Skip to content
Snippets Groups Projects
Commit bffa911d authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review
Browse files

Merge "Commit 27.0 sepolicy prebuilts to master."

parents f691b127 80582488
No related branches found
No related tags found
No related merge requests found
Showing
with 1441 additions and 0 deletions
This diff is collapsed.
;; new_objects - a collection of types that have been introduced that have no
;; analogue in older policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
(typeattribute new_objects)
(typeattributeset new_objects
( adbd_exec
broadcastradio_service
e2fs
e2fs_exec
hal_broadcastradio_hwservice
hal_cas_hwservice
hal_neuralnetworks_hwservice
hal_tetheroffload_hwservice
hal_wifi_offload_hwservice
kmsg_debug_device
mediaprovider_tmpfs
netd_stable_secret_prop
package_native_service
sysfs_fs_ext4_features
system_net_netd_hwservice
thermal_service
thermalcallback_hwservice
thermalserviced
thermalserviced_exec
thermalserviced_tmpfs
timezone_service
tombstoned_java_trace_socket))
;; private_objects - a collection of types that were labeled differently in
;; older policy, but that should not remain accessible to vendor policy.
;; Thus, these types are also not mapped, but recorded for checkapi tests
(typeattribute priv_objects)
(typeattributeset priv_objects
( adbd_tmpfs ))
typeattribute cppreopts coredomain;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
typeattribute crash_dump coredomain;
typeattribute dex2oat coredomain;
typeattribute dex2oat domain_deprecated;
# dexoptanalyzer
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, exec_type, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
#processes.
tmpfs_domain(dexoptanalyzer)
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# app_data_file the oat file is symlinked to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
allow dexoptanalyzer installd:fd use;
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer app_data_file:dir { getattr search };
allow dexoptanalyzer app_data_file:file r_file_perms;
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
dontaudit dexoptanalyzer app_data_file:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
typeattribute dhcp coredomain;
typeattribute dhcp domain_deprecated;
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
typeattribute dnsmasq coredomain;
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
domain_auto_trans(domain, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
-dumpstate
-storaged
-system_server
userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
# rules removed from the domain attribute
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
typeattribute drmserver coredomain;
init_daemon_domain(drmserver)
type_transition drmserver apk_data_file:sock_file drmserver_socket;
typeattribute drmserver_socket coredomain_socket;
typeattribute dumpstate coredomain;
typeattribute dumpstate domain_deprecated;
init_daemon_domain(dumpstate)
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;
# TODO: deal with tmpfs_domain pub/priv split properly
allow dumpstate dumpstate_tmpfs:file execute;
# systrace support - allow atrace to run
allow dumpstate debugfs_tracing:dir r_dir_perms;
allow dumpstate debugfs_tracing:file rw_file_perms;
allow dumpstate debugfs_trace_marker:file getattr;
allow dumpstate atrace_exec:file rx_file_perms;
allow dumpstate storaged_exec:file rx_file_perms;
# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced permissions sandbox allowing
### ephemeral applications to be safely installed and run. Non ephemeral
### applications may also opt-in to ephemeral to take advantage of the
### additional security features.
###
### PackageManager flags an app as ephemeral at install time.
typeattribute ephemeral_app coredomain;
net_domain(ephemeral_app)
app_domain(ephemeral_app)
# Allow ephemeral apps to read/write files in visible storage if provided fds
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow ephemeral_app app_data_file:file {r_file_perms execute};
# services
allow ephemeral_app audioserver_service:service_manager find;
allow ephemeral_app cameraserver_service:service_manager find;
allow ephemeral_app mediaserver_service:service_manager find;
allow ephemeral_app mediaextractor_service:service_manager find;
allow ephemeral_app mediacodec_service:service_manager find;
allow ephemeral_app mediametrics_service:service_manager find;
allow ephemeral_app mediadrmserver_service:service_manager find;
allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
###
### neverallow rules
###
neverallow ephemeral_app app_data_file:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow ephemeral_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow ephemeral_app debugfs:file read;
# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow ephemeral_app sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow ephemeral_app proc_net:file no_rw_file_perms;
# Compatibility with type names used in vanilla Android 4.3 and 4.4.
typealias audio_data_file alias audio_firmware_file;
typealias app_data_file alias platform_app_data_file;
typealias app_data_file alias download_file;
# /proc/config.gz
type config_gz, fs_type;
This diff is collapsed.
/data/asan/system/lib(/.*)? u:object_r:system_file:s0
/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
/system/bin/asan/app_process u:object_r:zygote_exec:s0
/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
typeattribute fingerprintd coredomain;
typeattribute fingerprintd domain_deprecated;
init_daemon_domain(fingerprintd)
# Label inodes via getxattr.
fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
fs_use_xattr jffs2 u:object_r:labeledfs:s0;
fs_use_xattr ext2 u:object_r:labeledfs:s0;
fs_use_xattr ext3 u:object_r:labeledfs:s0;
fs_use_xattr ext4 u:object_r:labeledfs:s0;
fs_use_xattr xfs u:object_r:labeledfs:s0;
fs_use_xattr btrfs u:object_r:labeledfs:s0;
fs_use_xattr f2fs u:object_r:labeledfs:s0;
fs_use_xattr squashfs u:object_r:labeledfs:s0;
# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
fs_use_task sockfs u:object_r:sockfs:s0;
# Label inodes from combination of task label and fs label.
# Define type_transition rules if you want per-domain types.
fs_use_trans devpts u:object_r:devpts:s0;
fs_use_trans tmpfs u:object_r:tmpfs:s0;
fs_use_trans devtmpfs u:object_r:device:s0;
fs_use_trans shm u:object_r:shm:s0;
fs_use_trans mqueue u:object_r:mqueue:s0;
typeattribute fsck coredomain;
typeattribute fsck domain_deprecated;
init_daemon_domain(fsck)
typeattribute fsck_untrusted coredomain;
typeattribute fsck_untrusted domain_deprecated;
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment