Skip to content
Snippets Groups Projects
Commit 869e4905 authored by Ian Pedowitz's avatar Ian Pedowitz Committed by android-build-team Robot
Browse files

DO NOT SUBMIT: SEPolicy Prebuilts for Q

This is a hacked version of ag/7282335 as qt-release is behind qt-dev

Bug: 129943426
Test: Build
Change-Id: I5863d433668b90a641d07fdbcd30ed82b28c9c1a
(cherry picked from commit 8d411adea3eba1e943e45e104113f4efbc3d5d65)
parent b4248453
No related branches found
No related tags found
No related merge requests found
Showing
with 1961 additions and 0 deletions
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
map
unlink
link
rename
execute
quotaon
mounton
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
map
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define a common for capability access vectors.
#
common cap
{
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the cap2 common.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
common cap2
{
mac_override # unused by SELinux
mac_admin # unused by SELinux
syslog
wake_alarm
block_suspend
audit_read
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
open
audit_access
execmod
}
class file
inherits file
{
execute_no_trans
entrypoint
execmod
open
audit_access
}
class lnk_file
inherits file
{
open
audit_access
execmod
}
class chr_file
inherits file
{
execute_no_trans
entrypoint
execmod
open
audit_access
}
class blk_file
inherits file
{
open
audit_access
execmod
}
class sock_file
inherits file
{
open
audit_access
execmod
}
class fifo_file
inherits file
{
open
audit_access
execmod
}
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
recvfrom
sendto
}
class netif
{
ingress
egress
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
setkeycreate
setsockcreate
getrlimit
}
class process2
{
nnp_transition
nosuid_transition
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
read_policy
validate_trans
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
module_request
module_load
}
#
# Define the access vector interpretation for controlling capabilities
#
class capability
inherits cap
class capability2
inherits cap2
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
nlmsg_tty_audit
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
sendto
recvfrom
setcontext
polmatch
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket
class appletalk_socket
inherits socket
class packet
{
send
recv
relabelto
flow_in # deprecated
flow_out # deprecated
forward_in
forward_out
}
class key
{
view
read
write
search
link
setattr
create
}
class dccp_socket
inherits socket
{
node_bind
name_connect
}
class memprotect
{
mmap_zero
}
# network peer labels
class peer
{
recv
}
class kernel_service
{
use_as_override
create_files_as
}
class tun_socket
inherits socket
{
attach_queue
}
class binder
{
impersonate
call
set_context_mgr
transfer
}
class netlink_iscsi_socket
inherits socket
class netlink_fib_lookup_socket
inherits socket
class netlink_connector_socket
inherits socket
class netlink_netfilter_socket
inherits socket
class netlink_generic_socket
inherits socket
class netlink_scsitransport_socket
inherits socket
class netlink_rdma_socket
inherits socket
class netlink_crypto_socket
inherits socket
class infiniband_pkey
{
access
}
class infiniband_endport
{
manage_subnet
}
#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
class cap_userns
inherits cap
class cap2_userns
inherits cap2
#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#
#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
node_bind
name_connect
association
}
class icmp_socket
inherits socket
{
node_bind
}
#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#
class ax25_socket
inherits socket
class ipx_socket
inherits socket
class netrom_socket
inherits socket
class atmpvc_socket
inherits socket
class x25_socket
inherits socket
class rose_socket
inherits socket
class decnet_socket
inherits socket
class atmsvc_socket
inherits socket
class rds_socket
inherits socket
class irda_socket
inherits socket
class pppox_socket
inherits socket
class llc_socket
inherits socket
class can_socket
inherits socket
class tipc_socket
inherits socket
class bluetooth_socket
inherits socket
class iucv_socket
inherits socket
class rxrpc_socket
inherits socket
class isdn_socket
inherits socket
class phonet_socket
inherits socket
class ieee802154_socket
inherits socket
class caif_socket
inherits socket
class alg_socket
inherits socket
class nfc_socket
inherits socket
class vsock_socket
inherits socket
class kcm_socket
inherits socket
class qipcrtr_socket
inherits socket
class smc_socket
inherits socket
class bpf
{
map_create
map_read
map_write
prog_load
prog_run
}
class property_service
{
set
}
class service_manager
{
add
find
list
}
class hwservice_manager
{
add
find
list
}
class keystore_key
{
get_state
get
insert
delete
exist
list
reset
password
lock
unlock
is_empty
sign
verify
grant
duplicate
clear_uid
add_auth
user_changed
gen_unique_id
}
class drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
}
class xdp_socket
inherits socket
### ADB daemon
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
init_daemon_domain(adbd)
domain_auto_trans(adbd, shell_exec, shell)
userdebug_or_eng(`
allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')
# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
# is not labeled as shell but as rootfs.
recovery_only(`
domain_trans(adbd, rootfs, shell)
allow adbd shell:process dyntransition;
# Allows reboot fastboot to enter fastboot directly
unix_socket_connect(adbd, recovery, recovery)
')
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
# Set UID and GID to shell. Set supplementary groups.
allow adbd self:global_capability_class_set { setuid setgid };
# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;
# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
# Create and use network sockets.
net_domain(adbd)
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;
allowxperm adbd functionfs:file ioctl {
FUNCTIONFS_ENDPOINT_DESC
FUNCTIONFS_CLEAR_HALT
};
# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;
# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
# adb pull /data/local/traces/*
allow adbd trace_data_file:dir r_dir_perms;
allow adbd trace_data_file:file r_file_perms;
# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;
# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;
# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
set_prop(adbd, ffs_prop)
set_prop(adbd, exported_ffs_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
# Read device's serial number from system properties
get_prop(adbd, serialno_prop)
# Read whether or not Test Harness Mode is enabled
get_prop(adbd, test_harness_prop)
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
r_dir_file(adbd, sysfs_dt_firmware_android)
')
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;
userdebug_or_eng(`
# Write debugging information to /data/adb
# when persist.adb.trace_mask is set
# https://code.google.com/p/android/issues/detail?id=72895
allow adbd adb_data_file:dir rw_dir_perms;
allow adbd adb_data_file:file create_file_perms;
')
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
# Allow pulling the SELinux policy for CTS purposes
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file r_file_perms;
allow adbd file_contexts_file:file r_file_perms;
allow adbd seapp_contexts_file:file r_file_perms;
allow adbd property_contexts_file:file r_file_perms;
allow adbd sepolicy_file:file r_file_perms;
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;
r_dir_file(adbd, apk_data_file)
allow adbd rootfs:dir r_dir_perms;
# Allow to pull Perfetto traces.
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write };
allow adbd shell:fd use;
###
### Neverallow rules
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -crash_dump -shell }:process transition;
neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
# APEX pre- & post-install test.
#
# Allow to run pre- and post-install hooks for APEX test modules
# in debuggable builds.
type apex_test_prepostinstall, domain, coredomain;
type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
# /dev/zero
allow apex_test_prepostinstall apexd:fd use;
# Logwrapper.
create_pty(apex_test_prepostinstall)
# Logwrapper executing sh.
allow apex_test_prepostinstall shell_exec:file rx_file_perms;
# Logwrapper exec.
allow apex_test_prepostinstall system_file:file execute_no_trans;
# Ls.
allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
')
typeattribute apexd coredomain;
init_daemon_domain(apexd)
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
allow apexd apex_data_file:dir create_dir_perms;
allow apexd apex_data_file:file create_file_perms;
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
allow apexd metadata_file:dir search;
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
allow apexd loop_device:blk_file rw_file_perms;
allowxperm apexd loop_device:blk_file ioctl {
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
};
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
# allow apexd to access /dev/block/dm-* (device-mapper entries)
allow apexd dm_device:chr_file rw_file_perms;
allow apexd dm_device:blk_file rw_file_perms;
# sys_admin is required to access the device-mapper and mount
allow apexd self:global_capability_class_set sys_admin;
# allow apexd to create a mount point in /apex
allow apexd apex_mnt_dir:dir create_dir_perms;
# allow apexd to mount in /apex
allow apexd apex_mnt_dir:filesystem { mount unmount };
allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
allow apexd sysfs_dm:file rw_file_perms;
# for loopX
allow apexd sysfs_loop:dir r_dir_perms;
allow apexd sysfs_loop:file rw_file_perms;
# Spawning a libbinder thread results in a dac_override deny,
# /dev/cpuset/tasks is owned by system.
#
# See b/35323867#comment3
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
# Allow apexd to reboot device. Required for rollbacks of apexes that are
# not covered by rollback manager.
set_prop(apexd, powerctl_prop)
# Find the vold service, and call into vold to manage FS checkpoints
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
# Apex pre- & post-install permission.
# Allow self-execute for the fork mount helper.
allow apexd apexd_exec:file execute_no_trans;
# Unshare and make / private so that hooks cannot influence the
# running system.
allow apexd rootfs:dir mounton;
# Allow to execute shell for pre- and postinstall scripts. A transition
# rule is required, thus restricted to execute and not execute_no_trans.
allow apexd shell_exec:file { r_file_perms execute };
# apexd is using bootstrap bionic
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
# Allow transition to ART APEX preinstall domain.
domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
# Allow transition to ART APEX postinstall domain.
domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
###
### neverallow rules for untrusted app domains
###
define(`all_untrusted_apps',`{
ephemeral_app
isolated_app
mediaprovider
untrusted_app
untrusted_app_25
untrusted_app_27
untrusted_app_all
}')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow all_untrusted_apps domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;
# Do not allow untrusted apps to use VendorBinder
neverallow all_untrusted_apps vndbinder_device:chr_file *;
neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
# but otherwise disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
neverallow all_untrusted_apps app_exec_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
# Block calling execve() on files in an apps home directory.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
} dex2oat_exec:file no_x_file_perms;
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
neverallow all_untrusted_apps mlstrustedsubject:process fork;
# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
neverallow all_untrusted_apps file_type:file link;
# Do not allow untrusted apps to access network MAC address file
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
# Do not allow any write access to files in /sys
neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
# Apps may never access the default sysfs label.
neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket sctp_socket
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
neverallow { all_untrusted_apps -mediaprovider } {
fs_type
-sdcard_type
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
-app_exec_data_file # stored within the app sandbox directory
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
')
}:dir_file_class_set { create unlink };
# No untrusted component should be touching /dev/fuse
neverallow all_untrusted_apps fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
SIOCGIFHWADDR
SIOCSIFHWADDR
TUNATTACHFILTER
TUNDETACHFILTER
TUNGETFEATURES
TUNGETFILTER
TUNGETSNDBUF
TUNGETVNETHDRSZ
TUNSETDEBUG
TUNSETGROUP
TUNSETIFF
TUNSETLINK
TUNSETNOCSUM
TUNSETOFFLOAD
TUNSETOWNER
TUNSETPERSIST
TUNSETQUEUE
TUNSETSNDBUF
TUNSETTXFILTER
TUNSETVNETHDRSZ
};
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
neverallow all_untrusted_apps anr_data_file:dir ~search;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow all_untrusted_apps {
proc
proc_asound
proc_filesystems
proc_kmsg
proc_loadavg
proc_mounts
proc_pagetypeinfo
proc_slabinfo
proc_stat
proc_swaps
proc_uptime
proc_version
proc_vmallocinfo
proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;
# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
# Do not permit access from apps which host arbitrary code to HwBinder services,
# except those considered sufficiently safe for access from such apps.
# The two main reasons for this are:
# 1. HwBinder servers do not perform client authentication because HIDL
# currently does not expose caller UID information and, even if it did, many
# HwBinder services either operate at a level below that of apps (e.g., HALs)
# or must not rely on app identity for authorization. Thus, to be safe, the
# default assumption is that every HwBinder service treats all its clients as
# equally authorized to perform operations offered by the service.
# 2. HAL servers (a subset of HwBinder services) contain code with higher
# incidence rate of security issues than system/core components and have
# access to lower layes of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model.
#
# Safe services include:
# - same process services: because they by definition run in the process
# of the client and thus have the same access as the client domain in which
# the process runs
# - coredomain_hwservice: are considered safe because they do not pose risks
# associated with reason #2 above.
# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
# designed for use by any domain.
# - hal_graphics_allocator_hwservice: because these operations are also offered
# by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
# Binder service which apps were permitted to access.
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
neverallow all_untrusted_apps {
hwservice_manager_type
-same_process_hwservice
-coredomain_hwservice
-hal_codec2_hwservice
-hal_configstore_ISurfaceFlingerConfigs
-hal_graphics_allocator_hwservice
-hal_omx_hwservice
-hal_cas_hwservice
-hal_neuralnetworks_hwservice
-untrusted_app_visible_hwservice_violators
}:hwservice_manager find;
# Make sure that the following services are never accessible by untrusted_apps
neverallow all_untrusted_apps {
default_android_hwservice
hal_atrace_hwservice
hal_audio_hwservice
hal_authsecret_hwservice
hal_bluetooth_hwservice
hal_bootctl_hwservice
hal_camera_hwservice
hal_confirmationui_hwservice
hal_contexthub_hwservice
hal_drm_hwservice
hal_dumpstate_hwservice
hal_fingerprint_hwservice
hal_gatekeeper_hwservice
hal_gnss_hwservice
hal_graphics_composer_hwservice
hal_health_hwservice
hal_input_classifier_hwservice
hal_ir_hwservice
hal_keymaster_hwservice
hal_light_hwservice
hal_memtrack_hwservice
hal_nfc_hwservice
hal_oemlock_hwservice
hal_power_hwservice
hal_power_stats_hwservice
hal_secure_element_hwservice
hal_sensors_hwservice
hal_telephony_hwservice
hal_thermal_hwservice
hal_tv_cec_hwservice
hal_tv_input_hwservice
hal_usb_hwservice
hal_vibrator_hwservice
hal_vr_hwservice
hal_weaver_hwservice
hal_wifi_hwservice
hal_wifi_offload_hwservice
hal_wifi_supplicant_hwservice
hidl_base_hwservice
system_net_netd_hwservice
thermalcallback_hwservice
}:hwservice_manager find;
# HwBinder services offered by core components (as opposed to vendor components)
# are considered somewhat safer due to point #2 above.
neverallow all_untrusted_apps {
coredomain_hwservice
-same_process_hwservice
-fwk_bufferhub_hwservice # Designed for use by any domain
-hidl_allocator_hwservice # Designed for use by any domain
-hidl_manager_hwservice # Designed for use by any domain
-hidl_memory_hwservice # Designed for use by any domain
-hidl_token_hwservice # Designed for use by any domain
}:hwservice_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
# Restrict *Binder access from apps to HAL domains. We can only do this on full
# Treble devices where *Binder communications between apps and HALs are tightly
# restricted.
full_treble_only(`
neverallow all_untrusted_apps {
halserverdomain
-coredomain
-hal_configstore_server
-hal_graphics_allocator_server
-hal_cas_server
-hal_neuralnetworks_server
-hal_omx_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-untrusted_app_visible_halserver_violators
}:binder { call transfer };
')
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
# They must use ASharedMemory NDK API instead.
neverallow {
all_untrusted_apps
-ephemeral_app
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;
typeattribute app_zygote coredomain;
######
###### Policy below is different from regular zygote-spawned apps
######
# The app_zygote needs to be able to transition domains.
typeattribute app_zygote mlstrustedsubject;
# Allow access to temporary files, which is normally permitted through
# a domain macro.
tmpfs_domain(app_zygote);
# Set the UID/GID of the process.
# This will be further limited to a range of isolated UIDs with seccomp.
allow app_zygote self:global_capability_class_set { setgid setuid };
# Drop capabilities from bounding set.
allow app_zygote self:global_capability_class_set setpcap;
# Switch SELinux context to isolated app domain.
allow app_zygote self:process setcurrent;
allow app_zygote isolated_app:process dyntransition;
# For JIT
allow app_zygote self:process execmem;
# Allow app_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow app_zygote debugfs_trace_marker:file getattr;
# get system_server process group
allow app_zygote system_server:process getpgid;
# Interaction between the app_zygote and its children.
allow app_zygote isolated_app:process setpgid;
# TODO (b/63631799) fix this access
dontaudit app_zygote mnt_expand_file:dir getattr;
# Get seapp_contexts
allow app_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(app_zygote)
# Check SELinux permissions.
selinux_check_access(app_zygote)
######
###### Policy below is shared with regular zygote-spawned apps
######
# Child of zygote.
allow app_zygote zygote:fd use;
allow app_zygote zygote:process sigchld;
# For ART (read /data/dalvik-cache).
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;
# Allow reading/executing installed binaries to enable preloading
# application data
allow app_zygote apk_data_file:dir r_dir_perms;
allow app_zygote apk_data_file:file { r_file_perms execute };
# Allow app_zygote access to /vendor/overlay
r_dir_file(app_zygote, vendor_overlay_file)
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
#####
##### Neverallow
#####
# Only permit transition to isolated_app.
neverallow app_zygote { domain -isolated_app }:process dyntransition;
# Only setcon() transitions, no exec() based transitions, except for crash_dump.
neverallow app_zygote { domain -crash_dump }:process transition;
# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
neverallow app_zygote *:file execute_no_trans;
# The only way to enter this domain is for the zygote to fork a new
# app_zygote child.
neverallow { domain -zygote } app_zygote:process dyntransition;
# Disallow write access to properties.
neverallow app_zygote property_socket:sock_file write;
neverallow app_zygote property_type:property_service set;
# Should not have any access to non-app data files.
neverallow app_zygote {
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
}:file { rwx_file_perms };
neverallow app_zygote {
service_manager_type
-activity_service
-ashmem_device_service
-webviewupdate_service
}:service_manager find;
# Isolated apps should not be able to access the driver directly.
neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
# Do not allow app_zygote access to /cache.
neverallow app_zygote cache_file:dir ~{ r_dir_perms };
neverallow app_zygote cache_file:file ~{ read getattr };
# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
# unix_stream_socket, and netlink_selinux_socket.
neverallow app_zygote domain:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
appletalk_socket netlink_route_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
# Only allow app_zygote to talk to the logd socket, and su/heapprofd on eng/userdebug
# This is because cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
# Think twice before changing.
neverallow app_zygote {
domain
-app_zygote
-logd
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
}:unix_dgram_socket *;
neverallow app_zygote {
domain
-app_zygote
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
}:unix_stream_socket *;
# Never allow ptrace
neverallow app_zygote *:process ptrace;
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow app_zygote {
bluetooth_a2dp_offload_prop
bluetooth_audio_hal_prop
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;
# This command set checks the integrity of boot classpath ART
# artifacts in /data, potentially removing them.
type art_apex_boot_integrity, domain, coredomain;
type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# art_apex_boot_integrity to occur.
init_daemon_domain(art_apex_boot_integrity)
# Read dalvik cache directories, remove entries.
allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name };
# Read and possibly delete dalvik cache files.
allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
allow art_apex_boot_integrity shell_exec:file rx_file_perms;
# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
# permissions.
allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
# Fsverity in the same domain.
allow art_apex_boot_integrity system_file:file execute_no_trans;
# Fsverity work.
allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
# ART APEX postinstall.
#
type art_apex_postinstall, domain, coredomain;
type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
# /system/bin/sh (see b/126787589).
allow art_apex_postinstall apexd:fd use;
# Read temp dirs and files. Move directories.
allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
# We're deleting the old /data/dalvik-cache/* and move the new ones
# over.
allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
# Required for relabel.
allow art_apex_postinstall file_contexts_file:file r_file_perms;
allow art_apex_postinstall self:global_capability_class_set sys_admin;
# Script helpers.
allow art_apex_postinstall shell_exec:file rx_file_perms;
allow art_apex_postinstall toolbox_exec:file rx_file_perms;
# Fsverity in the same domain.
allow art_apex_postinstall system_file:file execute_no_trans;
# Fsverity work.
allowxperm art_apex_postinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
# ART APEX preinstall.
#
type art_apex_preinstall, domain, coredomain;
type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
# /system/bin/sh (see b/126787589).
allow art_apex_preinstall apexd:fd use;
# Create temp dirs and files under /data/ota.
allow art_apex_preinstall ota_data_file:dir create_dir_perms;
allow art_apex_preinstall ota_data_file:file create_file_perms;
# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
# mount namespace.
allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
allow art_apex_preinstall self:capability sys_admin;
# Script helpers.
allow art_apex_preinstall shell_exec:file rx_file_perms;
allow art_apex_preinstall toolbox_exec:file rx_file_perms;
# Execute subscripts in the same domain.
allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
# Run dex2oat.
domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
# Fsverity in the same domain.
allow art_apex_preinstall system_file:file execute_no_trans;
# Fsverity work.
allowxperm art_apex_preinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
# Technically not a daemon but we do want the transition from init domain to
# asan_extract to occur.
with_asan(`
typeattribute asan_extract coredomain;
init_daemon_domain(asan_extract)
')
typeattribute ashmemd coredomain;
type ashmemd_exec, exec_type, file_type, system_file_type;
init_daemon_domain(ashmemd)
binder_use(ashmemd)
add_service(ashmemd, ashmem_device_service)
allow ashmemd ashmem_device:chr_file rw_file_perms;
# Domain for atrace process.
# It is spawned either by traced_probes or by init for the boottrace service.
type atrace, domain, coredomain;
type atrace_exec, exec_type, file_type, system_file_type;
# boottrace services uses /data/misc/boottrace/categories
allow atrace boottrace_data_file:dir search;
allow atrace boottrace_data_file:file r_file_perms;
# Allow atrace to access tracefs.
allow atrace debugfs_tracing:dir r_dir_perms;
allow atrace debugfs_tracing:file rw_file_perms;
allow atrace debugfs_trace_marker:file getattr;
# Allow atrace to write data when a pipe is used for stdout/stderr
# This is used by Perfetto to capture the output on error in atrace.
allow atrace traced_probes:fd use;
allow atrace traced_probes:fifo_file write;
# atrace sets debug.atrace.* properties
set_prop(atrace, debug_prop)
# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
binder_use(atrace)
allow atrace healthd:binder call;
allow atrace surfaceflinger:binder call;
allow atrace system_server:binder call;
get_prop(atrace, hwservicemanager_prop)
# atrace can call atrace HAL
hal_client_domain(atrace, hal_atrace)
allow atrace {
service_manager_type
-apex_service
-incident_service
-iorapd_service
-netd_service
-dnsresolver_service
-stats_service
-dumpstate_service
-installd_service
-vold_service
-lpdump_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
userdebug_or_eng(`
# atrace is generally invoked as a standalone binary from shell or perf
# daemons like Perfetto traced_probes. However, in userdebug builds, there is
# a further option to run atrace as an init daemon for boot tracing.
init_daemon_domain(atrace)
allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms;
')
# audioserver - audio services daemon
typeattribute audioserver coredomain;
type audioserver_exec, exec_type, file_type, system_file_type;
init_daemon_domain(audioserver)
tmpfs_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
binder_call(audioserver, appdomain)
binder_service(audioserver)
hal_client_domain(audioserver, hal_allocator)
# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
r_dir_file(audioserver, system_file)
hal_client_domain(audioserver, hal_audio)
userdebug_or_eng(`
# used for TEE sink - pcm capture for debug.
allow audioserver media_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:file create_file_perms;
# ptrace to processes in the same domain for memory leak detection
allow audioserver self:process ptrace;
')
add_service(audioserver, audioserver_service)
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver external_vibrator_service:service_manager find;
allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
allow audioserver sensor_privacy_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
set_prop(audioserver, bluetooth_audio_hal_prop)
set_prop(audioserver, bluetooth_prop)
set_prop(audioserver, exported_bluetooth_prop)
# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;
# allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_device:chr_file { read write };
not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)
# Allow shell commands from ADB and shell for CTS testing/dumping
allow audioserver adbd:fd use;
allow audioserver adbd:unix_stream_socket { read write };
allow audioserver shell:fifo_file { read write };
# Allow shell commands from ADB for CTS testing/dumping
userdebug_or_eng(`
allow audioserver su:fd use;
allow audioserver su:fifo_file { read write };
allow audioserver su:unix_stream_socket { read write };
')
# Allow write access to log tag property
set_prop(audioserver, log_tag_prop);
###
### neverallow rules
###
# audioserver should never execute any executable without a
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
# Allow using wake locks
wakelock_use(audioserver)
#
# /system/bin/auditctl executed for logd
#
# Performs maintenance of the kernel auditing system, including
# setting rate limits on SELinux denials.
#
type auditctl, domain, coredomain;
type auditctl_exec, file_type, system_file_type, exec_type;
# Uncomment the line below to put this domain into permissive
# mode. This helps speed SELinux policy development.
# userdebug_or_eng(`permissive auditctl;')
init_daemon_domain(auditctl)
allow auditctl self:global_capability_class_set audit_control;
allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
# Rules common to all binder service domains
# Allow dumpstate and incidentd to collect information from binder services
allow binderservicedomain { dumpstate incidentd }:fd use;
allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
allow binderservicedomain shell_data_file:file { getattr write };
# Allow dumpsys to work from adb shell or the serial console
allow binderservicedomain devpts:chr_file rw_file_perms;
allow binderservicedomain console_device:chr_file rw_file_perms;
# Receive and write to a pipe received over Binder from an app.
allow binderservicedomain appdomain:fd use;
allow binderservicedomain appdomain:fifo_file write;
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
use_keystore(binderservicedomain)
type blank_screen, domain, coredomain;
type blank_screen_exec, exec_type, file_type, system_file_type;
init_daemon_domain(blank_screen)
hal_client_domain(blank_screen, hal_light)
# blkid called from vold
typeattribute blkid coredomain;
type blkid_exec, system_file_type, exec_type, file_type;
# Allowed read-only access to encrypted devices to extract UUID/label
allow blkid block_device:dir search;
allow blkid userdata_block_device:blk_file r_file_perms;
allow blkid dm_device:blk_file r_file_perms;
# Allow stdin/out back to vold
allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid blkid_exec:file rx_file_perms;
# Only allow entry from vold
neverallow { domain -vold } blkid:process transition;
neverallow * blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
# blkid for untrusted block devices
typeattribute blkid_untrusted coredomain;
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;
# Allow stdin/out back to vold
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid_untrusted blkid_exec:file rx_file_perms;
###
### neverallow rules
###
# Untrusted blkid should never be run on block devices holding sensitive data
neverallow blkid_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file no_rw_file_perms;
# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow * blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment