1 # Rules for all domains. 2 3 # Allow reaping by init. 4 allow domain init:process sigchld; 5 6 # Intra-domain accesses. 7 allow domain self:process { 8 fork 9 sigchld 10 sigkill 11 sigstop 12 signull 13 signal 14 getsched 15 setsched 16 getsession 17 getpgid 18 setpgid 19 getcap 20 setcap 21 getattr 22 setrlimit 23 }; 24 allow domain self:fd use; 25 allow domain proc:dir r_dir_perms; 26 allow domain proc_net:dir search; 27 r_dir_file(domain, self) 28 allow domain self:{ fifo_file file } rw_file_perms; 29 allow domain self:unix_dgram_socket { create_socket_perms sendto }; 30 allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31 32 # Inherit or receive open files from others. 33 allow domain init:fd use; 34 35 userdebug_or_eng(` 36 allow domain su:fd use; 37 allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown }; 38 allow domain su:unix_dgram_socket sendto; 39 40 allow { domain -init } su:binder { call transfer }; 41 42 # Running something like "pm dump com.android.bluetooth" requires 43 # fifo writes 44 allow domain su:fifo_file { write getattr }; 45 46 # allow "gdbserver --attach" to work for su. 47 allow domain su:process sigchld; 48 49 # Allow writing coredumps to /cores/* 50 allow domain coredump_file:file create_file_perms; 51 allow domain coredump_file:dir ra_dir_perms; 52 ') 53 54 # Root fs. 55 allow domain rootfs:dir search; 56 allow domain rootfs:lnk_file { read getattr }; 57 58 # Device accesses. 59 allow domain device:dir search; 60 allow domain dev_type:lnk_file r_file_perms; 61 allow domain devpts:dir search; 62 allow domain socket_device:dir r_dir_perms; 63 allow domain owntty_device:chr_file rw_file_perms; 64 allow domain null_device:chr_file rw_file_perms; 65 allow domain zero_device:chr_file rw_file_perms; 66 allow domain ashmem_device:chr_file rw_file_perms; 67 # /dev/binder can be accessed by non-vendor domains and by apps 68 allow { 69 coredomain 70 appdomain 71 binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 72 -hwservicemanager 73 } binder_device:chr_file rw_file_perms; 74 # Devices which are not full TREBLE have fewer restrictions on access to /dev/binder 75 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;') 76 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; 77 allow domain ptmx_device:chr_file rw_file_perms; 78 allow domain alarm_device:chr_file r_file_perms; 79 allow domain random_device:chr_file rw_file_perms; 80 allow domain proc_random:dir r_dir_perms; 81 allow domain proc_random:file r_file_perms; 82 allow domain properties_device:dir { search getattr }; 83 allow domain properties_serial:file r_file_perms; 84 allow domain property_info:file r_file_perms; 85 86 # For now, everyone can access core property files 87 # Device specific properties are not granted by default 88 not_compatible_property(` 89 get_prop(domain, core_property_type) 90 get_prop(domain, exported_dalvik_prop) 91 get_prop(domain, exported_ffs_prop) 92 get_prop(domain, exported_system_radio_prop) 93 get_prop(domain, exported2_config_prop) 94 get_prop(domain, exported2_radio_prop) 95 get_prop(domain, exported2_system_prop) 96 get_prop(domain, exported2_vold_prop) 97 get_prop(domain, exported3_default_prop) 98 get_prop(domain, exported3_radio_prop) 99 get_prop(domain, exported3_system_prop) 100 get_prop(domain, vendor_default_prop) 101 ') 102 compatible_property_only(` 103 get_prop({coredomain appdomain shell}, core_property_type) 104 get_prop({coredomain appdomain shell}, exported_dalvik_prop) 105 get_prop({coredomain appdomain shell}, exported_ffs_prop) 106 get_prop({coredomain appdomain shell}, exported_system_radio_prop) 107 get_prop({coredomain appdomain shell}, exported2_config_prop) 108 get_prop({coredomain appdomain shell}, exported2_radio_prop) 109 get_prop({coredomain appdomain shell}, exported2_system_prop) 110 get_prop({coredomain appdomain shell}, exported2_vold_prop) 111 get_prop({coredomain appdomain shell}, exported3_default_prop) 112 get_prop({coredomain appdomain shell}, exported3_radio_prop) 113 get_prop({coredomain appdomain shell}, exported3_system_prop) 114 userdebug_or_eng(` 115 get_prop(su, core_property_type) 116 get_prop(su, exported_dalvik_prop) 117 get_prop(su, exported_ffs_prop) 118 get_prop(su, exported_system_radio_prop) 119 get_prop(su, exported2_config_prop) 120 get_prop(su, exported2_radio_prop) 121 get_prop(su, exported2_system_prop) 122 get_prop(su, exported2_vold_prop) 123 get_prop(su, exported3_default_prop) 124 get_prop(su, exported3_radio_prop) 125 get_prop(su, exported3_system_prop) 126 ') 127 get_prop({domain -coredomain -appdomain}, vendor_default_prop) 128 ') 129 130 # Public readable properties 131 get_prop(domain, debug_prop) 132 get_prop(domain, exported_config_prop) 133 get_prop(domain, exported_default_prop) 134 get_prop(domain, exported_dumpstate_prop) 135 get_prop(domain, exported_fingerprint_prop) 136 get_prop(domain, exported_radio_prop) 137 get_prop(domain, exported_secure_prop) 138 get_prop(domain, exported_system_prop) 139 get_prop(domain, exported_vold_prop) 140 get_prop(domain, exported2_default_prop) 141 get_prop(domain, logd_prop) 142 143 # Let everyone read log properties, so that liblog can avoid sending unloggable 144 # messages to logd. 145 get_prop(domain, log_property_type) 146 dontaudit domain property_type:file audit_access; 147 allow domain property_contexts_file:file r_file_perms; 148 149 allow domain init:key search; 150 allow domain vold:key search; 151 152 # logd access 153 write_logd(domain) 154 155 # System file accesses. 156 allow domain system_file:dir { search getattr }; 157 allow domain system_file:file { execute read open getattr map }; 158 allow domain system_file:lnk_file { getattr read }; 159 160 # Make sure system/vendor split doesn not affect non-treble 161 # devices 162 not_full_treble(` 163 allow domain vendor_file_type:dir { search getattr }; 164 allow domain vendor_file_type:file { execute read open getattr map }; 165 allow domain vendor_file_type:lnk_file { getattr read }; 166 ') 167 168 # All domains are allowed to open and read directories 169 # that contain HAL implementations (e.g. passthrough 170 # HALs require clients to have these permissions) 171 allow domain vendor_hal_file:dir r_dir_perms; 172 173 # Everyone can read and execute all same process HALs 174 allow domain same_process_hal_file:dir r_dir_perms; 175 allow domain same_process_hal_file:file { execute read open getattr map }; 176 177 # Any process can load vndk-sp libraries, which are system libraries 178 # used by same process HALs 179 allow domain vndk_sp_file:dir r_dir_perms; 180 allow domain vndk_sp_file:file { execute read open getattr map }; 181 182 # All domains get access to /vendor/etc 183 allow domain vendor_configs_file:dir r_dir_perms; 184 allow domain vendor_configs_file:file { read open getattr }; 185 186 full_treble_only(` 187 # Allow all domains to be able to follow /system/vendor and/or 188 # /vendor/odm symlinks. 189 allow domain vendor_file_type:lnk_file { getattr open read }; 190 191 # This is required to be able to search & read /vendor/lib64 192 # in order to lookup vendor libraries. The execute permission 193 # for coredomains is granted *only* for same process HALs 194 allow domain vendor_file:dir { getattr search }; 195 196 # Allow reading and executing out of /vendor to all vendor domains 197 allow { domain -coredomain } vendor_file_type:dir r_dir_perms; 198 allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; 199 allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; 200 ') 201 202 # read and stat any sysfs symlinks 203 allow domain sysfs:lnk_file { getattr read }; 204 205 # libc references /data/misc/zoneinfo for timezone related information 206 # This directory is considered to be a VNDK-stable 207 allow domain zoneinfo_data_file:file r_file_perms; 208 allow domain zoneinfo_data_file:dir r_dir_perms; 209 210 # Lots of processes access current CPU information 211 r_dir_file(domain, sysfs_devices_system_cpu) 212 213 r_dir_file(domain, sysfs_usb); 214 215 # files under /data. 216 not_full_treble(` 217 allow domain system_data_file:dir getattr; 218 ') 219 allow { coredomain appdomain } system_data_file:dir getattr; 220 # /data has the label system_data_file. Vendor components need the search 221 # permission on system_data_file for path traversal to /data/vendor. 222 allow domain system_data_file:dir search; 223 # TODO restrict this to non-coredomain 224 allow domain vendor_data_file:dir { getattr search }; 225 226 # required by the dynamic linker 227 allow domain proc:lnk_file { getattr read }; 228 229 # /proc/cpuinfo 230 allow domain proc_cpuinfo:file r_file_perms; 231 232 # jemalloc needs to read /proc/sys/vm/overcommit_memory 233 allow domain proc_overcommit_memory:file r_file_perms; 234 235 # profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate 236 allow domain proc_perf:file r_file_perms; 237 238 # toybox loads libselinux which stats /sys/fs/selinux/ 239 allow domain selinuxfs:dir search; 240 allow domain selinuxfs:file getattr; 241 allow domain sysfs:dir search; 242 allow domain selinuxfs:filesystem getattr; 243 244 # For /acct/uid/*/tasks. 245 allow domain cgroup:dir { search write }; 246 allow domain cgroup:file w_file_perms; 247 248 # Almost all processes log tracing information to 249 # /sys/kernel/debug/tracing/trace_marker 250 # The reason behind this is documented in b/6513400 251 allow domain debugfs:dir search; 252 allow domain debugfs_tracing:dir search; 253 allow domain debugfs_tracing_debug:dir search; 254 allow domain debugfs_trace_marker:file w_file_perms; 255 256 # Filesystem access. 257 allow domain fs_type:filesystem getattr; 258 allow domain fs_type:dir getattr; 259 260 # Restrict all domains to a whitelist for common socket types. Additional 261 # ioctl commands may be added to individual domains, but this sets safe 262 # defaults for all processes. Note that granting this whitelist to domain does 263 # not grant the ioctl permission on these socket types. That must be granted 264 # separately. 265 allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } 266 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 267 # default whitelist for unix sockets. 268 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } 269 ioctl unpriv_unix_sock_ioctls; 270 271 # Restrict PTYs to only whitelisted ioctls. 272 # Note that granting this whitelist to domain does 273 # not grant the wider ioctl permission. That must be granted 274 # separately. 275 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; 276 277 # Workaround for policy compiler being too aggressive and removing hwservice_manager_type 278 # when it's not explicitly used in allow rules 279 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; 280 # Workaround for policy compiler being too aggressive and removing vndservice_manager_type 281 # when it's not explicitly used in allow rules 282 allow { domain -domain } vndservice_manager_type:service_manager { add find }; 283 284 # Under ASAN, processes will try to read /data, as the sanitized libraries are there. 285 with_asan(`allow domain system_data_file:dir getattr;') 286 287 ### 288 ### neverallow rules 289 ### 290 291 # All socket ioctls must be restricted to a whitelist. 292 neverallowxperm domain domain:socket_class_set ioctl { 0 }; 293 294 # b/68014825 and https://android-review.googlesource.com/516535 295 # rfc6093 says that processes should not use the TCP urgent mechanism 296 neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; 297 298 # TIOCSTI is only ever used for exploits. Block it. 299 # b/33073072, b/7530569 300 # http://www.openwall.com/lists/oss-security/2016/09/26/14 301 neverallowxperm * devpts:chr_file ioctl TIOCSTI; 302 303 # Do not allow any domain other than init to create unlabeled files. 304 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 305 306 # Limit device node creation to these whitelisted domains. 307 neverallow { 308 domain 309 -kernel 310 -init 311 -ueventd 312 -vold 313 } self:global_capability_class_set mknod; 314 315 # Limit raw I/O to these whitelisted domains. Do not apply to debug builds. 316 neverallow { 317 domain 318 userdebug_or_eng(`-domain') 319 -kernel 320 -init 321 -recovery 322 -ueventd 323 -healthd 324 -uncrypt 325 -tee 326 } self:global_capability_class_set sys_rawio; 327 328 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). 329 neverallow * self:memprotect mmap_zero; 330 331 # No domain needs mac_override as it is unused by SELinux. 332 neverallow * self:global_capability2_class_set mac_override; 333 334 # Disallow attempts to set contexts not defined in current policy 335 # This helps guarantee that unknown or dangerous contents will not ever 336 # be set. 337 neverallow * self:global_capability2_class_set mac_admin; 338 339 # Once the policy has been loaded there shall be none to modify the policy. 340 # It is sealed. 341 neverallow * kernel:security load_policy; 342 343 # Only init prior to switching context should be able to set enforcing mode. 344 # init starts in kernel domain and switches to init domain via setcon in 345 # the init.rc, so the setenforce occurs while still in kernel. After 346 # switching domains, there is never any need to setenforce again by init. 347 neverallow * kernel:security setenforce; 348 neverallow { domain -kernel } kernel:security setcheckreqprot; 349 350 # No booleans in AOSP policy, so no need to ever set them. 351 neverallow * kernel:security setbool; 352 353 # Adjusting the AVC cache threshold. 354 # Not presently allowed to anything in policy, but possibly something 355 # that could be set from init.rc. 356 neverallow { domain -init } kernel:security setsecparam; 357 358 # Only init, ueventd, shell and system_server should be able to access HW RNG 359 neverallow { 360 domain 361 -init 362 -shell # For CTS and is restricted to getattr in shell.te 363 -system_server 364 -ueventd 365 } hw_random_device:chr_file *; 366 # b/78174219 b/64114943 367 neverallow { 368 domain 369 -init 370 -shell # stat of /dev, getattr only 371 -vendor_init 372 -ueventd 373 } keychord_device:chr_file *; 374 375 # Ensure that all entrypoint executables are in exec_type or postinstall_file. 376 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; 377 378 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem 379 neverallow { 380 domain 381 -shell # For CTS and is restricted to getattr in shell.te 382 -ueventd # Further restricted in ueventd.te 383 } kmem_device:chr_file *; 384 neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr }; 385 386 #Ensure that nothing in userspace can access /dev/port 387 neverallow { 388 domain 389 -shell # Shell user should not have any abilities outside of getattr 390 -ueventd 391 } port_device:chr_file *; 392 neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; 393 # Only init should be able to configure kernel usermodehelpers or 394 # security-sensitive proc settings. 395 neverallow { domain -init } usermodehelper:file { append write }; 396 neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; 397 neverallow { domain -init -vendor_init } proc_security:file { append open read write }; 398 399 # No domain should be allowed to ptrace init. 400 neverallow * init:process ptrace; 401 402 # Init can't do anything with binder calls. If this neverallow rule is being 403 # triggered, it's probably due to a service with no SELinux domain. 404 neverallow * init:binder *; 405 neverallow * vendor_init:binder *; 406 407 # Don't allow raw read/write/open access to block_device 408 # Rather force a relabel to a more specific type 409 neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; 410 411 # Do not allow renaming of block files or character files 412 # Ability to do so can lead to possible use in an exploit chain 413 # e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html 414 neverallow * *:{ blk_file chr_file } rename; 415 416 # Don't allow raw read/write/open access to generic devices. 417 # Rather force a relabel to a more specific type. 418 neverallow domain device:chr_file { open read write }; 419 420 # Limit what domains can mount filesystems or change their mount flags. 421 # sdcard_type / vfat is exempt as a larger set of domains need 422 # this capability, including device-specific domains. 423 neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; 424 425 # 426 # Assert that, to the extent possible, we're not loading executable content from 427 # outside the rootfs or /system partition except for a few whitelisted domains. 428 # 429 neverallow { 430 domain 431 -appdomain 432 with_asan(`-asan_extract') 433 -dumpstate 434 -shell 435 userdebug_or_eng(`-su') 436 -webview_zygote 437 -zygote 438 userdebug_or_eng(`-mediaextractor') 439 } { 440 file_type 441 -system_file 442 -vendor_file_type 443 -exec_type 444 -postinstall_file 445 }:file execute; 446 447 neverallow { 448 domain 449 -appdomain # for oemfs 450 -bootanim # for oemfs 451 -recovery # for /tmp/update_binary in tmpfs 452 } { fs_type -rootfs }:file execute; 453 454 # Files from cache should never be executed 455 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; 456 457 # Protect most domains from executing arbitrary content from /data. 458 neverallow { 459 domain 460 -appdomain 461 } { 462 data_file_type 463 -dalvikcache_data_file 464 -system_data_file # shared libs in apks 465 -apk_data_file 466 }:file no_x_file_perms; 467 468 # The test files and executables MUST not be accessible to any domain 469 neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms; 470 neverallow domain nativetest_data_file:dir no_w_dir_perms; 471 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; 472 473 # Only the init property service should write to /data/property and /dev/__properties__ 474 neverallow { domain -init } property_data_file:dir no_w_dir_perms; 475 neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; 476 neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; 477 neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; 478 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; 479 480 # Nobody should be doing writes to /system & /vendor 481 # These partitions are intended to be read-only and must never be 482 # modified. Doing so would violate important Android security guarantees 483 # and invalidate dm-verity signatures. 484 neverallow { 485 domain 486 with_asan(`-asan_extract') 487 } { 488 system_file 489 vendor_file_type 490 exec_type 491 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; 492 493 neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto; 494 495 # Don't allow mounting on top of /system files or directories 496 neverallow * exec_type:dir_file_class_set mounton; 497 neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton; 498 499 # Nothing should be writing to files in the rootfs. 500 neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; 501 502 # Restrict context mounts to specific types marked with 503 # the contextmount_type attribute. 504 neverallow * {fs_type -contextmount_type}:filesystem relabelto; 505 506 # Ensure that context mount types are not writable, to ensure that 507 # the write to /system restriction above is not bypassed via context= 508 # mount to another type. 509 neverallow * contextmount_type:dir_file_class_set 510 { create write setattr relabelfrom relabelto append unlink link rename }; 511 512 # Do not allow service_manager add for default service labels. 513 # Instead domains should use a more specific type such as 514 # system_app_service rather than the generic type. 515 # New service_types are defined in {,hw,vnd}service.te and new mappings 516 # from service name to service_type are defined in {,hw,vnd}service_contexts. 517 neverallow * default_android_service:service_manager add; 518 neverallow * default_android_vndservice:service_manager { add find }; 519 neverallow * default_android_hwservice:hwservice_manager { add find }; 520 521 # Looking up the base class/interface of all HwBinder services is a bad idea. 522 # hwservicemanager currently offer such lookups only to make it so that security 523 # decisions are expressed in SELinux policy. However, it's unclear whether this 524 # lookup has security implications. If it doesn't, hwservicemanager should be 525 # modified to not offer this lookup. 526 # This rule can be removed if hwservicemanager is modified to not permit these 527 # lookups. 528 neverallow * hidl_base_hwservice:hwservice_manager find; 529 530 # Require that domains explicitly label unknown properties, and do not allow 531 # anyone but init to modify unknown properties. 532 neverallow { domain -init -vendor_init } default_prop:property_service set; 533 neverallow { domain -init -vendor_init } mmc_prop:property_service set; 534 535 compatible_property_only(` 536 neverallow { domain -init } default_prop:property_service set; 537 neverallow { domain -init } mmc_prop:property_service set; 538 neverallow { domain -init -vendor_init } exported_default_prop:property_service set; 539 neverallow { domain -init } exported_secure_prop:property_service set; 540 neverallow { domain -init } exported2_default_prop:property_service set; 541 neverallow { domain -init -vendor_init } exported3_default_prop:property_service set; 542 neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; 543 ') 544 545 # Only core domains are allowed to access package_manager properties 546 neverallow { domain -init -system_server } pm_prop:property_service set; 547 neverallow { domain -coredomain } pm_prop:file no_rw_file_perms; 548 549 compatible_property_only(` 550 neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; 551 neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; 552 ') 553 554 # Do not allow reading device's serial number from system properties except form 555 # a few whitelisted domains. 556 neverallow { 557 domain 558 -adbd 559 -dumpstate 560 -hal_drm_server 561 -hal_cas_server 562 -init 563 -mediadrmserver 564 -recovery 565 -shell 566 -system_server 567 -vendor_init 568 } serialno_prop:file r_file_perms; 569 570 # Do not allow reading the last boot timestamp from system properties 571 neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms; 572 573 neverallow { 574 domain 575 -init 576 -recovery 577 -system_server 578 -shell # Shell is further restricted in shell.te 579 -ueventd # Further restricted in ueventd.te 580 } frp_block_device:blk_file no_rw_file_perms; 581 582 # The metadata block device is set aside for device encryption and 583 # verified boot metadata. It may be reset at will and should not 584 # be used by other domains. 585 neverallow { 586 domain 587 -init 588 -recovery 589 -vold 590 -e2fs 591 -fsck 592 } metadata_block_device:blk_file { append link rename write open read ioctl lock }; 593 594 # No domain other than recovery and update_engine can write to system partition(s). 595 neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append }; 596 597 # No domains other than install_recovery or recovery can write to recovery. 598 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append }; 599 600 # No domains other than a select few can access the misc_block_device. This 601 # block device is reserved for OTA use. 602 # Do not assert this rule on userdebug/eng builds, due to some devices using 603 # this partition for testing purposes. 604 neverallow { 605 domain 606 userdebug_or_eng(`-domain') # exclude debuggable builds 607 -hal_bootctl_server 608 -init 609 -uncrypt 610 -update_engine 611 -vendor_init 612 -vold 613 -recovery 614 -ueventd 615 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; 616 617 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager 618 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; 619 # The service managers are only allowed to access their own device node 620 neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; 621 neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; 622 neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; 623 neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; 624 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 625 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 626 627 # On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core 628 # domain apps need this because Android framework offers many of its services to apps as Binder 629 # services. 630 full_treble_only(` 631 neverallow { 632 domain 633 -coredomain 634 -appdomain 635 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 636 } binder_device:chr_file rw_file_perms; 637 ') 638 full_treble_only(` 639 neverallow { 640 domain 641 -coredomain 642 -appdomain # restrictions for vendor apps are declared lower down 643 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 644 } service_manager_type:service_manager find; 645 ') 646 full_treble_only(` 647 # Vendor apps are permited to use only stable public services. If they were to use arbitrary 648 # services which can change any time framework/core is updated, breakage is likely. 649 neverallow { 650 appdomain 651 -coredomain 652 } { 653 service_manager_type 654 -app_api_service 655 -ephemeral_app_api_service 656 -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed 657 -cameraserver_service 658 -drmserver_service 659 -keystore_service 660 -mediadrmserver_service 661 -mediaextractor_service 662 -mediametrics_service 663 -mediaserver_service 664 -nfc_service 665 -radio_service 666 -virtual_touchpad_service 667 -vr_hwc_service 668 -vr_manager_service 669 }:service_manager find; 670 ') 671 full_treble_only(` 672 neverallow { 673 domain 674 -coredomain 675 -appdomain 676 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone 677 } servicemanager:binder { call transfer }; 678 ') 679 680 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. 681 full_treble_only(` 682 neverallow { 683 coredomain 684 -shell 685 userdebug_or_eng(`-su') 686 -ueventd # uevent is granted create for this device, but we still neverallow I/O below 687 } vndbinder_device:chr_file rw_file_perms; 688 ') 689 full_treble_only(` 690 neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; 691 ') 692 full_treble_only(` 693 neverallow { 694 coredomain 695 -shell 696 userdebug_or_eng(`-su') 697 } vndservice_manager_type:service_manager *; 698 ') 699 full_treble_only(` 700 neverallow { 701 coredomain 702 -shell 703 userdebug_or_eng(`-su') 704 } vndservicemanager:binder *; 705 ') 706 707 # On full TREBLE devices, socket communications between core components and vendor components are 708 # not permitted. 709 # Most general rules first, more specific rules below. 710 711 # Core domains are not permitted to initiate communications to vendor domain sockets. 712 # We are not restricting the use of already established sockets because it is fine for a process 713 # to obtain an already established socket via some public/official/stable API and then exchange 714 # data with its peer over that socket. The wire format in this scenario is dicatated by the API 715 # and thus does not break the core-vendor separation. 716 full_treble_only(` 717 neverallow_establish_socket_comms({ 718 coredomain 719 -init 720 -adbd 721 }, { 722 domain 723 -coredomain 724 -socket_between_core_and_vendor_violators 725 }); 726 ') 727 # Vendor domains are not permitted to initiate communications to core domain sockets 728 full_treble_only(` 729 neverallow_establish_socket_comms({ 730 domain 731 -coredomain 732 -appdomain 733 -socket_between_core_and_vendor_violators 734 }, { 735 coredomain 736 -logd # Logging by writing to logd Unix domain socket is public API 737 -netd # netdomain needs this 738 -mdnsd # netdomain needs this 739 userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds 740 -init 741 -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services 742 -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services 743 }); 744 ') 745 746 # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets 747 full_treble_only(` 748 neverallow_establish_socket_comms({ 749 domain 750 -coredomain 751 -netdomain 752 -socket_between_core_and_vendor_violators 753 }, netd); 754 ') 755 756 # Vendor domains are not permitted to initiate create/open sockets owned by core domains 757 full_treble_only(` 758 neverallow { 759 domain 760 -coredomain 761 -appdomain # appdomain restrictions below 762 -data_between_core_and_vendor_violators # b/70393317 763 -socket_between_core_and_vendor_violators 764 -vendor_init 765 } { 766 coredomain_socket 767 core_data_file_type 768 unlabeled # used only by core domains 769 }:sock_file ~{ append getattr ioctl read write }; 770 ') 771 full_treble_only(` 772 neverallow { 773 appdomain 774 -coredomain 775 } { 776 coredomain_socket 777 unlabeled # used only by core domains 778 core_data_file_type 779 -app_data_file 780 -pdx_endpoint_socket_type # used by VR layer 781 -pdx_channel_socket_type # used by VR layer 782 }:sock_file ~{ append getattr ioctl read write }; 783 ') 784 785 # Core domains are not permitted to create/open sockets owned by vendor domains 786 full_treble_only(` 787 neverallow { 788 coredomain 789 -init 790 -ueventd 791 -socket_between_core_and_vendor_violators 792 } { 793 file_type 794 dev_type 795 -coredomain_socket 796 -core_data_file_type 797 -unlabeled 798 }:sock_file ~{ append getattr ioctl read write }; 799 ') 800 801 # On TREBLE devices, vendor and system components are only allowed to share 802 # files by passing open FDs over hwbinder. Ban all directory access and all file 803 # accesses other than what can be applied to an open FD such as 804 # ioctl/stat/read/write/append. This is enforced by segregating /data. 805 # Vendor domains may directly access file in /data/vendor by path, but may only 806 # access files outside of /data/vendor via an open FD passed over hwbinder. 807 # Likewise, core domains may only directly access files outside /data/vendor by 808 # path and files in /data/vendor by open FD. 809 full_treble_only(` 810 # only coredomains may only access core_data_file_type, particularly not 811 # /data/vendor 812 neverallow { 813 coredomain 814 -appdomain # TODO(b/34980020) remove exemption for appdomain 815 -data_between_core_and_vendor_violators 816 -init 817 -vold_prepare_subdirs 818 } { 819 data_file_type 820 -core_data_file_type 821 }:file_class_set ~{ append getattr ioctl read write }; 822 ') 823 full_treble_only(` 824 neverallow { 825 coredomain 826 -appdomain # TODO(b/34980020) remove exemption for appdomain 827 -data_between_core_and_vendor_violators 828 -init 829 -vold_prepare_subdirs 830 } { 831 data_file_type 832 -core_data_file_type 833 # TODO(b/72998741) Remove exemption. Further restricted in a subsequent 834 # neverallow. Currently only getattr and search are allowed. 835 -vendor_data_file 836 }:dir *; 837 838 ') 839 full_treble_only(` 840 # vendor domains may only access files in /data/vendor, never core_data_file_types 841 neverallow { 842 domain 843 -appdomain # TODO(b/34980020) remove exemption for appdomain 844 -coredomain 845 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 846 -vendor_init 847 } { 848 core_data_file_type 849 # libc includes functions like mktime and localtime which attempt to access 850 # files in /data/misc/zoneinfo/tzdata file. These functions are considered 851 # vndk-stable and thus must be allowed for all processes. 852 -zoneinfo_data_file 853 }:file_class_set ~{ append getattr ioctl read write }; 854 neverallow { 855 vendor_init 856 -data_between_core_and_vendor_violators 857 } { 858 core_data_file_type 859 -unencrypted_data_file 860 -zoneinfo_data_file 861 }:file_class_set ~{ append getattr ioctl read write }; 862 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 863 # The vendor init binary lives on the system partition so there is not a concern with stability. 864 neverallow vendor_init unencrypted_data_file:file ~r_file_perms; 865 ') 866 full_treble_only(` 867 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 868 neverallow { 869 domain 870 -appdomain # TODO(b/34980020) remove exemption for appdomain 871 -coredomain 872 -data_between_core_and_vendor_violators 873 -vendor_init 874 } { 875 core_data_file_type 876 -system_data_file # default label for files on /data. Covered below... 877 -vendor_data_file 878 -zoneinfo_data_file 879 }:dir *; 880 neverallow { 881 vendor_init 882 -data_between_core_and_vendor_violators 883 } { 884 core_data_file_type 885 -unencrypted_data_file 886 -system_data_file 887 -vendor_data_file 888 -zoneinfo_data_file 889 }:dir *; 890 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 891 # The vendor init binary lives on the system partition so there is not a concern with stability. 892 neverallow vendor_init unencrypted_data_file:dir ~search; 893 ') 894 full_treble_only(` 895 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 896 neverallow { 897 domain 898 -appdomain # TODO(b/34980020) remove exemption for appdomain 899 -coredomain 900 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 901 } { 902 system_data_file # default label for files on /data. Covered below 903 }:dir ~{ getattr search }; 904 ') 905 906 full_treble_only(` 907 # coredomains may not access dirs in /data/vendor. 908 neverallow { 909 coredomain 910 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 911 -init 912 -vold # vold creates per-user storage for both system and vendor 913 -vold_prepare_subdirs 914 } { 915 vendor_data_file # default label for files on /data. Covered below 916 }:dir ~{ getattr search }; 917 ') 918 919 full_treble_only(` 920 # coredomains may not access dirs in /data/vendor. 921 neverallow { 922 coredomain 923 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 924 -init 925 } { 926 vendor_data_file # default label for files on /data/vendor{,_ce,_de}. 927 }:file_class_set ~{ append getattr ioctl read write }; 928 ') 929 930 # On TREBLE devices, a limited set of files in /vendor are accessible to 931 # only a few whitelisted coredomains to keep system/vendor separation. 932 full_treble_only(` 933 # Limit access to /vendor/app 934 neverallow { 935 coredomain 936 -appdomain 937 -dex2oat 938 -idmap 939 -init 940 -installd 941 userdebug_or_eng(`-perfprofd') 942 -postinstall_dexopt 943 -system_server 944 } vendor_app_file:dir { open read getattr search }; 945 ') 946 947 full_treble_only(` 948 neverallow { 949 coredomain 950 -appdomain 951 -dex2oat 952 -idmap 953 -init 954 -installd 955 userdebug_or_eng(`-perfprofd') 956 -postinstall_dexopt 957 -system_server 958 } vendor_app_file:file r_file_perms; 959 ') 960 961 full_treble_only(` 962 # Limit access to /vendor/overlay 963 neverallow { 964 coredomain 965 -appdomain 966 -idmap 967 -init 968 -installd 969 -system_server 970 -webview_zygote 971 -zygote 972 } vendor_overlay_file:dir { getattr open read search }; 973 ') 974 975 full_treble_only(` 976 neverallow { 977 coredomain 978 -appdomain 979 -idmap 980 -init 981 -installd 982 -system_server 983 -webview_zygote 984 -zygote 985 } vendor_overlay_file:file r_file_perms; 986 ') 987 988 full_treble_only(` 989 # Non-vendor domains are not allowed to file execute shell 990 # from vendor 991 neverallow { 992 coredomain 993 -init 994 -shell 995 } vendor_shell_exec:file { execute execute_no_trans }; 996 ') 997 998 full_treble_only(` 999 # Do not allow vendor components to execute files from system 1000 # except for the ones whitelist here. 1001 neverallow { 1002 domain 1003 -coredomain 1004 -appdomain 1005 -vendor_executes_system_violators 1006 -vendor_init 1007 } { 1008 exec_type 1009 -vendor_file_type 1010 -crash_dump_exec 1011 -netutils_wrapper_exec 1012 }:file { entrypoint execute execute_no_trans }; 1013 ') 1014 1015 full_treble_only(` 1016 # Do not allow system components to execute files from vendor 1017 # except for the ones whitelisted here. 1018 neverallow { 1019 coredomain 1020 -init 1021 -shell 1022 -system_executes_vendor_violators 1023 } { 1024 vendor_file_type 1025 -same_process_hal_file 1026 -vndk_sp_file 1027 -vendor_app_file 1028 }:file execute; 1029 ') 1030 1031 full_treble_only(` 1032 neverallow { 1033 coredomain 1034 -shell 1035 -system_executes_vendor_violators 1036 } vendor_file_type:file execute_no_trans; 1037 ') 1038 1039 # Only authorized processes should be writing to files in /data/dalvik-cache 1040 neverallow { 1041 domain 1042 -init # TODO: limit init to relabelfrom for files 1043 -zygote 1044 -installd 1045 -postinstall_dexopt 1046 -cppreopts 1047 -dex2oat 1048 -otapreopt_slot 1049 } dalvikcache_data_file:file no_w_file_perms; 1050 1051 neverallow { 1052 domain 1053 -init 1054 -installd 1055 -postinstall_dexopt 1056 -cppreopts 1057 -dex2oat 1058 -zygote 1059 -otapreopt_slot 1060 } dalvikcache_data_file:dir no_w_dir_perms; 1061 1062 # Only system_server should be able to send commands via the zygote socket 1063 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 1064 neverallow { domain -system_server } zygote_socket:sock_file write; 1065 1066 neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto; 1067 neverallow { domain -system_server } webview_zygote:sock_file write; 1068 1069 neverallow { 1070 domain 1071 -tombstoned 1072 -crash_dump 1073 -dumpstate 1074 -incidentd 1075 -system_server 1076 1077 # Processes that can't exec crash_dump 1078 -mediacodec 1079 -mediaextractor 1080 } tombstoned_crash_socket:unix_stream_socket connectto; 1081 1082 # Never allow anyone except dumpstate, incidentd, or the system server to connect or write to 1083 # the tombstoned intercept socket. 1084 neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; 1085 neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 1086 1087 # Android does not support System V IPCs. 1088 # 1089 # The reason for this is due to the fact that, by design, they lead to global 1090 # kernel resource leakage. 1091 # 1092 # For example, there is no way to automatically release a SysV semaphore 1093 # allocated in the kernel when: 1094 # 1095 # - a buggy or malicious process exits 1096 # - a non-buggy and non-malicious process crashes or is explicitly killed. 1097 # 1098 # Killing processes automatically to make room for new ones is an 1099 # important part of Android's application lifecycle implementation. This means 1100 # that, even assuming only non-buggy and non-malicious code, it is very likely 1101 # that over time, the kernel global tables used to implement SysV IPCs will fill 1102 # up. 1103 neverallow * *:{ shm sem msg msgq } *; 1104 1105 # Do not mount on top of symlinks, fifos, or sockets. 1106 # Feature parity with Chromium LSM. 1107 neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 1108 1109 # Nobody should be able to execute su on user builds. 1110 # On userdebug/eng builds, only dumpstate, shell, and 1111 # su itself execute su. 1112 neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 1113 1114 # Do not allow the introduction of new execmod rules. Text relocations 1115 # and modification of executable pages are unsafe. 1116 # The only exceptions are for NDK text relocations associated with 1117 # https://code.google.com/p/android/issues/detail?id=23203 1118 # which, long term, need to go away. 1119 neverallow * { 1120 file_type 1121 -apk_data_file 1122 -app_data_file 1123 -asec_public_file 1124 }:file execmod; 1125 1126 # Do not allow making the stack or heap executable. 1127 # We would also like to minimize execmem but it seems to be 1128 # required by some device-specific service domains. 1129 neverallow * self:process { execstack execheap }; 1130 1131 # prohibit non-zygote spawned processes from using shared libraries 1132 # with text relocations. b/20013628 . 1133 neverallow { domain -untrusted_app_all } file_type:file execmod; 1134 1135 neverallow { domain -init } proc:{ file dir } mounton; 1136 1137 # Ensure that all types assigned to processes are included 1138 # in the domain attribute, so that all allow and neverallow rules 1139 # written on domain are applied to all processes. 1140 # This is achieved by ensuring that it is impossible to transition 1141 # from a domain to a non-domain type and vice versa. 1142 # TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 1143 neverallow ~domain domain:process { transition dyntransition }; 1144 1145 # 1146 # Only system_app and system_server should be creating or writing 1147 # their files. The proper way to share files is to setup 1148 # type transitions to a more specific type or assigning a type 1149 # to its parent directory via a file_contexts entry. 1150 # Example type transition: 1151 # mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 1152 # 1153 neverallow { 1154 domain 1155 -system_server 1156 -system_app 1157 -init 1158 -installd # for relabelfrom and unlink, check for this in explicit neverallow 1159 -vold_prepare_subdirs # For unlink 1160 with_asan(`-asan_extract') 1161 } system_data_file:file no_w_file_perms; 1162 # do not grant anything greater than r_file_perms and relabelfrom unlink 1163 # to installd 1164 neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 1165 1166 # respect system_app sandboxes 1167 neverallow { 1168 domain 1169 -appdomain # finer-grained rules for appdomain are listed below 1170 -system_server #populate com.android.providers.settings/databases/settings.db. 1171 -installd # creation of app sandbox 1172 -traced_probes # resolve inodes for i/o tracing. 1173 # only needs open and read, the rest is neverallow in 1174 # traced_probes.te. 1175 } system_app_data_file:dir_file_class_set { create unlink open }; 1176 neverallow { 1177 isolated_app 1178 untrusted_app_all # finer-grained rules for appdomain are listed below 1179 ephemeral_app 1180 priv_app 1181 } system_app_data_file:dir_file_class_set { create unlink open }; 1182 1183 1184 # Services should respect app sandboxes 1185 neverallow { 1186 domain 1187 -appdomain 1188 -installd # creation of sandbox 1189 } app_data_file:dir_file_class_set { create unlink }; 1190 1191 # 1192 # Only these domains should transition to shell domain. This domain is 1193 # permissible for the "shell user". If you need a process to exec a shell 1194 # script with differing privilege, define a domain and set up a transition. 1195 # 1196 neverallow { 1197 domain 1198 -adbd 1199 -init 1200 -runas 1201 -zygote 1202 } shell:process { transition dyntransition }; 1203 1204 # Only domains spawned from zygote and runas may have the appdomain attribute. 1205 neverallow { domain -runas -webview_zygote -zygote } { 1206 appdomain -shell userdebug_or_eng(`-su') 1207 }:process { transition dyntransition }; 1208 1209 # Minimize read access to shell- or app-writable symlinks. 1210 # This is to prevent malicious symlink attacks. 1211 neverallow { 1212 domain 1213 -appdomain 1214 -installd 1215 -uncrypt # TODO: see if we can remove 1216 } app_data_file:lnk_file read; 1217 1218 neverallow { 1219 domain 1220 -shell 1221 userdebug_or_eng(`-uncrypt') 1222 -installd 1223 } shell_data_file:lnk_file read; 1224 1225 # In addition to the symlink reading restrictions above, restrict 1226 # write access to shell owned directories. The /data/local/tmp 1227 # directory is untrustworthy, and non-whitelisted domains should 1228 # not be trusting any content in those directories. 1229 neverallow { 1230 domain 1231 -adbd 1232 -dumpstate 1233 -installd 1234 -init 1235 -shell 1236 -vold 1237 } shell_data_file:dir no_w_dir_perms; 1238 1239 neverallow { 1240 domain 1241 -adbd 1242 -appdomain 1243 -dumpstate 1244 -init 1245 -installd 1246 -system_server # why? 1247 userdebug_or_eng(`-uncrypt') 1248 } shell_data_file:dir { open search }; 1249 1250 # Same as above for /data/local/tmp files. We allow shell files 1251 # to be passed around by file descriptor, but not directly opened. 1252 neverallow { 1253 domain 1254 -adbd 1255 -appdomain 1256 -dumpstate 1257 -installd 1258 userdebug_or_eng(`-uncrypt') 1259 } shell_data_file:file open; 1260 1261 # servicemanager and vndservicemanager are the only processes which handle the 1262 # service_manager list request 1263 neverallow * ~{ 1264 servicemanager 1265 vndservicemanager 1266 }:service_manager list; 1267 1268 # hwservicemanager is the only process which handles hw list requests 1269 neverallow * ~{ 1270 hwservicemanager 1271 }:hwservice_manager list; 1272 1273 # only service_manager_types can be added to service_manager 1274 # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 1275 1276 # Prevent assigning non property types to properties 1277 # TODO - rework this: neverallow * ~property_type:property_service set; 1278 1279 # Domain types should never be assigned to any files other 1280 # than the /proc/pid files associated with a process. The 1281 # executable file used to enter a domain should be labeled 1282 # with its own _exec type, not with the domain type. 1283 # Conventionally, this looks something like: 1284 # $ cat mydaemon.te 1285 # type mydaemon, domain; 1286 # type mydaemon_exec, exec_type, file_type; 1287 # init_daemon_domain(mydaemon) 1288 # $ grep mydaemon file_contexts 1289 # /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 1290 neverallow * domain:file { execute execute_no_trans entrypoint }; 1291 1292 # Do not allow access to the generic debugfs label. This is too broad. 1293 # Instead, if access to part of debugfs is desired, it should have a 1294 # more specific label. 1295 # TODO: fix system_server and dumpstate 1296 neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms; 1297 1298 # Profiles contain untrusted data and profman parses that. We should only run 1299 # in from installd forked processes. 1300 neverallow { 1301 domain 1302 -installd 1303 -profman 1304 } profman_exec:file no_x_file_perms; 1305 1306 # Enforce restrictions on kernel module origin. 1307 # Do not allow kernel module loading except from system, 1308 # vendor, and boot partitions. 1309 neverallow * ~{ system_file vendor_file rootfs }:system module_load; 1310 1311 # Only allow filesystem caps to be set at build time. Runtime changes 1312 # to filesystem capabilities are not permitted. 1313 neverallow * self:global_capability_class_set setfcap; 1314 1315 # Enforce AT_SECURE for executing crash_dump. 1316 neverallow domain crash_dump:process noatsecure; 1317 1318 # Do not permit non-core domains to register HwBinder services which are 1319 # guaranteed to be provided by core domains only. 1320 neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1321 1322 # Do not permit the registeration of HwBinder services which are guaranteed to 1323 # be passthrough only (i.e., run in the process of their clients instead of a 1324 # separate server process). 1325 neverallow * same_process_hwservice:hwservice_manager add; 1326 1327 # On TREBLE devices, most coredomains should not access vendor_files. 1328 # TODO(b/71553434): Remove exceptions here. 1329 full_treble_only(` 1330 neverallow { 1331 coredomain 1332 -appdomain 1333 -bootanim 1334 -crash_dump 1335 -init 1336 -kernel 1337 -perfprofd 1338 -ueventd 1339 } vendor_file:file { no_w_file_perms no_x_file_perms open }; 1340 ') 1341 1342 # Minimize dac_override and dac_read_search. 1343 # Instead of granting them it is usually better to add the domain to 1344 # a Unix group or change the permissions of a file. 1345 neverallow { 1346 domain 1347 -dnsmasq 1348 -dumpstate 1349 -init 1350 -installd 1351 -install_recovery 1352 -lmkd 1353 -netd 1354 -perfprofd 1355 -postinstall_dexopt 1356 -recovery 1357 -sdcardd 1358 -tee 1359 -ueventd 1360 -uncrypt 1361 -vendor_init 1362 -vold 1363 -vold_prepare_subdirs 1364 -zygote 1365 } self:capability dac_override; 1366 neverallow { domain -traced_probes } self:capability dac_read_search; 1367 1368 # If an already existing file is opened with O_CREAT, the kernel might generate 1369 # a false report of a create denial. Silence these denials and make sure that 1370 # inappropriate permissions are not granted. 1371 1372 # These filesystems don't allow files or directories to be created, so the permission 1373 # to do so should never be granted. 1374 neverallow domain { 1375 proc_type 1376 sysfs_type 1377 }:dir { add_name create link remove_name rename reparent rmdir write }; 1378 1379 # cgroupfs directories can be created, but not files within them. 1380 neverallow domain cgroup:file create; 1381 1382 dontaudit domain proc_type:dir write; 1383 dontaudit domain sysfs_type:dir write; 1384 dontaudit domain cgroup:file create; 1385 1386 # These are only needed in permissive mode - in enforcing mode the 1387 # directory write check fails and so these are never attempted. 1388 userdebug_or_eng(` 1389 dontaudit domain proc_type:dir add_name; 1390 dontaudit domain sysfs_type:dir add_name; 1391 dontaudit domain proc_type:file create; 1392 dontaudit domain sysfs_type:file create; 1393 ') 1394 1395 # Platform must not have access to /mnt/vendor. 1396 neverallow { 1397 coredomain 1398 -init 1399 } mnt_vendor_file:dir *; 1400
