1# Rules for all domains.
2
3# Allow reaping by init.
4allow domain init:process sigchld;
5
6# Intra-domain accesses.
7allow domain self:process {
8    fork
9    sigchld
10    sigkill
11    sigstop
12    signull
13    signal
14    getsched
15    setsched
16    getsession
17    getpgid
18    setpgid
19    getcap
20    setcap
21    getattr
22    setrlimit
23};
24allow domain self:fd use;
25allow domain proc:dir r_dir_perms;
26allow domain proc_net:dir search;
27r_dir_file(domain, self)
28allow domain self:{ fifo_file file } rw_file_perms;
29allow domain self:unix_dgram_socket { create_socket_perms sendto };
30allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
31
32# Inherit or receive open files from others.
33allow domain init:fd use;
34
35userdebug_or_eng(`
36  allow domain su:fd use;
37  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
38  allow domain su:unix_dgram_socket sendto;
39
40  allow { domain -init } su:binder { call transfer };
41
42  # Running something like "pm dump com.android.bluetooth" requires
43  # fifo writes
44  allow domain su:fifo_file { write getattr };
45
46  # allow "gdbserver --attach" to work for su.
47  allow domain su:process sigchld;
48
49  # Allow writing coredumps to /cores/*
50  allow domain coredump_file:file create_file_perms;
51  allow domain coredump_file:dir ra_dir_perms;
52')
53
54# Root fs.
55allow domain rootfs:dir search;
56allow domain rootfs:lnk_file { read getattr };
57
58# Device accesses.
59allow domain device:dir search;
60allow domain dev_type:lnk_file r_file_perms;
61allow domain devpts:dir search;
62allow domain socket_device:dir r_dir_perms;
63allow domain owntty_device:chr_file rw_file_perms;
64allow domain null_device:chr_file rw_file_perms;
65allow domain zero_device:chr_file rw_file_perms;
66allow domain ashmem_device:chr_file rw_file_perms;
67# /dev/binder can be accessed by non-vendor domains and by apps
68allow {
69  coredomain
70  appdomain
71  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
72  -hwservicemanager
73} binder_device:chr_file rw_file_perms;
74# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
75not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
76allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
77allow domain ptmx_device:chr_file rw_file_perms;
78allow domain alarm_device:chr_file r_file_perms;
79allow domain random_device:chr_file rw_file_perms;
80allow domain proc_random:dir r_dir_perms;
81allow domain proc_random:file r_file_perms;
82allow domain properties_device:dir { search getattr };
83allow domain properties_serial:file r_file_perms;
84allow domain property_info:file r_file_perms;
85
86# For now, everyone can access core property files
87# Device specific properties are not granted by default
88not_compatible_property(`
89    get_prop(domain, core_property_type)
90    get_prop(domain, exported_dalvik_prop)
91    get_prop(domain, exported_ffs_prop)
92    get_prop(domain, exported_system_radio_prop)
93    get_prop(domain, exported2_config_prop)
94    get_prop(domain, exported2_radio_prop)
95    get_prop(domain, exported2_system_prop)
96    get_prop(domain, exported2_vold_prop)
97    get_prop(domain, exported3_default_prop)
98    get_prop(domain, exported3_radio_prop)
99    get_prop(domain, exported3_system_prop)
100    get_prop(domain, vendor_default_prop)
101')
102compatible_property_only(`
103    get_prop({coredomain appdomain shell}, core_property_type)
104    get_prop({coredomain appdomain shell}, exported_dalvik_prop)
105    get_prop({coredomain appdomain shell}, exported_ffs_prop)
106    get_prop({coredomain appdomain shell}, exported_system_radio_prop)
107    get_prop({coredomain appdomain shell}, exported2_config_prop)
108    get_prop({coredomain appdomain shell}, exported2_radio_prop)
109    get_prop({coredomain appdomain shell}, exported2_system_prop)
110    get_prop({coredomain appdomain shell}, exported2_vold_prop)
111    get_prop({coredomain appdomain shell}, exported3_default_prop)
112    get_prop({coredomain appdomain shell}, exported3_radio_prop)
113    get_prop({coredomain appdomain shell}, exported3_system_prop)
114    userdebug_or_eng(`
115        get_prop(su, core_property_type)
116        get_prop(su, exported_dalvik_prop)
117        get_prop(su, exported_ffs_prop)
118        get_prop(su, exported_system_radio_prop)
119        get_prop(su, exported2_config_prop)
120        get_prop(su, exported2_radio_prop)
121        get_prop(su, exported2_system_prop)
122        get_prop(su, exported2_vold_prop)
123        get_prop(su, exported3_default_prop)
124        get_prop(su, exported3_radio_prop)
125        get_prop(su, exported3_system_prop)
126    ')
127    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
128')
129
130# Public readable properties
131get_prop(domain, debug_prop)
132get_prop(domain, exported_config_prop)
133get_prop(domain, exported_default_prop)
134get_prop(domain, exported_dumpstate_prop)
135get_prop(domain, exported_fingerprint_prop)
136get_prop(domain, exported_radio_prop)
137get_prop(domain, exported_secure_prop)
138get_prop(domain, exported_system_prop)
139get_prop(domain, exported_vold_prop)
140get_prop(domain, exported2_default_prop)
141get_prop(domain, logd_prop)
142
143# Let everyone read log properties, so that liblog can avoid sending unloggable
144# messages to logd.
145get_prop(domain, log_property_type)
146dontaudit domain property_type:file audit_access;
147allow domain property_contexts_file:file r_file_perms;
148
149allow domain init:key search;
150allow domain vold:key search;
151
152# logd access
153write_logd(domain)
154
155# System file accesses.
156allow domain system_file:dir { search getattr };
157allow domain system_file:file { execute read open getattr map };
158allow domain system_file:lnk_file { getattr read };
159
160# Make sure system/vendor split doesn not affect non-treble
161# devices
162not_full_treble(`
163    allow domain vendor_file_type:dir { search getattr };
164    allow domain vendor_file_type:file { execute read open getattr map };
165    allow domain vendor_file_type:lnk_file { getattr read };
166')
167
168# All domains are allowed to open and read directories
169# that contain HAL implementations (e.g. passthrough
170# HALs require clients to have these permissions)
171allow domain vendor_hal_file:dir r_dir_perms;
172
173# Everyone can read and execute all same process HALs
174allow domain same_process_hal_file:dir r_dir_perms;
175allow domain same_process_hal_file:file { execute read open getattr map };
176
177# Any process can load vndk-sp libraries, which are system libraries
178# used by same process HALs
179allow domain vndk_sp_file:dir r_dir_perms;
180allow domain vndk_sp_file:file { execute read open getattr map };
181
182# All domains get access to /vendor/etc
183allow domain vendor_configs_file:dir r_dir_perms;
184allow domain vendor_configs_file:file { read open getattr };
185
186full_treble_only(`
187    # Allow all domains to be able to follow /system/vendor and/or
188    # /vendor/odm symlinks.
189    allow domain vendor_file_type:lnk_file { getattr open read };
190
191    # This is required to be able to search & read /vendor/lib64
192    # in order to lookup vendor libraries. The execute permission
193    # for coredomains is granted *only* for same process HALs
194    allow domain vendor_file:dir { getattr search };
195
196    # Allow reading and executing out of /vendor to all vendor domains
197    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
198    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
199    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
200')
201
202# read and stat any sysfs symlinks
203allow domain sysfs:lnk_file { getattr read };
204
205# libc references /data/misc/zoneinfo for timezone related information
206# This directory is considered to be a VNDK-stable
207allow domain zoneinfo_data_file:file r_file_perms;
208allow domain zoneinfo_data_file:dir r_dir_perms;
209
210# Lots of processes access current CPU information
211r_dir_file(domain, sysfs_devices_system_cpu)
212
213r_dir_file(domain, sysfs_usb);
214
215# files under /data.
216not_full_treble(`
217  allow domain system_data_file:dir getattr;
218')
219allow { coredomain appdomain } system_data_file:dir getattr;
220# /data has the label system_data_file. Vendor components need the search
221# permission on system_data_file for path traversal to /data/vendor.
222allow domain system_data_file:dir search;
223# TODO restrict this to non-coredomain
224allow domain vendor_data_file:dir { getattr search };
225
226# required by the dynamic linker
227allow domain proc:lnk_file { getattr read };
228
229# /proc/cpuinfo
230allow domain proc_cpuinfo:file r_file_perms;
231
232# jemalloc needs to read /proc/sys/vm/overcommit_memory
233allow domain proc_overcommit_memory:file r_file_perms;
234
235# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
236allow domain proc_perf:file r_file_perms;
237
238# toybox loads libselinux which stats /sys/fs/selinux/
239allow domain selinuxfs:dir search;
240allow domain selinuxfs:file getattr;
241allow domain sysfs:dir search;
242allow domain selinuxfs:filesystem getattr;
243
244# For /acct/uid/*/tasks.
245allow domain cgroup:dir { search write };
246allow domain cgroup:file w_file_perms;
247
248# Almost all processes log tracing information to
249# /sys/kernel/debug/tracing/trace_marker
250# The reason behind this is documented in b/6513400
251allow domain debugfs:dir search;
252allow domain debugfs_tracing:dir search;
253allow domain debugfs_tracing_debug:dir search;
254allow domain debugfs_trace_marker:file w_file_perms;
255
256# Filesystem access.
257allow domain fs_type:filesystem getattr;
258allow domain fs_type:dir getattr;
259
260# Restrict all domains to a allowlist for common socket types. Additional
261# ioctl commands may be added to individual domains, but this sets safe
262# defaults for all processes. Note that granting this allowlist to domain does
263# not grant the ioctl permission on these socket types. That must be granted
264# separately.
265allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
266  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
267# default allowlist for unix sockets.
268allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
269  ioctl unpriv_unix_sock_ioctls;
270
271# Restrict PTYs to only allowlisted ioctls.
272# Note that granting this allowlist to domain does
273# not grant the wider ioctl permission. That must be granted
274# separately.
275allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
276
277# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
278# when it's not explicitly used in allow rules
279allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
280# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
281# when it's not explicitly used in allow rules
282allow { domain -domain } vndservice_manager_type:service_manager { add find };
283
284# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
285with_asan(`allow domain system_data_file:dir getattr;')
286
287###
288### neverallow rules
289###
290
291# All socket ioctls must be restricted to a allowlist.
292neverallowxperm domain domain:socket_class_set ioctl { 0 };
293
294# b/68014825 and https://android-review.googlesource.com/516535
295# rfc6093 says that processes should not use the TCP urgent mechanism
296neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
297
298# TIOCSTI is only ever used for exploits. Block it.
299# b/33073072, b/7530569
300# http://www.openwall.com/lists/oss-security/2016/09/26/14
301neverallowxperm * devpts:chr_file ioctl TIOCSTI;
302
303# Do not allow any domain other than init to create unlabeled files.
304neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
305
306# Limit device node creation to these allowlisted domains.
307neverallow {
308  domain
309  -kernel
310  -init
311  -ueventd
312  -vold
313} self:global_capability_class_set mknod;
314
315# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
316neverallow {
317  domain
318  userdebug_or_eng(`-domain')
319  -kernel
320  -init
321  -recovery
322  -ueventd
323  -healthd
324  -uncrypt
325  -tee
326} self:global_capability_class_set sys_rawio;
327
328# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
329neverallow * self:memprotect mmap_zero;
330
331# No domain needs mac_override as it is unused by SELinux.
332neverallow * self:global_capability2_class_set mac_override;
333
334# Disallow attempts to set contexts not defined in current policy
335# This helps guarantee that unknown or dangerous contents will not ever
336# be set.
337neverallow * self:global_capability2_class_set mac_admin;
338
339# Once the policy has been loaded there shall be none to modify the policy.
340# It is sealed.
341neverallow * kernel:security load_policy;
342
343# Only init prior to switching context should be able to set enforcing mode.
344# init starts in kernel domain and switches to init domain via setcon in
345# the init.rc, so the setenforce occurs while still in kernel. After
346# switching domains, there is never any need to setenforce again by init.
347neverallow * kernel:security setenforce;
348neverallow { domain -kernel } kernel:security setcheckreqprot;
349
350# No booleans in AOSP policy, so no need to ever set them.
351neverallow * kernel:security setbool;
352
353# Adjusting the AVC cache threshold.
354# Not presently allowed to anything in policy, but possibly something
355# that could be set from init.rc.
356neverallow { domain -init } kernel:security setsecparam;
357
358# Only init, ueventd, shell and system_server should be able to access HW RNG
359neverallow {
360  domain
361  -init
362  -shell # For CTS and is restricted to getattr in shell.te
363  -system_server
364  -ueventd
365} hw_random_device:chr_file *;
366# b/78174219 b/64114943
367neverallow {
368  domain
369  -init
370  -shell # stat of /dev, getattr only
371  -vendor_init
372  -ueventd
373} keychord_device:chr_file *;
374
375# Ensure that all entrypoint executables are in exec_type or postinstall_file.
376neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
377
378# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
379neverallow {
380  domain
381  -shell # For CTS and is restricted to getattr in shell.te
382  -ueventd # Further restricted in ueventd.te
383} kmem_device:chr_file *;
384neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
385
386#Ensure that nothing in userspace can access /dev/port
387neverallow {
388  domain
389  -shell # Shell user should not have any abilities outside of getattr
390  -ueventd
391} port_device:chr_file *;
392neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
393# Only init should be able to configure kernel usermodehelpers or
394# security-sensitive proc settings.
395neverallow { domain -init } usermodehelper:file { append write };
396neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
397neverallow { domain -init -vendor_init } proc_security:file { append open read write };
398
399# No domain should be allowed to ptrace init.
400neverallow * init:process ptrace;
401
402# Init can't do anything with binder calls. If this neverallow rule is being
403# triggered, it's probably due to a service with no SELinux domain.
404neverallow * init:binder *;
405neverallow * vendor_init:binder *;
406
407# Don't allow raw read/write/open access to block_device
408# Rather force a relabel to a more specific type
409neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
410
411# Do not allow renaming of block files or character files
412# Ability to do so can lead to possible use in an exploit chain
413# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
414neverallow * *:{ blk_file chr_file } rename;
415
416# Don't allow raw read/write/open access to generic devices.
417# Rather force a relabel to a more specific type.
418neverallow domain device:chr_file { open read write };
419
420# Limit what domains can mount filesystems or change their mount flags.
421# sdcard_type / vfat is exempt as a larger set of domains need
422# this capability, including device-specific domains.
423neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
424
425#
426# Assert that, to the extent possible, we're not loading executable content from
427# outside the rootfs or /system partition except for a few allowlisted domains.
428#
429neverallow {
430    domain
431    -appdomain
432    with_asan(`-asan_extract')
433    -dumpstate
434    -shell
435    userdebug_or_eng(`-su')
436    -webview_zygote
437    -zygote
438    userdebug_or_eng(`-mediaextractor')
439} {
440    file_type
441    -system_file
442    -vendor_file_type
443    -exec_type
444    -postinstall_file
445}:file execute;
446
447neverallow {
448    domain
449    -appdomain # for oemfs
450    -bootanim # for oemfs
451    -recovery # for /tmp/update_binary in tmpfs
452} { fs_type -rootfs }:file execute;
453
454# Files from cache should never be executed
455neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
456
457# Protect most domains from executing arbitrary content from /data.
458neverallow {
459  domain
460  -appdomain
461} {
462  data_file_type
463  -dalvikcache_data_file
464  -system_data_file # shared libs in apks
465  -apk_data_file
466}:file no_x_file_perms;
467
468# The test files and executables MUST not be accessible to any domain
469neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
470neverallow domain nativetest_data_file:dir no_w_dir_perms;
471neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
472
473# Only the init property service should write to /data/property and /dev/__properties__
474neverallow { domain -init } property_data_file:dir no_w_dir_perms;
475neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
476neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
477neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
478neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
479
480# Nobody should be doing writes to /system & /vendor
481# These partitions are intended to be read-only and must never be
482# modified. Doing so would violate important Android security guarantees
483# and invalidate dm-verity signatures.
484neverallow {
485    domain
486    with_asan(`-asan_extract')
487} {
488    system_file
489    vendor_file_type
490    exec_type
491}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
492
493neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
494
495# Don't allow mounting on top of /system files or directories
496neverallow * exec_type:dir_file_class_set mounton;
497neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
498
499# Nothing should be writing to files in the rootfs.
500neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
501
502# Restrict context mounts to specific types marked with
503# the contextmount_type attribute.
504neverallow * {fs_type -contextmount_type}:filesystem relabelto;
505
506# Ensure that context mount types are not writable, to ensure that
507# the write to /system restriction above is not bypassed via context=
508# mount to another type.
509neverallow * contextmount_type:dir_file_class_set
510    { create write setattr relabelfrom relabelto append unlink link rename };
511
512# Do not allow service_manager add for default service labels.
513# Instead domains should use a more specific type such as
514# system_app_service rather than the generic type.
515# New service_types are defined in {,hw,vnd}service.te and new mappings
516# from service name to service_type are defined in {,hw,vnd}service_contexts.
517neverallow * default_android_service:service_manager add;
518neverallow * default_android_vndservice:service_manager { add find };
519neverallow * default_android_hwservice:hwservice_manager { add find };
520
521# Looking up the base class/interface of all HwBinder services is a bad idea.
522# hwservicemanager currently offer such lookups only to make it so that security
523# decisions are expressed in SELinux policy. However, it's unclear whether this
524# lookup has security implications. If it doesn't, hwservicemanager should be
525# modified to not offer this lookup.
526# This rule can be removed if hwservicemanager is modified to not permit these
527# lookups.
528neverallow * hidl_base_hwservice:hwservice_manager find;
529
530# Require that domains explicitly label unknown properties, and do not allow
531# anyone but init to modify unknown properties.
532neverallow { domain -init -vendor_init } default_prop:property_service set;
533neverallow { domain -init -vendor_init } mmc_prop:property_service set;
534
535compatible_property_only(`
536    neverallow { domain -init } default_prop:property_service set;
537    neverallow { domain -init } mmc_prop:property_service set;
538    neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
539    neverallow { domain -init } exported_secure_prop:property_service set;
540    neverallow { domain -init } exported2_default_prop:property_service set;
541    neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
542    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
543')
544
545# Only core domains are allowed to access package_manager properties
546neverallow { domain -init -system_server } pm_prop:property_service set;
547neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
548
549compatible_property_only(`
550    neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
551    neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
552')
553
554# Do not allow reading device's serial number from system properties except form
555# a few allowlisted domains.
556neverallow {
557  domain
558  -adbd
559  -dumpstate
560  -hal_drm_server
561  -hal_cas_server
562  -init
563  -mediadrmserver
564  -recovery
565  -shell
566  -system_server
567  -vendor_init
568} serialno_prop:file r_file_perms;
569
570# Do not allow reading the last boot timestamp from system properties
571neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
572
573neverallow {
574  domain
575  -init
576  -recovery
577  -system_server
578  -shell # Shell is further restricted in shell.te
579  -ueventd # Further restricted in ueventd.te
580} frp_block_device:blk_file no_rw_file_perms;
581
582# The metadata block device is set aside for device encryption and
583# verified boot metadata. It may be reset at will and should not
584# be used by other domains.
585neverallow {
586  domain
587  -init
588  -recovery
589  -vold
590  -e2fs
591  -fsck
592} metadata_block_device:blk_file { append link rename write open read ioctl lock };
593
594# No domain other than recovery and update_engine can write to system partition(s).
595neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
596
597# No domains other than install_recovery or recovery can write to recovery.
598neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
599
600# No domains other than a select few can access the misc_block_device. This
601# block device is reserved for OTA use.
602# Do not assert this rule on userdebug/eng builds, due to some devices using
603# this partition for testing purposes.
604neverallow {
605  domain
606  userdebug_or_eng(`-domain') # exclude debuggable builds
607  -hal_bootctl_server
608  -init
609  -uncrypt
610  -update_engine
611  -vendor_init
612  -vold
613  -recovery
614  -ueventd
615} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
616
617# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
618neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
619# The service managers are only allowed to access their own device node
620neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
621neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
622neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
623neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
624neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
625neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
626
627# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
628# domain apps need this because Android framework offers many of its services to apps as Binder
629# services.
630full_treble_only(`
631  neverallow {
632    domain
633    -coredomain
634    -appdomain
635    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
636  } binder_device:chr_file rw_file_perms;
637')
638full_treble_only(`
639  neverallow {
640    domain
641    -coredomain
642    -appdomain # restrictions for vendor apps are declared lower down
643    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
644  } service_manager_type:service_manager find;
645')
646full_treble_only(`
647  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
648  # services which can change any time framework/core is updated, breakage is likely.
649  neverallow {
650    appdomain
651    -coredomain
652  } {
653    service_manager_type
654    -app_api_service
655    -ephemeral_app_api_service
656    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
657    -cameraserver_service
658    -drmserver_service
659    -keystore_service
660    -mediadrmserver_service
661    -mediaextractor_service
662    -mediametrics_service
663    -mediaserver_service
664    -nfc_service
665    -radio_service
666    -virtual_touchpad_service
667    -vr_hwc_service
668    -vr_manager_service
669  }:service_manager find;
670')
671full_treble_only(`
672  neverallow {
673    domain
674    -coredomain
675    -appdomain
676    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
677  } servicemanager:binder { call transfer };
678')
679
680# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
681full_treble_only(`
682  neverallow {
683    coredomain
684    -shell
685    userdebug_or_eng(`-su')
686    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
687  } vndbinder_device:chr_file rw_file_perms;
688')
689full_treble_only(`
690  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
691')
692full_treble_only(`
693  neverallow {
694    coredomain
695    -shell
696    userdebug_or_eng(`-su')
697  } vndservice_manager_type:service_manager *;
698')
699full_treble_only(`
700  neverallow {
701    coredomain
702    -shell
703    userdebug_or_eng(`-su')
704  } vndservicemanager:binder *;
705')
706
707# On full TREBLE devices, socket communications between core components and vendor components are
708# not permitted.
709  # Most general rules first, more specific rules below.
710
711  # Core domains are not permitted to initiate communications to vendor domain sockets.
712  # We are not restricting the use of already established sockets because it is fine for a process
713  # to obtain an already established socket via some public/official/stable API and then exchange
714  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
715  # and thus does not break the core-vendor separation.
716full_treble_only(`
717  neverallow_establish_socket_comms({
718    coredomain
719    -init
720    -adbd
721  }, {
722    domain
723    -coredomain
724    -socket_between_core_and_vendor_violators
725  });
726')
727  # Vendor domains are not permitted to initiate communications to core domain sockets
728full_treble_only(`
729  neverallow_establish_socket_comms({
730    domain
731    -coredomain
732    -appdomain
733    -socket_between_core_and_vendor_violators
734  }, {
735    coredomain
736    -logd # Logging by writing to logd Unix domain socket is public API
737    -netd # netdomain needs this
738    -mdnsd # netdomain needs this
739    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
740    -init
741    -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
742    -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
743  });
744')
745
746  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
747full_treble_only(`
748  neverallow_establish_socket_comms({
749    domain
750    -coredomain
751    -netdomain
752    -socket_between_core_and_vendor_violators
753  }, netd);
754')
755
756  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
757full_treble_only(`
758  neverallow {
759    domain
760    -coredomain
761    -appdomain # appdomain restrictions below
762    -data_between_core_and_vendor_violators # b/70393317
763    -socket_between_core_and_vendor_violators
764    -vendor_init
765  } {
766    coredomain_socket
767    core_data_file_type
768    unlabeled # used only by core domains
769  }:sock_file ~{ append getattr ioctl read write };
770')
771full_treble_only(`
772  neverallow {
773    appdomain
774    -coredomain
775  } {
776    coredomain_socket
777    unlabeled # used only by core domains
778    core_data_file_type
779    -app_data_file
780    -pdx_endpoint_socket_type # used by VR layer
781    -pdx_channel_socket_type # used by VR layer
782  }:sock_file ~{ append getattr ioctl read write };
783')
784
785  # Core domains are not permitted to create/open sockets owned by vendor domains
786full_treble_only(`
787  neverallow {
788    coredomain
789    -init
790    -ueventd
791    -socket_between_core_and_vendor_violators
792  } {
793    file_type
794    dev_type
795    -coredomain_socket
796    -core_data_file_type
797    -unlabeled
798  }:sock_file ~{ append getattr ioctl read write };
799')
800
801# On TREBLE devices, vendor and system components are only allowed to share
802# files by passing open FDs over hwbinder. Ban all directory access and all file
803# accesses other than what can be applied to an open FD such as
804# ioctl/stat/read/write/append. This is enforced by segregating /data.
805# Vendor domains may directly access file in /data/vendor by path, but may only
806# access files outside of /data/vendor via an open FD passed over hwbinder.
807# Likewise, core domains may only directly access files outside /data/vendor by
808# path and files in /data/vendor by open FD.
809full_treble_only(`
810  # only coredomains may only access core_data_file_type, particularly not
811  # /data/vendor
812  neverallow {
813    coredomain
814    -appdomain # TODO(b/34980020) remove exemption for appdomain
815    -data_between_core_and_vendor_violators
816    -init
817    -vold_prepare_subdirs
818  } {
819    data_file_type
820    -core_data_file_type
821  }:file_class_set ~{ append getattr ioctl read write };
822')
823full_treble_only(`
824  neverallow {
825    coredomain
826    -appdomain # TODO(b/34980020) remove exemption for appdomain
827    -data_between_core_and_vendor_violators
828    -init
829    -vold_prepare_subdirs
830    } {
831      data_file_type
832      -core_data_file_type
833      # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
834      # neverallow. Currently only getattr and search are allowed.
835      -vendor_data_file
836    }:dir *;
837
838')
839full_treble_only(`
840  # vendor domains may only access files in /data/vendor, never core_data_file_types
841  neverallow {
842    domain
843    -appdomain # TODO(b/34980020) remove exemption for appdomain
844    -coredomain
845    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
846    -vendor_init
847  } {
848    core_data_file_type
849    # libc includes functions like mktime and localtime which attempt to access
850    # files in /data/misc/zoneinfo/tzdata file. These functions are considered
851    # vndk-stable and thus must be allowed for all processes.
852    -zoneinfo_data_file
853  }:file_class_set ~{ append getattr ioctl read write };
854  neverallow {
855    vendor_init
856    -data_between_core_and_vendor_violators
857  } {
858    core_data_file_type
859    -unencrypted_data_file
860    -zoneinfo_data_file
861  }:file_class_set ~{ append getattr ioctl read write };
862  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
863  # The vendor init binary lives on the system partition so there is not a concern with stability.
864  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
865')
866full_treble_only(`
867  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
868  neverallow {
869    domain
870    -appdomain # TODO(b/34980020) remove exemption for appdomain
871    -coredomain
872    -data_between_core_and_vendor_violators
873    -vendor_init
874  } {
875    core_data_file_type
876    -system_data_file # default label for files on /data. Covered below...
877    -vendor_data_file
878    -zoneinfo_data_file
879  }:dir *;
880  neverallow {
881    vendor_init
882    -data_between_core_and_vendor_violators
883  } {
884    core_data_file_type
885    -unencrypted_data_file
886    -system_data_file
887    -vendor_data_file
888    -zoneinfo_data_file
889  }:dir *;
890  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
891  # The vendor init binary lives on the system partition so there is not a concern with stability.
892  neverallow vendor_init unencrypted_data_file:dir ~search;
893')
894full_treble_only(`
895  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
896  neverallow {
897    domain
898    -appdomain # TODO(b/34980020) remove exemption for appdomain
899    -coredomain
900    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
901    } {
902      system_data_file # default label for files on /data. Covered below
903    }:dir ~{ getattr search };
904')
905
906full_treble_only(`
907  #  coredomains may not access dirs in /data/vendor.
908  neverallow {
909    coredomain
910    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
911    -init
912    -vold # vold creates per-user storage for both system and vendor
913    -vold_prepare_subdirs
914    } {
915      vendor_data_file # default label for files on /data. Covered below
916    }:dir ~{ getattr search };
917')
918
919full_treble_only(`
920  #  coredomains may not access dirs in /data/vendor.
921  neverallow {
922    coredomain
923    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
924    -init
925    } {
926      vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
927    }:file_class_set ~{ append getattr ioctl read write };
928')
929
930# On TREBLE devices, a limited set of files in /vendor are accessible to
931# only a few allowlisted coredomains to keep system/vendor separation.
932full_treble_only(`
933    # Limit access to /vendor/app
934    neverallow {
935        coredomain
936        -appdomain
937        -dex2oat
938        -idmap
939        -init
940        -installd
941        userdebug_or_eng(`-perfprofd')
942        -postinstall_dexopt
943        -system_server
944    } vendor_app_file:dir { open read getattr search };
945')
946
947full_treble_only(`
948    neverallow {
949        coredomain
950        -appdomain
951        -dex2oat
952        -idmap
953        -init
954        -installd
955        userdebug_or_eng(`-perfprofd')
956        -postinstall_dexopt
957        -system_server
958    } vendor_app_file:file r_file_perms;
959')
960
961full_treble_only(`
962    # Limit access to /vendor/overlay
963    neverallow {
964        coredomain
965        -appdomain
966        -idmap
967        -init
968        -installd
969        -system_server
970        -webview_zygote
971        -zygote
972    } vendor_overlay_file:dir { getattr open read search };
973')
974
975full_treble_only(`
976    neverallow {
977        coredomain
978        -appdomain
979        -idmap
980        -init
981        -installd
982        -system_server
983        -webview_zygote
984        -zygote
985    } vendor_overlay_file:file r_file_perms;
986')
987
988full_treble_only(`
989    # Non-vendor domains are not allowed to file execute shell
990    # from vendor
991    neverallow {
992        coredomain
993        -init
994        -shell
995    } vendor_shell_exec:file { execute execute_no_trans };
996')
997
998full_treble_only(`
999    # Do not allow vendor components to execute files from system
1000    # except for the ones allowlist here.
1001    neverallow {
1002        domain
1003        -coredomain
1004        -appdomain
1005        -vendor_executes_system_violators
1006        -vendor_init
1007    } {
1008        exec_type
1009        -vendor_file_type
1010        -crash_dump_exec
1011        -netutils_wrapper_exec
1012    }:file { entrypoint execute execute_no_trans };
1013')
1014
1015full_treble_only(`
1016    # Do not allow system components to execute files from vendor
1017    # except for the ones allowlisted here.
1018    neverallow {
1019      coredomain
1020      -init
1021      -shell
1022      -system_executes_vendor_violators
1023    } {
1024      vendor_file_type
1025      -same_process_hal_file
1026      -vndk_sp_file
1027      -vendor_app_file
1028    }:file execute;
1029')
1030
1031full_treble_only(`
1032    neverallow {
1033      coredomain
1034      -shell
1035      -system_executes_vendor_violators
1036    } vendor_file_type:file execute_no_trans;
1037')
1038
1039# Only authorized processes should be writing to files in /data/dalvik-cache
1040neverallow {
1041  domain
1042  -init # TODO: limit init to relabelfrom for files
1043  -zygote
1044  -installd
1045  -postinstall_dexopt
1046  -cppreopts
1047  -dex2oat
1048  -otapreopt_slot
1049} dalvikcache_data_file:file no_w_file_perms;
1050
1051neverallow {
1052  domain
1053  -init
1054  -installd
1055  -postinstall_dexopt
1056  -cppreopts
1057  -dex2oat
1058  -zygote
1059  -otapreopt_slot
1060} dalvikcache_data_file:dir no_w_dir_perms;
1061
1062# Only system_server should be able to send commands via the zygote socket
1063neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
1064neverallow { domain -system_server } zygote_socket:sock_file write;
1065
1066neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
1067neverallow { domain -system_server } webview_zygote:sock_file write;
1068
1069neverallow {
1070  domain
1071  -tombstoned
1072  -crash_dump
1073  -dumpstate
1074  -incidentd
1075  -system_server
1076
1077  # Processes that can't exec crash_dump
1078  -mediacodec
1079  -mediaextractor
1080} tombstoned_crash_socket:unix_stream_socket connectto;
1081
1082# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
1083# the tombstoned intercept socket.
1084neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
1085neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
1086
1087# Android does not support System V IPCs.
1088#
1089# The reason for this is due to the fact that, by design, they lead to global
1090# kernel resource leakage.
1091#
1092# For example, there is no way to automatically release a SysV semaphore
1093# allocated in the kernel when:
1094#
1095# - a buggy or malicious process exits
1096# - a non-buggy and non-malicious process crashes or is explicitly killed.
1097#
1098# Killing processes automatically to make room for new ones is an
1099# important part of Android's application lifecycle implementation. This means
1100# that, even assuming only non-buggy and non-malicious code, it is very likely
1101# that over time, the kernel global tables used to implement SysV IPCs will fill
1102# up.
1103neverallow * *:{ shm sem msg msgq } *;
1104
1105# Do not mount on top of symlinks, fifos, or sockets.
1106# Feature parity with Chromium LSM.
1107neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
1108
1109# Nobody should be able to execute su on user builds.
1110# On userdebug/eng builds, only dumpstate, shell, and
1111# su itself execute su.
1112neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
1113
1114# Do not allow the introduction of new execmod rules. Text relocations
1115# and modification of executable pages are unsafe.
1116# The only exceptions are for NDK text relocations associated with
1117# https://code.google.com/p/android/issues/detail?id=23203
1118# which, long term, need to go away.
1119neverallow * {
1120  file_type
1121  -apk_data_file
1122  -app_data_file
1123  -asec_public_file
1124}:file execmod;
1125
1126# Do not allow making the stack or heap executable.
1127# We would also like to minimize execmem but it seems to be
1128# required by some device-specific service domains.
1129neverallow * self:process { execstack execheap };
1130
1131# prohibit non-zygote spawned processes from using shared libraries
1132# with text relocations. b/20013628 .
1133neverallow { domain -untrusted_app_all } file_type:file execmod;
1134
1135neverallow { domain -init } proc:{ file dir } mounton;
1136
1137# Ensure that all types assigned to processes are included
1138# in the domain attribute, so that all allow and neverallow rules
1139# written on domain are applied to all processes.
1140# This is achieved by ensuring that it is impossible to transition
1141# from a domain to a non-domain type and vice versa.
1142# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
1143neverallow ~domain domain:process { transition dyntransition };
1144
1145#
1146# Only system_app and system_server should be creating or writing
1147# their files. The proper way to share files is to setup
1148# type transitions to a more specific type or assigning a type
1149# to its parent directory via a file_contexts entry.
1150# Example type transition:
1151#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
1152#
1153neverallow {
1154  domain
1155  -system_server
1156  -system_app
1157  -init
1158  -installd # for relabelfrom and unlink, check for this in explicit neverallow
1159  -vold_prepare_subdirs # For unlink
1160  with_asan(`-asan_extract')
1161} system_data_file:file no_w_file_perms;
1162# do not grant anything greater than r_file_perms and relabelfrom unlink
1163# to installd
1164neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
1165
1166# respect system_app sandboxes
1167neverallow {
1168  domain
1169  -appdomain # finer-grained rules for appdomain are listed below
1170  -system_server #populate com.android.providers.settings/databases/settings.db.
1171  -installd # creation of app sandbox
1172  -traced_probes # resolve inodes for i/o tracing.
1173                 # only needs open and read, the rest is neverallow in
1174                 # traced_probes.te.
1175} system_app_data_file:dir_file_class_set { create unlink open };
1176neverallow {
1177  isolated_app
1178  untrusted_app_all # finer-grained rules for appdomain are listed below
1179  ephemeral_app
1180  priv_app
1181} system_app_data_file:dir_file_class_set { create unlink open };
1182
1183
1184# Services should respect app sandboxes
1185neverallow {
1186  domain
1187  -appdomain
1188  -installd # creation of sandbox
1189} app_data_file:dir_file_class_set { create unlink };
1190
1191#
1192# Only these domains should transition to shell domain. This domain is
1193# permissible for the "shell user". If you need a process to exec a shell
1194# script with differing privilege, define a domain and set up a transition.
1195#
1196neverallow {
1197  domain
1198  -adbd
1199  -init
1200  -runas
1201  -zygote
1202} shell:process { transition dyntransition };
1203
1204# Only domains spawned from zygote and runas may have the appdomain attribute.
1205neverallow { domain -runas -webview_zygote -zygote } {
1206  appdomain -shell userdebug_or_eng(`-su')
1207}:process { transition dyntransition };
1208
1209# Minimize read access to shell- or app-writable symlinks.
1210# This is to prevent malicious symlink attacks.
1211neverallow {
1212  domain
1213  -appdomain
1214  -installd
1215  -uncrypt  # TODO: see if we can remove
1216} app_data_file:lnk_file read;
1217
1218neverallow {
1219  domain
1220  -shell
1221  userdebug_or_eng(`-uncrypt')
1222  -installd
1223} shell_data_file:lnk_file read;
1224
1225# In addition to the symlink reading restrictions above, restrict
1226# write access to shell owned directories. The /data/local/tmp
1227# directory is untrustworthy, and non-allowlisted domains should
1228# not be trusting any content in those directories.
1229neverallow {
1230  domain
1231  -adbd
1232  -dumpstate
1233  -installd
1234  -init
1235  -shell
1236  -vold
1237} shell_data_file:dir no_w_dir_perms;
1238
1239neverallow {
1240  domain
1241  -adbd
1242  -appdomain
1243  -dumpstate
1244  -init
1245  -installd
1246  -system_server # why?
1247  userdebug_or_eng(`-uncrypt')
1248} shell_data_file:dir { open search };
1249
1250# Same as above for /data/local/tmp files. We allow shell files
1251# to be passed around by file descriptor, but not directly opened.
1252neverallow {
1253  domain
1254  -adbd
1255  -appdomain
1256  -dumpstate
1257  -installd
1258  userdebug_or_eng(`-uncrypt')
1259} shell_data_file:file open;
1260
1261# servicemanager and vndservicemanager are the only processes which handle the
1262# service_manager list request
1263neverallow * ~{
1264    servicemanager
1265    vndservicemanager
1266    }:service_manager list;
1267
1268# hwservicemanager is the only process which handles hw list requests
1269neverallow * ~{
1270    hwservicemanager
1271    }:hwservice_manager list;
1272
1273# only service_manager_types can be added to service_manager
1274# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
1275
1276# Prevent assigning non property types to properties
1277# TODO - rework this: neverallow * ~property_type:property_service set;
1278
1279# Domain types should never be assigned to any files other
1280# than the /proc/pid files associated with a process. The
1281# executable file used to enter a domain should be labeled
1282# with its own _exec type, not with the domain type.
1283# Conventionally, this looks something like:
1284# $ cat mydaemon.te
1285# type mydaemon, domain;
1286# type mydaemon_exec, exec_type, file_type;
1287# init_daemon_domain(mydaemon)
1288# $ grep mydaemon file_contexts
1289# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
1290neverallow * domain:file { execute execute_no_trans entrypoint };
1291
1292# Do not allow access to the generic debugfs label. This is too broad.
1293# Instead, if access to part of debugfs is desired, it should have a
1294# more specific label.
1295# TODO: fix system_server and dumpstate
1296neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
1297
1298# Profiles contain untrusted data and profman parses that. We should only run
1299# in from installd forked processes.
1300neverallow {
1301  domain
1302  -installd
1303  -profman
1304} profman_exec:file no_x_file_perms;
1305
1306# Enforce restrictions on kernel module origin.
1307# Do not allow kernel module loading except from system,
1308# vendor, and boot partitions.
1309neverallow * ~{ system_file vendor_file rootfs }:system module_load;
1310
1311# Only allow filesystem caps to be set at build time. Runtime changes
1312# to filesystem capabilities are not permitted.
1313neverallow * self:global_capability_class_set setfcap;
1314
1315# Enforce AT_SECURE for executing crash_dump.
1316neverallow domain crash_dump:process noatsecure;
1317
1318# Do not permit non-core domains to register HwBinder services which are
1319# guaranteed to be provided by core domains only.
1320neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
1321
1322# Do not permit the registeration of HwBinder services which are guaranteed to
1323# be passthrough only (i.e., run in the process of their clients instead of a
1324# separate server process).
1325neverallow * same_process_hwservice:hwservice_manager add;
1326
1327# On TREBLE devices, most coredomains should not access vendor_files.
1328# TODO(b/71553434): Remove exceptions here.
1329full_treble_only(`
1330  neverallow {
1331    coredomain
1332    -appdomain
1333    -bootanim
1334    -crash_dump
1335    -init
1336    -kernel
1337    -perfprofd
1338    -ueventd
1339  } vendor_file:file { no_w_file_perms no_x_file_perms open };
1340')
1341
1342# Minimize dac_override and dac_read_search.
1343# Instead of granting them it is usually better to add the domain to
1344# a Unix group or change the permissions of a file.
1345neverallow {
1346  domain
1347  -dnsmasq
1348  -dumpstate
1349  -init
1350  -installd
1351  -install_recovery
1352  -lmkd
1353  -netd
1354  -perfprofd
1355  -postinstall_dexopt
1356  -recovery
1357  -sdcardd
1358  -tee
1359  -ueventd
1360  -uncrypt
1361  -vendor_init
1362  -vold
1363  -vold_prepare_subdirs
1364  -zygote
1365} self:capability dac_override;
1366neverallow { domain -traced_probes } self:capability dac_read_search;
1367
1368# If an already existing file is opened with O_CREAT, the kernel might generate
1369# a false report of a create denial. Silence these denials and make sure that
1370# inappropriate permissions are not granted.
1371
1372# These filesystems don't allow files or directories to be created, so the permission
1373# to do so should never be granted.
1374neverallow domain {
1375  proc_type
1376  sysfs_type
1377}:dir { add_name create link remove_name rename reparent rmdir write };
1378
1379# cgroupfs directories can be created, but not files within them.
1380neverallow domain cgroup:file create;
1381
1382dontaudit domain proc_type:dir write;
1383dontaudit domain sysfs_type:dir write;
1384dontaudit domain cgroup:file create;
1385
1386# These are only needed in permissive mode - in enforcing mode the
1387# directory write check fails and so these are never attempted.
1388userdebug_or_eng(`
1389  dontaudit domain proc_type:dir add_name;
1390  dontaudit domain sysfs_type:dir add_name;
1391  dontaudit domain proc_type:file create;
1392  dontaudit domain sysfs_type:file create;
1393')
1394
1395# Platform must not have access to /mnt/vendor.
1396neverallow {
1397  coredomain
1398  -init
1399} mnt_vendor_file:dir *;
1400