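# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
# Any domain may deliver SIGCHLD to a crash_dump process.
allow domain crash_dump:process sigchld;

# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds (userdebug/eng only). The domains
# subtracted below are never profiled, even on those builds.
userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
})')

# Path resolution access in cgroups.
allow domain cgroup:dir search;
# Apps (and the renderscript domain they spawn) only get path resolution;
# everything else may also write into the cgroup hierarchy.
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;

# Read-only access to cgroup.rc and the (system/vendor) task profile files.
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain { task_profiles_file vendor_task_profiles_file }:file r_file_perms;

# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if the device supports it
get_prop(domain, use_memfd_prop);

# For now, everyone can access core property files.
# Device specific properties are not granted by default.
not_compatible_property(`
  get_prop(domain, core_property_type)
  get_prop(domain, exported_dalvik_prop)
  get_prop(domain, exported_ffs_prop)
  get_prop(domain, exported_system_radio_prop)
  get_prop(domain, exported2_config_prop)
  get_prop(domain, exported2_radio_prop)
  get_prop(domain, exported2_system_prop)
  get_prop(domain, exported2_vold_prop)
  get_prop(domain, exported3_default_prop)
  get_prop(domain, exported3_radio_prop)
  get_prop(domain, exported3_system_prop)
  get_prop(domain, vendor_default_prop)
')
# On compatible-property devices the core/exported properties are limited to
# coredomain, apps and shell; vendor_default_prop goes to the complement
# (non-coredomain, non-app domains).
compatible_property_only(`
  get_prop({coredomain appdomain shell}, core_property_type)
  get_prop({coredomain appdomain shell}, exported_dalvik_prop)
  get_prop({coredomain appdomain shell}, exported_ffs_prop)
  get_prop({coredomain appdomain shell}, exported_system_radio_prop)
  get_prop({coredomain appdomain shell}, exported2_config_prop)
  get_prop({coredomain appdomain shell}, exported2_radio_prop)
  get_prop({coredomain appdomain shell}, exported2_system_prop)
  get_prop({coredomain appdomain shell}, exported2_vold_prop)
  get_prop({coredomain appdomain shell}, exported3_default_prop)
  get_prop({coredomain appdomain shell}, exported3_radio_prop)
  get_prop({coredomain appdomain shell}, exported3_system_prop)
  get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')

# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
userdebug_or_eng(`
  allow domain su:key search;
')

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains. llkd, incidentd and
# perfprofd are only exempted on userdebug/eng builds.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  -storaged
  -system_server
  userdebug_or_eng(`-perfprofd')
} self:global_capability_class_set sys_ptrace;

# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;

# Only init and vendor_init may read or write debugfs tracing files on user
# builds. On userdebug/eng the `-domain' exemption empties the source set, so
# this assertion has no effect there.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;

# System_server owns dropbox data, and init creates/restorecons the directory.
# Disallow direct access by other processes (other domains may at most
# getattr/read the files).
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };

###
# Services should respect app sandboxes
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Only the following processes should be directly accessing private app
# directories.
neverallow {
  domain
  -adbd
  -appdomain
  -app_zygote
  -dexoptanalyzer
  -installd
  userdebug_or_eng(`-perfprofd')
  -profman
  -rs # spawned by appdomain, so carryover the exception above
  -runas
  -system_server
  -viewcompiler
} { privapp_data_file app_data_file }:dir *;

# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
  domain
  -appdomain
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;

# Only apps (plus app_zygote, installd and, on debug builds, perfprofd) may
# open files inside app data directories.
neverallow {
  domain
  -appdomain
  -app_zygote
  -installd
  userdebug_or_eng(`-perfprofd')
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;

# Only installd may relabel app data (the create/unlink assertion for these
# types is stated once above, under "Services should respect app sandboxes").
neverallow {
  domain
  -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files. Note that the file rule additionally exempts system_app and
# kernel, while the directory rule does not.
neverallow { domain -init -system_server -apexd -installd } staging_data_file:dir *;
neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
neverallow { domain -init -system_server -installd } staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
  { append create relabelfrom rename setattr write no_x_file_perms };

# Nothing outside the root filesystem may be executed as a file, except for
# the cases noted inline.
neverallow {
  domain
  -appdomain # for oemfs
  -bootanim # for oemfs
  -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
neverallow {
  domain
  -appdomain
  with_asan(`-asan_extract')
  -shell
  userdebug_or_eng(`-su')
  -system_server_startup # for memfd backed executable regions
  -app_zygote
  -webview_zygote
  -zygote
  userdebug_or_eng(`-mediaextractor')
  userdebug_or_eng(`-mediaswcodec')
} {
  file_type
  -system_file_type
  -system_lib_file
  -system_linker_exec
  -vendor_file_type
  -exec_type
  -postinstall_file
}:file execute;

# Only init is allowed to write cgroup.rc file
neverallow {
  domain
  -init
  -vendor_init
} cgroup_rc_file:file no_w_file_perms;

# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -otapreopt_slot
  -art_apex_postinstall
  -art_apex_boot_integrity
} dalvikcache_data_file:file no_w_file_perms;

# Same set of domains for the dalvik-cache directories themselves.
neverallow {
  domain
  -init
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -zygote
  -otapreopt_slot
  -art_apex_boot_integrity
  -art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;

# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
  dnsmasq
  dumpstate
  init
  installd
  install_recovery
  userdebug_or_eng(`llkd')
  lmkd
  migrate_legacy_obb_data
  netd
  perfprofd
  postinstall_dexopt
  recovery
  rss_hwm_reset
  sdcardd
  tee
  ueventd
  uncrypt
  vendor_init
  vold
  vold_prepare_subdirs
  zygote
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
  dac_override_allowed
  traced_probes
  userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow {
  domain
  -apexd
  recovery_only(`userdebug_or_eng(`-fastbootd')')
  -init
  -kernel
  -otapreopt_chroot
  -recovery
  -update_engine
  -vold
  -zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

# Limit raw I/O to these whitelisted domains. Do not apply to debug builds:
# the `-domain' exemption on userdebug/eng empties the source set.
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -gsid
  -init
  -recovery
  -ueventd
  -healthd
  -uncrypt
  -tee
  -hal_bootctl_server
} self:global_capability_class_set sys_rawio;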