# Rules for all domains.
#
# Every rule in this file is granted to the `domain` attribute, i.e. to every
# process on the device. A permission added here cannot be withheld from any
# single domain (only a neverallow can constrain it), so this file is the
# first place to look when auditing for over-broad grants. The permission-set
# macros used below (r_dir_perms, r_file_perms, rw_file_perms, w_file_perms,
# create_*_perms, rwx_file_perms) and the r_dir_file() macro are defined
# elsewhere in the policy; check those definitions before assuming exactly
# which individual permissions a line grants.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;

# binder adjusts the nice value during IPC.
# Note: sys_nice is granted to every domain here, not only to binder users.
allow domain self:capability sys_nice;

# Intra-domain accesses.
# The ~{ ... } form grants every process-class permission EXCEPT the listed
# ones; only execstack, execheap and ptrace of self are withheld. Any other
# process permission (execmem, for instance) is allowed to all domains by
# this single line.
allow domain self:process ~{ execstack execheap ptrace };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
# `*` is the full permission set on the domain's own unix sockets.
allow domain self:{ unix_dgram_socket unix_stream_socket } *;

# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system:fd use;

# Connect to adbd and use a socket transferred from it.
# Note: this applies to every domain, not only shell/debugging domains.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr read write shutdown };

###
### Talk to debuggerd.
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;
# b/9858255 - debuggerd sockets are not getting properly labeled.
# TODO: Remove this temporary workaround.
# Until it is removed, every domain may connect to ANY unix stream socket
# labeled init, which is considerably broader than the debuggerd-specific
# connectto rule above.
allow domain init:unix_stream_socket connectto;

# Root fs.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:file r_file_perms;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
# Each *_device line is a device-wide grant to all domains; the rw_file_perms
# entries (owntty, null, ashmem, binder, ptmx, powervr, log, nv) give every
# process read AND write on that character device.
allow domain device:dir search;
allow domain dev_type:lnk_file read;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file r_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain powervr_device:chr_file rw_file_perms;
allow domain log_device:dir search;
allow domain log_device:chr_file rw_file_perms;
allow domain nv_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file r_file_perms;
allow domain random_device:chr_file r_file_perms;
allow domain properties_device:file r_file_perms;

# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
# Every domain may execute any file labeled system_file.
allow domain system_file:file execute;
allow domain system_file:lnk_file read;

# Read files already opened under /data.
# Deliberately narrow: search/getattr on dirs, getattr/read on files. The set
# omits open (consistent with the heading), so this is meant for descriptors
# a domain inherited rather than files it opens itself.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file read;

# Read apk files under /data/app.
allow domain apk_data_file:dir search;
allow domain apk_data_file:file r_file_perms;

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file read;

# For /acct/uid/*/tasks.
# Write access on cgroup dirs and files for every domain; the matching read
# access comes from the r_dir_file(domain, cgroup) line further down.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

# Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;

# For /sys/qemu_trace files in the emulator.
# in_qemu is a policy boolean defaulting to false; the sysfs rw rule inside
# the if-block is only in effect when the boolean is set to true at runtime.
bool in_qemu false;
if (in_qemu) {
allow domain sysfs:file rw_file_perms;
}
# Unconditional read/write on the sysfs_writable subset for all domains.
allow domain sysfs_writable:file rw_file_perms;

# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)

# debugfs access
# Note the asymmetry: debugfs directories are readable and debugfs files are
# WRITABLE (w_file_perms) by every domain; file read is not granted here.
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file w_file_perms;

# security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;

######## Backwards compatibility - Unlabeled files ############

# Revert to DAC rules when looking at unlabeled files. Over time, the number
# of unlabeled files should decrease.
# TODO: delete these rules in the future.
#
# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
# capability, it's essentially useless. This is needed to allow an app with
# relabelto to relabel unlabeled files.
#
# While these rules remain, anything labeled `unlabeled` is effectively
# governed by DAC alone for every domain (create and, per the macro names,
# read/write/execute), so unlabeled objects showing up in audit logs deserve
# attention rather than being treated as benign.
allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
allow domain unlabeled:dir { create_dir_perms relabelfrom };
allow domain unlabeled:lnk_file { create_file_perms };
# Build-time assertion: no domain other than relabeltodomain may relabelto any
# object in dir_file_class_set. This is what keeps the blanket relabelfrom
# grant above from being usable on its own, as the note explains.
neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;

###
### neverallow rules
###
# neverallow rules are checked when the policy is compiled, not at runtime;
# an allow rule anywhere in the policy that contradicts one fails the build.

# Only init should be able to load SELinux policies
neverallow { domain -init } kernel:security load_policy;
