# Rules for all domains.
#
# Every rule below has the attribute `domain` as its source, so each
# permission is a baseline held by every process type carrying that attribute.
# Anything added here widens the access of all domains at once; prefer
# per-domain rules for anything that only some processes need.
# The permission sets r_dir_perms, r_file_perms, rw_file_perms and w_file_perms
# and the r_dir_file() macro are defined outside this file.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
# Only `read` is granted (no `open`), together with use of kernel-owned
# descriptors. Note that the second rule covers any file labeled tmpfs, not
# only the property area.
allow domain kernel:fd use;
allow domain tmpfs:file read;

# binder adjusts the nice value during IPC.
# NOTE(review): CAP_SYS_NICE also covers changing the scheduling priority and
# policy of other processes, which is wider than the binder case named above.
# This rule only lifts the SELinux check; the process must still hold the
# capability itself.
allow domain self:capability sys_nice;

# Intra-domain accesses.
# The complement grants every process-class permission on self except
# execstack and execheap. execmem is part of that set, so executable anonymous
# mappings are not blocked by this file.
allow domain self:process ~{ execstack execheap };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
# `*` is every permission of both socket classes, limited to the domain's own
# sockets.
allow domain self:{ unix_dgram_socket unix_stream_socket } *;

# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system:fd use;

# Connect to adbd and use a socket transferred from it.
# NOTE(review): nothing in this file makes these rules conditional, so every
# domain may connect to adbd's stream socket -- confirm that is intended
# outside debugging builds.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr read write shutdown };

# Talk to debuggerd.
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
# Directory rules here are search-only (path traversal). The chr_file rules
# give every domain the listed access to each device type.
# NOTE(review): powervr_device and nv_device look like vendor GPU nodes; access
# to driver nodes from all domains exposes the driver's interface to every
# process -- confirm this needs to be domain-wide.
allow domain device:dir search;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file r_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain powervr_device:chr_file rw_file_perms;
allow domain log_device:dir search;
# Write-only: domains can emit log records but this rule grants no read.
allow domain log_device:chr_file w_file_perms;
allow domain nv_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file r_file_perms;

# Filesystem accesses.
# getattr on the filesystem object for every type with the fs_type attribute.
allow domain fs_type:filesystem getattr;

# System file accesses.
# Every domain may read and execute files labeled system_file. No write
# permission is granted here.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file read;

# Read files already opened under /data.
# The file rule lists only getattr and read, with no `open`: a domain can use
# a descriptor it was handed but this rule does not let it open the file
# itself. The dir rule allows traversal and stat, not listing.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file read;

# Read apk files under /data/app.
allow domain apk_data_file:dir search;
allow domain apk_data_file:file r_file_perms;

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
# As with /data above, the file rule omits `open`.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file read;

# For /acct/uid/*/tasks.
# Grants directory write and file write on anything labeled cgroup, which is
# wider than the single path named above.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

# Allow access to the ion memory allocation device.
allow domain ion_device:chr_file rw_file_perms;

# For /sys/qemu_trace files in the emulator.
# in_qemu defaults to false, so the read/write grant on all sysfs files is off
# unless the boolean is enabled.
bool in_qemu false;
if (in_qemu) {
    allow domain sysfs:file rw_file_perms;
}
# Outside the conditional: always in effect, for every domain, on any file
# labeled sysfs_writable. Keep that label limited to nodes that are safe for
# all processes to write.
allow domain sysfs_writable:file rw_file_perms;

# Read access to pseudo filesystems.
# r_dir_file() is defined elsewhere; presumably it grants directory listing and
# file read on the given type -- verify against the macro definition.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)

# debugfs access
# The boolean defaults to true, so by default every domain can list debugfs
# directories and read and write debugfs files. When it is false, the same
# accesses are denied and the dontaudit rules keep those denials out of the
# audit log.
# NOTE(review): debugfs carries kernel debugging interfaces; consider a false
# default for production builds, and remember that with dontaudit in place a
# denied debugfs access leaves no audit record to investigate.
bool debugfs true;
if (debugfs) {
    allow domain debugfs:dir r_dir_perms;
    allow domain debugfs:file rw_file_perms;
} else {
    dontaudit domain debugfs:dir r_dir_perms;
    dontaudit domain debugfs:file rw_file_perms;
}