55d808c28c
Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
1045 lines
37 KiB
Text
1045 lines
37 KiB
Text
#####################################
|
|
# domain_trans(olddomain, type, newdomain)
|
|
# Allow a transition from olddomain to newdomain
|
|
# upon executing a file labeled with type.
|
|
# This only allows the transition; it does not
|
|
# cause it to occur automatically - use domain_auto_trans
|
|
# if that is what you want.
|
|
#
|
|
define(`domain_trans', `
|
|
# Old domain may exec the file and transition to the new domain.
|
|
allow $1 $2:file { getattr open read execute map };
|
|
allow $1 $3:process transition;
|
|
# New domain is entered by executing the file.
|
|
allow $3 $2:file { entrypoint open read execute getattr map };
|
|
# New domain can send SIGCHLD to its caller.
|
|
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
|
|
# Enable AT_SECURE, i.e. libc secure mode.
|
|
dontaudit $1 $3:process noatsecure;
|
|
# XXX dontaudit candidate but requires further study.
|
|
allow $1 $3:process { siginh rlimitinh };
|
|
')
|
|
|
|
#####################################
|
|
# domain_auto_trans(olddomain, type, newdomain)
|
|
# Automatically transition from olddomain to newdomain
|
|
# upon executing a file labeled with type.
|
|
#
|
|
define(`domain_auto_trans', `
|
|
# Allow the necessary permissions.
|
|
domain_trans($1,$2,$3)
|
|
# Make the transition occur by default.
|
|
type_transition $1 $2:process $3;
|
|
')
|
|
|
|
#####################################
|
|
# file_type_trans(domain, dir_type, file_type)
|
|
# Allow domain to create a file labeled file_type in a
|
|
# directory labeled dir_type.
|
|
# This only allows the transition; it does not
|
|
# cause it to occur automatically - use file_type_auto_trans
|
|
# if that is what you want.
|
|
#
|
|
define(`file_type_trans', `
|
|
# Allow the domain to add entries to the directory.
|
|
allow $1 $2:dir ra_dir_perms;
|
|
# Allow the domain to create the file.
|
|
allow $1 $3:notdevfile_class_set create_file_perms;
|
|
allow $1 $3:dir create_dir_perms;
|
|
')
|
|
|
|
#####################################
|
|
# file_type_auto_trans(domain, dir_type, file_type)
|
|
# Automatically label new files with file_type when
|
|
# they are created by domain in directories labeled dir_type.
|
|
#
|
|
define(`file_type_auto_trans', `
|
|
# Allow the necessary permissions.
|
|
file_type_trans($1, $2, $3)
|
|
# Make the transition occur by default.
|
|
type_transition $1 $2:dir $3;
|
|
type_transition $1 $2:notdevfile_class_set $3;
|
|
')
|
|
|
|
#####################################
|
|
# r_dir_file(domain, type)
|
|
# Allow the specified domain to read directories, files
|
|
# and symbolic links of the specified type.
|
|
define(`r_dir_file', `
|
|
allow $1 $2:dir r_dir_perms;
|
|
allow $1 $2:{ file lnk_file } r_file_perms;
|
|
')
|
|
|
|
#####################################
|
|
# tmpfs_domain(domain)
|
|
# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
|
|
define(`tmpfs_domain', `
|
|
type_transition $1 tmpfs:file $1_tmpfs;
|
|
allow $1 $1_tmpfs:file { read write getattr map };
|
|
')
|
|
|
|
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
|
|
# rules from underlying transport (e.g. UDS-based implementation).
|
|
|
|
#####################################
|
|
# pdx_service_attributes(service)
|
|
# Defines type attribute used to identify various service-related types.
|
|
define(`pdx_service_attributes', `
|
|
attribute pdx_$1_endpoint_dir_type;
|
|
attribute pdx_$1_endpoint_socket_type;
|
|
attribute pdx_$1_channel_socket_type;
|
|
attribute pdx_$1_server_type;
|
|
')
|
|
|
|
#####################################
|
|
# pdx_service_socket_types(service, endpoint_dir_t)
|
|
# Define types for endpoint and channel sockets.
|
|
define(`pdx_service_socket_types', `
|
|
typeattribute $2 pdx_$1_endpoint_dir_type;
|
|
type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
|
|
type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
|
|
userdebug_or_eng(`
|
|
dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
|
|
dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
|
|
')
|
|
')
|
|
|
|
#####################################
|
|
# pdx_server(server_domain, service)
|
|
define(`pdx_server', `
|
|
# Mark the server domain as a PDX server.
|
|
typeattribute $1 pdx_$2_server_type;
|
|
# Allow the init process to create the initial endpoint socket.
|
|
allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
|
|
# Allow the server domain to use the endpoint socket and accept connections on it.
|
|
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
|
|
# than we need (e.g. we don"t need "bind" or "connect").
|
|
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
|
|
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
|
|
allow $1 self:process setsockcreate;
|
|
# Allow the server domain to create a client channel socket.
|
|
allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
|
|
# Prevent other processes from claiming to be a server for the same service.
|
|
neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
|
|
')
|
|
|
|
#####################################
|
|
# pdx_connect(client, service)
|
|
define(`pdx_connect', `
|
|
# Allow client to open the service endpoint file.
|
|
allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
|
|
allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
|
|
# Allow the client to connect to endpoint socket.
|
|
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
|
|
')
|
|
|
|
#####################################
|
|
# pdx_use(client, service)
|
|
define(`pdx_use', `
|
|
# Allow the client to use the PDX channel socket.
|
|
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
|
|
# than we need (e.g. we don"t need "bind" or "connect").
|
|
allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
|
|
# Client needs to use an channel event fd from the server.
|
|
allow $1 pdx_$2_server_type:fd use;
|
|
# Servers may receive sync fences, gralloc buffers, etc, from clients.
|
|
# This could be tightened on a per-server basis, but keeping track of service
|
|
# clients is error prone.
|
|
allow pdx_$2_server_type $1:fd use;
|
|
')
|
|
|
|
#####################################
|
|
# pdx_client(client, service)
|
|
define(`pdx_client', `
|
|
pdx_connect($1, $2)
|
|
pdx_use($1, $2)
|
|
')
|
|
|
|
#####################################
|
|
# init_daemon_domain(domain)
|
|
# Set up a transition from init to the daemon domain
|
|
# upon executing its binary.
|
|
define(`init_daemon_domain', `
|
|
domain_auto_trans(init, $1_exec, $1)
|
|
')
|
|
|
|
####################################
|
|
# userfaultfd_use(domain)
|
|
# Allow domain to create/use userfaultfd.
|
|
define(`userfaultfd_use', `
|
|
# Set up a type_transition to "userfaultfd" named anonymous inode object.
|
|
type $1_userfaultfd;
|
|
type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
|
|
# Allow domain to create/use userfaultfd anon_inode.
|
|
allow $1 $1_userfaultfd:anon_inode { create ioctl read };
|
|
# Suppress errors generate during bugreport
|
|
dontaudit su $1_userfaultfd:anon_inode *;
|
|
# Other domains may not use userfaultfd anon_inodes created by this domain.
|
|
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
|
|
# This domain may not use userfaultfd anon_inodes created by other domains.
|
|
neverallow $1 ~$1_userfaultfd:anon_inode *;
|
|
')
|
|
|
|
####################################
|
|
# virtualizationservice_use(domain)
|
|
# Allow domain to create and communicate with a virtual machine using
|
|
# virtualizationservice and virtualizationmanager.
|
|
define(`virtualizationservice_use', `
|
|
# Transition to virtualizationmanager when the client executes it.
|
|
domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
|
|
# Allow virtualizationmanager to communicate over UDS with the client.
|
|
allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
|
|
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
|
|
allow { virtualizationmanager crosvm } $1:fd use;
|
|
# Let the client use file descriptors created by virtualizationmanager.
|
|
allow $1 virtualizationmanager:fd use;
|
|
# Allow piping console log to the client
|
|
allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
|
|
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
|
|
# that it created. Notice that we do not grant permission to create a vsock;
|
|
# the client can only connect to VMs that it owns.
|
|
allow $1 virtualizationmanager:vsock_socket { getattr getopt read write };
|
|
# Allow client to inspect hypervisor capabilities
|
|
get_prop($1, hypervisor_prop)
|
|
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
|
|
allow $1 virtualizationservice_data_file:file { getattr read };
|
|
')
|
|
|
|
#####################################
|
|
# app_domain(domain)
|
|
# Allow a base set of permissions required for all apps.
|
|
define(`app_domain', `
|
|
typeattribute $1 appdomain;
|
|
# Label tmpfs objects for all apps.
|
|
type_transition $1 tmpfs:file appdomain_tmpfs;
|
|
userfaultfd_use($1)
|
|
allow $1 appdomain_tmpfs:file { execute getattr map read write };
|
|
neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
|
|
neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
|
|
# The Android security model guarantees the confidentiality and integrity
|
|
# of application data and execution state. Ptrace bypasses those
|
|
# confidentiality guarantees. Disallow ptrace access from system components to
|
|
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
|
|
# traces. runas_app is excluded, as it operates only on debuggable apps.
|
|
# simpleperf is excluded, as it operates only on debuggable or profileable
|
|
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
|
|
# live lock conditions.
|
|
neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
|
|
')
|
|
|
|
#####################################
|
|
# untrusted_app_domain(domain)
|
|
# Allow a base set of permissions required for all untrusted apps.
|
|
define(`untrusted_app_domain', `
|
|
typeattribute $1 untrusted_app_all;
|
|
')
|
|
|
|
#####################################
|
|
# net_domain(domain)
|
|
# Allow a base set of permissions required for network access.
|
|
define(`net_domain', `
|
|
typeattribute $1 netdomain;
|
|
')
|
|
|
|
#####################################
|
|
# bluetooth_domain(domain)
|
|
# Allow a base set of permissions required for bluetooth access.
|
|
define(`bluetooth_domain', `
|
|
typeattribute $1 bluetoothdomain;
|
|
')
|
|
|
|
#####################################
|
|
# hal_attribute(hal_name)
|
|
# Add an attribute for hal implementations along with necessary
|
|
# restrictions.
|
|
define(`hal_attribute', `
|
|
attribute hal_$1;
|
|
expandattribute hal_$1 true;
|
|
attribute hal_$1_client;
|
|
expandattribute hal_$1_client true;
|
|
attribute hal_$1_server;
|
|
expandattribute hal_$1_server false;
|
|
|
|
neverallow { hal_$1_server -halserverdomain } domain:process fork;
|
|
# hal_*_client and halclientdomain attributes are always expanded for
|
|
# performance reasons. Neverallow rules targeting expanded attributes can not be
|
|
# verified by CTS since these attributes are already expanded by that time.
|
|
build_test_only(`
|
|
neverallow { hal_$1_server -hal_$1 } domain:process fork;
|
|
neverallow { hal_$1_client -halclientdomain } domain:process fork;
|
|
')
|
|
')
|
|
|
|
#####################################
|
|
# hal_server_domain(domain, hal_type)
|
|
# Allow a base set of permissions required for a domain to offer a
|
|
# HAL implementation of the specified type over HwBinder.
|
|
#
|
|
# For example, default implementation of Foo HAL:
|
|
# type hal_foo_default, domain;
|
|
# hal_server_domain(hal_foo_default, hal_foo)
|
|
#
|
|
define(`hal_server_domain', `
|
|
typeattribute $1 halserverdomain;
|
|
typeattribute $1 $2_server;
|
|
typeattribute $1 $2;
|
|
')
|
|
|
|
#####################################
|
|
# hal_client_domain(domain, hal_type)
|
|
# Allow a base set of permissions required for a domain to be a
|
|
# client of a HAL of the specified type.
|
|
#
|
|
# For example, make some_domain a client of Foo HAL:
|
|
# hal_client_domain(some_domain, hal_foo)
|
|
#
|
|
define(`hal_client_domain', `
|
|
typeattribute $1 halclientdomain;
|
|
typeattribute $1 $2_client;
|
|
|
|
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
|
|
# non-Treble devices. For now, on non-Treble device, always grant clients of a
|
|
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
|
|
not_full_treble(`
|
|
typeattribute $1 $2;
|
|
# Find passthrough HAL implementations
|
|
allow $2 system_file:dir r_dir_perms;
|
|
allow $2 vendor_file:dir r_dir_perms;
|
|
allow $2 vendor_file:file { read open getattr execute map };
|
|
')
|
|
')
|
|
|
|
#####################################
|
|
# passthrough_hal_client_domain(domain, hal_type)
|
|
# Allow a base set of permissions required for a domain to be a
|
|
# client of a passthrough HAL of the specified type.
|
|
#
|
|
# For example, make some_domain a client of passthrough Foo HAL:
|
|
# passthrough_hal_client_domain(some_domain, hal_foo)
|
|
#
|
|
define(`passthrough_hal_client_domain', `
|
|
typeattribute $1 halclientdomain;
|
|
typeattribute $1 $2_client;
|
|
typeattribute $1 $2;
|
|
# Find passthrough HAL implementations
|
|
allow $2 system_file:dir r_dir_perms;
|
|
allow $2 vendor_file:dir r_dir_perms;
|
|
allow $2 vendor_file:file { read open getattr execute map };
|
|
')
|
|
|
|
#####################################
|
|
# unix_socket_connect(clientdomain, socket, serverdomain)
|
|
# Allow a local socket connection from clientdomain via
|
|
# socket to serverdomain.
|
|
#
|
|
# Note: If you see denial records that distill to the
|
|
# following allow rules:
|
|
# allow clientdomain property_socket:sock_file write;
|
|
# allow clientdomain init:unix_stream_socket connectto;
|
|
# allow clientdomain something_prop:property_service set;
|
|
#
|
|
# This sequence is indicative of attempting to set a property.
|
|
# use set_prop(sourcedomain, targetproperty)
|
|
#
|
|
define(`unix_socket_connect', `
|
|
allow $1 $2_socket:sock_file write;
|
|
allow $1 $3:unix_stream_socket connectto;
|
|
')
|
|
|
|
#####################################
|
|
# set_prop(sourcedomain, targetproperty)
|
|
# Allows source domain to set the
|
|
# targetproperty.
|
|
#
|
|
define(`set_prop', `
|
|
unix_socket_connect($1, property, init)
|
|
allow $1 $2:property_service set;
|
|
get_prop($1, $2)
|
|
')
|
|
|
|
#####################################
|
|
# get_prop(sourcedomain, targetproperty)
|
|
# Allows source domain to read the
|
|
# targetproperty.
|
|
#
|
|
define(`get_prop', `
|
|
allow $1 $2:file { getattr open read map };
|
|
')
|
|
|
|
#####################################
|
|
# unix_socket_send(clientdomain, socket, serverdomain)
|
|
# Allow a local socket send from clientdomain via
|
|
# socket to serverdomain.
|
|
define(`unix_socket_send', `
|
|
allow $1 $2_socket:sock_file write;
|
|
allow $1 $3:unix_dgram_socket sendto;
|
|
')
|
|
|
|
#####################################
|
|
# binder_use(domain)
|
|
# Allow domain to use Binder IPC.
|
|
define(`binder_use', `
|
|
# Call the servicemanager and transfer references to it.
|
|
allow $1 servicemanager:binder { call transfer };
|
|
# Allow servicemanager to send out callbacks
|
|
allow servicemanager $1:binder { call transfer };
|
|
# servicemanager performs getpidcon on clients.
|
|
allow servicemanager $1:dir search;
|
|
allow servicemanager $1:file { read open };
|
|
allow servicemanager $1:process getattr;
|
|
# rw access to /dev/binder and /dev/ashmem is presently granted to
|
|
# all domains in domain.te.
|
|
')
|
|
|
|
#####################################
|
|
# hwbinder_use(domain)
|
|
# Allow domain to use HwBinder IPC.
|
|
define(`hwbinder_use', `
|
|
# Call the hwservicemanager and transfer references to it.
|
|
allow $1 hwservicemanager:binder { call transfer };
|
|
# Allow hwservicemanager to send out callbacks
|
|
allow hwservicemanager $1:binder { call transfer };
|
|
# hwservicemanager performs getpidcon on clients.
|
|
allow hwservicemanager $1:dir search;
|
|
allow hwservicemanager $1:file { read open map };
|
|
allow hwservicemanager $1:process getattr;
|
|
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
|
|
# all domains in domain.te.
|
|
')
|
|
|
|
#####################################
|
|
# vndbinder_use(domain)
|
|
# Allow domain to use Binder IPC.
|
|
define(`vndbinder_use', `
|
|
# Talk to the vndbinder device node
|
|
allow $1 vndbinder_device:chr_file rw_file_perms;
|
|
# Call the vndservicemanager and transfer references to it.
|
|
allow $1 vndservicemanager:binder { call transfer };
|
|
# vndservicemanager performs getpidcon on clients.
|
|
allow vndservicemanager $1:dir search;
|
|
allow vndservicemanager $1:file { read open map };
|
|
allow vndservicemanager $1:process getattr;
|
|
')
|
|
|
|
#####################################
|
|
# binder_call(clientdomain, serverdomain)
|
|
# Allow clientdomain to perform binder IPC to serverdomain.
|
|
define(`binder_call', `
|
|
# Call the server domain and optionally transfer references to it.
|
|
allow $1 $2:binder { call transfer };
|
|
# Allow the serverdomain to transfer references to the client on the reply.
|
|
allow $2 $1:binder transfer;
|
|
# Receive and use open files from the server.
|
|
allow $1 $2:fd use;
|
|
')
|
|
|
|
#####################################
|
|
# binder_service(domain)
|
|
# Mark a domain as being a Binder service domain.
|
|
# Used to allow binder IPC to the various system services.
|
|
define(`binder_service', `
|
|
typeattribute $1 binderservicedomain;
|
|
')
|
|
|
|
#####################################
|
|
# wakelock_use(domain)
|
|
# Allow domain to manage wake locks
|
|
define(`wakelock_use', `
|
|
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
|
|
# deprecated.
|
|
# Access /sys/power/wake_lock and /sys/power/wake_unlock
|
|
allow $1 sysfs_wake_lock:file rw_file_perms;
|
|
# Accessing these files requires CAP_BLOCK_SUSPEND
|
|
allow $1 self:global_capability2_class_set block_suspend;
|
|
# system_suspend permissions
|
|
binder_call($1, system_suspend_server)
|
|
allow $1 system_suspend_hwservice:hwservice_manager find;
|
|
# halclientdomain permissions
|
|
hwbinder_use($1)
|
|
get_prop($1, hwservicemanager_prop)
|
|
allow $1 hidl_manager_hwservice:hwservice_manager find;
|
|
# AIDL suspend hal permissions
|
|
allow $1 hal_system_suspend_service:service_manager find;
|
|
binder_use($1)
|
|
')
|
|
|
|
#####################################
|
|
# selinux_check_access(domain)
|
|
# Allow domain to check SELinux permissions via selinuxfs.
|
|
define(`selinux_check_access', `
|
|
r_dir_file($1, selinuxfs)
|
|
allow $1 selinuxfs:file w_file_perms;
|
|
allow $1 kernel:security compute_av;
|
|
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
|
|
')
|
|
|
|
#####################################
|
|
# selinux_check_context(domain)
|
|
# Allow domain to check SELinux contexts via selinuxfs.
|
|
define(`selinux_check_context', `
|
|
r_dir_file($1, selinuxfs)
|
|
allow $1 selinuxfs:file w_file_perms;
|
|
allow $1 kernel:security check_context;
|
|
')
|
|
|
|
#####################################
|
|
# create_pty(domain)
|
|
# Allow domain to create and use a pty, isolated from any other domain ptys.
|
|
define(`create_pty', `
|
|
# Each domain gets a unique devpts type.
|
|
type $1_devpts, fs_type;
|
|
# Label the pty with the unique type when created.
|
|
type_transition $1 devpts:chr_file $1_devpts;
|
|
# Allow use of the pty after creation.
|
|
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
|
|
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
|
|
# TIOCSTI is only ever used for exploits. Block it.
|
|
# b/33073072, b/7530569
|
|
# http://www.openwall.com/lists/oss-security/2016/09/26/14
|
|
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
|
|
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
|
|
# allowed to everyone via domain.te.
|
|
')
|
|
|
|
#####################################
|
|
# Non system_app application set
|
|
#
|
|
define(`non_system_app_set', `{ appdomain -system_app }')
|
|
|
|
#####################################
|
|
# Recovery only
|
|
# SELinux rules which apply only to recovery mode
|
|
#
|
|
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
|
|
|
|
#####################################
|
|
# Not recovery
|
|
# SELinux rules which apply only to non-recovery (normal) mode
|
|
#
|
|
define(`not_recovery', ifelse(target_recovery, `true', , $1))
|
|
|
|
#####################################
|
|
# Full TREBLE only
|
|
# SELinux rules which apply only to full TREBLE devices
|
|
#
|
|
define(`full_treble_only', ifelse(target_full_treble, `true', $1,
|
|
ifelse(target_full_treble, `cts',
|
|
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
|
|
$1
|
|
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
|
|
, )))
|
|
|
|
#####################################
|
|
# Not full TREBLE
|
|
# SELinux rules which apply only to devices which are not full TREBLE devices
|
|
#
|
|
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
|
|
|
|
#####################################
|
|
# enforce_debugfs_restriction
|
|
# SELinux rules which apply to devices that enable debugfs restrictions.
|
|
# The keyword "cts" is used to insert markers to only CTS test the neverallows
|
|
# added by the macro for S-launch devices and newer.
|
|
define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
|
|
ifelse(target_enforce_debugfs_restriction, `cts',
|
|
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
|
|
$1
|
|
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
|
|
, )))
|
|
|
|
#####################################
|
|
# no_debugfs_restriction
|
|
# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
|
|
define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
|
|
|
|
#####################################
|
|
# Compatible property only
|
|
# SELinux rules which apply only to devices with compatible property
|
|
#
|
|
define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
|
|
ifelse(target_compatible_property, `cts',
|
|
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
|
|
$1
|
|
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
|
|
, )))
|
|
|
|
#####################################
|
|
# Not compatible property
|
|
# SELinux rules which apply only to devices without compatible property
|
|
#
|
|
define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
|
|
|
|
#####################################
|
|
# Userdebug or eng builds
|
|
# SELinux rules which apply only to userdebug or eng builds
|
|
#
|
|
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
|
|
|
|
#####################################
|
|
# asan builds
|
|
# SELinux rules which apply only to asan builds
|
|
#
|
|
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
|
|
|
|
#####################################
|
|
# native coverage builds
|
|
# SELinux rules which apply only to builds with native coverage
|
|
#
|
|
define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
|
|
|
|
#####################################
|
|
# Build-time-only test
|
|
# SELinux rules which are verified during build, but not as part of *TS testing.
|
|
#
|
|
define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
|
|
|
|
####################################
|
|
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
|
|
#
|
|
define(`crash_dump_fallback', `
|
|
userdebug_or_eng(`
|
|
allow $1 su:fifo_file append;
|
|
')
|
|
allow $1 anr_data_file:file append;
|
|
allow $1 dumpstate:fd use;
|
|
allow $1 incidentd:fd use;
|
|
# TODO: Figure out why write is needed.
|
|
allow $1 dumpstate:fifo_file { append write };
|
|
allow $1 incidentd:fifo_file { append write };
|
|
allow $1 system_server:fifo_file { append write };
|
|
allow $1 tombstoned:unix_stream_socket connectto;
|
|
allow $1 tombstoned:fd use;
|
|
allow $1 tombstoned_crash_socket:sock_file write;
|
|
allow $1 tombstone_data_file:file append;
|
|
')
|
|
|
|
#####################################
|
|
# WITH_DEXPREOPT builds
|
|
# SELinux rules which apply only when pre-opting.
|
|
#
|
|
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
|
|
|
|
#####################################
|
|
# write_logd(domain)
|
|
# Ability to write to android log
|
|
# daemon via sockets
|
|
define(`write_logd', `
|
|
unix_socket_send($1, logdw, logd)
|
|
allow $1 pmsg_device:chr_file w_file_perms;
|
|
')
|
|
|
|
#####################################
|
|
# read_logd(domain)
|
|
# Ability to run logcat and read from android
|
|
# log daemon via sockets
|
|
define(`read_logd', `
|
|
allow $1 logcat_exec:file rx_file_perms;
|
|
unix_socket_connect($1, logdr, logd)
|
|
')
|
|
|
|
#####################################
|
|
# read_runtime_log_tags(domain)
|
|
# ability to directly map the runtime event log tags
|
|
define(`read_runtime_log_tags', `
|
|
allow $1 runtime_event_log_tags_file:file r_file_perms;
|
|
')
|
|
|
|
#####################################
|
|
# control_logd(domain)
|
|
# Ability to control
|
|
# android log daemon via sockets
|
|
define(`control_logd', `
|
|
# Group AID_LOG checked by filesystem & logd
|
|
# to permit control commands
|
|
unix_socket_connect($1, logd, logd)
|
|
')
|
|
|
|
#####################################
|
|
# use_keystore(domain)
|
|
# Ability to use keystore.
|
|
# Keystore is requires the following permissions
|
|
# to call getpidcon.
|
|
define(`use_keystore', `
|
|
allow keystore $1:dir search;
|
|
allow keystore $1:file { read open };
|
|
allow keystore $1:process getattr;
|
|
allow $1 apc_service:service_manager find;
|
|
allow $1 keystore_service:service_manager find;
|
|
allow $1 legacykeystore_service:service_manager find;
|
|
binder_call($1, keystore)
|
|
binder_call(keystore, $1)
|
|
')
|
|
|
|
#####################################
|
|
# use_credstore(domain)
|
|
# Ability to use credstore.
|
|
define(`use_credstore', `
|
|
allow credstore $1:dir search;
|
|
allow credstore $1:file { read open };
|
|
allow credstore $1:process getattr;
|
|
allow $1 credstore_service:service_manager find;
|
|
binder_call($1, credstore)
|
|
binder_call(credstore, $1)
|
|
')
|
|
|
|
###########################################
|
|
# use_drmservice(domain)
|
|
# Ability to use DrmService which requires
|
|
# DrmService to call getpidcon.
|
|
define(`use_drmservice', `
|
|
allow drmserver $1:dir search;
|
|
allow drmserver $1:file { read open };
|
|
allow drmserver $1:process getattr;
|
|
')
|
|
|
|
###########################################
|
|
# add_service(domain, service)
|
|
# Ability for domain to add a service to service_manager
|
|
# and find it. It also creates a neverallow preventing
|
|
# others from adding it.
|
|
define(`add_service', `
|
|
allow $1 $2:service_manager { add find };
|
|
neverallow { domain -$1 } $2:service_manager add;
|
|
|
|
# On debug builds with root, allow binder services to use binder over TCP.
|
|
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
|
|
userdebug_or_eng(`
|
|
allow $1 su:tcp_socket { accept getopt read write };
|
|
')
|
|
')
|
|
|
|
###########################################
|
|
# add_hwservice(domain, service)
|
|
# Ability for domain to add a service to hwservice_manager
|
|
# and find it. It also creates a neverallow preventing
|
|
# others from adding it.
|
|
define(`add_hwservice', `
|
|
allow $1 $2:hwservice_manager { add find };
|
|
allow $1 hidl_base_hwservice:hwservice_manager add;
|
|
neverallow { domain -$1 } $2:hwservice_manager add;
|
|
')
|
|
|
|
###########################################
|
|
# hal_attribute_hwservice(attribute, service)
|
|
# Ability for domain to get a service to hwservice_manager
|
|
# and find it. It also creates a neverallow preventing
|
|
# others from adding it.
|
|
#
|
|
# Used to pair hal_foo_client with hal_foo_hwservice
|
|
define(`hal_attribute_hwservice', `
|
|
allow $1_client $2:hwservice_manager find;
|
|
add_hwservice($1_server, $2)
|
|
|
|
build_test_only(`
|
|
# if you are hitting this neverallow, try using:
|
|
# hal_client_domain(<your domain>, hal_<foo>)
|
|
# instead
|
|
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
|
|
')
|
|
')
|
|
|
|
###########################################
|
|
# hal_attribute_service(attribute, service)
|
|
# Ability for domain to get a service to service_manager
|
|
# and find it. It also creates a neverallow preventing
|
|
# others from adding it.
|
|
#
|
|
# Used to pair hal_foo_client with hal_foo_service
|
|
define(`hal_attribute_service', `
|
|
allow $1_client $2:service_manager find;
|
|
add_service($1_server, $2)
|
|
|
|
build_test_only(`
|
|
# if you are hitting this neverallow, try using:
|
|
# hal_client_domain(<your domain>, hal_<foo>)
|
|
# instead
|
|
neverallow {
|
|
domain
|
|
-$1_client
|
|
-$1_server
|
|
# some services are allowed to find all services
|
|
-atrace
|
|
-shell
|
|
-system_app
|
|
-traceur_app
|
|
} $2:service_manager find;
|
|
')
|
|
')
|
|
|
|
###################################
|
|
# can_profile_heap(domain)
|
|
# Allow processes within the domain to have their heap profiled by central
|
|
# heapprofd.
|
|
define(`can_profile_heap', `
|
|
# Allow central daemon to send signal for client initialization.
|
|
allow heapprofd $1:process signal;
|
|
# Allow connecting to the daemon.
|
|
unix_socket_connect($1, heapprofd, heapprofd)
|
|
# Allow daemon to use the passed fds.
|
|
allow heapprofd $1:fd use;
|
|
# Allow to read and write to heapprofd shmem.
|
|
# The client needs to read the read and write pointers in order to write.
|
|
allow $1 heapprofd_tmpfs:file { read write getattr map };
|
|
# Use shared memory received over the unix socket.
|
|
allow $1 heapprofd:fd use;
|
|
|
|
# To read and write from the received file descriptors.
|
|
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
|
|
# process they relate to.
|
|
# We need to write to /proc/$PID/page_idle to find idle allocations.
|
|
# The client only opens /proc/self/page_idle with RDWR, everything else
|
|
# with RDONLY.
|
|
# heapprofd cannot open /proc/$PID/mem itself, as it does not have
|
|
# sys_ptrace.
|
|
allow heapprofd $1:file rw_file_perms;
|
|
# Allow searching the /proc/[pid] directory for cmdline.
|
|
allow heapprofd $1:dir r_dir_perms;
|
|
')
|
|
|
|
###################################
|
|
# never_profile_heap(domain)
|
|
# Opt out of heap profiling by heapprofd.
|
|
define(`never_profile_heap', `
|
|
neverallow heapprofd $1:file read;
|
|
neverallow heapprofd $1:process signal;
|
|
')
|
|
|
|
###################################
|
|
# can_profile_perf(domain)
|
|
# Allow processes within the domain to be profiled, and have their stacks
|
|
# sampled, by traced_perf.
|
|
define(`can_profile_perf', `
|
|
# Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
|
|
# reads /proc/[pid]/cmdline.
|
|
allow traced_perf $1:file r_file_perms;
|
|
allow traced_perf $1:dir r_dir_perms;
|
|
|
|
# Allow central daemon to send signal to request /proc/[pid]/maps and
|
|
# /proc/[pid]/mem fds from this process.
|
|
allow traced_perf $1:process signal;
|
|
|
|
# Allow connecting to the daemon.
|
|
unix_socket_connect($1, traced_perf, traced_perf)
|
|
# Allow daemon to use the passed fds.
|
|
allow traced_perf $1:fd use;
|
|
')
|
|
|
|
###################################
|
|
# never_profile_perf(domain)
|
|
# Opt out of profiling by traced_perf.
|
|
define(`never_profile_perf', `
|
|
neverallow traced_perf $1:file read;
|
|
neverallow traced_perf $1:process signal;
|
|
')
|
|
|
|
###################################
|
|
# perfetto_producer(domain)
|
|
# Allow processes within the domain to write data to Perfetto.
|
|
# When applying this macro, you might need to also allow traced to use the
|
|
# producer tmpfs domain, if the producer will be the one creating the shared
|
|
# memory.
|
|
define(`perfetto_producer', `
|
|
allow $1 traced:fd use;
|
|
allow $1 traced_tmpfs:file { read write getattr map };
|
|
unix_socket_connect($1, traced_producer, traced)
|
|
|
|
# Also allow the service to use the producer file descriptors. This is
|
|
# necessary when the producer is creating the shared memory, as it will be
|
|
# passed to the service as a file descriptor (obtained from memfd_create).
|
|
allow traced $1:fd use;
|
|
')
|
|
|
|
###########################################
|
|
# dump_hal(hal_type)
|
|
# Ability to dump the hal debug info
|
|
#
|
|
define(`dump_hal', `
|
|
hal_client_domain(dumpstate, $1);
|
|
allow $1_server dumpstate:fifo_file write;
|
|
allow $1_server dumpstate:fd use;
|
|
')
|
|
|
|
#####################################
|
|
# treble_sysprop_neverallow(rules)
|
|
# SELinux neverallow rules which enforces the accessibility of each property
|
|
# outside the owner.
|
|
#
|
|
# For devices launching with R or later, exported properties must be explicitly marked as
|
|
# "restricted" or "public", depending on the accessibility outside the owner.
|
|
# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
|
|
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
|
|
# See {partition}_{accessibility}_prop macros below.
|
|
#
|
|
# CTS uses these rules only for devices launching with R or later.
|
|
#
|
|
# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
|
|
#
|
|
define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
|
|
ifelse(target_treble_sysprop_neverallow, `cts',
|
|
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
|
|
$1
|
|
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
|
|
, )))
|
|
|
|
#####################################
|
|
# enforce_sysprop_owner(rules)
|
|
# SELinux neverallow rules which enforces the owner of each property.
|
|
#
|
|
# For devices launching with S or later, all properties must be explicitly marked as one of:
|
|
# system_property_type, vendor_property_type, or product_property_type.
|
|
# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
|
|
# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
|
|
# See {partition}_{accessibility}_prop macros below.
|
|
#
|
|
# CTS uses these ules only for devices launching with S or later.
|
|
#
|
|
define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
|
|
ifelse(target_enforce_sysprop_owner, `cts',
|
|
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
|
|
$1
|
|
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
|
|
, )))
|
|
|
|
###########################################
|
|
# define_prop(name, owner, scope)
|
|
# Define a property with given owner and scope
|
|
#
|
|
define(`define_prop', `
|
|
type $1, property_type, $2_property_type, $2_$3_property_type;
|
|
')
|
|
|
|
###########################################
|
|
# system_internal_prop(name)
|
|
# Define a /system-owned property used only in /system
|
|
# For devices launching with Q or eariler, this restriction can be relaxed with
|
|
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
|
|
#
|
|
define(`system_internal_prop', `
|
|
define_prop($1, system, internal)
|
|
treble_sysprop_neverallow(`
|
|
neverallow { domain -coredomain } $1:file no_rw_file_perms;
|
|
')
|
|
')
|
|
|
|
###########################################
|
|
# system_restricted_prop(name)
|
|
# Define a /system-owned property which can't be written outside /system
|
|
# For devices launching with Q or eariler, this restriction can be relaxed with
|
|
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
|
|
#
|
|
define(`system_restricted_prop', `
|
|
define_prop($1, system, restricted)
|
|
treble_sysprop_neverallow(`
|
|
neverallow { domain -coredomain } $1:property_service set;
|
|
')
|
|
')
|
|
|
|
###########################################
|
|
# system_public_prop(name)
|
|
# Define a /system-owned property with no restrictions
|
|
#
|
|
define(`system_public_prop', `define_prop($1, system, public)')
|
|
|
|
###########################################
|
|
# system_vendor_config_prop(name)
|
|
# Define a /system-owned property which can only be written by vendor_init
|
|
# This is a macro for vendor-specific configuration properties which is meant
|
|
# to be set once from vendor_init.
|
|
#
|
|
define(`system_vendor_config_prop', `
|
|
system_public_prop($1)
|
|
set_prop(vendor_init, $1)
|
|
neverallow { domain -init -vendor_init } $1:property_service set;
|
|
')
|
|
|
|
###########################################
|
|
# product_internal_prop(name)
|
|
# Define a /product-owned property used only in /product
|
|
# For devices launching with Q or eariler, this restriction can be relaxed with
|
|
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
|
|
#
|
|
define(`product_internal_prop', `
|
|
define_prop($1, product, internal)
|
|
treble_sysprop_neverallow(`
|
|
neverallow { domain -coredomain } $1:file no_rw_file_perms;
|
|
')
|
|
')
|
|
|
|
###########################################
|
|
# product_restricted_prop(name)
|
|
# Define a /product-owned property which can't be written outside /product
|
|
# For devices launching with Q or eariler, this restriction can be relaxed with
|
|
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
|
|
#
|
|
define(`product_restricted_prop', `
|
|
define_prop($1, product, restricted)
|
|
treble_sysprop_neverallow(`
|
|
neverallow { domain -coredomain } $1:property_service set;
|
|
')
|
|
')
|
|
|
|
###########################################
|
|
# product_public_prop(name)
|
|
# Define a /product-owned property with no restrictions
|
|
#
|
|
define(`product_public_prop', `define_prop($1, product, public)')
|
|
|
|
###########################################
|
|
# vendor_internal_prop(name)
|
|
# Define a /vendor-owned property used only in /vendor
|
|
# For devices launching with Q or eariler, this restriction can be relaxed with
|
|
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
|
|
#
|
|
define(`vendor_internal_prop', `
|
|
define_prop($1, vendor, internal)
|
|
treble_sysprop_neverallow(`
|
|
# init and dumpstate are in coredomain, but should be able to read all props.
|
|
neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
|
|
')
|
|
')
|
|
|
|
###########################################
|
|
# vendor_restricted_prop(name)
|
|
# Define a /vendor-owned property which can't be written outside /vendor
|
|
# For devices launching with Q or eariler, this restriction can be relaxed with
|
|
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
|
|
#
|
|
define(`vendor_restricted_prop', `
|
|
define_prop($1, vendor, restricted)
|
|
treble_sysprop_neverallow(`
|
|
# init is in coredomain, but should be able to write all props.
|
|
neverallow { coredomain -init } $1:property_service set;
|
|
')
|
|
')
|
|
|
|
###########################################
|
|
# vendor_public_prop(name)
|
|
# Define a /vendor-owned property with no restrictions
|
|
#
|
|
define(`vendor_public_prop', `define_prop($1, vendor, public)')
|
|
|
|
#####################################
|
|
# read_fstab(domain)
|
|
# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
|
|
#
|
|
define(`read_fstab', `
|
|
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
|
|
allow $1 gsi_public_metadata_file:file r_file_perms;
|
|
allow $1 { proc_bootconfig proc_cmdline }:file r_file_perms;
|
|
')
|
|
|
|
######################################
|
|
# use_bootstrap_libs(domain)
|
|
# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
|
|
define(`use_bootstrap_libs', `
|
|
allow $1 system_bootstrap_lib_file:dir r_dir_perms;
|
|
allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
|
|
')
|
|
|
|
######################################
|
|
# use_apex_info(domain)
|
|
# Allow access to apex information
|
|
define(`use_apex_info', `
|
|
allow $1 apex_mnt_dir:dir r_dir_perms;
|
|
allow $1 apex_info_file:file r_file_perms;
|
|
')
|