Home | History | Annotate | Download | only in sepolicy 
      1 #####################################
      2 # domain_trans(olddomain, type, newdomain)
      3 # Allow a transition from olddomain to newdomain
      4 # upon executing a file labeled with type.
      5 # This only allows the transition; it does not
      6 # cause it to occur automatically - use domain_auto_trans
      7 # if that is what you want.
      8 #
      9 define(`domain_trans', `
     10 # Old domain may exec the file and transition to the new domain.
     11 allow $1 $2:file { getattr open read execute };
     12 allow $1 $3:process transition;
     13 # New domain is entered by executing the file.
     14 allow $3 $2:file { entrypoint read execute };
     15 # New domain can send SIGCHLD to its caller.
     16 allow $3 $1:process sigchld;
     17 # Enable AT_SECURE, i.e. libc secure mode.
     18 dontaudit $1 $3:process noatsecure;
     19 # XXX dontaudit candidate but requires further study.
     20 allow $1 $3:process { siginh rlimitinh };
     21 ')
     22 
     23 #####################################
     24 # domain_auto_trans(olddomain, type, newdomain)
     25 # Automatically transition from olddomain to newdomain
     26 # upon executing a file labeled with type.
     27 #
     28 define(`domain_auto_trans', `
     29 # Allow the necessary permissions.
     30 domain_trans($1,$2,$3)
     31 # Make the transition occur by default.
     32 type_transition $1 $2:process $3;
     33 ')
     34 
     35 #####################################
     36 # file_type_trans(domain, dir_type, file_type)
     37 # Allow domain to create a file labeled file_type in a
     38 # directory labeled dir_type.
     39 # This only allows the transition; it does not
     40 # cause it to occur automatically - use file_type_auto_trans
     41 # if that is what you want.
     42 #
     43 define(`file_type_trans', `
     44 # Allow the domain to add entries to the directory.
     45 allow $1 $2:dir ra_dir_perms;
     46 # Allow the domain to create the file.
     47 allow $1 $3:notdevfile_class_set create_file_perms;
     48 allow $1 $3:dir create_dir_perms;
     49 ')
     50 
     51 #####################################
     52 # file_type_auto_trans(domain, dir_type, file_type)
     53 # Automatically label new files with file_type when
     54 # they are created by domain in directories labeled dir_type.
     55 #
     56 define(`file_type_auto_trans', `
     57 # Allow the necessary permissions.
     58 file_type_trans($1, $2, $3)
     59 # Make the transition occur by default.
     60 type_transition $1 $2:dir $3;
     61 type_transition $1 $2:notdevfile_class_set $3;
     62 ')
     63 
     64 #####################################
     65 # r_dir_file(domain, type)
     66 # Allow the specified domain to read directories, files
     67 # and symbolic links of the specified type.
     68 define(`r_dir_file', `
     69 allow $1 $2:dir r_dir_perms;
     70 allow $1 $2:{ file lnk_file } r_file_perms;
     71 ')
     72 
     73 #####################################
     74 # unconfined_domain(domain)
     75 # Allow the specified domain to do anything.
     76 #
     77 define(`unconfined_domain', `
     78 typeattribute $1 mlstrustedsubject;
     79 typeattribute $1 unconfineddomain;
     80 ')
     81 
     82 #####################################
     83 # tmpfs_domain(domain)
     84 # Define and allow access to a unique type for
     85 # this domain when creating tmpfs / shmem / ashmem files.
     86 define(`tmpfs_domain', `
     87 type $1_tmpfs, file_type;
     88 type_transition $1 tmpfs:file $1_tmpfs;
     89 # Map with PROT_EXEC.
     90 allow $1 $1_tmpfs:file { read execute execmod };
     91 ')
     92 
     93 #####################################
     94 # init_daemon_domain(domain)
     95 # Set up a transition from init to the daemon domain
     96 # upon executing its binary.
     97 define(`init_daemon_domain', `
     98 domain_auto_trans(init, $1_exec, $1)
     99 tmpfs_domain($1)
    100 ')
    101 
    102 #####################################
    103 # app_domain(domain)
    104 # Allow a base set of permissions required for all apps.
    105 define(`app_domain', `
    106 typeattribute $1 appdomain;
    107 # Label ashmem objects with our own unique type.
    108 tmpfs_domain($1)
    109 ')
    110 
    111 #####################################
    112 # relabelto_domain(domain)
    113 # Allows this domain to use the relabelto permission
    114 define(`relabelto_domain', `
    115 typeattribute $1 relabeltodomain;
    116 ')
    117 
    118 #####################################
    119 # platform_app_domain(domain)
    120 # Allow permissions specific to platform apps.
    121 define(`platform_app_domain', `
    122 typeattribute $1 platformappdomain;
    123 typeattribute $1 mlstrustedsubject;
    124 ')
    125 
    126 #####################################
    127 # net_domain(domain)
    128 # Allow a base set of permissions required for network access.
    129 define(`net_domain', `
    130 typeattribute $1 netdomain;
    131 ')
    132 
    133 #####################################
    134 # bluetooth_domain(domain)
    135 # Allow a base set of permissions required for bluetooth access.
    136 define(`bluetooth_domain', `
    137 typeattribute $1 bluetoothdomain;
    138 ')
    139 
    140 #####################################
    141 # unix_socket_connect(clientdomain, socket, serverdomain)
    142 # Allow a local socket connection from clientdomain via
    143 # socket to serverdomain.
    144 define(`unix_socket_connect', `
    145 allow $1 $2_socket:sock_file write;
    146 allow $1 $3:unix_stream_socket connectto;
    147 ')
    148 
    149 #####################################
    150 # unix_socket_send(clientdomain, socket, serverdomain)
    151 # Allow a local socket send from clientdomain via
    152 # socket to serverdomain.
    153 define(`unix_socket_send', `
    154 allow $1 $2_socket:sock_file write;
    155 allow $1 $3:unix_dgram_socket sendto;
    156 ')
    157 
    158 #####################################
    159 # binder_use(domain)
    160 # Allow domain to use Binder IPC.
    161 define(`binder_use', `
    162 # Call the servicemanager and transfer references to it.
    163 allow $1 servicemanager:binder { call transfer };
    164 # Map /dev/ashmem with PROT_EXEC.
    165 allow $1 ashmem_device:chr_file execute;
    166 # rw access to /dev/binder and /dev/ashmem is presently granted to
    167 # all domains in domain.te.
    168 ')
    169 
    170 #####################################
    171 # binder_call(clientdomain, serverdomain)
    172 # Allow clientdomain to perform binder IPC to serverdomain.
    173 define(`binder_call', `
    174 # Call the server domain and optionally transfer references to it.
    175 allow $1 $2:binder { call transfer };
    176 # Allow the serverdomain to transfer references to the client on the reply.
    177 allow $2 $1:binder transfer;
    178 # Receive and use open files from the server.
    179 allow $1 $2:fd use;
    180 ')
    181 
    182 #####################################
    183 # binder_service(domain)
    184 # Mark a domain as being a Binder service domain.
    185 # Used to allow binder IPC to the various system services.
    186 define(`binder_service', `
    187 typeattribute $1 binderservicedomain;
    188 ')
    189 
    190 #####################################
    191 # selinux_check_access(domain)
    192 # Allow domain to check SELinux permissions via selinuxfs.
    193 define(`selinux_check_access', `
    194 allow $1 selinuxfs:dir r_dir_perms;
    195 allow $1 selinuxfs:file rw_file_perms;
    196 allow $1 kernel:security compute_av;
    197 allow $1 self:netlink_selinux_socket *;
    198 ')
    199 
    200 #####################################
    201 # selinux_check_context(domain)
    202 # Allow domain to check SELinux contexts via selinuxfs.
    203 define(`selinux_check_context', `
    204 allow $1 selinuxfs:dir r_dir_perms;
    205 allow $1 selinuxfs:file rw_file_perms;
    206 allow $1 kernel:security check_context;
    207 ')
    208 
    209 #####################################
    210 # selinux_getenforce(domain)
    211 # Allow domain to check whether SELinux is enforcing.
    212 define(`selinux_getenforce', `
    213 allow $1 selinuxfs:dir r_dir_perms;
    214 allow $1 selinuxfs:file r_file_perms;
    215 ')
    216 
    217 #####################################
    218 # selinux_setenforce(domain)
    219 # Allow domain to set SELinux to enforcing.
    220 define(`selinux_setenforce', `
    221 allow $1 selinuxfs:dir r_dir_perms;
    222 allow $1 selinuxfs:file rw_file_perms;
    223 allow $1 kernel:security setenforce;
    224 ')
    225 
    226 #####################################
    227 # selinux_setbool(domain)
    228 # Allow domain to set SELinux booleans.
    229 define(`selinux_setbool', `
    230 allow $1 selinuxfs:dir r_dir_perms;
    231 allow $1 selinuxfs:file rw_file_perms;
    232 allow $1 kernel:security setbool;
    233 ')
    234 
    235 #####################################
    236 # security_access_policy(domain)
    237 # Read only access to all policy files and
    238 # selinuxfs
    239 define(`security_access_policy', `
    240 allow $1 security_file:dir r_dir_perms;
    241 allow $1 security_file:file r_file_perms;
    242 allow $1 security_file:lnk_file read;
    243 allow $1 selinuxfs:dir r_dir_perms;
    244 allow $1 selinuxfs:file r_file_perms;
    245 allow $1 rootfs:dir r_dir_perms;
    246 allow $1 rootfs:file r_file_perms;
    247 ')
    248 
    249 #####################################
    250 # selinux_manage_policy(domain)
    251 # Ability to manage policy files,
    252 # trigger runtime reload, change
    253 # enforcing mode, manipulate booleans
    254 # and access kernel logs.
    255 define(`selinux_manage_policy', `
    256 selinux_setenforce($1)
    257 selinux_setbool($1)
    258 security_access_policy($1)
    259 unix_socket_connect($1, property, init)
    260 allow $1 security_file:dir create_dir_perms;
    261 allow $1 security_file:file create_file_perms;
    262 allow $1 security_prop:property_service set;
    263 ')
    264 
    265 #####################################
    266 # mmac_manage_policy(domain)
    267 # Ability to manage mmac policy files,
    268 # trigger runtime reload, change
    269 # mmac enforcing mode and access logcat.
    270 define(`mmac_manage_policy', `
    271 unix_socket_connect($1, property, init)
    272 allow $1 security_file:dir create_dir_perms;
    273 allow $1 security_file:file create_file_perms;
    274 allow $1 security_prop:property_service set;
    275 ')
    276 
    277 #####################################
    278 # access_logcat(domain)
    279 # Ability to read from logcat logs
    280 # and execute the logcat command
    281 define(`access_logcat', `
    282 allow $1 log_device:chr_file read;
    283 allow $1 system_file:file x_file_perms;
    284 ')
    285 
    286 #####################################
    287 # access_kmsg(domain)
    288 # Ability to read from kernel logs
    289 # and execute the klogctl syscall
    290 # in a non destructive manner. See
    291 # man 2 klogctl
    292 define(`access_kmsg', `
    293 allow $1 kernel:system syslog_read;
    294 ')
    295 
    296 #####################################
    297 # write_klog(domain)
    298 # Ability to write to kernel log via
    299 # klog_write()
    300 # See system/core/libcutil/klog.c
    301 define(`write_klog', `
    302 type_transition $1 device:chr_file klog_device "__kmsg__";
    303 allow $1 klog_device:chr_file { create open write unlink };
    304 allow $1 device:dir { add_name remove_name };
    305 ')
    306 
    307 #####################################
    308 # Non system_app application set
    309 #
    310 define(`non_system_app_set', `{ appdomain -system_app }')
    311