Lines Matching refs:domain
# Baseline grants that every process type receives through `domain`.
# The leading number on each line is the line number in the indexed policy
# file. Only lines that mention `domain` are listed, so multi-line rules
# appear without their continuation lines.
4 allow domain init:process sigchld;
6 # Intra-domain accesses.
# NOTE(review): the permission set opened on file line 7 continues on lines
# that are not part of this listing; read the full file before judging what
# self:process access is granted.
7 allow domain self:process {
24 allow domain self:fd use;
25 allow domain proc:dir r_dir_perms;
26 allow domain proc_net:dir search;
27 r_dir_file(domain, self)
# Read/write on fifo_file and file objects labeled with the domain's own
# type, plus Unix sockets that may send/connect to the same type.
28 allow domain self:{ fifo_file file } rw_file_perms;
29 allow domain self:unix_dgram_socket { create_socket_perms sendto };
30 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
# fd inheritance from init, followed by grants toward the su type and
# coredump files.
33 allow domain init:fd use;
# NOTE(review): this listing shows only lines that contain `domain`, so an
# enclosing build-conditional macro (userdebug_or_eng is used elsewhere in
# this file) would not be visible here. Confirm in the full file that the su
# and coredump_file grants below are limited to debuggable builds before
# treating them as part of the production policy.
36 allow domain su:fd use;
37 allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
38 allow domain su:unix_dgram_socket sendto;
# Every domain except init may call into su over binder and transfer binder
# references to it.
40 allow { domain -init } su:binder { call transfer };
44 allow domain su:fifo_file { write getattr };
47 allow domain su:process sigchld;
# All domains may create files and add entries under coredump_file.
50 allow domain coredump_file:file create_file_perms;
51 allow domain coredump_file:dir ra_dir_perms;
# Root filesystem traversal and the device nodes opened to every domain.
55 allow domain rootfs:dir search;
56 allow domain rootfs:lnk_file { read getattr };
59 allow domain device:dir search;
60 allow domain dev_type:lnk_file r_file_perms;
61 allow domain devpts:dir search;
62 allow domain socket_device:dir r_dir_perms;
# Character devices with read/write access for all domains: own tty, null,
# zero, ashmem, ptmx and random. alarm_device (file line 78) is read-only.
63 allow domain owntty_device:chr_file rw_file_perms;
64 allow domain null_device:chr_file rw_file_perms;
65 allow domain zero_device:chr_file rw_file_perms;
66 allow domain ashmem_device:chr_file rw_file_perms;
# The next two rules are truncated by the listing ("…"), so their permission
# sets cannot be confirmed from here. Visible exclusions: binder_device omits
# hwservicemanager and vndservicemanager (and is wrapped in not_full_treble);
# hwbinder_device omits servicemanager, vndservicemanager and isolated_app.
75 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_fi…
76 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_…
77 allow domain ptmx_device:chr_file rw_file_perms;
78 allow domain alarm_device:chr_file r_file_perms;
79 allow domain random_device:chr_file rw_file_perms;
80 allow domain proc_random:dir r_dir_perms;
81 allow domain proc_random:file r_file_perms;
# Read-only access to the property area directory and metadata files; write
# and execute on these types are reserved to init by the neverallow rules at
# file lines 474-478.
82 allow domain properties_device:dir { search getattr };
83 allow domain properties_serial:file r_file_perms;
84 allow domain property_info:file r_file_perms;
# Property types readable by every domain. get_prop is a macro defined
# outside this listing; by its name and use here it grants read access to the
# given property type — confirm against the macro definition.
89 get_prop(domain, core_property_type)
90 get_prop(domain, exported_dalvik_prop)
91 get_prop(domain, exported_ffs_prop)
92 get_prop(domain, exported_system_radio_prop)
93 get_prop(domain, exported2_config_prop)
94 get_prop(domain, exported2_radio_prop)
95 get_prop(domain, exported2_system_prop)
96 get_prop(domain, exported2_vold_prop)
97 get_prop(domain, exported3_default_prop)
98 get_prop(domain, exported3_radio_prop)
99 get_prop(domain, exported3_system_prop)
# NOTE(review): vendor_default_prop is granted to all of `domain` at file
# line 100 and only to { domain -coredomain -appdomain } at line 127. The two
# presumably sit in alternative build-conditional branches that the listing
# does not show; confirm which one applies to the build under review.
100 get_prop(domain, vendor_default_prop)
127 get_prop({domain -coredomain -appdomain}, vendor_default_prop)
131 get_prop(domain, debug_prop)
132 get_prop(domain, exported_config_prop)
133 get_prop(domain, exported_default_prop)
134 get_prop(domain, exported_dumpstate_prop)
135 get_prop(domain, exported_fingerprint_prop)
136 get_prop(domain, exported_radio_prop)
137 get_prop(domain, exported_secure_prop)
138 get_prop(domain, exported_system_prop)
139 get_prop(domain, exported_vold_prop)
140 get_prop(domain, exported2_default_prop)
141 get_prop(domain, logd_prop)
145 get_prop(domain, log_property_type)
# dontaudit grants nothing: it only suppresses the audit record when the
# audit_access permission on a property file is denied.
146 dontaudit domain property_type:file audit_access;
147 allow domain property_contexts_file:file r_file_perms;
# Keyring lookup, logging, and access to system and vendor files.
149 allow domain init:key search;
150 allow domain vold:key search;
153 write_logd(domain)
# Files labeled system_file can be read, mapped and executed by every domain.
156 allow domain system_file:dir { search getattr };
157 allow domain system_file:file { execute read open getattr map };
158 allow domain system_file:lnk_file { getattr read };
# NOTE(review): vendor_file_type is granted to all of `domain` at file lines
# 163-165 and to { domain -coredomain } at lines 197-199. These look like
# alternative conditional branches whose wrapping macro is not listed.
# Confirm which set applies, since the first lets core domains execute
# vendor files and the second does not.
163 allow domain vendor_file_type:dir { search getattr };
164 allow domain vendor_file_type:file { execute read open getattr map };
165 allow domain vendor_file_type:lnk_file { getattr read };
171 allow domain vendor_hal_file:dir r_dir_perms;
174 allow domain same_process_hal_file:dir r_dir_perms;
175 allow domain same_process_hal_file:file { execute read open getattr map };
179 allow domain vndk_sp_file:dir r_dir_perms;
180 allow domain vndk_sp_file:file { execute read open getattr map };
# vendor_configs_file is readable but, unlike the types above, not executable.
183 allow domain vendor_configs_file:dir r_dir_perms;
184 allow domain vendor_configs_file:file { read open getattr };
189 allow domain vendor_file_type:lnk_file { getattr open read };
194 allow domain vendor_file:dir { getattr search };
197 allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
198 allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
199 allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
# sysfs, timezone data, /data traversal, proc entries, selinuxfs, cgroup and
# debugfs access granted to every domain.
203 allow domain sysfs:lnk_file { getattr read };
207 allow domain zoneinfo_data_file:file r_file_perms;
208 allow domain zoneinfo_data_file:dir r_dir_perms;
211 r_dir_file(domain, sysfs_devices_system_cpu)
# NOTE(review): this macro call ends with a semicolon while the other
# r_dir_file calls in the listing do not; harmless if it compiles, but
# inconsistent.
213 r_dir_file(domain, sysfs_usb);
# system_data_file:dir gets getattr (line 217) and search (line 222) in
# separate rules, which is directory traversal only.
217 allow domain system_data_file:dir getattr;
222 allow domain system_data_file:dir search;
224 allow domain vendor_data_file:dir { getattr search };
227 allow domain proc:lnk_file { getattr read };
230 allow domain proc_cpuinfo:file r_file_perms;
233 allow domain proc_overcommit_memory:file r_file_perms;
236 allow domain proc_perf:file r_file_perms;
# selinuxfs: directory search and getattr only. No read or write of its
# files is granted here.
239 allow domain selinuxfs:dir search;
240 allow domain selinuxfs:file getattr;
241 allow domain sysfs:dir search;
242 allow domain selinuxfs:filesystem getattr;
# Every domain may write existing cgroup files; creating cgroup files is
# separately forbidden by the neverallow at file line 1380.
245 allow domain cgroup:dir { search write };
246 allow domain cgroup:file w_file_perms;
# debugfs is traversal-only except for the trace marker, which is writable.
251 allow domain debugfs:dir search;
252 allow domain debugfs_tracing:dir search;
253 allow domain debugfs_tracing_debug:dir search;
254 allow domain debugfs_trace_marker:file w_file_perms;
257 allow domain fs_type:filesystem getattr;
258 allow domain fs_type:dir getattr;
# ioctl allowlists (allowxperm) and the first extended-permission assertions.
# The comment sentences at file lines 262 and 272 and the allowxperm rules at
# 265 and 268 continue on lines that are not in this listing, so the actual
# ioctl command sets for sockets are not visible here.
262 # defaults for all processes. Note that granting this allowlist to domain does
265 allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
268 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
272 # Note that granting this allowlist to domain does
# pty ioctls are limited to the unpriv_tty_ioctls set.
275 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
# `{ domain -domain }` subtracts the attribute from itself, so the source set
# is empty and these two rules grant no access to any process.
# NOTE(review): presumably kept so the target attributes stay referenced in
# the compiled policy; confirm against the comments in the full file.
279 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
282 allow { domain -domain } vndservice_manager_type:service_manager { add find };
285 with_asan(`allow domain system_data_file:dir getattr;')
# Build-time assertions: no policy may allow ioctl command 0 or SIOCATMARK on
# any socket class between domains.
292 neverallowxperm domain domain:socket_class_set ioctl { 0 };
296 neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
# neverallow statements are assertions checked when the policy is compiled;
# they add no runtime permission by themselves. A bare `domain` line below is
# the first element of a multi-line type set whose remaining lines (the
# exclusions and the target) are not part of this listing.
# NOTE(review): the rule at file line 304 also exempts recovery, which the
# comment on line 303 does not mention.
303 # Do not allow any domain other than init to create unlabeled files.
304 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
308 domain
# `domain` followed by userdebug_or_eng(`-domain') yields an empty source set
# wherever the macro expands its argument, so the assertion at file line 317
# would not constrain those builds. The macro is defined elsewhere; it is
# presumably active on userdebug/eng builds only.
317 domain
318 userdebug_or_eng(`-domain')
331 # No domain needs mac_override as it is unused by SELinux.
344 # init starts in kernel domain and switches to init domain via setcon in
# Kernel security controls: setcheckreqprot is kernel-only and setsecparam is
# init-only.
348 neverallow { domain -kernel } kernel:security setcheckreqprot;
356 neverallow { domain -init } kernel:security setsecparam;
360 domain
368 domain
380 domain
388 domain
# Writes to usermodehelper and proc_security entries are restricted to init
# (plus ueventd / vendor_init where listed).
395 neverallow { domain -init } usermodehelper:file { append write };
396 neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
397 neverallow { domain -init -vendor_init } proc_security:file { append open read write };
399 # No domain should be allowed to ptrace init.
403 # triggered, it's probably due to a service with no SELinux domain.
# Raw access to generically labeled block devices is limited to kernel, init
# and recovery. No domain at all may open a chr_file that still carries the
# generic `device` label.
409 neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
418 neverallow domain device:chr_file { open read write };
423 neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_t…
430 domain
448 domain
455 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:fi…
459 domain
# nativetest_data_file: the exemptions for kernel (line 469) and shell
# (line 471) are wrapped in userdebug_or_eng, so they are conditional on that
# macro. Lines 469 and 471 are truncated or macro-based and need the full file
# to read exactly.
468 # The test files and executables MUST not be accessible to any domain
469 neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_per…
470 neverallow domain nativetest_data_file:dir no_w_dir_perms;
471 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
# Only init may write or execute property storage (data dir, property files,
# properties_device, properties_serial).
474 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
475 neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
476 neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
477 neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
478 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
485 domain
493 neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }…
# Only init may mount over system or vendor files and directories.
497 neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
# Assertions on who may set properties through property_service.
# NOTE(review): file lines 532-533 and 536-537 assert the same thing for
# default_prop and mmc_prop, except that 536-537 drop the vendor_init
# exemption. neverallow rules are cumulative, so if both pairs were compiled
# together the vendor_init exemption would have no effect. They are
# presumably in alternative build-conditional branches that the listing does
# not show; confirm in the full file.
532 neverallow { domain -init -vendor_init } default_prop:property_service set;
533 neverallow { domain -init -vendor_init } mmc_prop:property_service set;
536 neverallow { domain -init } default_prop:property_service set;
537 neverallow { domain -init } mmc_prop:property_service set;
# exported_secure_prop and exported2_default_prop are settable by init only;
# the other exported/vendor default types also exempt vendor_init.
538 neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
539 neverallow { domain -init } exported_secure_prop:property_service set;
540 neverallow { domain -init } exported2_default_prop:property_service set;
541 neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
542 neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
# pm_prop: set by init and system_server only; file access is confined to
# coredomain. exported_pm_prop applies the same pattern with vendor_init
# added.
546 neverallow { domain -init -system_server } pm_prop:property_service set;
547 neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
550 neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
551 neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
# Mostly fragments: each bare `domain` line opens a multi-line neverallow
# source set whose exclusions and target are on lines not included in this
# listing, so those assertions cannot be reviewed from here.
557 domain
# firstboot_prop files are readable only by init, system_server and dumpstate.
571 neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
574 domain
586 domain
# Write access to the system and recovery block devices is limited to the
# exempted updater/recovery domains named in each rule.
594 # No domain other than recovery and update_engine can write to system partition(s).
595 neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
598 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
# Per the comment on file line 606, the assertion that starts at line 605 is
# not applied on debuggable builds (the source set becomes empty there).
605 domain
606 userdebug_or_eng(`-domain') # exclude debuggable builds
# Only the three service managers may become a binder context manager.
618 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
628 # domain apps need this because Android framework offers many of its services to apps as Binder
632 domain
640 domain
673 domain
711 # Core domains are not permitted to initiate communications to vendor domain sockets.
722 domain
727 # Vendor domains are not permitted to initiate communications to core domain sockets
730 domain
# NOTE(review): `-logd` appears to be one of the exemptions in the
# vendor-to-core socket assertion that starts at file line 730; the rest of
# the rule is not listed.
736 -logd # Logging by writing to logd Unix domain socket is public API
749 domain
759 domain
842 domain
869 domain
897 domain
1063 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
1064 neverallow { domain -system_server } zygote_socket:sock_file write;
1066 neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
1067 neverallow { domain -system_server } webview_zygote:sock_file write;
1070 domain
1084 neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file wr…
1085 neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_…
1112 neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
1133 neverallow { domain -untrusted_app_all } file_type:file execmod;
1135 neverallow { domain -init } proc:{ file dir } mounton;
1138 # in the domain attribute, so that all allow and neverallow rules
1139 # written on domain are applied to all processes.
1141 # from a domain to a non-domain type and vice versa.
1142 # TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
1143 neverallow ~domain domain:process { transition dyntransition };
# Bare `domain` lines and the rules at file lines 1205 and 1374 open
# multi-line statements whose remaining lines are not in this listing.
1154 domain
1168 domain
1186 domain
1192 # Only these domains should transition to shell domain. This domain is
1194 # script with differing privilege, define a domain and set up a transition.
1197 domain
1205 neverallow { domain -runas -webview_zygote -zygote } {
1212 domain
1219 domain
1230 domain
1240 domain
1253 domain
1281 # executable file used to enter a domain should be labeled
1282 # with its own _exec type, not with the domain type.
1285 # type mydaemon, domain;
# No file labeled with a process (domain) type may be executed or used as an
# entrypoint by any source type.
1290 neverallow * domain:file { execute execute_no_trans entrypoint };
1296 neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
1301 domain
1316 neverallow domain crash_dump:process noatsecure;
1343 # Instead of granting them it is usually better to add the domain to
1346 domain
# dac_read_search on self is reserved to traced_probes.
1366 neverallow { domain -traced_probes } self:capability dac_read_search;
1374 neverallow domain {
1380 neverallow domain cgroup:file create;
# dontaudit rules grant nothing; they suppress the audit record when the
# listed access is denied. Denied writes/creates under proc_type and
# sysfs_type, and denied cgroup file creation, will therefore not show up as
# avc denials. Account for that when triaging from audit logs.
1382 dontaudit domain proc_type:dir write;
1383 dontaudit domain sysfs_type:dir write;
1384 dontaudit domain cgroup:file create;
1389 dontaudit domain proc_type:dir add_name;
1390 dontaudit domain sysfs_type:dir add_name;
1391 dontaudit domain proc_type:file create;
1392 dontaudit domain sysfs_type:file create;