1get_prop(coredomain, boot_status_prop)
2get_prop(coredomain, camera_config_prop)
3get_prop(coredomain, dalvik_config_prop)
4get_prop(coredomain, dalvik_runtime_prop)
5get_prop(coredomain, exported_pm_prop)
6get_prop(coredomain, ffs_config_prop)
7get_prop(coredomain, graphics_config_prop)
8get_prop(coredomain, hdmi_config_prop)
9get_prop(coredomain, init_service_status_private_prop)
10get_prop(coredomain, lmkd_config_prop)
11get_prop(coredomain, localization_prop)
12get_prop(coredomain, pm_prop)
13get_prop(coredomain, radio_control_prop)
14get_prop(coredomain, rollback_test_prop)
15get_prop(coredomain, setupwizard_prop)
16get_prop(coredomain, sqlite_log_prop)
17get_prop(coredomain, storagemanager_config_prop)
18get_prop(coredomain, surfaceflinger_color_prop)
19get_prop(coredomain, systemsound_config_prop)
20get_prop(coredomain, telephony_config_prop)
21get_prop(coredomain, usb_config_prop)
22get_prop(coredomain, usb_control_prop)
23get_prop(coredomain, userspace_reboot_config_prop)
24get_prop(coredomain, vold_config_prop)
25get_prop(coredomain, vts_status_prop)
26get_prop(coredomain, zygote_config_prop)
27get_prop(coredomain, zygote_wrap_prop)
28
29# TODO(b/170590987): remove this after cleaning up default_prop
30get_prop(coredomain, default_prop)
31
32full_treble_only(`
33neverallow {
34    coredomain
35
36    # for chowning
37    -init
38
39    # generic access to sysfs_type
40    -ueventd
41    -vold
42} sysfs_leds:file *;
43')
44
45# On TREBLE devices, a limited set of files in /vendor are accessible to
46# only a few allowlisted coredomains to keep system/vendor separation.
47full_treble_only(`
48    # Limit access to /vendor/app
49    neverallow {
50        coredomain
51        -appdomain
52        -dex2oat
53        -dexoptanalyzer
54        -idmap
55        -init
56        -installd
57        -heapprofd
58        -postinstall_dexopt
59        -rs # spawned by appdomain, so carryover the exception above
60        -system_server
61        -traced_perf
62    } vendor_app_file:dir { open read getattr search };
63')
64
65full_treble_only(`
66    neverallow {
67        coredomain
68        -appdomain
69        -dex2oat
70        -dexoptanalyzer
71        -idmap
72        -init
73        -installd
74        -heapprofd
75        userdebug_or_eng(`-profcollectd')
76        -postinstall_dexopt
77        -rs # spawned by appdomain, so carryover the exception above
78        -system_server
79        -traced_perf
80        -mediaserver
81    } vendor_app_file:file r_file_perms;
82')
83
84full_treble_only(`
85    # Limit access to /vendor/overlay
86    neverallow {
87        coredomain
88        -appdomain
89        -idmap
90        -init
91        -installd
92        -iorap_inode2filename
93        -iorap_prefetcherd
94        -postinstall_dexopt
95        -rs # spawned by appdomain, so carryover the exception above
96        -system_server
97        -traced_perf
98        -app_zygote
99        -webview_zygote
100        -zygote
101        -heapprofd
102    } vendor_overlay_file:dir { getattr open read search };
103')
104
105full_treble_only(`
106    neverallow {
107        coredomain
108        -appdomain
109        -idmap
110        -init
111        -installd
112        -iorap_inode2filename
113        -iorap_prefetcherd
114        -postinstall_dexopt
115        -rs # spawned by appdomain, so carryover the exception above
116        -system_server
117        -traced_perf
118        -app_zygote
119        -webview_zygote
120        -zygote
121        -heapprofd
122        userdebug_or_eng(`-profcollectd')
123    } vendor_overlay_file:file open;
124')
125
126# Core domains are not permitted to use kernel interfaces which are not
127# explicitly labeled.
128# TODO(b/65643247): Apply these neverallow rules to all coredomain.
129full_treble_only(`
130  # /proc
131  neverallow {
132    coredomain
133    -init
134    -vold
135  } proc:file no_rw_file_perms;
136
137  # /sys
138  neverallow {
139    coredomain
140    -init
141    -ueventd
142    -vold
143  } sysfs:file no_rw_file_perms;
144
145  # /dev
146  neverallow {
147    coredomain
148    -fsck
149    -init
150    -ueventd
151  } device:{ blk_file file } no_rw_file_perms;
152
153  # debugfs
154  neverallow {
155    coredomain
156    no_debugfs_restriction(`
157      -dumpstate
158      -init
159      -system_server
160    ')
161  } debugfs:file no_rw_file_perms;
162
163  # tracefs
164  neverallow {
165    coredomain
166    -atrace
167    -dumpstate
168    -gpuservice
169    -init
170    -traced_perf
171    -traced_probes
172    -shell
173    -system_server
174    -traceur_app
175    userdebug_or_eng(`-profcollectd')
176  } debugfs_tracing:file no_rw_file_perms;
177
178  # inotifyfs
179  neverallow {
180    coredomain
181    -init
182  } inotify:file no_rw_file_perms;
183
184  # pstorefs
185  neverallow {
186    coredomain
187    -bootstat
188    -charger
189    -dumpstate
190    -healthd
191    userdebug_or_eng(`-incidentd')
192    -init
193    -logd
194    -logpersist
195    -recovery_persist
196    -recovery_refresh
197    -shell
198    -system_server
199  } pstorefs:file no_rw_file_perms;
200
201  # configfs
202  neverallow {
203    coredomain
204    -init
205    -system_server
206  } configfs:file no_rw_file_perms;
207
208  # functionfs
209  neverallow {
210    coredomain
211    -adbd
212    -init
213    -mediaprovider
214    -system_server
215  } functionfs:file no_rw_file_perms;
216
217  # usbfs and binfmt_miscfs
218  neverallow {
219    coredomain
220    -init
221  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
222
223  # dmabuf heaps
224  neverallow {
225    coredomain
226    -init
227    -ueventd
228  }{
229    dmabuf_heap_device_type
230    -dmabuf_system_heap_device
231    -dmabuf_system_secure_heap_device
232  }:chr_file no_rw_file_perms;
233')
234
235# Following /dev nodes must not be directly accessed by coredomain, but should
236# instead be wrapped by HALs.
237neverallow coredomain {
238  iio_device
239  radio_device
240}:chr_file { open read append write ioctl };
241
242# TODO(b/120243891): HAL permission to tee_device is included into coredomain
243# on non-Treble devices.
244full_treble_only(`
245  neverallow coredomain tee_device:chr_file { open read append write ioctl };
246')
247