# Property access shared by every coredomain. get_prop is a macro defined
# elsewhere; presumably it grants read access to the named property type.
get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)

# Reminder on semantics for everything below: a neverallow is a build-time
# assertion that no allow rule (in any policy file) grants the listed
# permissions. It fails the policy build and CTS rather than denying at
# runtime, so every "-domain" entry is an exemption that must be justified.
# full_treble_only is a macro defined elsewhere; it is expected to expand
# its argument only on full-Treble builds, so rules inside it are not
# enforced on non-Treble devices.

# sysfs_leds: the wildcard * covers every file permission, so no coredomain
# other than the three exemptions below may touch LED sysfs nodes at all.
full_treble_only(`
neverallow {
  coredomain

  # for chowning
  -init

  # generic access to sysfs_type
  -ueventd
  -vold
} sysfs_leds:file *;
')

# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
  # Limit access to /vendor/app
  # Directory traversal of /vendor/app. Note that userdebug_or_eng expands to
  # nothing on user builds, so heapprofd is only exempted on debug builds.
  neverallow {
    coredomain
    -appdomain
    -dex2oat
    -idmap
    -init
    -installd
    userdebug_or_eng(`-heapprofd')
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
  } vendor_app_file:dir { open read getattr search };
')

# File reads under /vendor/app. The exemption list is the dir list above
# plus mediaserver, which is NOT exempted from the dir rule; so mediaserver
# may read these files only via a path it does not have to search itself
# (e.g. an fd it receives). NOTE(review): confirm that asymmetry is intended.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -dex2oat
    -idmap
    -init
    -installd
    userdebug_or_eng(`-heapprofd')
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -mediaserver
  } vendor_app_file:file r_file_perms;
')

full_treble_only(`
  # Limit access to /vendor/overlay
  # Directory traversal of /vendor/overlay. The zygotes and the iorap
  # daemons are exempted here but not for /vendor/app above.
  neverallow {
    coredomain
    -appdomain
    -idmap
    -init
    -installd
    -iorap_inode2filename
    -iorap_prefetcherd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -app_zygote
    -webview_zygote
    -zygote
    userdebug_or_eng(`-heapprofd')
  } vendor_overlay_file:dir { getattr open read search };
')

# Only the open permission is asserted for overlay files (not r_file_perms as
# for /vendor/app). open is checked when a path is opened; read/getattr on an
# fd that was opened by an exempted domain and handed over is therefore not
# covered by this rule. That looks deliberate (overlays are opened on behalf
# of other processes) but is worth keeping in mind when reading this list.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -idmap
    -init
    -installd
    -iorap_inode2filename
    -iorap_prefetcherd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -app_zygote
    -webview_zygote
    -zygote
    userdebug_or_eng(`-heapprofd')
  } vendor_overlay_file:file open;
')

# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# Each rule below targets the generic (default) label of a kernel
# pseudo-filesystem; nodes that carry a more specific label are not affected.
# no_rw_file_perms is a macro defined in the global macros; its exact
# permission set is not visible here.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
  # /proc
  neverallow {
    coredomain
    -init
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  # Only block_file and regular file objects of the generic device type are
  # asserted here; chr_file nodes that still carry the device label are not
  # covered by this rule.
  neverallow {
    coredomain
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  neverallow {
    coredomain
    -dumpstate
    -init
    -system_server
  } debugfs:file no_rw_file_perms;

  # tracefs
  # shell is exempted here and for pstorefs below, i.e. an adb shell user may
  # be granted these interfaces by other policy.
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -init
    -traced_probes
    -shell
    -system_server
    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  # incidentd is only exempted on userdebug/eng builds (userdebug_or_eng
  # expands to nothing on user builds).
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    -healthd
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')

# The following /dev nodes must not be directly accessed by coredomain, but
# should instead be wrapped by HALs.
# Unlike the tee_device rule below, this assertion is unconditional: it holds
# on Treble and non-Treble builds alike, with no exempted domains.
neverallow coredomain {
  iio_device
  radio_device
}:chr_file { open read append write ioctl };

# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
# Consequently coredomain access to the TEE device is only asserted away on
# full-Treble builds; on non-Treble devices the permission is granted.
full_treble_only(`
  neverallow coredomain tee_device:chr_file { open read append write ioctl };
')
