1 # Rules for all domains. 2 3 # Allow reaping by init. 4 allow domain init:process sigchld; 5 6 # Intra-domain accesses. 7 allow domain self:process { 8 fork 9 sigchld 10 sigkill 11 sigstop 12 signull 13 signal 14 getsched 15 setsched 16 getsession 17 getpgid 18 setpgid 19 getcap 20 setcap 21 getattr 22 setrlimit 23 }; 24 allow domain self:fd use; 25 allow domain proc:dir r_dir_perms; 26 allow domain proc_net:dir search; 27 r_dir_file(domain, self) 28 allow domain self:{ fifo_file file } rw_file_perms; 29 allow domain self:unix_dgram_socket { create_socket_perms sendto }; 30 allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls; 32 33 # Inherit or receive open files from others. 34 allow domain init:fd use; 35 36 userdebug_or_eng(` 37 # Same as adbd rules above, except allow su to do the same thing 38 allow domain su:unix_stream_socket connectto; 39 allow domain su:fd use; 40 allow domain su:unix_stream_socket { getattr getopt read write shutdown }; 41 42 allow { domain -init } su:binder { call transfer }; 43 allow { domain -init } su:fd use; 44 45 # Running something like "pm dump com.android.bluetooth" requires 46 # fifo writes 47 allow domain su:fifo_file { write getattr }; 48 49 # allow "gdbserver --attach" to work for su. 50 allow domain su:process sigchld; 51 52 # Allow writing coredumps to /cores/* 53 allow domain coredump_file:file create_file_perms; 54 allow domain coredump_file:dir ra_dir_perms; 55 ') 56 57 ### 58 ### Talk to debuggerd. 59 ### 60 allow domain debuggerd:process sigchld; 61 allow domain debuggerd:unix_stream_socket connectto; 62 63 # Root fs. 64 allow domain rootfs:dir search; 65 allow domain rootfs:lnk_file read; 66 67 # Device accesses. 68 allow domain device:dir search; 69 allow domain dev_type:lnk_file r_file_perms; 70 allow domain devpts:dir search; 71 allow domain socket_device:dir r_dir_perms; 72 allow domain owntty_device:chr_file rw_file_perms; 73 allow domain null_device:chr_file rw_file_perms; 74 allow domain zero_device:chr_file rw_file_perms; 75 allow domain ashmem_device:chr_file rw_file_perms; 76 allow domain binder_device:chr_file rw_file_perms; 77 allow domain ptmx_device:chr_file rw_file_perms; 78 allow domain alarm_device:chr_file r_file_perms; 79 allow domain urandom_device:chr_file rw_file_perms; 80 allow domain random_device:chr_file rw_file_perms; 81 allow domain properties_device:dir r_dir_perms; 82 allow domain properties_serial:file r_file_perms; 83 84 # For now, everyone can access core property files 85 # Device specific properties are not granted by default 86 get_prop(domain, core_property_type) 87 # Let everyone read log properties, so that liblog can avoid sending unloggable 88 # messages to logd. 89 get_prop(domain, log_property_type) 90 dontaudit domain property_type:file audit_access; 91 allow domain property_contexts:file r_file_perms; 92 93 allow domain init:key search; 94 allow domain vold:key search; 95 96 # logd access 97 write_logd(domain) 98 99 # System file accesses. 100 allow domain system_file:dir { search getattr }; 101 allow domain system_file:file { execute read open getattr }; 102 allow domain system_file:lnk_file read; 103 104 # read any sysfs symlinks 105 allow domain sysfs:lnk_file read; 106 107 # libc references /data/misc/zoneinfo for timezone related information 108 r_dir_file(domain, zoneinfo_data_file) 109 110 # Lots of processes access current CPU information 111 r_dir_file(domain, sysfs_devices_system_cpu) 112 113 r_dir_file(domain, sysfs_usb); 114 115 # files under /data. 116 allow domain system_data_file:dir { search getattr }; 117 allow domain system_data_file:lnk_file read; 118 119 # required by the dynamic linker 120 allow domain proc:lnk_file { getattr read }; 121 122 # /proc/cpuinfo 123 allow domain proc_cpuinfo:file r_file_perms; 124 125 # toybox loads libselinux which stats /sys/fs/selinux/ 126 allow domain selinuxfs:dir search; 127 allow domain selinuxfs:file getattr; 128 allow domain sysfs:dir search; 129 allow domain selinuxfs:filesystem getattr; 130 131 # For /acct/uid/*/tasks. 132 allow domain cgroup:dir { search write }; 133 allow domain cgroup:file w_file_perms; 134 135 # Almost all processes log tracing information to 136 # /sys/kernel/debug/tracing/trace_marker 137 # The reason behind this is documented in b/6513400 138 allow domain debugfs:dir search; 139 allow domain debugfs_tracing:dir search; 140 allow domain debugfs_trace_marker:file w_file_perms; 141 142 # Filesystem access. 143 allow domain fs_type:filesystem getattr; 144 allow domain fs_type:dir getattr; 145 146 ### 147 ### neverallow rules 148 ### 149 150 # Do not allow any domain other than init or recovery to create unlabeled files. 151 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 152 153 # Limit ability to ptrace or read sensitive /proc/pid files of processes 154 # with other UIDs to these whitelisted domains. 155 neverallow { 156 domain 157 -debuggerd 158 -vold 159 -dumpstate 160 -system_server 161 userdebug_or_eng(`-perfprofd') 162 } self:capability sys_ptrace; 163 164 # Limit device node creation to these whitelisted domains. 165 neverallow { 166 domain 167 -kernel 168 -init 169 -ueventd 170 -vold 171 } self:capability mknod; 172 173 # Limit raw I/O to these whitelisted domains. Do not apply to debug builds. 174 neverallow { 175 domain 176 userdebug_or_eng(`-domain') 177 -kernel 178 -init 179 -recovery 180 -ueventd 181 -healthd 182 -uncrypt 183 -tee 184 } self:capability sys_rawio; 185 186 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). 187 neverallow * self:memprotect mmap_zero; 188 189 # No domain needs mac_override as it is unused by SELinux. 190 neverallow * self:capability2 mac_override; 191 192 # Only recovery needs mac_admin to set contexts not defined in current policy. 193 neverallow { domain -recovery } self:capability2 mac_admin; 194 195 # Only init should be able to load SELinux policies. 196 # The first load technically occurs while still in the kernel domain, 197 # but this does not trigger a denial since there is no policy yet. 198 # Policy reload requires allowing this to the init domain. 199 neverallow { domain -init } kernel:security load_policy; 200 201 # Only init and the system_server can set selinux.reload_policy 1 202 # to trigger a policy reload. 203 neverallow { domain -init -system_server } security_prop:property_service set; 204 205 # Only init and system_server can write to /data/security, where runtime 206 # policy updates live. 207 # Only init can relabel /data/security (for init.rc restorecon_recursive /data). 208 neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto }; 209 # Only init and system_server can create/setattr directories with this type. 210 # init is for init.rc mkdir /data/security. 211 # system_server is for creating subdirectories under /data/security. 212 neverallow { domain -init -system_server } security_file:dir { create setattr }; 213 # Only system_server can create subdirectories and files under /data/security. 214 neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir }; 215 neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename }; 216 neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename }; 217 218 # Only init prior to switching context should be able to set enforcing mode. 219 # init starts in kernel domain and switches to init domain via setcon in 220 # the init.rc, so the setenforce occurs while still in kernel. After 221 # switching domains, there is never any need to setenforce again by init. 222 neverallow * kernel:security setenforce; 223 neverallow { domain -kernel } kernel:security setcheckreqprot; 224 225 # No booleans in AOSP policy, so no need to ever set them. 226 neverallow * kernel:security setbool; 227 228 # Adjusting the AVC cache threshold. 229 # Not presently allowed to anything in policy, but possibly something 230 # that could be set from init.rc. 231 neverallow { domain -init } kernel:security setsecparam; 232 233 # Only init, ueventd and system_server should be able to access HW RNG 234 neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *; 235 236 # Ensure that all entrypoint executables are in exec_type or postinstall_file. 237 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; 238 239 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem 240 neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *; 241 neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr }; 242 243 # Only init should be able to configure kernel usermodehelpers or 244 # security-sensitive proc settings. 245 neverallow { domain -init } usermodehelper:file { append write }; 246 neverallow { domain -init } proc_security:file { append write }; 247 248 # No domain should be allowed to ptrace init. 249 neverallow * init:process ptrace; 250 251 # Init can't do anything with binder calls. If this neverallow rule is being 252 # triggered, it's probably due to a service with no SELinux domain. 253 neverallow * init:binder *; 254 255 # Don't allow raw read/write/open access to block_device 256 # Rather force a relabel to a more specific type 257 neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write }; 258 259 # Don't allow raw read/write/open access to generic devices. 260 # Rather force a relabel to a more specific type. 261 # init is exempt from this as there are character devices that only it uses. 262 # ueventd is exempt from this, as it is managing these devices. 263 neverallow { domain -init -ueventd } device:chr_file { open read write }; 264 265 # Limit what domains can mount filesystems or change their mount flags. 266 # sdcard_type / vfat is exempt as a larger set of domains need 267 # this capability, including device-specific domains. 268 neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; 269 270 # 271 # Assert that, to the extent possible, we're not loading executable content from 272 # outside the rootfs or /system partition except for a few whitelisted domains. 273 # 274 neverallow { 275 domain 276 -appdomain 277 -autoplay_app 278 -dumpstate 279 -shell 280 userdebug_or_eng(`-su') 281 -system_server 282 -zygote 283 } { file_type -system_file -exec_type -postinstall_file }:file execute; 284 neverallow { 285 domain 286 -appdomain # for oemfs 287 -recovery # for /tmp/update_binary in tmpfs 288 } { fs_type -rootfs }:file execute; 289 # Files from cache should never be executed 290 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; 291 292 # Protect most domains from executing arbitrary content from /data. 293 neverallow { 294 domain 295 -appdomain 296 } { 297 data_file_type 298 -dalvikcache_data_file 299 -system_data_file # shared libs in apks 300 -apk_data_file 301 }:file no_x_file_perms; 302 303 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; 304 305 # Only the init property service should write to /data/property and /dev/__properties__ 306 neverallow { domain -init } property_data_file:dir no_w_dir_perms; 307 neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; 308 neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; 309 neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; 310 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; 311 312 # Only recovery should be doing writes to /system 313 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set 314 { create write setattr relabelfrom append unlink link rename }; 315 neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto; 316 317 # Don't allow mounting on top of /system files or directories 318 neverallow * exec_type:dir_file_class_set mounton; 319 neverallow { domain -init } system_file:dir_file_class_set mounton; 320 321 # Nothing should be writing to files in the rootfs. 322 neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; 323 324 # Restrict context mounts to specific types marked with 325 # the contextmount_type attribute. 326 neverallow * {fs_type -contextmount_type}:filesystem relabelto; 327 328 # Ensure that context mount types are not writable, to ensure that 329 # the write to /system restriction above is not bypassed via context= 330 # mount to another type. 331 neverallow { domain -recovery } contextmount_type:dir_file_class_set 332 { create write setattr relabelfrom relabelto append unlink link rename }; 333 334 # Do not allow service_manager add for default_android_service. 335 # Instead domains should use a more specific type such as 336 # system_app_service rather than the generic type. 337 # New service_types are defined in service.te and new mappings 338 # from service name to service_type are defined in service_contexts. 339 neverallow * default_android_service:service_manager add; 340 341 # Require that domains explicitly label unknown properties, and do not allow 342 # anyone but init to modify unknown properties. 343 neverallow { domain -init } default_prop:property_service set; 344 neverallow { domain -init } mmc_prop:property_service set; 345 346 neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms; 347 348 # No domain other than recovery and update_engine can write to system partition(s). 349 neverallow { domain -recovery -update_engine } system_block_device:blk_file write; 350 351 # No domains other than install_recovery or recovery can write to recovery. 352 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write; 353 354 # No domains other than a select few can access the misc_block_device. This 355 # block device is reserved for OTA use. 356 # Do not assert this rule on userdebug/eng builds, due to some devices using 357 # this partition for testing purposes. 358 neverallow { 359 domain 360 userdebug_or_eng(`-domain') # exclude debuggable builds 361 -init 362 -uncrypt 363 -update_engine 364 -vold 365 -recovery 366 -ueventd 367 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; 368 369 # Only servicemanager should be able to register with binder as the context manager 370 neverallow { domain -servicemanager } *:binder set_context_mgr; 371 372 # Only authorized processes should be writing to files in /data/dalvik-cache 373 neverallow { 374 domain 375 -init # TODO: limit init to relabelfrom for files 376 -zygote 377 -installd 378 -postinstall_dexopt 379 -cppreopts 380 -dex2oat 381 -otapreopt_slot 382 } dalvikcache_data_file:file no_w_file_perms; 383 384 neverallow { 385 domain 386 -init 387 -installd 388 -postinstall_dexopt 389 -cppreopts 390 -dex2oat 391 -zygote 392 -otapreopt_slot 393 } dalvikcache_data_file:dir no_w_dir_perms; 394 395 # Only system_server should be able to send commands via the zygote socket 396 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 397 neverallow { domain -system_server } zygote_socket:sock_file write; 398 399 # Android does not support System V IPCs. 400 # 401 # The reason for this is due to the fact that, by design, they lead to global 402 # kernel resource leakage. 403 # 404 # For example, there is no way to automatically release a SysV semaphore 405 # allocated in the kernel when: 406 # 407 # - a buggy or malicious process exits 408 # - a non-buggy and non-malicious process crashes or is explicitly killed. 409 # 410 # Killing processes automatically to make room for new ones is an 411 # important part of Android's application lifecycle implementation. This means 412 # that, even assuming only non-buggy and non-malicious code, it is very likely 413 # that over time, the kernel global tables used to implement SysV IPCs will fill 414 # up. 415 neverallow * *:{ shm sem msg msgq } *; 416 417 # Do not mount on top of symlinks, fifos, or sockets. 418 # Feature parity with Chromium LSM. 419 neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 420 421 # Nobody should be able to execute su on user builds. 422 # On userdebug/eng builds, only dumpstate, shell, and 423 # su itself execute su. 424 neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 425 426 # Do not allow the introduction of new execmod rules. Text relocations 427 # and modification of executable pages are unsafe. 428 # The only exceptions are for NDK text relocations associated with 429 # https://code.google.com/p/android/issues/detail?id=23203 430 # which, long term, need to go away. 431 neverallow * { 432 file_type 433 -system_data_file 434 -apk_data_file 435 -app_data_file 436 -asec_public_file 437 }:file execmod; 438 439 # Do not allow making the stack or heap executable. 440 # We would also like to minimize execmem but it seems to be 441 # required by some device-specific service domains. 442 neverallow * self:process { execstack execheap }; 443 444 # prohibit non-zygote spawned processes from using shared libraries 445 # with text relocations. b/20013628 . 446 neverallow { domain -appdomain } file_type:file execmod; 447 448 neverallow { domain -init } proc:{ file dir } mounton; 449 450 # Ensure that all types assigned to processes are included 451 # in the domain attribute, so that all allow and neverallow rules 452 # written on domain are applied to all processes. 453 # This is achieved by ensuring that it is impossible to transition 454 # from a domain to a non-domain type and vice versa. 455 neverallow domain ~domain:process { transition dyntransition }; 456 neverallow ~domain domain:process { transition dyntransition }; 457 458 # 459 # Only system_app and system_server should be creating or writing 460 # their files. The proper way to share files is to setup 461 # type transitions to a more specific type or assigning a type 462 # to its parent directory via a file_contexts entry. 463 # Example type transition: 464 # mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 465 # 466 neverallow { 467 domain 468 -system_server 469 -system_app 470 -init 471 -installd # for relabelfrom and unlink, check for this in explicit neverallow 472 } system_data_file:file no_w_file_perms; 473 # do not grant anything greater than r_file_perms and relabelfrom unlink 474 # to installd 475 neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 476 477 # 478 # Only these domains should transition to shell domain. This domain is 479 # permissible for the "shell user". If you need a process to exec a shell 480 # script with differing privilege, define a domain and set up a transition. 481 # 482 neverallow { 483 domain 484 -adbd 485 -init 486 -runas 487 -zygote 488 } shell:process { transition dyntransition }; 489 490 # Only domains spawned from zygote and runas may have the appdomain attribute. 491 neverallow { domain -runas -zygote } { 492 appdomain -shell userdebug_or_eng(`-su') -bluetooth 493 }:process { transition dyntransition }; 494 495 # Minimize read access to shell- or app-writable symlinks. 496 # This is to prevent malicious symlink attacks. 497 neverallow { 498 domain 499 -appdomain 500 -installd 501 -uncrypt # TODO: see if we can remove 502 } app_data_file:lnk_file read; 503 504 neverallow { 505 domain 506 -shell 507 userdebug_or_eng(`-uncrypt') 508 -installd 509 } shell_data_file:lnk_file read; 510 511 # In addition to the symlink reading restrictions above, restrict 512 # write access to shell owned directories. The /data/local/tmp 513 # directory is untrustworthy, and non-whitelisted domains should 514 # not be trusting any content in those directories. 515 neverallow { 516 domain 517 -adbd 518 -dumpstate 519 -installd 520 -init 521 -shell 522 -vold 523 } shell_data_file:dir no_w_dir_perms; 524 525 neverallow { 526 domain 527 -adbd 528 -appdomain 529 -dumpstate 530 -init 531 -installd 532 -system_server # why? 533 userdebug_or_eng(`-uncrypt') 534 } shell_data_file:dir { open search }; 535 536 # Same as above for /data/local/tmp files. We allow shell files 537 # to be passed around by file descriptor, but not directly opened. 538 neverallow { 539 domain 540 -adbd 541 -appdomain 542 -dumpstate 543 -installd 544 userdebug_or_eng(`-uncrypt') 545 } shell_data_file:file open; 546 547 # servicemanager is the only process which handles list request 548 neverallow * ~servicemanager:service_manager list; 549 550 # only service_manager_types can be added to service_manager 551 neverallow * ~service_manager_type:service_manager { add find }; 552 553 # Prevent assigning non property types to properties 554 neverallow * ~property_type:property_service set; 555 556 # Domain types should never be assigned to any files other 557 # than the /proc/pid files associated with a process. The 558 # executable file used to enter a domain should be labeled 559 # with its own _exec type, not with the domain type. 560 # Conventionally, this looks something like: 561 # $ cat mydaemon.te 562 # type mydaemon, domain; 563 # type mydaemon_exec, exec_type, file_type; 564 # init_daemon_domain(mydaemon) 565 # $ grep mydaemon file_contexts 566 # /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 567 neverallow * domain:file { execute execute_no_trans entrypoint }; 568 569 # Do not allow access to the generic debugfs label. This is too broad. 570 # Instead, if access to part of debugfs is desired, it should have a 571 # more specific label. 572 # TODO: fix system_server and dumpstate 573 neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms; 574 575 neverallow { 576 domain 577 -init 578 -recovery 579 -sdcardd 580 -vold 581 } fuse_device:chr_file open; 582 neverallow { 583 domain 584 -dumpstate 585 -init 586 -priv_app 587 -recovery 588 -sdcardd 589 -system_server 590 -ueventd 591 -vold 592 } fuse_device:chr_file *; 593 594 # Profiles contain untrusted data and profman parses that. We should only run 595 # in from installd forked processes. 596 neverallow { 597 domain 598 -installd 599 -profman 600 } profman_exec:file no_x_file_perms; 601 602 # Enforce restrictions on kernel module origin. 603 # Do not allow kernel module loading except from system, 604 # vendor, and boot partitions. 605 neverallow * ~{ system_file rootfs }:system module_load; 606
