Home | History | Annotate | Download | only in sepolicy 
      1 # Rules for all domains.
      2 
      3 # Allow reaping by init.
      4 allow domain init:process sigchld;
      5 
      6 # Read access to properties mapping.
      7 allow domain kernel:fd use;
      8 allow domain tmpfs:file { read getattr };
      9 
     10 # Search /storage/emulated tmpfs mount.
     11 allow domain tmpfs:dir r_dir_perms;
     12 
     13 # Intra-domain accesses.
     14 allow domain self:process {
     15     fork
     16     sigchld
     17     sigkill
     18     sigstop
     19     signull
     20     signal
     21     getsched
     22     setsched
     23     getsession
     24     getpgid
     25     setpgid
     26     getcap
     27     setcap
     28     getattr
     29     setrlimit
     30 };
     31 allow domain self:fd use;
     32 allow domain self:dir r_dir_perms;
     33 allow domain self:lnk_file r_file_perms;
     34 allow domain self:{ fifo_file file } rw_file_perms;
     35 allow domain self:unix_dgram_socket { create_socket_perms sendto };
     36 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
     37 
     38 # Inherit or receive open files from others.
     39 allow domain init:fd use;
     40 allow domain system_server:fd use;
     41 
     42 # Connect to adbd and use a socket transferred from it.
     43 # This is used for e.g. adb backup/restore.
     44 allow domain adbd:unix_stream_socket connectto;
     45 allow domain adbd:fd use;
     46 allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
     47 
     48 userdebug_or_eng(`
     49   # Same as adbd rules above, except allow su to do the same thing
     50   allow domain su:unix_stream_socket connectto;
     51   allow domain su:fd use;
     52   allow domain su:unix_stream_socket { getattr getopt read write shutdown };
     53 
     54   binder_call(domain, su)
     55 
     56   # Running something like "pm dump com.android.bluetooth" requires
     57   # fifo writes
     58   allow domain su:fifo_file { write getattr };
     59 
     60   # allow "gdbserver --attach" to work for su.
     61   allow domain su:process sigchld;
     62 
     63   # Allow writing coredumps to /cores/*
     64   allow domain coredump_file:file create_file_perms;
     65   allow domain coredump_file:dir ra_dir_perms;
     66 ')
     67 
     68 ###
     69 ### Talk to debuggerd.
     70 ###
     71 allow domain debuggerd:process sigchld;
     72 allow domain debuggerd:unix_stream_socket connectto;
     73 
     74 # Root fs.
     75 allow domain rootfs:dir r_dir_perms;
     76 allow domain rootfs:file r_file_perms;
     77 allow domain rootfs:lnk_file r_file_perms;
     78 
     79 # Device accesses.
     80 allow domain device:dir search;
     81 allow domain dev_type:lnk_file r_file_perms;
     82 allow domain devpts:dir search;
     83 allow domain device:file read;
     84 allow domain socket_device:dir r_dir_perms;
     85 allow domain owntty_device:chr_file rw_file_perms;
     86 allow domain null_device:chr_file rw_file_perms;
     87 allow domain zero_device:chr_file rw_file_perms;
     88 allow domain ashmem_device:chr_file rw_file_perms;
     89 allow domain binder_device:chr_file rw_file_perms;
     90 allow domain ptmx_device:chr_file rw_file_perms;
     91 allow domain log_device:dir search;
     92 allow domain log_device:chr_file rw_file_perms;
     93 allow domain alarm_device:chr_file r_file_perms;
     94 allow domain urandom_device:chr_file rw_file_perms;
     95 allow domain random_device:chr_file rw_file_perms;
     96 allow domain properties_device:file r_file_perms;
     97 
     98 # logd access
     99 write_logd(domain)
    100 
    101 # Filesystem accesses.
    102 allow domain fs_type:filesystem getattr;
    103 allow domain fs_type:dir getattr;
    104 
    105 # System file accesses.
    106 allow domain system_file:dir r_dir_perms;
    107 allow domain system_file:file r_file_perms;
    108 allow domain system_file:file execute;
    109 allow domain system_file:lnk_file r_file_perms;
    110 
    111 # Read files already opened under /data.
    112 allow domain system_data_file:dir { search getattr };
    113 allow domain system_data_file:file { getattr read };
    114 allow domain system_data_file:lnk_file r_file_perms;
    115 
    116 # Read apk files under /data/app.
    117 allow domain apk_data_file:dir { getattr search };
    118 allow domain apk_data_file:file r_file_perms;
    119 allow domain apk_data_file:lnk_file r_file_perms;
    120 
    121 # Read /data/dalvik-cache.
    122 allow domain dalvikcache_data_file:dir { search getattr };
    123 allow domain dalvikcache_data_file:file r_file_perms;
    124 
    125 # Read already opened /cache files.
    126 allow domain cache_file:dir r_dir_perms;
    127 allow domain cache_file:file { getattr read };
    128 allow domain cache_file:lnk_file r_file_perms;
    129 
    130 # Read timezone related information
    131 r_dir_file(domain, zoneinfo_data_file)
    132 
    133 # For /acct/uid/*/tasks.
    134 allow domain cgroup:dir { search write };
    135 allow domain cgroup:file w_file_perms;
    136 
    137 #Allow access to ion memory allocation device
    138 allow domain ion_device:chr_file rw_file_perms;
    139 
    140 # Read access to pseudo filesystems.
    141 r_dir_file(domain, proc)
    142 r_dir_file(domain, sysfs)
    143 r_dir_file(domain, sysfs_devices_system_cpu)
    144 r_dir_file(domain, inotify)
    145 r_dir_file(domain, cgroup)
    146 r_dir_file(domain, proc_net)
    147 allow domain proc_cpuinfo:file r_file_perms;
    148 
    149 # debugfs access
    150 allow domain debugfs:dir r_dir_perms;
    151 allow domain debugfs:file w_file_perms;
    152 
    153 # Get SELinux enforcing status.
    154 allow domain selinuxfs:dir r_dir_perms;
    155 allow domain selinuxfs:file r_file_perms;
    156 
    157 # /data/security files
    158 allow domain security_file:dir { search getattr };
    159 allow domain security_file:file getattr;
    160 allow domain security_file:lnk_file r_file_perms;
    161 
    162 # World readable asec image contents
    163 allow domain asec_public_file:file r_file_perms;
    164 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
    165 
    166 allow domain servicemanager:service_manager list;
    167 allow domain service_manager_type:service_manager find;
    168 
    169 ###
    170 ### neverallow rules
    171 ###
    172 
    173 # Do not allow any confined domain to create new unlabeled files.
    174 neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create;
    175 
    176 # Limit ability to ptrace or read sensitive /proc/pid files of processes
    177 # with other UIDs to these whitelisted domains.
    178 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
    179 
    180 # Limit device node creation to these whitelisted domains.
    181 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
    182 
    183 # Limit raw I/O to these whitelisted domains.
    184 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
    185 
    186 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
    187 neverallow domain self:memprotect mmap_zero;
    188 
    189 # No domain needs mac_override as it is unused by SELinux.
    190 neverallow domain self:capability2 mac_override;
    191 
    192 # Only recovery needs mac_admin to set contexts not defined in current policy.
    193 neverallow { domain -recovery } self:capability2 mac_admin;
    194 
    195 # Only init should be able to load SELinux policies.
    196 # The first load technically occurs while still in the kernel domain,
    197 # but this does not trigger a denial since there is no policy yet.
    198 # Policy reload requires allowing this to the init domain.
    199 neverallow { domain -init } kernel:security load_policy;
    200 
    201 # Only init and the system_server can set selinux.reload_policy 1
    202 # to trigger a policy reload.
    203 neverallow { domain -init -system_server } security_prop:property_service set;
    204 
    205 # Only init and system_server can write to /data/security, where runtime
    206 # policy updates live.
    207 # Only init can relabel /data/security (for init.rc restorecon_recursive /data).
    208 neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
    209 # Only init and system_server can create/setattr directories with this type.
    210 # init is for init.rc mkdir /data/security.
    211 # system_server is for creating subdirectories under /data/security.
    212 neverallow { domain -init -system_server } security_file:dir { create setattr };
    213 # Only system_server can create subdirectories and files under /data/security.
    214 neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
    215 neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
    216 neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
    217 
    218 # Only init prior to switching context should be able to set enforcing mode.
    219 # init starts in kernel domain and switches to init domain via setcon in
    220 # the init.rc, so the setenforce occurs while still in kernel. After
    221 # switching domains, there is never any need to setenforce again by init.
    222 neverallow domain kernel:security setenforce;
    223 neverallow { domain -kernel } kernel:security setcheckreqprot;
    224 
    225 # No booleans in AOSP policy, so no need to ever set them.
    226 neverallow domain kernel:security setbool;
    227 
    228 # Adjusting the AVC cache threshold.
    229 # Not presently allowed to anything in policy, but possibly something
    230 # that could be set from init.rc.
    231 neverallow { domain -init } kernel:security setsecparam;
    232 
    233 # Only init, ueventd and system_server should be able to access HW RNG
    234 neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
    235 
    236 # Ensure that all entrypoint executables are in exec_type.
    237 neverallow domain { file_type -exec_type }:file entrypoint;
    238 
    239 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
    240 neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
    241 neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
    242 
    243 # Only init should be able to configure kernel usermodehelpers or
    244 # security-sensitive proc settings.
    245 neverallow { domain -init } usermodehelper:file { append write };
    246 neverallow { domain -init } proc_security:file { append write };
    247 
    248 # No domain should be allowed to ptrace init.
    249 neverallow domain init:process ptrace;
    250 
    251 # Init can't receive binder calls. If this neverallow rule is being
    252 # triggered, it's probably due to a service with no SELinux domain.
    253 neverallow domain init:binder call;
    254 
    255 # Don't allow raw read/write/open access to block_device
    256 # Rather force a relabel to a more specific type
    257 neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
    258 
    259 # Don't allow raw read/write/open access to generic devices.
    260 # Rather force a relabel to a more specific type.
    261 # ueventd is exempt from this, as its managing these devices.
    262 neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write };
    263 
    264 # Limit what domains can mount filesystems or change their mount flags.
    265 # sdcard_type / vfat is exempt as a larger set of domains need
    266 # this capability, including device-specific domains.
    267 neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
    268 
    269 #
    270 # Assert that, to the extent possible, we're not loading executable content from
    271 # outside the rootfs or /system partition except for a few whitelisted domains.
    272 #
    273 neverallow {
    274     domain
    275     -appdomain
    276     -dumpstate
    277     -shell
    278     userdebug_or_eng(`-su')
    279     -system_server
    280     -zygote
    281 } { file_type -system_file -exec_type }:file execute;
    282 neverallow {
    283     domain
    284     -appdomain # for oemfs
    285     -recovery # for /tmp/update_binary in tmpfs
    286 } { fs_type -rootfs }:file execute;
    287 
    288 # Only the init property service should write to /data/property.
    289 neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
    290 neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
    291 
    292 # Only recovery should be doing writes to /system
    293 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
    294     { create write setattr relabelfrom relabelto append unlink link rename };
    295 
    296 # Nothing should be writing to files in the rootfs.
    297 neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
    298 
    299 # Restrict context mounts to specific types marked with
    300 # the contextmount_type attribute.
    301 neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
    302 
    303 # Ensure that context mount types are not writable, to ensure that
    304 # the write to /system restriction above is not bypassed via context=
    305 # mount to another type.
    306 neverallow { domain -recovery } contextmount_type:dir_file_class_set
    307     { create write setattr relabelfrom relabelto append unlink link rename };
    308 
    309 # Do not allow service_manager add for default_android_service.
    310 # Instead domains should use a more specific type such as
    311 # system_app_service rather than the generic type.
    312 # New service_types are defined in service.te and new mappings
    313 # from service name to service_type are defined in service_contexts.
    314 neverallow domain default_android_service:service_manager add;
    315 
    316 neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
    317