Home | History | Annotate | Download | only in sepolicy 
      1 #####################################
      2 # domain_trans(olddomain, type, newdomain)
      3 # Allow a transition from olddomain to newdomain
      4 # upon executing a file labeled with type.
      5 # This only allows the transition; it does not
      6 # cause it to occur automatically - use domain_auto_trans
      7 # if that is what you want.
      8 #
      9 define(`domain_trans', `
     10 # Old domain may exec the file and transition to the new domain.
     11 allow $1 $2:file { getattr open read execute };
     12 allow $1 $3:process transition;
     13 # New domain is entered by executing the file.
     14 allow $3 $2:file { entrypoint read execute };
     15 # New domain can send SIGCHLD to its caller.
     16 allow $3 $1:process sigchld;
     17 # Enable AT_SECURE, i.e. libc secure mode.
     18 dontaudit $1 $3:process noatsecure;
     19 # XXX dontaudit candidate but requires further study.
     20 allow $1 $3:process { siginh rlimitinh };
     21 ')
     22 
     23 #####################################
     24 # domain_auto_trans(olddomain, type, newdomain)
     25 # Automatically transition from olddomain to newdomain
     26 # upon executing a file labeled with type.
     27 #
     28 define(`domain_auto_trans', `
     29 # Allow the necessary permissions.
     30 domain_trans($1,$2,$3)
     31 # Make the transition occur by default.
     32 type_transition $1 $2:process $3;
     33 ')
     34 
     35 #####################################
     36 # file_type_trans(domain, dir_type, file_type)
     37 # Allow domain to create a file labeled file_type in a
     38 # directory labeled dir_type.
     39 # This only allows the transition; it does not
     40 # cause it to occur automatically - use file_type_auto_trans
     41 # if that is what you want.
     42 #
     43 define(`file_type_trans', `
     44 # Allow the domain to add entries to the directory.
     45 allow $1 $2:dir ra_dir_perms;
     46 # Allow the domain to create the file.
     47 allow $1 $3:notdevfile_class_set create_file_perms;
     48 allow $1 $3:dir create_dir_perms;
     49 ')
     50 
     51 #####################################
     52 # file_type_auto_trans(domain, dir_type, file_type)
     53 # Automatically label new files with file_type when
     54 # they are created by domain in directories labeled dir_type.
     55 #
     56 define(`file_type_auto_trans', `
     57 # Allow the necessary permissions.
     58 file_type_trans($1, $2, $3)
     59 # Make the transition occur by default.
     60 type_transition $1 $2:dir $3;
     61 type_transition $1 $2:notdevfile_class_set $3;
     62 ')
     63 
     64 #####################################
     65 # r_dir_file(domain, type)
     66 # Allow the specified domain to read directories, files
     67 # and symbolic links of the specified type.
     68 define(`r_dir_file', `
     69 allow $1 $2:dir r_dir_perms;
     70 allow $1 $2:{ file lnk_file } r_file_perms;
     71 ')
     72 
     73 #####################################
     74 # unconfined_domain(domain)
     75 # Allow the specified domain to do anything.
     76 #
     77 define(`unconfined_domain', `
     78 typeattribute $1 mlstrustedsubject;
     79 typeattribute $1 unconfineddomain;
     80 ')
     81 
     82 #####################################
     83 # tmpfs_domain(domain)
     84 # Define and allow access to a unique type for
     85 # this domain when creating tmpfs / shmem / ashmem files.
     86 define(`tmpfs_domain', `
     87 type $1_tmpfs, file_type;
     88 type_transition $1 tmpfs:file $1_tmpfs;
     89 # Map with PROT_EXEC.
     90 allow $1 $1_tmpfs:file { read execute execmod };
     91 ')
     92 
     93 #####################################
     94 # init_daemon_domain(domain)
     95 # Set up a transition from init to the daemon domain
     96 # upon executing its binary.
     97 define(`init_daemon_domain', `
     98 domain_auto_trans(init, $1_exec, $1)
     99 tmpfs_domain($1)
    100 ')
    101 
    102 #####################################
    103 # app_domain(domain)
    104 # Allow a base set of permissions required for all apps.
    105 define(`app_domain', `
    106 typeattribute $1 appdomain;
    107 # Label ashmem objects with our own unique type.
    108 tmpfs_domain($1)
    109 ')
    110 
    111 #####################################
    112 # platform_app_domain(domain)
    113 # Allow permissions specific to platform apps.
    114 define(`platform_app_domain', `
    115 typeattribute $1 platformappdomain;
    116 typeattribute $1 mlstrustedsubject;
    117 ')
    118 
    119 #####################################
    120 # net_domain(domain)
    121 # Allow a base set of permissions required for network access.
    122 define(`net_domain', `
    123 typeattribute $1 netdomain;
    124 ')
    125 
    126 #####################################
    127 # bluetooth_domain(domain)
    128 # Allow a base set of permissions required for bluetooth access.
    129 define(`bluetooth_domain', `
    130 typeattribute $1 bluetoothdomain;
    131 ')
    132 
    133 #####################################
    134 # unix_socket_connect(clientdomain, socket, serverdomain)
    135 # Allow a local socket connection from clientdomain via
    136 # socket to serverdomain.
    137 define(`unix_socket_connect', `
    138 allow $1 $2_socket:sock_file write;
    139 allow $1 $3:unix_stream_socket connectto;
    140 ')
    141 
    142 #####################################
    143 # unix_socket_send(clientdomain, socket, serverdomain)
    144 # Allow a local socket send from clientdomain via
    145 # socket to serverdomain.
    146 define(`unix_socket_send', `
    147 allow $1 $2_socket:sock_file write;
    148 allow $1 $3:unix_dgram_socket sendto;
    149 ')
    150 
    151 #####################################
    152 # binder_use(domain)
    153 # Allow domain to use Binder IPC.
    154 define(`binder_use', `
    155 # Call the servicemanager and transfer references to it.
    156 allow $1 servicemanager:binder { call transfer };
    157 # Map /dev/ashmem with PROT_EXEC.
    158 allow $1 ashmem_device:chr_file execute;
    159 # rw access to /dev/binder and /dev/ashmem is presently granted to
    160 # all domains in domain.te.
    161 ')
    162 
    163 #####################################
    164 # binder_call(clientdomain, serverdomain)
    165 # Allow clientdomain to perform binder IPC to serverdomain.
    166 define(`binder_call', `
    167 # Call the server domain and optionally transfer references to it.
    168 allow $1 $2:binder { call transfer };
    169 # Allow the serverdomain to transfer references to the client on the reply.
    170 allow $2 $1:binder transfer;
    171 # Receive and use open files from the server.
    172 allow $1 $2:fd use;
    173 ')
    174 
    175 #####################################
    176 # binder_service(domain)
    177 # Mark a domain as being a Binder service domain.
    178 # Used to allow binder IPC to the various system services.
    179 define(`binder_service', `
    180 typeattribute $1 binderservicedomain;
    181 ')
    182 
    183 #####################################
    184 # selinux_check_access(domain)
    185 # Allow domain to check SELinux permissions via selinuxfs.
    186 define(`selinux_check_access', `
    187 allow $1 selinuxfs:dir r_dir_perms;
    188 allow $1 selinuxfs:file rw_file_perms;
    189 allow $1 kernel:security compute_av;
    190 allow $1 self:netlink_selinux_socket *;
    191 ')
    192 
    193 #####################################
    194 # selinux_check_context(domain)
    195 # Allow domain to check SELinux contexts via selinuxfs.
    196 define(`selinux_check_context', `
    197 allow $1 selinuxfs:dir r_dir_perms;
    198 allow $1 selinuxfs:file rw_file_perms;
    199 allow $1 kernel:security check_context;
    200 ')
    201 
    202 #####################################
    203 # selinux_getenforce(domain)
    204 # Allow domain to check whether SELinux is enforcing.
    205 define(`selinux_getenforce', `
    206 allow $1 selinuxfs:dir r_dir_perms;
    207 allow $1 selinuxfs:file r_file_perms;
    208 ')
    209 
    210 #####################################
    211 # selinux_setenforce(domain)
    212 # Allow domain to set SELinux to enforcing.
    213 define(`selinux_setenforce', `
    214 allow $1 selinuxfs:dir r_dir_perms;
    215 allow $1 selinuxfs:file rw_file_perms;
    216 allow $1 kernel:security setenforce;
    217 ')
    218 
    219 #####################################
    220 # selinux_setbool(domain)
    221 # Allow domain to set SELinux booleans.
    222 define(`selinux_setbool', `
    223 allow $1 selinuxfs:dir r_dir_perms;
    224 allow $1 selinuxfs:file rw_file_perms;
    225 allow $1 kernel:security setbool;
    226 ')
    227 
    228 #####################################
    229 # security_access_policy(domain)
    230 # Read only access to all policy files and
    231 # selinuxfs
    232 define(`security_access_policy', `
    233 allow $1 security_file:dir r_dir_perms;
    234 allow $1 security_file:file r_file_perms;
    235 allow $1 security_file:lnk_file read;
    236 allow $1 selinuxfs:dir r_dir_perms;
    237 allow $1 selinuxfs:file r_file_perms;
    238 allow $1 rootfs:dir r_dir_perms;
    239 allow $1 rootfs:file r_file_perms;
    240 ')
    241 
    242 #####################################
    243 # selinux_manage_policy(domain)
    244 # Ability to manage policy files,
    245 # trigger runtime reload, change
    246 # enforcing mode, manipulate booleans
    247 # and access kernel logs.
    248 define(`selinux_manage_policy', `
    249 selinux_setenforce($1)
    250 selinux_setbool($1)
    251 security_access_policy($1)
    252 unix_socket_connect($1, property, init)
    253 allow $1 security_file:dir create_dir_perms;
    254 allow $1 security_file:file create_file_perms;
    255 allow $1 security_prop:property_service set;
    256 ')
    257 
    258 #####################################
    259 # mmac_manage_policy(domain)
    260 # Ability to manage mmac policy files,
    261 # trigger runtime reload, change
    262 # mmac enforcing mode and access logcat.
    263 define(`mmac_manage_policy', `
    264 unix_socket_connect($1, property, init)
    265 allow $1 security_file:dir create_dir_perms;
    266 allow $1 security_file:file create_file_perms;
    267 allow $1 security_prop:property_service set;
    268 ')
    269 
    270 #####################################
    271 # access_logcat(domain)
    272 # Ability to read from logcat logs
    273 # and execute the logcat command
    274 define(`access_logcat', `
    275 allow $1 log_device:chr_file read;
    276 allow $1 system_file:file x_file_perms;
    277 ')
    278 
    279 #####################################
    280 # access_kmsg(domain)
    281 # Ability to read from kernel logs
    282 # and execute the klogctl syscall
    283 # in a non destructive manner. See
    284 # man 2 klogctl
    285 define(`access_kmsg', `
    286 allow $1 kernel:system syslog_read;
    287 ')
    288 
    289 #####################################
    290 # write_klog(domain)
    291 # Ability to write to kernel log via
    292 # klog_write()
    293 # See system/core/libcutil/klog.c
    294 define(`write_klog', `
    295 type_transition $1 device:chr_file klog_device "__kmsg__";
    296 allow $1 klog_device:chr_file { create open write unlink };
    297 allow $1 device:dir { add_name remove_name };
    298 ')
    299