# Rules for all domains.
#
# Every rule here is written on the "domain" attribute, so it applies to every
# process type in the policy (the transition neverallows near the end of the
# file keep that attribute complete). The allow rules are the baseline every
# process receives; the neverallow rules in the second half are compile-time
# assertions: policy compilation fails if any allow rule anywhere grants one of
# the listed accesses to a source in the (possibly subtracted) set.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
# Only read/getattr is granted on the backing tmpfs file and on an fd inherited
# from the kernel domain; setting properties goes through the property_service
# class and is constrained by the neverallow rules below.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };
allow domain tmpfs:lnk_file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;

# Intra-domain accesses.
# Signals, scheduling and session/pgid changes are granted only towards the
# process's own domain (self). ptrace is not in this set; any cross-domain
# signal or ptrace access needs an explicit rule elsewhere.
allow domain self:process {
    fork
    sigchld
    sigkill
    sigstop
    signull
    signal
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    getattr
    setrlimit
};
allow domain self:fd use;
# NOTE(review): self:dir / self:lnk_file / self:file presumably cover the
# process's own /proc/<pid> entries, which carry the process label — confirm.
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
# "fd use" only permits using a descriptor that init or system_server already
# opened and passed on; it does not grant access to the underlying object.
allow domain init:fd use;
allow domain system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };

# The userdebug_or_eng() macro expands its argument only on userdebug/eng
# builds, so none of the su/coredump rules below exist in a user build policy.
userdebug_or_eng(`
  # Same as adbd rules above, except allow su to do the same thing
  allow domain su:unix_stream_socket connectto;
  allow domain su:fd use;
  allow domain su:unix_stream_socket { getattr getopt read write shutdown };

  # Every domain except init may make binder calls to su (and vice versa,
  # per the binder_call macro).
  binder_call({ domain -init }, su)

  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  allow domain su:process sigchld;

  # Allow writing coredumps to /cores/*
  allow domain coredump_file:file create_file_perms;
  allow domain coredump_file:dir ra_dir_perms;
')

###
### Talk to debuggerd.
###
# Crash reporting: a crashing process connects to debuggerd's socket; the
# reverse direction (debuggerd ptracing the crasher) is governed by the
# sys_ptrace neverallow below and debuggerd's own rules.
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
# Read-only; writes to rootfs files are forbidden for all domains by a
# neverallow further down.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:file r_file_perms;
allow domain rootfs:lnk_file r_file_perms;

# Device accesses.
# Generic device nodes (type "device") only get read; read/write access is
# granted per specific device type so that the neverallow on device:chr_file
# below forces a dedicated label for anything a domain needs to open.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;
# Kernel keyrings owned by init and vold may be searched by any domain.
allow domain init:key search;
allow domain vold:key search;

# logd access
write_logd(domain)

# Filesystem accesses.
# getattr on the filesystem object is what statfs() needs; no mount-related
# permissions are granted here (see the mount neverallow below).
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
# Read and execute of /system content for everyone; writes are reserved to
# recovery by neverallow.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file r_file_perms;

# Run toolbox.
# Kernel and init never run anything without changing domains.
allow { domain -kernel -init } toolbox_exec:file rx_file_perms;

# Read files already opened under /data.
# No "open" permission is granted on the file, so a domain can only read
# through a descriptor it inherited or was passed (see the fd rules above).
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file r_file_perms;

# Read apk files under /data/app.
allow domain apk_data_file:dir { getattr search };
allow domain apk_data_file:file r_file_perms;
allow domain apk_data_file:lnk_file r_file_perms;

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
# As for /data above: no "open" on the file itself.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file r_file_perms;

# Read timezone related information
r_dir_file(domain, zoneinfo_data_file)

# For /acct/uid/*/tasks.
# NOTE(review): this grants every domain write access to cgroup directories
# and files; confirm that nothing finer than the "tasks" file needs this.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

# Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;

# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
r_dir_file(domain, proc_net)
allow domain proc_cpuinfo:file r_file_perms;

# debugfs access
# NOTE(review): w_file_perms on debugfs:file is granted to every domain, not
# just the ones that need a particular debugfs knob; the set of files this is
# meant to cover is not stated here — confirm and narrow if possible.
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file w_file_perms;

# Get SELinux enforcing status.
# Read-only on selinuxfs; setenforce/load_policy/setbool are covered by the
# kernel:security neverallows below.
allow domain selinuxfs:dir r_dir_perms;
allow domain selinuxfs:file r_file_perms;

# /data/security files
# Only metadata (getattr) on the files themselves; reading and writing the
# runtime policy update files is left to the specific domains.
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
allow domain security_file:lnk_file r_file_perms;

# World readable asec image contents
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;

###
### neverallow rules
###
# Syntax reminders for the assertions below:
#   { domain -foo }   every domain except foo
#   ~domain           every type that is NOT in the domain attribute
#   ~{ a b }          every permission of the class except a and b
#   *                 every type (as a target) or every permission

# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
# The procrank/perfprofd exemptions only exist on userdebug/eng builds.
neverallow {
  domain
  -debuggerd
  -vold
  -dumpstate
  -system_server
  userdebug_or_eng(`-procrank')
  userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;

# Limit device node creation to these whitelisted domains.
neverallow {
  domain
  -kernel
  -init
  -ueventd
  -vold
} self:capability mknod;

# Limit raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow domain self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;

# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;

# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;

# Only init and the system_server can set selinux.reload_policy 1
# to trigger a policy reload.
neverallow { domain -init -system_server } security_prop:property_service set;

# Only init and system_server can write to /data/security, where runtime
# policy updates live.
# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
# Only init and system_server can create/setattr directories with this type.
# init is for init.rc mkdir /data/security.
# system_server is for creating subdirectories under /data/security.
neverallow { domain -init -system_server } security_file:dir { create setattr };
# Only system_server can create subdirectories and files under /data/security.
neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
# Note that setenforce is denied to every domain, kernel included; only
# setcheckreqprot keeps a kernel-domain exemption.
neverallow domain kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow domain kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only init, ueventd and system_server should be able to access HW RNG
# ("*" = every permission on the chr_file class, so not even getattr).
neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
# Second rule: even the exempted domains get nothing beyond create/relabelto/
# unlink/setattr on the node, i.e. no domain may open or read it.
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };

# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;

# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow domain init:binder *;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
neverallow { domain -init -ueventd } device:chr_file { open read write };

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
#
# First rule: executing any file that is neither system_file nor an exec_type.
# Second rule: executing from any filesystem other than rootfs (tmpfs, oemfs...).
# The -su exemption in the first rule exists only on userdebug/eng builds.
#
neverallow {
    domain
    -appdomain
    -dumpstate
    -shell
    userdebug_or_eng(`-su')
    -system_server
    -zygote
} { file_type -system_file -exec_type }:file execute;
neverallow {
    domain
    -appdomain # for oemfs
    -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file no_w_file_perms;

# Only recovery should be doing writes to /system
# (kernel is additionally allowed relabelto, e.g. for initial labeling).
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
    { create write setattr relabelfrom append unlink link rename };
neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;

# Don't allow mounting on top of /system files or directories
neverallow domain { system_file exec_type }:dir_file_class_set mounton;

# Nothing should be writing to files in the rootfs.
neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow domain {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow { domain -recovery } contextmount_type:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Do not allow service_manager add for default_android_service.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in service.te and new mappings
# from service name to service_type are defined in service_contexts.
neverallow domain default_android_service:service_manager add;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init } default_prop:property_service set;

# Factory reset protection partition: read/write only for init, recovery
# and system_server.
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;

# No domain other than recovery can write to system.
neverallow { domain -recovery } system_block_device:blk_file write;

# No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;

# Only servicemanager should be able to register with binder as the context manager
# ("*" as target: on any binder, whatever its type).
neverallow { domain -servicemanager } *:binder set_context_mgr;

# Only authorized processes should be writing to files in /data/dalvik-cache
# (excluding /data/dalvik-cache/profiles, which is labeled differently)
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -dex2oat
} dalvikcache_data_file:file no_w_file_perms;

neverallow {
  domain
  -init
  -installd
  -dex2oat
  -zygote
} dalvikcache_data_file:dir no_w_dir_perms;

# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;

# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
#
# Source and target are both "domain", so this covers every process-to-process
# pair, including a process's own objects.
neverallow domain domain:{ shm sem msg msgq } *;

# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;

# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
# On a user build the macro expands to nothing, so the source set is exactly
# { domain }.
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
neverallow domain {
  file_type
  -system_file      # needs to die. b/20013628
  -system_data_file
  -apk_data_file
  -app_data_file
  -asec_public_file
}:file execmod;

# TODO: prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
# neverallow { domain -appdomain } file_type:file execmod;

neverallow { domain -init } proc:{ file dir } mounton;

# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
neverallow domain ~domain:process { transition dyntransition };
neverallow ~domain domain:process { transition dyntransition };

#
# Only system_app and system_server should be creating or writing
# their files. The proper way to share files is to setup
# type transitions to a more specific type or assigning a type
# to its parent directory via a file_contexts entry.
# Example type transition:
#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
  domain
  -system_server
  -system_app
  -init
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };

#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
  domain
  -adbd
  -init
  -runas
  -zygote
} shell:process { transition dyntransition };

# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
# (A domain that follows an attacker-controlled symlink can be redirected to a
# file it would otherwise never open; denying lnk_file read stops the
# redirection before path resolution completes.)
neverallow {
  domain
  -appdomain
  -installd
  -uncrypt  # TODO: see if we can remove
} app_data_file:lnk_file read;

neverallow {
  domain
  -shell
  userdebug_or_eng(`-uncrypt')
  -installd
} shell_data_file:lnk_file read;

    476