      1 # rules removed from the domain attribute
      2 
      3 # Search /storage/emulated tmpfs mount.
        # Grants read-only directory access (r_dir_perms) on tmpfs directories to
        # every domain_deprecated type except installd.
        # NOTE(review): r_dir_perms is wider than the search named in the comment
        # above; confirm whether search alone would be enough.
      4 allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
        # Audit-only, and only on userdebug or eng builds: auditallow logs each
        # granted use of the permission and grants nothing by itself. Domains
        # subtracted in the set below are left out of the log; any other domain
        # that shows up in the audit log is still exercising this access.
      5 userdebug_or_eng(`
      6 auditallow {
      7   domain_deprecated
      8   -appdomain
      9   -installd
     10   -sdcardd
     11   -surfaceflinger
     12   -system_server
     13   -vold
     14   -zygote
     15 } tmpfs:dir r_dir_perms;
     16 ')
     17 
     18 # Inherit or receive open files from others.
        # Lets every domain_deprecated type use file descriptors labeled
        # system_server. fd use covers only the descriptor itself; permissions on
        # the file or socket behind it come from separate rules.
     19 allow domain_deprecated system_server:fd use;
        # userdebug or eng builds only: log the use for every domain except
        # appdomain, netd and surfaceflinger. auditallow records the access and
        # grants nothing.
     20 userdebug_or_eng(`
     21 auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
     22 ')
     23 
     24 # Connect to adbd and use a socket transferred from it.
     25 # This is used for e.g. adb backup/restore.
        # Only fd use is granted in this block: a domain_deprecated type may use a
        # descriptor labeled adbd. No socket-class permission appears here.
     26 allow domain_deprecated adbd:fd use;
        # userdebug or eng builds only: log the use for every domain except
        # appdomain and system_server. auditallow records the access and grants
        # nothing.
     27 userdebug_or_eng(`
     28 auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
     29 ')
     30 
     31 # Root fs.
        # Read-only access for every domain_deprecated type to directories, regular
        # files and symlinks labeled rootfs. No write permission is granted here.
     32 allow domain_deprecated rootfs:dir r_dir_perms;
     33 allow domain_deprecated rootfs:file r_file_perms;
     34 allow domain_deprecated rootfs:lnk_file r_file_perms;
        # userdebug or eng builds only: three audit rules, one per object class.
        # auditallow logs a granted access and grants nothing by itself. Each rule
        # subtracts its own list of domains, which are then left out of the log.
        # The dir and lnk_file rules audit a narrower permission set than the
        # allow rules above; per the trailing comments, search (dir) and read
        # (lnk_file) are granted on the domain attribute and are not audited here.
        # Note that fsck is subtracted only in the dir rule and appdomain only in
        # the lnk_file rule.
     35 userdebug_or_eng(`
     36 auditallow {
     37   domain_deprecated
     38   -fsck
     39   -healthd
     40   -installd
     41   -servicemanager
     42   -system_server
     43   -ueventd
     44   -uncrypt
     45   -vold
     46   -zygote
     47 } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
     48 auditallow {
     49   domain_deprecated
     50   -healthd
     51   -installd
     52   -servicemanager
     53   -system_server
     54   -ueventd
     55   -uncrypt
     56   -vold
     57   -zygote
     58 } rootfs:file r_file_perms;
     59 auditallow {
     60   domain_deprecated
     61   -appdomain
     62   -healthd
     63   -installd
     64   -servicemanager
     65   -system_server
     66   -ueventd
     67   -uncrypt
     68   -vold
     69   -zygote
     70 } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
     71 ')
     72 
     73 # System file accesses.
        # Read-only directory access (r_dir_perms) on system_file directories for
        # every domain_deprecated type. Only the dir class is covered in this
        # block; no file or lnk_file rule for system_file appears here.
     74 allow domain_deprecated system_file:dir r_dir_perms;
        # userdebug or eng builds only: log open, read, ioctl and lock on these
        # directories for every domain not subtracted below. Per the trailing
        # comment, search and getattr are granted on the domain attribute and are
        # therefore not audited. auditallow grants nothing by itself.
     75 userdebug_or_eng(`
     76 auditallow {
     77   domain_deprecated
     78   -appdomain
     79   -fingerprintd
     80   -installd
     81   -keystore
     82   -surfaceflinger
     83   -system_server
     84   -update_engine
     85   -vold
     86   -zygote
     87 } system_file:dir { open read ioctl lock }; # search getattr in domain
     88 ')
     89 
     90 # Read files already opened under /data.
        # The file rule grants getattr and read but not open, so a domain cannot
        # open a system_data_file file by path through this rule; it can only
        # read a descriptor it inherited or was handed. The lnk_file rule uses
        # the full r_file_perms set.
     91 allow domain_deprecated system_data_file:file { getattr read };
     92 allow domain_deprecated system_data_file:lnk_file r_file_perms;
        # userdebug or eng builds only: log use of the two grants above by any
        # domain not subtracted below. sdcardd is subtracted for the file class
        # only. auditallow records the access and grants nothing.
     93 userdebug_or_eng(`
     94 auditallow {
     95   domain_deprecated
     96   -appdomain
     97   -sdcardd
     98   -system_server
     99   -tee
    100 } system_data_file:file { getattr read };
    101 auditallow {
    102   domain_deprecated
    103   -appdomain
    104   -system_server
    105   -tee
    106 } system_data_file:lnk_file r_file_perms;
    107 ')
    108 
    109 # Read apk files under /data/app.
        # Directories get getattr and search only (path traversal, no listing);
        # regular files and symlinks labeled apk_data_file get r_file_perms.
        # Applies to every domain_deprecated type.
    110 allow domain_deprecated apk_data_file:dir { getattr search };
    111 allow domain_deprecated apk_data_file:file r_file_perms;
    112 allow domain_deprecated apk_data_file:lnk_file r_file_perms;
        # userdebug or eng builds only: one audit rule per object class, each with
        # the same subtracted domains (appdomain, dex2oat, installd,
        # system_server) and the same permissions as the matching allow rule.
        # auditallow logs a granted access and grants nothing by itself.
    113 userdebug_or_eng(`
    114 auditallow {
    115   domain_deprecated
    116   -appdomain
    117   -dex2oat
    118   -installd
    119   -system_server
    120 } apk_data_file:dir { getattr search };
    121 auditallow {
    122   domain_deprecated
    123   -appdomain
    124   -dex2oat
    125   -installd
    126   -system_server
    127 } apk_data_file:file r_file_perms;
    128 auditallow {
    129   domain_deprecated
    130   -appdomain
    131   -dex2oat
    132   -installd
    133   -system_server
    134 } apk_data_file:lnk_file r_file_perms;
    135 ')
    136 
    137 # Read already opened /cache files.
        # The file rule grants getattr and read but not open, so this rule alone
        # does not let a domain open a cache_file file by path. Directories get
        # the full r_dir_perms set and symlinks the full r_file_perms set.
    138 allow domain_deprecated cache_file:dir r_dir_perms;
    139 allow domain_deprecated cache_file:file { getattr read };
    140 allow domain_deprecated cache_file:lnk_file r_file_perms;
        # userdebug or eng builds only. The dir audit is split in two: getattr is
        # audited separately so that appdomain can be subtracted for getattr
        # alone, while the other dir permissions are still logged for appdomain.
        # system_server and vold are subtracted from every rule. auditallow logs
        # a granted access and grants nothing by itself.
    141 userdebug_or_eng(`
    142 auditallow {
    143   domain_deprecated
    144   -system_server
    145   -vold
    146 } cache_file:dir { open read search ioctl lock };
    147 auditallow {
    148   domain_deprecated
    149   -appdomain
    150   -system_server
    151   -vold
    152 } cache_file:dir getattr;
    153 auditallow {
    154   domain_deprecated
    155   -system_server
    156   -vold
    157 } cache_file:file { getattr read };
    158 auditallow {
    159   domain_deprecated
    160   -system_server
    161   -vold
    162 } cache_file:lnk_file r_file_perms;
    163 ')
    164 
    165 # Allow access to ion memory allocation device
        # Grants read and write (rw_file_perms) on the ion character device to
        # every domain_deprecated type, so each of those domains can reach this
        # device node for writing as well as reading.
    166 allow domain_deprecated ion_device:chr_file rw_file_perms;
    167 # split this auditallow into read and write perms since most domains seem to
    168 # only require read
        # userdebug or eng builds only. The read audit subtracts a list of
        # domains; the write and append audit subtracts none, so every write to
        # the device by any domain_deprecated type is logged. auditallow logs a
        # granted access and grants nothing by itself.
    169 userdebug_or_eng(`
    170 auditallow {
    171   domain_deprecated
    172   -appdomain
    173   -fingerprintd
    174   -keystore
    175   -surfaceflinger
    176   -system_server
    177   -tee
    178   -vold
    179   -zygote
    180 } ion_device:chr_file r_file_perms;
    181 auditallow domain_deprecated ion_device:chr_file { write append };
    182 ')
    183 
    184 # Read access to pseudo filesystems.
        # r_dir_file is a macro defined outside this file; judging by the audit
        # rules below it covers the dir, file and lnk_file classes of the given
        # type (TODO confirm against its definition). It is applied here to the
        # generic proc, sysfs and cgroup types for every domain_deprecated type,
        # and proc_meminfo files are made readable as well.
        # NOTE(review): these are broad read grants on kernel-exported state;
        # the audit rules below are what show which domains actually use them.
    185 r_dir_file(domain_deprecated, proc)
    186 r_dir_file(domain_deprecated, sysfs)
    187 r_dir_file(domain_deprecated, cgroup)
    188 allow domain_deprecated proc_meminfo:file r_file_perms;
    189 
        # userdebug or eng builds only: audit rules for the grants above, each
        # with its own list of subtracted domains. auditallow logs a granted
        # access and grants nothing by itself. Where a trailing comment says a
        # permission is granted in domain, that permission is left out of the
        # audited set. No audit rule for proc:dir appears in this block. The
        # three sysfs rules share one subtraction list, as do the two cgroup
        # rules.
    190 userdebug_or_eng(`
    191 auditallow {
    192   domain_deprecated
    193   -fsck
    194   -fsck_untrusted
    195   -sdcardd
    196   -system_server
    197   -update_engine
    198   -vold
    199 } proc:file r_file_perms;
    200 auditallow {
    201   domain_deprecated
    202   -fsck
    203   -fsck_untrusted
    204   -system_server
    205   -vold
    206 } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
    207 auditallow {
    208   domain_deprecated
    209   -bluetooth
    210   -fingerprintd
    211   -healthd
    212   -netd
    213   -system_app
    214   -surfaceflinger
    215   -system_server
    216   -tee
    217   -ueventd
    218   -vold
    219 } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
    220 auditallow {
    221   domain_deprecated
    222   -bluetooth
    223   -fingerprintd
    224   -healthd
    225   -netd
    226   -system_app
    227   -surfaceflinger
    228   -system_server
    229   -tee
    230   -ueventd
    231   -vold
    232 } sysfs:file r_file_perms;
    233 auditallow {
    234   domain_deprecated
    235   -bluetooth
    236   -fingerprintd
    237   -healthd
    238   -netd
    239   -system_app
    240   -surfaceflinger
    241   -system_server
    242   -tee
    243   -ueventd
    244   -vold
    245 } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
    246 auditallow {
    247   domain_deprecated
    248   -appdomain
    249   -dumpstate
    250   -fingerprintd
    251   -healthd
    252   -inputflinger
    253   -installd
    254   -keystore
    255   -netd
    256   -surfaceflinger
    257   -system_server
    258   -zygote
    259 } cgroup:dir r_dir_perms;
    260 auditallow {
    261   domain_deprecated
    262   -appdomain
    263   -dumpstate
    264   -fingerprintd
    265   -healthd
    266   -inputflinger
    267   -installd
    268   -keystore
    269   -netd
    270   -surfaceflinger
    271   -system_server
    272   -zygote
    273 } cgroup:{ file lnk_file } r_file_perms;
    274 auditallow {
    275   domain_deprecated
    276   -appdomain
    277   -surfaceflinger
    278   -system_server
    279   -vold
    280 } proc_meminfo:file r_file_perms;
    281 ')
    282 
    283 # Get SELinux enforcing status.
        # Read-only access to selinuxfs directories and files for every
        # domain_deprecated type. No write permission on selinuxfs is granted in
        # this block.
    284 allow domain_deprecated selinuxfs:dir r_dir_perms;
    285 allow domain_deprecated selinuxfs:file r_file_perms;
        # userdebug or eng builds only: log use of the grants above by any domain
        # not subtracted below; both rules subtract the same list. Per the
        # trailing comments, search (dir) and getattr (file) are granted on the
        # domain attribute and are left out of the audited sets. auditallow logs
        # a granted access and grants nothing by itself.
    286 userdebug_or_eng(`
    287 auditallow {
    288   domain_deprecated
    289   -appdomain
    290   -installd
    291   -keystore
    292   -postinstall_dexopt
    293   -runas
    294   -servicemanager
    295   -system_server
    296   -ueventd
    297   -zygote
    298 } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
    299 auditallow {
    300   domain_deprecated
    301   -appdomain
    302   -installd
    303   -keystore
    304   -postinstall_dexopt
    305   -runas
    306   -servicemanager
    307   -system_server
    308   -ueventd
    309   -zygote
    310 } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
    311 ')
    312