# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes. Because the source type is the
# generic `domain' attribute, every process on the device gets this
# automatic transition: the child that execs crash_dump_exec ends up in the
# crash_dump domain regardless of which domain crashed, so no per-domain
# transition rule is needed (and none should be added elsewhere).
domain_auto_trans(domain, crash_dump_exec, crash_dump);
# Source is the crashing domain, target is crash_dump: a crashing process
# may deliver SIGCHLD to crash_dump. NOTE(review): direction is notable --
# the crashing process is the parent, not the child. The likely reason is
# that crash_dump ptraces the crashing process and ptrace-stop
# notifications are delivered to the tracer as SIGCHLD; confirm against
# crash_dump.te before relying on that explanation.
allow domain crash_dump:process sigchld;
5
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
# CAP_SYS_PTRACE is what allows attaching to, or reading the memory and
# /proc/<pid> state of, a process the caller does not own, so any domain
# holding it can effectively read every other process on the device. This
# rule is checked against `self' because capabilities are evaluated on the
# requesting process itself; the class set is the global_capability_class_set
# macro, so it covers every capability class that macro groups together.
# Note that this bounds only the capability; the separate `process ptrace'
# permission between specific domains is governed by other rules.
# Entries wrapped in userdebug_or_eng() are only subtracted on userdebug
# and eng builds; on user builds incidentd and perfprofd remain fully
# covered by this neverallow. Adding a domain here widens the boundary for
# all processes and needs security review.
neverallow {
  domain
  -vold
  -dumpstate
  userdebug_or_eng(`-incidentd')
  -storaged
  -system_server
  userdebug_or_eng(`-perfprofd')
} self:global_capability_class_set sys_ptrace;
17
# Limit ability to generate hardware unique device ID attestations to priv_apps.
# A key attestation carrying the hardware unique device ID is a stable,
# hardware-backed identifier, so who may request it is a privacy boundary.
# The `*' target means every type of the keystore_key class: no domain other
# than priv_app may be granted gen_unique_id on any keystore key, even via a
# later allow rule. This only bounds the policy; whether a given priv_app
# actually gets the permission is still decided by its own allow rules.
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
20
# debugfs_tracing_debug files: on user builds only init and vendor_init may
# open, read or write them (the exact permission set is the no_rw_file_perms
# macro). The userdebug_or_eng(`-domain') entry subtracts the whole `domain'
# attribute on userdebug and eng builds, which empties the source set and
# makes this rule a deliberate no-op there -- debug builds keep tracing
# reachable by whatever domains the allow rules grant.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
27
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# Each pseudo-filesystem below has a generic type (proc, sysfs, device, ...)
# that any node keeps until it is given a more specific label. Denying
# coredomain access to the generic type forces every kernel interface that
# core (system partition) code touches to be labeled individually, so the
# surface stays enumerable and does not drift with the vendor kernel. The
# exemption lists are the boundary: a listed domain may be granted access to
# still-unlabeled nodes, so each new exemption extends what a compromise of
# that domain can reach. Only compiled on full Treble devices.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
  # /proc: vold is the only core domain that may touch files still carrying
  # the generic proc label.
  neverallow {
    coredomain
    -vold
  } proc:file no_rw_file_perms;

  # /sys: exemptions are limited to init, ueventd and vold.
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev: covers both block device nodes and regular files carrying the
  # generic device label. Only fsck, init and ueventd are exempt.
  neverallow {
    coredomain
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs: exposes kernel internals; unlabeled debugfs files are reachable
  # only from dumpstate, init and system_server.
  neverallow {
    coredomain
    -dumpstate
    -init
    -system_server
  } debugfs:file no_rw_file_perms;

  # tracefs: the tracing tools are exempt, and so is shell, which means an
  # adb shell user keeps tracefs access on every build type. perfprofd is
  # exempt only on userdebug and eng builds.
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -init
    userdebug_or_eng(`-perfprofd')
    -traced_probes
    -shell
    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs: only init is exempt.
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs: persistent kernel log data that survives a reboot. This is the
  # longest exemption list, and it includes shell; review additions with
  # care since previous-boot kernel logs can leak addresses and state.
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    -healthd
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs: only init and system_server may use unlabeled nodes.
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs: adbd, init, mediaprovider and system_server are exempt.
  # NOTE(review): adbd and mediaprovider presumably drive USB gadget
  # functions through functionfs -- confirm before widening this list.
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs: only init is exempt. binfmt_misc is especially
  # sensitive because registering a handler redirects execution of any file
  # matching a magic or extension to an interpreter of the writer choice,
  # so write access there is effectively code execution in other processes.
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
119