      1 #####################################
      2 # domain_trans(olddomain, type, newdomain)
      3 # Allow a transition from olddomain to newdomain
      4 # upon executing a file labeled with type.
      5 # This only allows the transition; it does not
      6 # cause it to occur automatically - use domain_auto_trans
      7 # if that is what you want.
      8 #
      9 define(`domain_trans', `
     10 # Old domain may exec the file and transition to the new domain.
     11 allow $1 $2:file { getattr open read execute };
     12 allow $1 $3:process transition;
     13 # New domain is entered by executing the file.
     14 allow $3 $2:file { entrypoint open read execute getattr };
     15 # New domain can send SIGCHLD to its caller.
     16 allow $3 $1:process sigchld;
     17 # Enable AT_SECURE, i.e. libc secure mode.
     18 dontaudit $1 $3:process noatsecure;
     19 # XXX dontaudit candidate but requires further study.
     20 allow $1 $3:process { siginh rlimitinh };
     21 ')
     22 
     23 #####################################
     24 # domain_auto_trans(olddomain, type, newdomain)
     25 # Automatically transition from olddomain to newdomain
     26 # upon executing a file labeled with type.
     27 #
     28 define(`domain_auto_trans', `
     29 # Allow the necessary permissions.
     30 domain_trans($1,$2,$3)
     31 # Make the transition occur by default.
     32 type_transition $1 $2:process $3;
     33 ')
     34 
     35 #####################################
     36 # file_type_trans(domain, dir_type, file_type)
     37 # Allow domain to create a file labeled file_type in a
     38 # directory labeled dir_type.
     39 # This only allows the transition; it does not
     40 # cause it to occur automatically - use file_type_auto_trans
     41 # if that is what you want.
     42 #
     43 define(`file_type_trans', `
     44 # Allow the domain to add entries to the directory.
     45 allow $1 $2:dir ra_dir_perms;
     46 # Allow the domain to create the file.
     47 allow $1 $3:notdevfile_class_set create_file_perms;
     48 allow $1 $3:dir create_dir_perms;
     49 ')
     50 
     51 #####################################
     52 # file_type_auto_trans(domain, dir_type, file_type)
     53 # Automatically label new files with file_type when
     54 # they are created by domain in directories labeled dir_type.
     55 #
     56 define(`file_type_auto_trans', `
     57 # Allow the necessary permissions.
     58 file_type_trans($1, $2, $3)
     59 # Make the transition occur by default.
     60 type_transition $1 $2:dir $3;
     61 type_transition $1 $2:notdevfile_class_set $3;
     62 ')
     63 
     64 #####################################
     65 # r_dir_file(domain, type)
     66 # Allow the specified domain to read directories, files
     67 # and symbolic links of the specified type.
     68 define(`r_dir_file', `
     69 allow $1 $2:dir r_dir_perms;
     70 allow $1 $2:{ file lnk_file } r_file_perms;
     71 ')
     72 
     73 #####################################
     74 # tmpfs_domain(domain)
     75 # Define and allow access to a unique type for
     76 # this domain when creating tmpfs / shmem / ashmem files.
     77 define(`tmpfs_domain', `
     78 type $1_tmpfs, file_type;
     79 type_transition $1 tmpfs:file $1_tmpfs;
     80 allow $1 $1_tmpfs:file { read write };
     81 ')
     82 
     83 #####################################
     84 # init_daemon_domain(domain)
     85 # Set up a transition from init to the daemon domain
     86 # upon executing its binary.
     87 define(`init_daemon_domain', `
     88 domain_auto_trans(init, $1_exec, $1)
     89 tmpfs_domain($1)
     90 ')
     91 
     92 #####################################
     93 # app_domain(domain)
     94 # Allow a base set of permissions required for all apps.
     95 define(`app_domain', `
     96 typeattribute $1 appdomain;
     97 # Label ashmem objects with our own unique type.
     98 tmpfs_domain($1)
     99 # Map with PROT_EXEC.
    100 allow $1 $1_tmpfs:file execute;
    101 ')
    102 
    103 #####################################
    104 # net_domain(domain)
    105 # Allow a base set of permissions required for network access.
    106 define(`net_domain', `
    107 typeattribute $1 netdomain;
    108 ')
    109 
    110 #####################################
    111 # bluetooth_domain(domain)
    112 # Allow a base set of permissions required for bluetooth access.
    113 define(`bluetooth_domain', `
    114 typeattribute $1 bluetoothdomain;
    115 ')
    116 
#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow clientdomain to connect to the UNIX stream socket named
# <socket>_socket that is owned by serverdomain.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# Use set_prop(sourcedomain, targetproperty) instead: it grants the
# property-service access for one property label rather than a raw
# socket connection to init.
#
define(`unix_socket_connect', `
# Calling this with (property, init) is the legacy spelling of
# set_prop; emit a warning at m4 time so the caller switches.
ifelse($2, `property', `
    ifelse($3,`init', `
       print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
   ')
')
# The rules themselves live in the double-underscore helper so that
# set_prop can grant the same access without hitting the warning.
__unix_socket_connect__($1, $2, $3)
')

    140 define(`__unix_socket_connect__', `
    141 allow $1 $2_socket:sock_file write;
    142 allow $1 $3:unix_stream_socket connectto;
    143 ')
    144 
    145 #####################################
    146 # set_prop(sourcedomain, targetproperty)
    147 # Allows source domain to set the
    148 # targetproperty.
    149 #
    150 define(`set_prop', `
    151 __unix_socket_connect__($1, property, init)
    152 allow $1 $2:property_service set;
    153 get_prop($1, $2)
    154 ')
    155 
    156 #####################################
    157 # get_prop(sourcedomain, targetproperty)
    158 # Allows source domain to read the
    159 # targetproperty.
    160 #
    161 define(`get_prop', `
    162 allow $1 $2:file r_file_perms;
    163 ')
    164 
    165 #####################################
    166 # unix_socket_send(clientdomain, socket, serverdomain)
    167 # Allow a local socket send from clientdomain via
    168 # socket to serverdomain.
    169 define(`unix_socket_send', `
    170 allow $1 $2_socket:sock_file write;
    171 allow $1 $3:unix_dgram_socket sendto;
    172 ')
    173 
    174 #####################################
    175 # binder_use(domain)
    176 # Allow domain to use Binder IPC.
    177 define(`binder_use', `
    178 # Call the servicemanager and transfer references to it.
    179 allow $1 servicemanager:binder { call transfer };
    180 # servicemanager performs getpidcon on clients.
    181 allow servicemanager $1:dir search;
    182 allow servicemanager $1:file { read open };
    183 allow servicemanager $1:process getattr;
    184 # rw access to /dev/binder and /dev/ashmem is presently granted to
    185 # all domains in domain.te.
    186 ')
    187 
    188 #####################################
    189 # binder_call(clientdomain, serverdomain)
    190 # Allow clientdomain to perform binder IPC to serverdomain.
    191 define(`binder_call', `
    192 # Call the server domain and optionally transfer references to it.
    193 allow $1 $2:binder { call transfer };
    194 # Allow the serverdomain to transfer references to the client on the reply.
    195 allow $2 $1:binder transfer;
    196 # Receive and use open files from the server.
    197 allow $1 $2:fd use;
    198 ')
    199 
    200 #####################################
    201 # binder_service(domain)
    202 # Mark a domain as being a Binder service domain.
    203 # Used to allow binder IPC to the various system services.
    204 define(`binder_service', `
    205 typeattribute $1 binderservicedomain;
    206 ')
    207 
    208 #####################################
    209 # wakelock_use(domain)
    210 # Allow domain to manage wake locks
    211 define(`wakelock_use', `
    212 # Access /sys/power/wake_lock and /sys/power/wake_unlock
    213 allow $1 sysfs_wake_lock:file rw_file_perms;
    214 # Accessing these files requires CAP_BLOCK_SUSPEND
    215 allow $1 self:capability2 block_suspend;
    216 ')
    217 
    218 #####################################
    219 # selinux_check_access(domain)
    220 # Allow domain to check SELinux permissions via selinuxfs.
    221 define(`selinux_check_access', `
    222 allow $1 selinuxfs:file rw_file_perms;
    223 allow $1 kernel:security compute_av;
    224 allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
    225 ')
    226 
    227 #####################################
    228 # selinux_check_context(domain)
    229 # Allow domain to check SELinux contexts via selinuxfs.
    230 define(`selinux_check_context', `
    231 allow $1 selinuxfs:file rw_file_perms;
    232 allow $1 kernel:security check_context;
    233 ')
    234 
    235 #####################################
    236 # selinux_setenforce(domain)
    237 # Allow domain to set SELinux to enforcing.
    238 define(`selinux_setenforce', `
    239 allow $1 selinuxfs:file rw_file_perms;
    240 allow $1 kernel:security setenforce;
    241 ')
    242 
    243 #####################################
    244 # selinux_setbool(domain)
    245 # Allow domain to set SELinux booleans.
    246 define(`selinux_setbool', `
    247 allow $1 selinuxfs:file rw_file_perms;
    248 allow $1 kernel:security setbool;
    249 ')
    250 
    251 #####################################
    252 # security_access_policy(domain)
    253 # Read only access to all policy files and
    254 # selinuxfs
    255 define(`security_access_policy', `
    256 allow $1 security_file:dir r_dir_perms;
    257 allow $1 security_file:file r_file_perms;
    258 ')
    259 
    260 #####################################
    261 # mmac_manage_policy(domain)
    262 # Ability to manage mmac policy files,
    263 # trigger runtime reload, change
    264 # mmac enforcing mode and access logcat.
    265 define(`mmac_manage_policy', `
    266 allow $1 security_file:dir create_dir_perms;
    267 allow $1 security_file:file create_file_perms;
    268 allow $1 security_file:lnk_file { create rename unlink };
    269 set_prop($1, security_prop)
    270 ')
    271 
    272 #####################################
    273 # create_pty(domain)
    274 # Allow domain to create and use a pty, isolated from any other domain ptys.
    275 define(`create_pty', `
    276 # Each domain gets a unique devpts type.
    277 type $1_devpts, fs_type;
    278 # Label the pty with the unique type when created.
    279 type_transition $1 devpts:chr_file $1_devpts;
    280 # Allow use of the pty after creation.
    281 allow $1 $1_devpts:chr_file { open getattr read write ioctl };
    282 # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
    283 # allowed to everyone via domain.te.
    284 ')
    285 
#####################################
# Non system_app application set
# Type set of every appdomain member except system_app; usable
# wherever a type or type set is accepted in a rule.
#
define(`non_system_app_set', `{ appdomain -system_app }')

#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
#
# The ifelse is evaluated when this define is processed, not when
# recovery_only is called, so target_recovery must already be defined
# by the build at that point. When it equals true the body becomes the
# literal text $1 and the macro passes its argument through; otherwise
# the body is empty and the wrapped rules vanish from the policy.
define(`recovery_only', ifelse(target_recovery, `true', $1, ))

#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
# As with recovery_only, the ifelse runs at definition time against
# target_build_variant, which the build must have defined already;
# the resulting body is either the literal $1 (rules kept) or empty
# (rules dropped).
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
# eng(rules): same mechanism, but only for eng builds.
define(`eng', ifelse(target_build_variant, `eng', $1))

    304 #####################################
    305 # write_logd(domain)
    306 # Ability to write to android log
    307 # daemon via sockets
    308 define(`write_logd', `
    309 unix_socket_send($1, logdw, logd)
    310 allow $1 pmsg_device:chr_file w_file_perms;
    311 ')
    312 
    313 #####################################
    314 # read_logd(domain)
    315 # Ability to run logcat and read from android
    316 # log daemon via sockets
    317 define(`read_logd', `
    318 allow $1 logcat_exec:file rx_file_perms;
    319 unix_socket_connect($1, logdr, logd)
    320 ')
    321 
    322 #####################################
    323 # control_logd(domain)
    324 # Ability to control
    325 # android log daemon via sockets
    326 define(`control_logd', `
    327 # Group AID_LOG checked by filesystem & logd
    328 # to permit control commands
    329 unix_socket_connect($1, logd, logd)
    330 ')
    331 
    332 #####################################
    333 # use_keystore(domain)
    334 # Ability to use keystore.
    335 # Keystore is requires the following permissions
    336 # to call getpidcon.
    337 define(`use_keystore', `
    338   allow keystore $1:dir search;
    339   allow keystore $1:file { read open };
    340   allow keystore $1:process getattr;
    341   allow $1 keystore_service:service_manager find;
    342   binder_call($1, keystore)
    343 ')
    344 
    345 ###########################################
    346 # use_drmservice(domain)
    347 # Ability to use DrmService which requires
    348 # DrmService to call getpidcon.
    349 define(`use_drmservice', `
    350   allow drmserver $1:dir search;
    351   allow drmserver $1:file { read open };
    352   allow drmserver $1:process getattr;
    353 ')
    354 
##########################################
# print a message with a trailing newline
# print(`args')
#
# Expands to an errprint call that prefixes the message with the
# m4 file name and line number of the call site. The definition
# deliberately spans two physical lines: the newline inside the
# quoted body is what supplies the trailing newline on stderr.
define(`print', `errprint(`m4: '__file__: __line__`: $*
')')
    360