platform_system_sepolicy/private/coredomain.te
Igor Murashkin e39f8d23ed sepolicy: policies for iorap.inode2filename
binary transitions are as follows:

iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename

Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-20 16:38:17 -08:00

198 lines
4 KiB
Text

get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)
full_treble_only(`
neverallow {
coredomain
# for chowning
-init
# generic access to sysfs_type
-ueventd
-vold
} sysfs_leds:file *;
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
coredomain
-appdomain
-dex2oat
-idmap
-init
-installd
userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
} vendor_app_file:dir { open read getattr search };
')
full_treble_only(`
neverallow {
coredomain
-appdomain
-dex2oat
-idmap
-init
-installd
userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
-mediaserver
} vendor_app_file:file r_file_perms;
')
full_treble_only(`
# Limit access to /vendor/overlay
neverallow {
coredomain
-appdomain
-idmap
-init
-installd
-iorap_inode2filename
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
-app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:dir { getattr open read search };
')
full_treble_only(`
neverallow {
coredomain
-appdomain
-idmap
-init
-installd
-iorap_inode2filename
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
-app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:file r_file_perms;
')
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
# /proc
neverallow {
coredomain
-init
-vold
} proc:file no_rw_file_perms;
# /sys
neverallow {
coredomain
-init
-ueventd
-vold
} sysfs:file no_rw_file_perms;
# /dev
neverallow {
coredomain
-fsck
-init
-ueventd
} device:{ blk_file file } no_rw_file_perms;
# debugfs
neverallow {
coredomain
-dumpstate
-init
-system_server
} debugfs:file no_rw_file_perms;
# tracefs
neverallow {
coredomain
-atrace
-dumpstate
-init
-traced_probes
-shell
-system_server
-traceur_app
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
neverallow {
coredomain
-init
} inotify:file no_rw_file_perms;
# pstorefs
neverallow {
coredomain
-bootstat
-charger
-dumpstate
-healthd
userdebug_or_eng(`-incidentd')
-init
-logd
-logpersist
-recovery_persist
-recovery_refresh
-shell
-system_server
} pstorefs:file no_rw_file_perms;
# configfs
neverallow {
coredomain
-init
-system_server
} configfs:file no_rw_file_perms;
# functionfs
neverallow {
coredomain
-adbd
-init
-mediaprovider
-system_server
} functionfs:file no_rw_file_perms;
# usbfs and binfmt_miscfs
neverallow {
coredomain
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
neverallow coredomain {
iio_device
radio_device
}:chr_file { open read append write ioctl };
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
full_treble_only(`
neverallow coredomain tee_device:chr_file { open read append write ioctl };
')