# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
# The `-su' subtraction is itself wrapped in userdebug_or_eng, so it only
# exists on builds where su exists; on user builds every domain transitions.
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
# Any domain may deliver SIGCHLD to a crash_dump process. The permissions
# crash_dump itself needs towards the crashing domain live outside this block.
allow domain crash_dump:process sigchld;
7
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
# The whole grant is wrapped in userdebug_or_eng, so it is absent from user
# builds. Any domain that must not be heap-profiled even on debug builds
# belongs in the subtraction list below.
userdebug_or_eng(`can_profile_heap_central({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
})')
30
# As above, allow perf profiling most processes on debug builds.
# zygote is excluded as system-wide profiling could end up with it
# (unexpectedly) holding an open fd across a fork.
# The subtraction list is exactly the heap-profiling list above plus zygote;
# keep the two lists in sync when adding a domain to either.
userdebug_or_eng(`can_profile_perf({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
  -zygote
})')
51
# Path resolution access in cgroups.
# Every domain may traverse cgroup directories; write access to cgroup
# directories and control files is withheld from appdomain and from rs
# (which is spawned by apps), so app-side processes cannot write cgroup
# control files directly.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;

# Read-only access to the cgroup description and task-profile files. Writes
# to cgroup_rc_file are asserted against further down in this file
# (init/vendor_init only).
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
61
# Allow all domains to read sys.use_memfd to determine
# whether memfd support can be used on devices that support it.
get_prop(domain, use_memfd_prop);

# Read access to sdkextensions props
# NOTE(review): this call has no trailing `;' unlike its two neighbours. The
# get_prop macro presumably terminates its own expansion, in which case the
# `;' on the other calls is the redundant one — confirm and make the three
# calls consistent.
get_prop(domain, module_sdkextensions_prop)

# Read access to bq configuration values
get_prop(domain, bq_config_prop);
71
# For now, everyone can access core property files
# Device specific properties are not granted by default
# Two branches selected by the property-compatibility build setting (judging
# by the macro names). In the non-compatible branch every domain reads the
# listed property types. In the compatible branch the exported_* types are
# readable only by coredomain, appdomain and shell; vendor_default_prop only
# by domains outside coredomain/appdomain; and the userspace_reboot
# exported/log/test props are not readable by appdomain at all.
not_compatible_property(`
    get_prop(domain, core_property_type)
    get_prop(domain, exported_dalvik_prop)
    get_prop(domain, exported_ffs_prop)
    get_prop(domain, exported_system_radio_prop)
    get_prop(domain, exported2_config_prop)
    get_prop(domain, exported2_radio_prop)
    get_prop(domain, exported2_system_prop)
    get_prop(domain, exported2_vold_prop)
    get_prop(domain, exported3_default_prop)
    get_prop(domain, exported3_radio_prop)
    get_prop(domain, exported3_system_prop)
    get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
    get_prop({coredomain appdomain shell}, core_property_type)
    get_prop({coredomain appdomain shell}, exported_dalvik_prop)
    get_prop({coredomain appdomain shell}, exported_ffs_prop)
    get_prop({coredomain appdomain shell}, exported_system_radio_prop)
    get_prop({coredomain appdomain shell}, exported2_config_prop)
    get_prop({coredomain appdomain shell}, exported2_radio_prop)
    get_prop({coredomain appdomain shell}, exported2_system_prop)
    get_prop({coredomain appdomain shell}, exported2_vold_prop)
    get_prop({coredomain appdomain shell}, exported3_default_prop)
    get_prop({coredomain appdomain shell}, exported3_radio_prop)
    get_prop({coredomain appdomain shell}, exported3_system_prop)
    get_prop({coredomain appdomain shell}, exported_camera_prop)
    get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
    get_prop({coredomain shell}, userspace_reboot_exported_prop)
    get_prop({coredomain shell}, userspace_reboot_log_prop)
    get_prop({coredomain shell}, userspace_reboot_test_prop)
    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
107
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
# Only `search' is granted on all three keyrings; nothing in this block lets
# a domain add, modify or read key material.
userdebug_or_eng(`
  allow domain su:key search;
')

# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;

# Allow all processes to check for the existence of the boringssl_self_test_marker files.
# dir search only: a domain can probe for the marker but this rule grants no
# read or create access to the marker files themselves.
allow domain boringssl_self_test_marker:dir search;
123
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
# The llkd and incidentd exemptions are wrapped in userdebug_or_eng, so they
# hold only on debug builds; on user builds those domains are covered by the
# assertion like everything else.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  -storaged
  -system_server
} self:global_capability_class_set sys_ptrace;

# Limit ability to generate hardware unique device ID attestations to priv_apps
# The target is `*', so the assertion covers every type in the keystore_key
# class, not just one key label.
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;

# On user builds no domain other than init/vendor_init may be granted
# read/write on debugfs tracing files. `userdebug_or_eng(`-domain')'
# subtracts the entire source set on debug builds, so the assertion is
# vacuous there by design.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;

# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
# For every other domain the dir assertion is total (`*'), and the file
# assertion leaves only getattr/read grantable (the `~{ getattr read }'
# complement).
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
150
###
# Services should respect app sandboxes
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Only the following processes should be directly accessing private app
# directories.
neverallow {
  domain
  -adbd
  -appdomain
  -app_zygote
  -dexoptanalyzer
  -installd
  -iorap_inode2filename
  -iorap_prefetcherd
  -profman
  -rs # spawned by appdomain, so carryover the exception above
  -runas
  -system_server
  -viewcompiler
  -zygote
} { privapp_data_file app_data_file }:dir *;

# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
  domain
  -appdomain
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;

# Opening app data files is confined to appdomain, app_zygote, installd,
# iorap_prefetcherd and rs; note the dir rule above exempts a wider set of
# domains than this file-open rule does.
neverallow {
  domain
  -appdomain
  -app_zygote
  -installd
  -iorap_prefetcherd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;

# NOTE(review): this rule is identical to the first neverallow in this
# section (same source set, same create/unlink permissions). Duplicate
# neverallows are harmless as assertions, but one of the two can be dropped.
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Relabelling app data in either direction is reserved to installd.
neverallow {
  domain
  -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
206
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
# The file rule exempts more domains (system_app, kernel, priv_app) than the
# dir rule above; the write-specific assertions that follow exempt fewer
# domains again and are the ones that pin down who may modify staged files.
neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
# (cosmetic: `-installd}' is missing the space before the closing brace)
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
  { append create relabelfrom rename setattr write no_x_file_perms };

# Executing files that live on any filesystem type other than rootfs is
# asserted away for all but the three listed domains; the rule that follows
# this block narrows further by file type rather than filesystem type.
neverallow {
    domain
    -appdomain # for oemfs
    -bootanim # for oemfs
    -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
225
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
# Source set: every domain minus the exemptions, several of which exist only
# on debug builds (su, mediaextractor, mediaswcodec) or ASAN builds
# (asan_extract). Target set: every file_type minus the system/vendor image
# types, the linker, anything labelled exec_type, and postinstall files —
# judging by the type names, what remains is the file types that are not
# part of a signed partition image.
neverallow {
    domain
    -appdomain
    with_asan(`-asan_extract')
    -iorap_prefetcherd
    -shell
    userdebug_or_eng(`-su')
    -system_server_startup # for memfd backed executable regions
    -app_zygote
    -webview_zygote
    -zygote
    userdebug_or_eng(`-mediaextractor')
    userdebug_or_eng(`-mediaswcodec')
} {
    file_type
    -system_file_type
    -system_lib_file
    -system_linker_exec
    -vendor_file_type
    -exec_type
    -postinstall_file
}:file execute;

# Only init is allowed to write cgroup.rc file
# (vendor_init is exempted as well; every other domain is held to read-only
# on the file, matching the r_file_perms grant earlier in this file)
neverallow {
  domain
  -init
  -vendor_init
} cgroup_rc_file:file no_w_file_perms;
262
# Only authorized processes should be writing to files in /data/dalvik-cache
# The file rule and the dir rule below exempt the same nine domains, listed
# in a different order; a shared m4 set (as done for dac_override_allowed
# further down) would keep them from drifting apart.
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -otapreopt_slot
  -art_apex_postinstall
  -art_apex_boot_integrity
} dalvikcache_data_file:file no_w_file_perms;

neverallow {
  domain
  -init
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -zygote
  -otapreopt_slot
  -art_apex_boot_integrity
  -art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;
289
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# m4 macro naming the only domains that may hold CAP_DAC_OVERRIDE; llkd is a
# member only on debug builds. Adding a domain here widens a capability that
# bypasses discretionary file-permission checks, so treat it as a last resort.
define(`dac_override_allowed', `{
  apexd
  dnsmasq
  dumpstate
  init
  installd
  userdebug_or_eng(`llkd')
  lmkd
  migrate_legacy_obb_data
  netd
  postinstall_dexopt
  recovery
  rss_hwm_reset
  sdcardd
  tee
  ueventd
  uncrypt
  vendor_init
  vold
  vold_prepare_subdirs
  zygote
}')
# `~' takes the complement: every domain outside the set above is asserted
# not to be granted dac_override on itself.
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials.  Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
# (heapprofd, like llkd above, is a member only on debug builds)
neverallow ~{
  dac_override_allowed
  iorap_inode2filename
  iorap_prefetcherd
  traced_perf
  traced_probes
  userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;
328
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
# The fastbootd exemption is doubly conditional: it is emitted only in the
# recovery policy and, within that, only on debug builds.
neverallow {
    domain
    -apexd
    recovery_only(`userdebug_or_eng(`-fastbootd')')
    -init
    -kernel
    -otapreopt_chroot
    -recovery
    -update_engine
    -vold
    -zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
# "Do not apply" is implemented by `userdebug_or_eng(`-domain')', which
# subtracts the entire source set on debug builds; the exemption list below
# therefore only matters on user builds.
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -gsid
  -init
  -recovery
  -ueventd
  -healthd
  -uncrypt
  -tee
  -hal_bootctl_server
  -fastbootd
} self:global_capability_class_set sys_rawio;

# Limit directory operations that don't need to do app data isolation.
neverallow {
  domain
  -init
  -installd
  -zygote
} mirror_data_file:dir *;

# This property is being removed. Remove remaining access.
# Until then, setting it is confined to init/system_server/vendor_init and
# reading it additionally to dumpstate.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;

# Kprobes should only be used by adb root
# NOTE(review): as written the rule exempts only init and vendor_init and is
# not wrapped in userdebug_or_eng, so su ("adb root") is not exempted here —
# confirm that this matches the intent stated in the comment.
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
375