init is allowed to write cgroup.rc file
neverallow {
domain
-init
-vendor_init
} cgroup_rc_file:file no_w_file_perms;
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
-init # TODO: limit init to relabelfrom for files
-zygote
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
domain
-init
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-zygote
-otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
neverallow {
domain
# art-related processes
-composd
-compos_fd_server
-odrefresh
-odsign
# others
-apexd
-init
-vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;
neverallow {
domain
# art-related processes
-composd
-compos_fd_server
-odrefresh
-odsign
# others
-apexd
-init
-vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;
# Protect most domains from executing arbitrary content from /data.
neverallow {
domain
-appdomain
} {
data_file_type
-apex_art_data_file
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
apexd
dnsmasq
dumpstate
init
installd
userdebug_or_eng(`llkd')
lmkd
migrate_legacy_obb_data
netd
postinstall_dexopt
recovery
rss_hwm_reset
sdcardd
tee
ueventd
uncrypt
vendor_init
vold
vold_prepare_subdirs
zygote
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
iorap_inode2filename
iorap_prefetcherd
traced_perf
traced_probes
heapprofd
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
neverallow {
domain
-apexd
recovery_only(`-fastbootd')
-init
-kernel
-otapreopt_chroot
-recovery
-update_engine
-vold
-zygote
} { fs_type
-sdcard_type
-fusefs_type
}:filesystem { mount remount relabelfrom relabelto };
enforce_debugfs_restriction(`
neverallow {
domain userdebug_or_eng(`-init')
} { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
-kernel
-gsid
-init
-recovery
-ueventd
-uncrypt
-tee
-hal_bootctl_server
-fastbootd
} self:global_capability_class_set sys_rawio;
# Limit directory operations that doesn't need to do app data isolation.
neverallow {
domain
-fsck
-init
-installd
-zygote
} mirror_data_file:dir *;
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
full_treble_only(`
neverallow {
coredomain
-appdomain
-bootanim
-crash_dump
-heapprofd
userdebug_or_eng(`-profcollectd')
-init
-iorap_inode2filename
-iorap_prefetcherd
-kernel
userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
# Vendor domains are not permitted to initiate communications to core domain sockets
full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
-appdomain
-socket_between_core_and_vendor_violators
}, {
coredomain
-logd # Logging by writing to logd Unix domain socket is public API
-netd # netdomain needs this
-mdnsd # netdomain needs this
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
userdebug_or_eng(`-heapprofd')
userdebug_or_eng(`-traced')
userdebug_or_eng(`-traced_perf')
});
')
full_treble_only(`
# Do not allow system components access to /vendor files except for the
# ones allowed here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
-crosvm # loads vendor-specific disk images
-init # starts vendor executables
-iorap_inode2filename
-iorap_prefetcherd
-kernel # loads /vendor/firmware
-heapprofd
userdebug_or_eng(`-profcollectd')
-shell
userdebug_or_eng(`-simpleperf_boot')
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
-vold # loads incremental fs driver
} {
vendor_file_type
-same_process_hal_file
-vendor_app_file
-vendor_apex_file
-vendor_configs_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
-vendor_keychars_file
-vendor_keylayout_file
-vendor_overlay_file
-vendor_public_framework_file
-vendor_public_lib_file
-vendor_task_profiles_file
-vendor_uuid_mapping_config_file
-vndk_sp_file
}:file *;
')
# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intsersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;
# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
neverallow {
domain
-init
-vendor_init
-dumpstate
} mm_events_config_prop:file no_rw_file_perms;
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are repalced with symbol
# names (if available). Traces don't disclose KASLR.
neverallow {
domain
-init
userdebug_or_eng(`-profcollectd')
-vendor_init
userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
enforce_debugfs_restriction(`
neverallow {
domain
-vendor_modprobe
userdebug_or_eng(`
-init
-hal_dumpstate
')
} { debugfs_type
userdebug_or_eng(`-debugfs_kcov')
-tracefs_type
}:file no_rw_file_perms;
')
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
# Restrict write access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
neverallow {
domain
-adbd
-appdomain
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationservice')
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
Reference in a new issue View git blame Copy permalink