platform_system_sepolicy/private/coredomain.te

get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, dalvik_config_prop)
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
get_prop(coredomain, zygote_config_prop)
get_prop(coredomain, zygote_wrap_prop)

# TODO(b/170590987): remove this after cleaning up default_prop
get_prop(coredomain, default_prop)

full_treble_only(`
neverallow {
    coredomain

    # for chowning
    -init

    # generic access to sysfs_type
    -apexd
    -ueventd
    -vold
} sysfs_leds:file *;
')

# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
    # Limit access to /vendor/app
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -dexoptanalyzer
        -idmap
        -init
        -installd
        -heapprofd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
    } vendor_app_file:dir { open read getattr search };
')

full_treble_only(`
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -dexoptanalyzer
        -idmap
        -init
        -installd
        -heapprofd
        userdebug_or_eng(`-profcollectd')
        -postinstall_dexopt
        -profman
        -rs # spawned by appdomain, so carryover the exception above
        userdebug_or_eng(`-simpleperf_boot')
        -system_server
        -traced_perf
        -mediaserver
    } vendor_app_file:file r_file_perms;
')

full_treble_only(`
    # Limit access to /vendor/overlay
    neverallow {
        coredomain
        -appdomain
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
        -app_zygote
        -webview_zygote
        -zygote
        -heapprofd
    } vendor_overlay_file:dir { getattr open read search };
')

full_treble_only(`
    neverallow {
        coredomain
        -appdomain
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
        -app_zygote
        -webview_zygote
        -zygote
        -heapprofd
        userdebug_or_eng(`-profcollectd')
        userdebug_or_eng(`-simpleperf_boot')
    } vendor_overlay_file:file open;
')

# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
  # /proc
  neverallow {
    coredomain
    -init
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  neverallow {
    coredomain
    -apexd
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  neverallow {
    coredomain
    -apexd
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  neverallow {
    coredomain
    no_debugfs_restriction(`
      -dumpstate
      -init
      -system_server
    ')
  } debugfs:file no_rw_file_perms;

  # tracefs
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -gpuservice
    -init
    -traced_perf
    -traced_probes
    -shell
    -system_server
    -traceur_app
    userdebug_or_eng(`-profcollectd')
    userdebug_or_eng(`-simpleperf_boot')
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;

  # dmabuf heaps
  neverallow {
    coredomain
    -init
    -ueventd
  }{
    dmabuf_heap_device_type
    -dmabuf_system_heap_device
    -dmabuf_system_secure_heap_device
  }:chr_file no_rw_file_perms;
')

# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
neverallow coredomain {
  iio_device
  radio_device
}:chr_file { open read append write ioctl };

# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
full_treble_only(`
  neverallow coredomain tee_device:chr_file { open read append write ioctl };
')