platform_system_sepolicy/public/te_macros
Inseob Kim b4baf73477 Fix vendor defining macros and neverallows
init and dumpstate should be able to access all properties, but they are
in coredomain, so neverallow rules for vendor properties should be
changed in order to avoid conflicts.

Bug: 145339613
Test: add vendor_internal_prop manually and build.
Change-Id: If582870f855e4444f8ac0d091696c0c7fd833791
2019-12-03 18:42:12 +09:00

862 lines
30 KiB
Text

#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute map };
allow $1 $3:process transition;
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow $1 $3:process { siginh rlimitinh };
')
#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')
#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file.
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
')
#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')
#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')
#####################################
# tmpfs_domain(domain)
# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
define(`tmpfs_domain', `
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write getattr map };
')
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
# rules from underlying transport (e.g. UDS-based implementation).
#####################################
# pdx_service_attributes(service)
# Defines type attribute used to identify various service-related types.
define(`pdx_service_attributes', `
attribute pdx_$1_endpoint_dir_type;
attribute pdx_$1_endpoint_socket_type;
attribute pdx_$1_channel_socket_type;
attribute pdx_$1_server_type;
')
#####################################
# pdx_service_socket_types(service, endpoint_dir_t)
# Define types for endpoint and channel sockets.
define(`pdx_service_socket_types', `
typeattribute $2 pdx_$1_endpoint_dir_type;
type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
userdebug_or_eng(`
dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
')
')
#####################################
# pdx_server(server_domain, service)
define(`pdx_server', `
# Mark the server domain as a PDX server.
typeattribute $1 pdx_$2_server_type;
# Allow the init process to create the initial endpoint socket.
allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
# Allow the server domain to use the endpoint socket and accept connections on it.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don"t need "bind" or "connect").
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
allow $1 self:process setsockcreate;
# Allow the server domain to create a client channel socket.
allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
# Prevent other processes from claiming to be a server for the same service.
neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
')
#####################################
# pdx_connect(client, service)
define(`pdx_connect', `
# Allow client to open the service endpoint file.
allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
# Allow the client to connect to endpoint socket.
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
')
#####################################
# pdx_use(client, service)
define(`pdx_use', `
# Allow the client to use the PDX channel socket.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don"t need "bind" or "connect").
allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
# Client needs to use an channel event fd from the server.
allow $1 pdx_$2_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
allow pdx_$2_server_type $1:fd use;
')
#####################################
# pdx_client(client, service)
define(`pdx_client', `
pdx_connect($1, $2)
pdx_use($1, $2)
')
#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
')
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
allow $1 appdomain_tmpfs:file { execute getattr map read write };
neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components
# to apps. Crash_dump is excluded, as it needs ptrace access to
# produce stack traces. llkd is excluded, as it needs to inspect
# the kernel stack for live lock conditions. runas_app is excluded, as it can
# only access debuggable apps.
neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
')
#####################################
# untrusted_app_domain(domain)
# Allow a base set of permissions required for all untrusted apps.
define(`untrusted_app_domain', `
typeattribute $1 untrusted_app_all;
')
#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
define(`net_domain', `
typeattribute $1 netdomain;
')
#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
define(`bluetooth_domain', `
typeattribute $1 bluetoothdomain;
')
#####################################
# hal_attribute(hal_name)
# Add an attribute for hal implementations along with necessary
# restrictions.
define(`hal_attribute', `
attribute hal_$1;
expandattribute hal_$1 true;
attribute hal_$1_client;
expandattribute hal_$1_client true;
attribute hal_$1_server;
expandattribute hal_$1_server false;
neverallow { hal_$1_server -halserverdomain } domain:process fork;
# hal_*_client and halclientdomain attributes are always expanded for
# performance reasons. Neverallow rules targeting expanded attributes can not be
# verified by CTS since these attributes are already expanded by that time.
build_test_only(`
neverallow { hal_$1_server -hal_$1 } domain:process fork;
neverallow { hal_$1_client -halclientdomain } domain:process fork;
')
')
#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
#
# For example, default implementation of Foo HAL:
# type hal_foo_default, domain;
# hal_server_domain(hal_foo_default, hal_foo)
#
define(`hal_server_domain', `
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')
#####################################
# hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a HAL of the specified type.
#
# For example, make some_domain a client of Foo HAL:
# hal_client_domain(some_domain, hal_foo)
#
define(`hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
not_full_treble(`
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute map };
')
')
#####################################
# passthrough_hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a passthrough HAL of the specified type.
#
# For example, make some_domain a client of passthrough Foo HAL:
# passthrough_hal_client_domain(some_domain, hal_foo)
#
define(`passthrough_hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute map };
')
#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# use set_prop(sourcedomain, targetproperty)
#
define(`unix_socket_connect', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
#####################################
# set_prop(sourcedomain, targetproperty)
# Allows source domain to set the
# targetproperty.
#
define(`set_prop', `
unix_socket_connect($1, property, init)
allow $1 $2:property_service set;
get_prop($1, $2)
')
#####################################
# get_prop(sourcedomain, targetproperty)
# Allows source domain to read the
# targetproperty.
#
define(`get_prop', `
allow $1 $2:file { getattr open read map };
')
#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
define(`unix_socket_send', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_dgram_socket sendto;
')
#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
#####################################
# hwbinder_use(domain)
# Allow domain to use HwBinder IPC.
define(`hwbinder_use', `
# Call the hwservicemanager and transfer references to it.
allow $1 hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open map };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
#####################################
# vndbinder_use(domain)
# Allow domain to use Binder IPC.
define(`vndbinder_use', `
# Talk to the vndbinder device node
allow $1 vndbinder_device:chr_file rw_file_perms;
# Call the vndservicemanager and transfer references to it.
allow $1 vndservicemanager:binder { call transfer };
# vndservicemanager performs getpidcon on clients.
allow vndservicemanager $1:dir search;
allow vndservicemanager $1:file { read open map };
allow vndservicemanager $1:process getattr;
')
#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
allow $1 $2:fd use;
')
#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
# deprecated.
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:global_capability2_class_set block_suspend;
# system_suspend permissions
binder_call($1, system_suspend_server)
allow $1 system_suspend_hwservice:hwservice_manager find;
# halclientdomain permissions
hwbinder_use($1)
get_prop($1, hwservicemanager_prop)
allow $1 hidl_manager_hwservice:hwservice_manager find;
')
#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security compute_av;
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
')
#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
define(`selinux_check_context', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security check_context;
')
#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
# Each domain gets a unique devpts type.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')
#####################################
# Non system_app application set
#
define(`non_system_app_set', `{ appdomain -system_app }')
#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
#
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
define(`full_treble_only', ifelse(target_full_treble, `true', $1,
ifelse(target_full_treble, `cts',
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
$1
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
, )))
#####################################
# Not full TREBLE
# SELinux rules which apply only to devices which are not full TREBLE devices
#
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
# Compatible property only
# SELinux rules which apply only to devices with compatible property
#
define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
ifelse(target_compatible_property, `cts',
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
$1
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
, )))
#####################################
# Not compatible property
# SELinux rules which apply only to devices without compatible property
#
define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
# asan builds
# SELinux rules which apply only to asan builds
#
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
#####################################
# native coverage builds
# SELinux rules which apply only to builds with native coverage
#
define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
#####################################
# Build-time-only test
# SELinux rules which are verified during build, but not as part of *TS testing.
#
define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
define(`crash_dump_fallback', `
userdebug_or_eng(`
allow $1 su:fifo_file append;
')
allow $1 anr_data_file:file append;
allow $1 dumpstate:fd use;
allow $1 incidentd:fd use;
# TODO: Figure out why write is needed.
allow $1 dumpstate:fifo_file { append write };
allow $1 incidentd:fifo_file { append write };
allow $1 system_server:fifo_file { append write };
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
allow $1 tombstoned_crash_socket:sock_file write;
allow $1 tombstone_data_file:file append;
')
#####################################
# WITH_DEXPREOPT builds
# SELinux rules which apply only when pre-opting.
#
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
define(`write_logd', `
unix_socket_send($1, logdw, logd)
allow $1 pmsg_device:chr_file w_file_perms;
')
#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
define(`read_logd', `
allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')
#####################################
# read_runtime_log_tags(domain)
# ability to directly map the runtime event log tags
define(`read_runtime_log_tags', `
allow $1 runtime_event_log_tags_file:file r_file_perms;
')
#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')
#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore is requires the following permissions
# to call getpidcon.
define(`use_keystore', `
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
')
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
define(`use_drmservice', `
allow drmserver $1:dir search;
allow drmserver $1:file { read open };
allow drmserver $1:process getattr;
')
###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
')
###########################################
# add_hwservice(domain, service)
# Ability for domain to add a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_hwservice', `
allow $1 $2:hwservice_manager { add find };
allow $1 hidl_base_hwservice:hwservice_manager add;
neverallow { domain -$1 } $2:hwservice_manager add;
')
###########################################
# hal_attribute_hwservice(attribute, service)
# Ability for domain to get a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
# Used to pair hal_foo_client with hal_foo_hwservice
define(`hal_attribute_hwservice', `
allow $1_client $2:hwservice_manager find;
add_hwservice($1_server, $2)
build_test_only(`
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
')
')
###################################
# can_profile_heap(domain)
# Allow processes within the domain to have their heap profiled by heapprofd.
#
# Note that profiling is performed differently between debug and user builds.
# This macro covers both user and debug builds, but see
# can_profile_heap_userdebug_or_eng for a variant that can be used when
# allowing profiling for a domain only on debug builds, without granting
# the exec permission. The exec permission is necessary for user builds, but
# only a nice-to-have for development and testing purposes on debug builds.
define(`can_profile_heap', `
# Allow central daemon to send signal for client initialization.
allow heapprofd $1:process signal;
# Allow executing a private heapprofd process to handle profiling on
# user builds (also debug builds for testing & development purposes).
allow $1 heapprofd_exec:file rx_file_perms;
# Allow directory & file read to the central heapprofd daemon, as it scans
# /proc/[pid]/cmdline for by-process-name profiling configs.
# Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
allow heapprofd $1:file r_file_perms;
allow heapprofd $1:dir r_dir_perms;
# Profilability on user implies profilability on userdebug and eng.
can_profile_heap_userdebug_or_eng($1)
')
###################################
# can_profile_heap_userdebug_or_eng(domain)
# Allow processes within the domain to have their heap profiled by heapprofd on
# debug builds only.
#
# Only necessary when can_profile_heap cannot be applied, see its description
# for rationale.
define(`can_profile_heap_userdebug_or_eng', `
userdebug_or_eng(`
# Allow central daemon to send signal for client initialization.
allow heapprofd $1:process signal;
# Allow connecting to the daemon.
unix_socket_connect($1, heapprofd, heapprofd)
# Allow daemon to use the passed fds.
allow heapprofd $1:fd use;
# Allow to read and write to heapprofd shmem.
# The client needs to read the read and write pointers in order to write.
allow $1 heapprofd_tmpfs:file { read write getattr map };
# Use shared memory received over the unix socket.
allow $1 heapprofd:fd use;
# To read and write from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
# process they relate to.
# We need to write to /proc/$PID/page_idle to find idle allocations.
# The client only opens /proc/self/page_idle with RDWR, everything else
# with RDONLY.
# heapprofd cannot open /proc/$PID/mem itself, as it does not have
# sys_ptrace.
allow heapprofd $1:file rw_file_perms;
# Allow searching the /proc/[pid] directory for cmdline.
allow heapprofd $1:dir r_dir_perms;
')
')
###################################
# never_profile_heap(domain)
# Opt out of heap profiling by heapprofd.
define(`never_profile_heap', `
neverallow heapprofd $1:file read;
neverallow heapprofd $1:process signal;
')
###################################
# perfetto_producer(domain)
# Allow processes within the domain to write data to Perfetto.
define(`perfetto_producer', `
allow $1 traced:fd use;
allow $1 traced_tmpfs:file { read write getattr map };
unix_socket_connect($1, traced_producer, traced)
')
###########################################
# dump_hal(hal_type)
# Ability to dump the hal debug info
#
define(`dump_hal', `
hal_client_domain(dumpstate, $1);
allow $1_server dumpstate:fifo_file write;
allow $1_server dumpstate:fd use;
')
#####################################
# treble_sysprop_neverallow(rules)
# SELinux neverallow rules which enforces the owner of each property and accessibility
# outside the owner.
#
# For devices launching with R or later, all properties must be explicitly marked as one of:
# system_property_type, vendor_property_type, or product_property_type.
# Also, exported properties must be explicitly marked as "restricted" or "public",
# depending on the accessibility outside the owner.
# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these rules only for devices launching with R or later.
#
define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
ifelse(target_treble_sysprop_neverallow, `cts',
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
$1
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
, )))
###########################################
# define_prop(name, owner, scope)
# Define a property with given owner and scope
#
define(`define_prop', `
type $1, property_type, $2_property_type, $2_$3_property_type;
')
###########################################
# system_internal_prop(name)
# Define a /system-owned property used only in /system
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`system_internal_prop', `
define_prop($1, system, internal)
treble_sysprop_neverallow(`
neverallow { domain -coredomain } $1:file no_rw_file_perms;
')
')
###########################################
# system_restricted_prop(name)
# Define a /system-owned property which can't be written outside /system
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`system_restricted_prop', `
define_prop($1, system, restricted)
treble_sysprop_neverallow(`
neverallow { domain -coredomain } $1:property_service set;
')
')
###########################################
# system_public_prop(name)
# Define a /system-owned property with no restrictions
#
define(`system_public_prop', `define_prop($1, system, public)')
###########################################
# product_internal_prop(name)
# Define a /product-owned property used only in /product
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`product_internal_prop', `
define_prop($1, product, internal)
treble_sysprop_neverallow(`
neverallow { domain -coredomain } $1:file no_rw_file_perms;
')
')
###########################################
# product_restricted_prop(name)
# Define a /product-owned property which can't be written outside /product
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`product_restricted_prop', `
define_prop($1, product, restricted)
treble_sysprop_neverallow(`
neverallow { domain -coredomain } $1:property_service set;
')
')
###########################################
# product_public_prop(name)
# Define a /product-owned property with no restrictions
#
define(`product_public_prop', `define_prop($1, product, public)')
###########################################
# vendor_internal_prop(name)
# Define a /vendor-owned property used only in /vendor
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`vendor_internal_prop', `
define_prop($1, vendor, internal)
treble_sysprop_neverallow(`
# init and dumpstate are in coredomain, but should be able to read all props.
neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
')
')
###########################################
# vendor_restricted_prop(name)
# Define a /vendor-owned property which can't be written outside /vendor
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`vendor_restricted_prop', `
define_prop($1, vendor, restricted)
treble_sysprop_neverallow(`
# init is in coredomain, but should be able to write all props.
neverallow { coredomain -init } $1:property_service set;
')
')
###########################################
# vendor_public_prop(name)
# Define a /vendor-owned property with no restrictions
#
define(`vendor_public_prop', `define_prop($1, vendor, public)')