Merge "Commit 27.0 sepolicy prebuilts to master."

prebuilts/api/27.0/private/access_vectors

+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	map
+	unlink
+	link
+	rename
+	execute
+	quotaon
+	mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	map
+# socket-specific
+	bind
+	connect
+	listen
+	accept
+	getopt
+	setopt
+	shutdown
+	recvfrom
+	sendto
+	name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+	create
+	destroy
+	getattr
+	setattr
+	read
+	write
+	associate
+	unix_read
+	unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the cap2 common.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+common cap2
+{
+	mac_override	# unused by SELinux
+	mac_admin	# unused by SELinux
+	syslog
+	wake_alarm
+	block_suspend
+	audit_read
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+	mount
+	remount
+	unmount
+	getattr
+	relabelfrom
+	relabelto
+	associate
+	quotamod
+	quotaget
+}
+
+class dir
+inherits file
+{
+	add_name
+	remove_name
+	reparent
+	search
+	rmdir
+	open
+	audit_access
+	execmod
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+	open
+	audit_access
+}
+
+class lnk_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class chr_file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+	open
+	audit_access
+}
+
+class blk_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class sock_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class fifo_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class fd
+{
+	use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+}
+
+class udp_socket
+inherits socket
+{
+	node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+	node_bind
+}
+
+class node
+{
+	recvfrom
+	sendto
+}
+
+class netif
+{
+	ingress
+	egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+	connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+	fork
+	transition
+	sigchld # commonly granted from child to parent
+	sigkill # cannot be caught or ignored
+	sigstop # cannot be caught or ignored
+	signull # for kill(pid, 0)
+	signal  # all other signals
+	ptrace
+	getsched
+	setsched
+	getsession
+	getpgid
+	setpgid
+	getcap
+	setcap
+	share
+	getattr
+	setexec
+	setfscreate
+	noatsecure
+	siginh
+	setrlimit
+	rlimitinh
+	dyntransition
+	setcurrent
+	execmem
+	execstack
+	execheap
+	setkeycreate
+	setsockcreate
+	getrlimit
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+	enqueue
+}
+
+class msg
+{
+	send
+	receive
+}
+
+class shm
+inherits ipc
+{
+	lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce     # was avc_toggle in system class
+	setbool
+	setsecparam
+	setcheckreqprot
+	read_policy
+	validate_trans
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+	ipc_info
+	syslog_read
+	syslog_mod
+	syslog_console
+	module_request
+	module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_relay
+	nlmsg_readpriv
+	nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+	sendto
+	recvfrom
+	setcontext
+	polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+	send
+	recv
+	relabelto
+	flow_in		# deprecated
+	flow_out	# deprecated
+	forward_in
+	forward_out
+}
+
+class key
+{
+	view
+	read
+	write
+	search
+	link
+	setattr
+	create
+}
+
+class dccp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+}
+
+class memprotect
+{
+	mmap_zero
+}
+
+# network peer labels
+class peer
+{
+	recv
+}
+
+class kernel_service
+{
+	use_as_override
+	create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+	attach_queue
+}
+
+class binder
+{
+	impersonate
+	call
+	set_context_mgr
+	transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+	node_bind
+}
+
+class icmp_socket
+inherits socket
+{
+	node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class smc_socket
+inherits socket
+
+class property_service
+{
+	set
+}
+
+class service_manager
+{
+	add
+	find
+	list
+}
+
+class hwservice_manager
+{
+	add
+	find
+	list
+}
+
+class keystore_key
+{
+	get_state
+	get
+	insert
+	delete
+	exist
+	list
+	reset
+	password
+	lock
+	unlock
+	is_empty
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+	add_auth
+	user_changed
+	gen_unique_id
+}
+
+class drmservice {
+	consumeRights
+	setPlaybackStatus
+	openDecryptSession
+	closeDecryptSession
+	initializeDecryptUnit
+	decrypt
+	finalizeDecryptUnit
+	pread
+}

prebuilts/api/27.0/private/adbd.te

+### ADB daemon
+
+typeattribute adbd coredomain;
+typeattribute adbd mlstrustedsubject;
+
+init_daemon_domain(adbd)
+
+domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+  allow adbd self:process setcurrent;
+  allow adbd su:process dyntransition;
+')
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell.  Set supplementary groups.
+allow adbd self:capability { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:capability setpcap;
+
+# Create and use network sockets.
+net_domain(adbd)
+
+# Access /dev/usb-ffs/adb/ep0
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
+# adb push/pull sdcard.
+allow adbd tmpfs:dir search;
+allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
+allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
+# adb pull /data/anr/traces.txt
+allow adbd anr_data_file:dir r_dir_perms;
+allow adbd anr_data_file:file r_file_perms;
+
+# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
+
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
+# Run /system/bin/bu
+allow adbd system_file:file rx_file_perms;
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
+
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
+
+# Read /data/misc/adb/adb_keys.
+allow adbd adb_keys_file:dir search;
+allow adbd adb_keys_file:file r_file_perms;
+
+userdebug_or_eng(`
+  # Write debugging information to /data/adb
+  # when persist.adb.trace_mask is set
+  # https://code.google.com/p/android/issues/detail?id=72895
+  allow adbd adb_data_file:dir rw_dir_perms;
+  allow adbd adb_data_file:file create_file_perms;
+')
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
+
+# Allow pulling config.gz for CTS purposes
+allow adbd config_gz:file r_file_perms;
+
+allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir r_dir_perms;
+allow adbd mnt_user_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow adbd media_rw_data_file:dir create_dir_perms;
+allow adbd media_rw_data_file:file create_file_perms;
+
+r_dir_file(adbd, apk_data_file)
+
+allow adbd rootfs:dir r_dir_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;

prebuilts/api/27.0/private/app_neverallows.te

+###
+### neverallow rules for untrusted app domains
+###
+
+define(`all_untrusted_apps',`{
+  ephemeral_app
+  isolated_app
+  mediaprovider
+  untrusted_app
+  untrusted_app_25
+  untrusted_app_all
+  untrusted_v2_app
+}')
+# Receive or send uevent messages.
+neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow all_untrusted_apps domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow all_untrusted_apps debugfs_type:file read;
+
+# Do not allow untrusted apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow all_untrusted_apps service_manager_type:service_manager add;
+
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
+# Do not allow untrusted apps to connect to the property service
+# or set properties. b/10243159
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
+
+# Do not allow untrusted apps to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints.  As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and an untrusted app is allowed fork permission to itself.
+neverallow all_untrusted_apps mlstrustedsubject:process fork;
+
+# Do not allow untrusted apps to hard link to any files.
+# In particular, if an untrusted app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted apps never have this
+# capability.
+neverallow all_untrusted_apps file_type:file link;
+
+# Do not allow untrusted apps to access network MAC address file
+neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow all_untrusted_apps *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;
+
+# Do not allow untrusted apps access to /cache
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted apps to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow { all_untrusted_apps -mediaprovider } {
+  fs_type
+  -fuse                     # sdcard
+  -sdcardfs                 # sdcard
+  -vfat
+  file_type
+  -app_data_file            # The apps sandbox itself
+  -media_rw_data_file       # Internal storage. Known that apps can
+                            # leave artfacts here after uninstall.
+  -user_profile_data_file   # Access to profile files
+  userdebug_or_eng(`
+    -method_trace_data_file # only on ro.debuggable=1
+    -coredump_file          # userdebug/eng only
+  ')
+}:dir_file_class_set { create unlink };
+
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
+# Do not allow untrusted apps to directly open tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow all_untrusted_apps anr_data_file:file ~{ open append };
+neverallow all_untrusted_apps anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
+# Do not allow untrusted apps access to preloads data files
+neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
+# Do not permit access from apps which host arbitrary code to HwBinder services,
+# except those considered sufficiently safe for access from such apps.
+# The two main reasons for this are:
+# 1. HwBinder servers do not perform client authentication because HIDL
+#    currently does not expose caller UID information and, even if it did, many
+#    HwBinder services either operate at a level below that of apps (e.g., HALs)
+#    or must not rely on app identity for authorization. Thus, to be safe, the
+#    default assumption is that every HwBinder service treats all its clients as
+#    equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+#    incidence rate of security issues than system/core components and have
+#    access to lower layes of the stack (all the way down to hardware) thus
+#    increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+#   of the client and thus have the same access as the client domain in which
+#   the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+#   associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
+#   designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+#   by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+#   Binder service which apps were permitted to access.
+neverallow all_untrusted_apps {
+  hwservice_manager_type
+  -same_process_hwservice
+  -coredomain_hwservice
+  -hal_configstore_ISurfaceFlingerConfigs
+  -hal_graphics_allocator_hwservice
+  -hal_omx_hwservice
+  -hal_cas_hwservice
+  -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+  default_android_hwservice
+  hal_audio_hwservice
+  hal_bluetooth_hwservice
+  hal_bootctl_hwservice
+  hal_camera_hwservice
+  hal_contexthub_hwservice
+  hal_drm_hwservice
+  hal_dumpstate_hwservice
+  hal_fingerprint_hwservice
+  hal_gatekeeper_hwservice
+  hal_gnss_hwservice
+  hal_graphics_composer_hwservice
+  hal_health_hwservice
+  hal_ir_hwservice
+  hal_keymaster_hwservice
+  hal_light_hwservice
+  hal_memtrack_hwservice
+  hal_neuralnetworks_hwservice
+  hal_nfc_hwservice
+  hal_oemlock_hwservice
+  hal_power_hwservice
+  hal_sensors_hwservice
+  hal_telephony_hwservice
+  hal_thermal_hwservice
+  hal_tv_cec_hwservice
+  hal_tv_input_hwservice
+  hal_usb_hwservice
+  hal_vibrator_hwservice
+  hal_vr_hwservice
+  hal_weaver_hwservice
+  hal_wifi_hwservice
+  hal_wifi_offload_hwservice
+  hal_wifi_supplicant_hwservice
+  hidl_base_hwservice
+  system_net_netd_hwservice
+  thermalcallback_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+  coredomain_hwservice
+  -same_process_hwservice
+  -hidl_allocator_hwservice # Designed for use by any domain
+  -hidl_manager_hwservice # Designed for use by any domain
+  -hidl_memory_hwservice # Designed for use by any domain
+  -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
+
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+  neverallow all_untrusted_apps {
+    halserverdomain
+    -coredomain
+    -hal_configstore_server
+    -hal_graphics_allocator_server
+    -hal_cas_server
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+    -untrusted_app_visible_halserver
+  }:binder { call transfer };
+')

prebuilts/api/27.0/private/asan_extract.te

+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')

prebuilts/api/27.0/private/atrace.te

+# Domain for atrace process spawned by boottrace service.
+
+type atrace_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+  type atrace, domain, coredomain, domain_deprecated;
+
+  init_daemon_domain(atrace)
+
+  # boottrace services uses /data/misc/boottrace/categories
+  allow atrace boottrace_data_file:dir search;
+  allow atrace boottrace_data_file:file r_file_perms;
+
+  # Allow atrace to access tracefs.
+  allow atrace debugfs_tracing:dir r_dir_perms;
+  allow atrace debugfs_tracing:file rw_file_perms;
+  allow atrace debugfs_tracing_debug:file rw_file_perms;
+  allow atrace debugfs_trace_marker:file getattr;
+
+  # atrace sets debug.atrace.* properties
+  set_prop(atrace, debug_prop)
+
+  # atrace pokes all the binder-enabled processes at startup.
+  binder_use(atrace)
+  allow atrace healthd:binder call;
+  allow atrace surfaceflinger:binder call;
+')

prebuilts/api/27.0/private/attributes

+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;

prebuilts/api/27.0/private/audioserver.te

+# audioserver - audio services daemon
+
+typeattribute audioserver coredomain;
+
+type audioserver_exec, exec_type, file_type;
+init_daemon_domain(audioserver)
+
+r_dir_file(audioserver, sdcard_type)
+
+binder_use(audioserver)
+binder_call(audioserver, binderservicedomain)
+binder_call(audioserver, appdomain)
+binder_service(audioserver)
+
+hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
+hal_client_domain(audioserver, hal_audio)
+
+userdebug_or_eng(`
+  # used for TEE sink - pcm capture for debug.
+  allow audioserver media_data_file:dir create_dir_perms;
+  allow audioserver audioserver_data_file:dir create_dir_perms;
+  allow audioserver audioserver_data_file:file create_file_perms;
+
+  # ptrace to processes in the same domain for memory leak detection
+  allow audioserver self:process ptrace;
+')
+
+add_service(audioserver, audioserver_service)
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
+
+# Grant access to audio files to audioserver
+allow audioserver audio_data_file:dir ra_dir_perms;
+allow audioserver audio_data_file:file create_file_perms;
+
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file { read write };
+
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# audioserver should never execute any executable without a
+# domain transition
+neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;

prebuilts/api/27.0/private/binder_in_vendor_violators.te

+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;

prebuilts/api/27.0/private/binderservicedomain.te

+# Rules common to all binder service domains
+
+# Allow dumpstate and incidentd to collect information from binder services
+allow binderservicedomain { dumpstate incidentd }:fd use;
+allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain { dumpstate incidentd }:fifo_file  { getattr write };
+allow binderservicedomain shell_data_file:file { getattr write };
+
+# Allow dumpsys to work from adb shell or the serial console
+allow binderservicedomain devpts:chr_file rw_file_perms;
+allow binderservicedomain console_device:chr_file rw_file_perms;
+
+# Receive and write to a pipe received over Binder from an app.
+allow binderservicedomain appdomain:fd use;
+allow binderservicedomain appdomain:fifo_file write;
+
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+
+use_keystore(binderservicedomain)

prebuilts/api/27.0/private/blkid.te

+# blkid called from vold
+
+typeattribute blkid coredomain;
+
+type blkid_exec, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow * blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;

prebuilts/api/27.0/private/blkid_untrusted.te

+# blkid for untrusted block devices
+
+typeattribute blkid_untrusted coredomain;
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+  dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow * blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;

prebuilts/api/27.0/private/bluetooth.te

+# bluetooth app
+
+typeattribute bluetooth coredomain;
+
+app_domain(bluetooth)
+net_domain(bluetooth)
+
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
+
+wakelock_use(bluetooth);
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
+allow bluetooth bluetooth_logs_data_file:file create_file_perms;
+
+# Socket creation under /data/misc/bluedroid.
+allow bluetooth bluetooth_socket:sock_file create_file_perms;
+
+allow bluetooth self:capability net_admin;
+allow bluetooth self:capability2 wake_alarm;
+
+# tethering
+allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
+allow bluetooth self:capability { net_admin net_raw net_bind_service };
+allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
+allow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth efs_file:dir search;
+
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# Allow write access to bluetooth specific properties
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+
+allow bluetooth audioserver_service:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth drmserver_service:service_manager find;
+allow bluetooth mediaserver_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth surfaceflinger_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:capability sys_nice;
+
+hal_client_domain(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_telephony)
+
+read_runtime_log_tags(bluetooth)
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };

prebuilts/api/27.0/private/bluetoothdomain.te

+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };

prebuilts/api/27.0/private/bootanim.te

+typeattribute bootanim coredomain;
+
+init_daemon_domain(bootanim)

prebuilts/api/27.0/private/bootstat.te

+typeattribute bootstat coredomain;
+
+init_daemon_domain(bootstat)

prebuilts/api/27.0/private/bufferhubd.te

+typeattribute bufferhubd coredomain;
+
+init_daemon_domain(bufferhubd)

prebuilts/api/27.0/private/cameraserver.te

+typeattribute cameraserver coredomain;
+
+init_daemon_domain(cameraserver)

prebuilts/api/27.0/private/charger.te

+typeattribute charger coredomain;

prebuilts/api/27.0/private/clatd.te

+typeattribute clatd coredomain;
+typeattribute clatd domain_deprecated;