      1 #####################################
      2 # domain_trans(olddomain, type, newdomain)
      3 # Allow a transition from olddomain to newdomain
      4 # upon executing a file labeled with type.
      5 # This only allows the transition; it does not
      6 # cause it to occur automatically - use domain_auto_trans
      7 # if that is what you want.
      8 #
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
# New domain is entered by executing the file.
# entrypoint is what restricts entry into the new domain to files of
# this type; it is the half of the pair that the kernel checks on exec.
allow $3 $2:file { entrypoint open read execute getattr };
# New domain can send SIGCHLD to its caller.
allow $3 $1:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
# Deliberately a dontaudit and not an allow: the kernel keeps denying
# noatsecure, so the new image starts with AT_SECURE set and the dynamic
# linker ignores caller-supplied environment such as LD_PRELOAD. Do not
# turn this into an allow for a privilege boundary.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
# siginh / rlimitinh let the new domain inherit the caller signal state
# and resource limits across the exec; with a dontaudit instead the kernel
# would reset or clamp them, which is the safer default for an untrusted
# caller. Left as allow pending that study.
allow $1 $3:process { siginh rlimitinh };
')
     22 
     23 #####################################
     24 # domain_auto_trans(olddomain, type, newdomain)
     25 # Automatically transition from olddomain to newdomain
     26 # upon executing a file labeled with type.
     27 #
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
# type_transition only selects the default label; the allow rules
# from domain_trans above are still what permits the transition.
type_transition $1 $2:process $3;
')
     34 
     35 #####################################
     36 # file_type_trans(domain, dir_type, file_type)
     37 # Allow domain to create a file labeled file_type in a
     38 # directory labeled dir_type.
     39 # This only allows the transition; it does not
     40 # cause it to occur automatically - use file_type_auto_trans
     41 # if that is what you want.
     42 #
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file.
# notdevfile_class_set is, by its name, the non-device file classes, so
# this macro should not be usable for creating device nodes (chr/blk).
allow $1 $3:notdevfile_class_set create_file_perms;
# Subdirectories of the new type as well.
allow $1 $3:dir create_dir_perms;
')
     50 
     51 #####################################
     52 # file_type_auto_trans(domain, dir_type, file_type)
     53 # Automatically label new files with file_type when
     54 # they are created by domain in directories labeled dir_type.
     55 #
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
# Both new directories and new non-device files get the new label;
# anything outside these two class sets is not relabeled by this macro.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')
     63 
     64 #####################################
     65 # r_dir_file(domain, type)
     66 # Allow the specified domain to read directories, files
     67 # and symbolic links of the specified type.
     68 define(`r_dir_file', `
     69 allow $1 $2:dir r_dir_perms;
     70 allow $1 $2:{ file lnk_file } r_file_perms;
     71 ')
     72 
     73 #####################################
     74 # tmpfs_domain(domain)
     75 # Define and allow access to a unique type for
     76 # this domain when creating tmpfs / shmem / ashmem files.
define(`tmpfs_domain', `
# A per-domain type so one domain cannot reach the tmpfs objects of another.
type $1_tmpfs, file_type;
# tmpfs / shmem / ashmem files created by the domain get that label.
type_transition $1 tmpfs:file $1_tmpfs;
# Read and write only. execute is intentionally not granted here; a
# domain that needs PROT_EXEC mappings adds it separately (see app_domain).
allow $1 $1_tmpfs:file { read write };
')
     82 
     83 #####################################
     84 # init_daemon_domain(domain)
     85 # Set up a transition from init to the daemon domain
     86 # upon executing its binary.
define(`init_daemon_domain', `
# init execs the daemon binary (expected to be labeled domain_exec)
# and automatically lands in the daemon domain.
domain_auto_trans(init, $1_exec, $1)
# Give the daemon its own tmpfs type.
tmpfs_domain($1)
')
     91 
     92 #####################################
     93 # app_domain(domain)
     94 # Allow a base set of permissions required for all apps.
define(`app_domain', `
# Pick up every rule written against the appdomain attribute.
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
# Presumably needed for runtime code generation; kept out of tmpfs_domain
# on purpose so that non-app daemons do not get executable shared memory.
allow $1 $1_tmpfs:file execute;
')
    102 
    103 #####################################
    104 # net_domain(domain)
    105 # Allow a base set of permissions required for network access.
define(`net_domain', `
# The actual network rules are written against the netdomain attribute
# elsewhere; this macro only opts the domain in.
typeattribute $1 netdomain;
')
    109 
    110 #####################################
    111 # bluetooth_domain(domain)
    112 # Allow a base set of permissions required for bluetooth access.
define(`bluetooth_domain', `
# The bluetooth rules are written against the bluetoothdomain attribute
# elsewhere; this macro only opts the domain in.
typeattribute $1 bluetoothdomain;
')
    116 
    117 #####################################
    118 # unix_socket_connect(clientdomain, socket, serverdomain)
    119 # Allow a local socket connection from clientdomain via
    120 # socket to serverdomain.
    121 #
    122 # Note: If you see denial records that distill to the
    123 # following allow rules:
    124 # allow clientdomain property_socket:sock_file write;
    125 # allow clientdomain init:unix_stream_socket connectto;
    126 # allow clientdomain something_prop:property_service set;
    127 #
# This sequence is indicative of attempting to set a property.
# Do not add these rules by hand; use set_prop(sourcedomain, targetproperty),
# which expands to exactly this set of rules.
    130 #
define(`unix_socket_connect', `
# The socket argument is the bare name; the sock_file type is name_socket.
allow $1 $2_socket:sock_file write;
# Connect to the listening stream socket owned by serverdomain.
allow $1 $3:unix_stream_socket connectto;
')
    135 
    136 #####################################
    137 # set_prop(sourcedomain, targetproperty)
    138 # Allows source domain to set the
    139 # targetproperty.
    140 #
define(`set_prop', `
# A property set is a request to init over the property socket.
unix_socket_connect($1, property, init)
# The per-property check against the target property type.
allow $1 $2:property_service set;
')
    145 
    146 #####################################
    147 # unix_socket_send(clientdomain, socket, serverdomain)
    148 # Allow a local socket send from clientdomain via
    149 # socket to serverdomain.
define(`unix_socket_send', `
# The socket argument is the bare name; the sock_file type is name_socket.
allow $1 $2_socket:sock_file write;
# Datagram send only; no connectto, so this is a one-way channel.
allow $1 $3:unix_dgram_socket sendto;
')
    154 
    155 #####################################
    156 # binder_use(domain)
    157 # Allow domain to use Binder IPC.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# servicemanager performs getpidcon on clients.
# getpidcon presumably reads the caller context from procfs, which is
# why servicemanager needs search / read on objects of the client domain
# and getattr on the client process.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
    168 
    169 #####################################
    170 # binder_call(clientdomain, serverdomain)
    171 # Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
# Note this is transfer only, not call: the macro is one-directional.
# A server that calls back into the client needs its own binder_call.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
allow $1 $2:fd use;
')
    180 
    181 #####################################
    182 # binder_service(domain)
    183 # Mark a domain as being a Binder service domain.
    184 # Used to allow binder IPC to the various system services.
define(`binder_service', `
# The IPC rules themselves are written against the attribute elsewhere.
typeattribute $1 binderservicedomain;
')
    188 
    189 #####################################
    190 # wakelock_use(domain)
    191 # Allow domain to manage wake locks
define(`wakelock_use', `
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
# (capability2 class because the capability number is above 31).
allow $1 self:capability2 block_suspend;
')
    198 
    199 #####################################
    200 # selinux_check_access(domain)
    201 # Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
# Access queries go through selinuxfs.
allow $1 selinuxfs:file rw_file_perms;
# compute_av is the access-vector query itself.
allow $1 kernel:security compute_av;
# Wildcard: every permission on the class, including any added to the
# class in the future. Presumably for policy-change / AVC-invalidation
# notifications; an explicit permission list would be tighter.
allow $1 self:netlink_selinux_socket *;
')
    207 
    208 #####################################
    209 # selinux_check_context(domain)
    210 # Allow domain to check SELinux contexts via selinuxfs.
define(`selinux_check_context', `
# Context validation goes through selinuxfs.
allow $1 selinuxfs:file rw_file_perms;
# Ask the kernel whether a context string is valid under the loaded policy.
allow $1 kernel:security check_context;
')
    215 
    216 #####################################
    217 # selinux_setenforce(domain)
# Allow domain to change the SELinux enforcing mode. The setenforce
# permission covers switching to permissive as well as to enforcing.
define(`selinux_setenforce', `
allow $1 selinuxfs:file rw_file_perms;
# setenforce covers writing either value to the enforce node, so the
# holder can switch to permissive as well as to enforcing. Keep this
# to the smallest possible set of domains.
allow $1 kernel:security setenforce;
')
    223 
    224 #####################################
    225 # selinux_setbool(domain)
    226 # Allow domain to set SELinux booleans.
define(`selinux_setbool', `
allow $1 selinuxfs:file rw_file_perms;
# Flipping a boolean changes which conditional rules are active, so this
# is effectively a limited policy-edit capability.
allow $1 kernel:security setbool;
')
    231 
    232 #####################################
    233 # security_access_policy(domain)
# Read-only access to all policy files (security_file).
# selinuxfs access is not granted by this macro.
define(`security_access_policy', `
# Read-only access to the policy files labeled security_file.
allow $1 security_file:dir r_dir_perms;
allow $1 security_file:file r_file_perms;
# Note: no selinuxfs access is granted by this macro; that comes
# from the selinux_* macros above.
')
    240 
    241 #####################################
    242 # selinux_manage_policy(domain)
    243 # Ability to manage policy files and
    244 # trigger runtime reload.
    245 define(`selinux_manage_policy', `
    246 security_access_policy($1)
    247 unix_socket_connect($1, property, init)
    248 allow $1 security_file:dir create_dir_perms;
    249 allow $1 security_file:file create_file_perms;
    250 allow $1 security_file:lnk_file { create rename unlink };
    251 allow $1 security_prop:property_service set;
    252 ')
    253 
    254 #####################################
    255 # mmac_manage_policy(domain)
# Ability to manage mmac policy files under security_file and
# set security_prop (which triggers the runtime reload and,
# presumably, the enforcing-mode change). This macro grants no
# logcat access; combine with read_logd if that is needed.
    259 define(`mmac_manage_policy', `
    260 unix_socket_connect($1, property, init)
    261 allow $1 security_file:dir create_dir_perms;
    262 allow $1 security_file:file create_file_perms;
    263 allow $1 security_file:lnk_file { create rename unlink };
    264 allow $1 security_prop:property_service set;
    265 ')
    266 
    267 #####################################
    268 # access_kmsg(domain)
    269 # Ability to read from kernel logs
    270 # and execute the klogctl syscall
    271 # in a non destructive manner. See
    272 # man 2 klogctl
define(`access_kmsg', `
# syslog_read only: no syslog_mod, so the ring buffer cannot be
# cleared or the console log level changed via this macro.
allow $1 kernel:system syslog_read;
')
    276 
    277 #####################################
    278 # create_pty(domain)
    279 # Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
# Each domain gets a unique devpts type.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
# Only the creating domain is granted access to its own devpts type, which
# is what keeps one domain from reading or injecting into another pty.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')
    290 
    291 #####################################
    292 # Non system_app application set
    293 #
# Expands to a type set usable as a rule source or target: every domain
# carrying the appdomain attribute except system_app.
define(`non_system_app_set', `{ appdomain -system_app }')
    295 
    296 #####################################
    297 # Recovery only
    298 # SELinux rules which apply only to recovery mode
    299 #
# target_recovery is supplied by the build. The ifelse is evaluated when
# the macro is defined, so outside recovery builds the macro body is empty
# and the wrapped rules are absent from the policy rather than merely unused.
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
    301 
    302 #####################################
    303 # Userdebug or eng builds
    304 # SELinux rules which apply only to userdebug or eng builds
    305 #
    306 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
    307 
    308 #####################################
    309 # write_logd(domain)
    310 # Ability to write to android log
    311 # daemon via sockets
define(`write_logd', `
# Datagram send to logd via the logdw socket (one-way, no connect).
unix_socket_send($1, logdw, logd)
# Write-only on the pmsg device; read is not granted here.
allow $1 pmsg_device:chr_file w_file_perms;
')
    316 
    317 #####################################
    318 # read_logd(domain)
    319 # Ability to run logcat and read from android
    320 # log daemon via sockets
define(`read_logd', `
# Execute the logcat binary in place (no domain transition is set up here).
allow $1 logcat_exec:file rx_file_perms;
# Stream connection to logd via the logdr reader socket.
unix_socket_connect($1, logdr, logd)
')
    325 
    326 #####################################
    327 # control_logd(domain)
    328 # Ability to control
    329 # android log daemon via sockets
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
# i.e. this rule alone is not sufficient; the DAC group check
# still applies on top of it.
unix_socket_connect($1, logd, logd)
')
    335 
    336 #####################################
    337 # use_keystore(domain)
    338 # Ability to use keystore.
# Keystore requires the following permissions
# to call getpidcon on its callers.
define(`use_keystore', `
  # keystore calls getpidcon on its callers, which presumably reads the
  # client procfs entries (labeled with the client domain).
  allow keystore $1:dir search;
  allow keystore $1:file { read open };
  allow keystore $1:process getattr;
  # Look the service up in servicemanager ...
  allow $1 keystore_service:service_manager find;
  # ... and talk to it over binder.
  binder_call($1, keystore)
')
    348 
    349 ###########################################
    350 # use_drmservice(domain)
    351 # Ability to use DrmService which requires
    352 # DrmService to call getpidcon.
define(`use_drmservice', `
  # drmserver calls getpidcon on its callers, which presumably reads the
  # client procfs entries (labeled with the client domain).
  allow drmserver $1:dir search;
  allow drmserver $1:file { read open };
  allow drmserver $1:process getattr;
  # Unlike use_keystore, no service_manager find or binder_call is
  # granted here; callers add those separately.
')
    358