#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
# Security notes:
# - The file type is the entrypoint of newdomain, so the label
#   on the executable is what gates entry into that domain.
# - The last rule lets signal state and rlimits of olddomain
#   survive the transition (see the XXX comment inside).
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
# New domain is entered by executing the file.
# entrypoint limits which executables may be used to enter the new domain.
allow $3 $2:file { entrypoint open read execute getattr };
# New domain can send SIGCHLD to its caller.
allow $3 $1:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
# noatsecure is deliberately NOT allowed: the denial is what makes the
# kernel set AT_SECURE for the new image; dontaudit only keeps it quiet.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
# Allowing these lets the new domain inherit the signal state and
# resource limits of the old domain instead of having them reset.
allow $1 $3:process { siginh rlimitinh };
')

#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
# Same rules as domain_trans plus a default type_transition, so the
# transition happens on every exec of the file without the caller
# having to request it.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
# Without this rule the transition would only occur when the
# caller explicitly asks for it.
type_transition $1 $2:process $3;
')

#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
# The permission sets (ra_dir_perms, create_file_perms, create_dir_perms)
# and the class set notdevfile_class_set are not defined in this file
# (presumably global_macros).
#
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file.
# Applies to every class in notdevfile_class_set, and separately to
# subdirectories, all labeled file_type.
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
')

#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
# Same rules as file_type_trans plus default type_transitions.
#
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
# One rule for new subdirectories, one for the non-device file classes.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')

     64 #####################################
     65 # r_dir_file(domain, type)
     66 # Allow the specified domain to read directories, files
     67 # and symbolic links of the specified type.
     68 define(`r_dir_file', `
     69 allow $1 $2:dir r_dir_perms;
     70 allow $1 $2:{ file lnk_file } r_file_perms;
     71 ')
     72 
#####################################
# unconfined_domain(domain)
# Allow the specified domain to perform more privileged operations
# than would be typically allowed. Please see the comments at the
# top of unconfined.te.
# Use sparingly: everything granted to these two attributes elsewhere
# in the policy is inherited by the domain.
#
define(`unconfined_domain', `
# Exempts the domain from the MLS constraints that reference
# mlstrustedsubject (those live in the mls policy, not here).
typeattribute $1 mlstrustedsubject;
# Picks up the broad allow rules written for unconfineddomain.
typeattribute $1 unconfineddomain;
')

#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
# Because the type is per-domain, no other domain can reach these
# files unless a rule elsewhere grants it explicitly.
define(`tmpfs_domain', `
# m4 forms the type name by appending _tmpfs to the domain name.
type $1_tmpfs, file_type;
# Files the domain creates on tmpfs receive the unique label.
type_transition $1 tmpfs:file $1_tmpfs;
# Read/write only; execute is not granted here (app_domain adds it).
allow $1 $1_tmpfs:file { read write };
')

#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
# The caller must declare both the domain and its <domain>_exec
# file type; neither is declared here.
define(`init_daemon_domain', `
# init execs a file labeled <domain>_exec and lands in <domain>.
domain_auto_trans(init, $1_exec, $1)
# Give the daemon its own tmpfs / ashmem type.
tmpfs_domain($1)
')

#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
# Note: together with tmpfs_domain the per-app tmpfs type ends up
# readable, writable and executable by the app, i.e. writable memory
# can become executable (presumably needed for runtime-generated code).
define(`app_domain', `
# Rules shared by all apps hang off the appdomain attribute.
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
# Combined with the read/write from tmpfs_domain this permits
# W+X mappings of the tmpfs files.
allow $1 $1_tmpfs:file execute;
')

#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
# The actual rules are attached to the netdomain attribute elsewhere.
define(`net_domain', `
typeattribute $1 netdomain;
')

#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
# The actual rules are attached to the bluetoothdomain attribute elsewhere.
define(`bluetooth_domain', `
typeattribute $1 bluetoothdomain;
')

#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
# The socket file must be labeled <socket>_socket (via file_contexts,
# not here), and connectto is checked against the listening process
# domain, so both the path label and the server domain gate the connect.
define(`unix_socket_connect', `
# connect() needs write on the socket file itself.
allow $1 $2_socket:sock_file write;
# Stream connect to a socket owned by the server domain.
allow $1 $3:unix_stream_socket connectto;
')

#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
# Datagram counterpart of unix_socket_connect: the socket file must
# be labeled <socket>_socket, and sendto is checked against the
# receiving process domain.
define(`unix_socket_send', `
# Sending to the path needs write on the socket file.
allow $1 $2_socket:sock_file write;
# Datagram send to a socket owned by the server domain.
allow $1 $3:unix_dgram_socket sendto;
')

#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
# Note the reverse rules below: every caller of this macro also
# widens what servicemanager may read about that domain.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# servicemanager performs getpidcon on clients.
# getpidcon reads the /proc/<pid> entries of the caller, which carry
# the process domain as their label, hence the dir/file rules.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')

#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
# Deliberately asymmetric: only the client may initiate calls;
# the server is limited to transferring references back.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
# Without fd use the client could receive but not operate on the fds.
allow $1 $2:fd use;
')

#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
# The rules granted by the attribute are defined elsewhere.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')

#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
# Note that holding wake locks can keep the device from suspending,
# so grant this only to domains that really need it.
define(`wakelock_use', `
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
# capability2 is the class holding the high-numbered capabilities.
allow $1 self:capability2 block_suspend;
')

#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
# Query access only (compute_av); nothing here allows changing
# enforcement or the loaded policy.
define(`selinux_check_access', `
# The query is written to selinuxfs and the result read back.
allow $1 selinuxfs:file rw_file_perms;
# The access-vector computation itself.
allow $1 kernel:security compute_av;
# Wildcard: every permission on the class (presumably for the
# userspace AVC netlink notifications). Candidate for narrowing
# once the needed subset is known from the audit log.
allow $1 self:netlink_selinux_socket *;
')

#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
# Validation only: no enforcement or policy changes are granted.
define(`selinux_check_context', `
# The context is written to selinuxfs and the verdict read back.
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security check_context;
')

#####################################
# selinux_setenforce(domain)
# Allow domain to set SELinux to enforcing.
# NOTE(review): the setenforce permission governs writes to the
# enforce node in general, so it presumably also covers switching
# back to permissive - confirm before granting widely.
define(`selinux_setenforce', `
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security setenforce;
')

#####################################
# selinux_setbool(domain)
# Allow domain to set SELinux booleans.
# Booleans toggle conditional policy at runtime, so this is a
# policy-changing privilege even though no policy file is touched.
define(`selinux_setbool', `
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security setbool;
')

#####################################
# security_access_policy(domain)
# Read only access to all policy files and
# selinuxfs
# NOTE(review): only security_file rules appear here; any selinuxfs
# access must come from another macro or rule - confirm the header.
define(`security_access_policy', `
allow $1 security_file:dir r_dir_perms;
allow $1 security_file:file r_file_perms;
')

#####################################
# selinux_manage_policy(domain)
# Ability to manage policy files and
# trigger runtime reload.
# This is a high-privilege macro: a domain holding it can replace
# the policy the system enforces.
define(`selinux_manage_policy', `
# Read access first.
security_access_policy($1)
# Property sets go through the init property socket.
unix_socket_connect($1, property, init)
# Create and replace the policy files and their symlinks.
allow $1 security_file:dir create_dir_perms;
allow $1 security_file:file create_file_perms;
allow $1 security_file:lnk_file { create rename unlink };
# Setting a security_prop property is how the reload is triggered
# (per the header above).
allow $1 security_prop:property_service set;
')

#####################################
# mmac_manage_policy(domain)
# Ability to manage mmac policy files,
# trigger runtime reload, change
# mmac enforcing mode and access logcat.
# NOTE(review): no logcat rule is granted in this body, and the
# rules are the same as selinux_manage_policy without the read-only
# security_access_policy call - confirm the header is still accurate.
define(`mmac_manage_policy', `
# Property sets go through the init property socket.
unix_socket_connect($1, property, init)
# Create and replace the policy files and their symlinks.
allow $1 security_file:dir create_dir_perms;
allow $1 security_file:file create_file_perms;
allow $1 security_file:lnk_file { create rename unlink };
# Setting a security_prop property triggers the reload (per header).
allow $1 security_prop:property_service set;
')

#####################################
# access_kmsg(domain)
# Ability to read from kernel logs
# and execute the klogctl syscall
# in a non destructive manner. See
# man 2 klogctl
# Only syslog_read is granted; clearing the ring buffer or changing
# the console log level is not covered.
define(`access_kmsg', `
allow $1 kernel:system syslog_read;
')

#####################################
# write_klog(domain)
# Ability to write to kernel log via
# klog_write()
# See system/core/libcutil/klog.c
# Note that this also grants write access to the /dev directory
# itself (add_name / remove_name), not just to the log node.
define(`write_klog', `
# Named transition: a chr_file called __kmsg__ created under a
# device-labeled directory gets the klog_device label.
type_transition $1 device:chr_file klog_device "__kmsg__";
# Presumably the node is created, written and unlinked again,
# hence create plus unlink on the device type.
allow $1 klog_device:chr_file { create open write unlink };
# Adding and removing the node in /dev.
allow $1 device:dir { write add_name remove_name };
')

#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
# Isolation comes from the per-domain devpts type: a pty created by
# one domain is not usable by another unless allowed elsewhere.
define(`create_pty', `
# Each domain gets a unique devpts type.
# m4 forms the name by appending _devpts to the domain name.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')

#####################################
# Non system_app application set
# Expands to a set expression: every type with the appdomain
# attribute except system_app. Usable wherever a type set is accepted.
#
define(`non_system_app_set', `{ appdomain -system_app }')

#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
# Decided once when this file is read: the ifelse is unquoted, so it
# runs at definition time and the macro body becomes either the
# argument placeholder (when target_recovery is the string true) or
# nothing at all. target_recovery is expected to be defined on the
# m4 command line; if it is undefined the comparison fails and the
# rules are dropped.
#
define(`recovery_only', ifelse(target_recovery, `true', $1, ))

    304 #####################################
    305 # Userdebug or eng builds
    306 # SELinux rules which apply only to userdebug or eng builds
    307 #
    308 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
    309 
#####################################
# permissive_or_unconfined
# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
# and "unconfined_domain($1)" otherwise.
#
# This is used for experimental domains, where we want to ensure
# the domain is unconfined+enforcing once new SELinux policy development
# has ceased.
#
# Decided once at definition time from the m4 symbol
# force_permissive_to_unconfined. Only the exact string false selects
# permissive; any other value, including an undefined symbol, selects
# unconfined_domain, whose body is expanded into this macro right here.
#
define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))

#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
# The logd_debug rule only exists on userdebug and eng builds; on
# user builds the userdebug_or_eng wrapper expands to nothing.
define(`write_logd', `
userdebug_or_eng(`
  allow $1 logd_debug:file w_file_perms;
')
# Log writes go over the logdw datagram socket to logd.
unix_socket_send($1, logdw, logd)
')

#####################################
# read_logd(domain)
# Ability to read from android
# log daemon via sockets
# Reading is a stream connection over the logdr socket to logd.
define(`read_logd', `
unix_socket_connect($1, logdr, logd)
')

#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
# SELinux only allows the connection; the DAC group check noted
# below is an additional, separate gate.
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')

#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore requires the following permissions
# to call getpidcon.
# Same reverse-rule pattern as binder_use: calling this macro also
# lets keystore read the /proc/<pid> entries of the domain.
define(`use_keystore', `
  allow keystore $1:dir search;
  allow keystore $1:file { read open };
  allow keystore $1:process getattr;
  # Client may call keystore; keystore may only transfer back.
  binder_call($1, keystore)
')
    361