# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
# The su exclusion is wrapped in userdebug_or_eng() so that the source set
# only mentions su on userdebug/eng builds (presumably because the su
# domain is not defined on user builds; the macro definition is not in
# this file).
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
# crash_dump runs as a child of the crashing process, so every domain must be
# able to receive SIGCHLD from it when it exits.
allow domain crash_dump:process sigchld;
7
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
# The whole grant is inside userdebug_or_eng(), so user builds get nothing
# here. A fixed deny-list of core system daemons (init, kernel, keystore,
# logd, vold, ...) is carved out of `domain` and therefore stays unprofiled
# even on debug builds.
userdebug_or_eng(`can_profile_heap({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
})')
30
# As above, allow perf profiling most processes on debug builds.
# zygote is excluded as system-wide profiling could end up with it
# (unexpectedly) holding an open fd across a fork.
# The exclusion list is identical to the can_profile_heap list above plus
# zygote; keep the two lists in sync when adding a daemon to either.
userdebug_or_eng(`can_profile_perf({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
  -zygote
})')
51
# Everyone can access the IncFS list of features.
# Read-only (r_dir_file) access for every domain; no write permission is
# granted on this sysfs node.
r_dir_file(domain, sysfs_fs_incfs_features);
54
# Path resolution access in cgroups.
# Every domain may traverse cgroup directories; write access to cgroup
# directories and files is granted to every domain except appdomain and rs
# (rs is spawned by app processes, see the app data rules further down).
# Note that this is a broad grant: any non-app domain can move tasks
# between cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;

# Same split for the cgroup v2 hierarchy.
allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;

# cgroup.rc and the task profile definitions are readable by every domain;
# only their writers are restricted (see the cgroup_rc_file neverallow below).
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
69
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);

# Read access to sdkextensions props
# NOTE(review): unlike the neighbouring get_prop() lines this one has no
# trailing `;`. It presumably compiles because the macro expansion carries
# its own terminator, but the inconsistency is worth confirming.
get_prop(domain, module_sdkextensions_prop)

# Read access to bq configuration values
get_prop(domain, bq_config_prop);
79
# For now, everyone can access core property files
# Device specific properties are not granted by default
# The two blocks below are alternative expansions selected by the build
# (not_compatible_property vs compatible_property_only); presumably only one
# of them is active for a given device. The compatible-property branch is the
# tighter one: it scopes each property type to coredomain/appdomain/shell
# instead of the whole of domain, and restricts vendor_default_prop to
# non-core, non-app domains.
not_compatible_property(`
    # DO NOT ADD ANY PROPERTIES HERE
    get_prop(domain, core_property_type)
    get_prop(domain, exported3_system_prop)
    get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
    # DO NOT ADD ANY PROPERTIES HERE
    get_prop({coredomain appdomain shell}, core_property_type)
    get_prop({coredomain appdomain shell}, exported3_system_prop)
    get_prop({coredomain appdomain shell}, exported_camera_prop)
    get_prop({coredomain shell}, userspace_reboot_exported_prop)
    get_prop({coredomain shell}, userspace_reboot_log_prop)
    get_prop({coredomain shell}, userspace_reboot_test_prop)
    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
98
# Allow access to fsverity keyring.
# Only `search` is granted on these keys: domains can look them up for
# verification but cannot read, write or link them.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
# Debug builds only; su keys are never searchable on user builds.
userdebug_or_eng(`
  allow domain su:key search;
')
107
# Allow access to linkerconfig file
# Every process needs to read the linker configuration at startup; access is
# read-only here.
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;

# Allow all processes to check for the existence of the boringssl_self_test_marker files.
# Only directory search is granted, enough to stat the marker; reading or
# creating the marker files is not covered by this rule.
allow domain boringssl_self_test_marker:dir search;
114
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
# This is a neverallow on CAP_SYS_PTRACE for the domain itself (self). The
# exemptions wrapped in userdebug_or_eng() apply on debug builds only, so on
# user builds only vold, dumpstate, storaged and system_server may hold the
# capability.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  userdebug_or_eng(`-profcollectd')
  -storaged
  -system_server
} self:global_capability_class_set sys_ptrace;
127
# Limit ability to generate hardware unique device ID attestations to priv_apps
# Both the legacy keystore_key class and keystore2_key are covered so the
# restriction holds regardless of which keystore interface a caller uses.
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
# Device-ID attestation and the namespace-wide management operations on
# keystore2 (clear_ns, lock, reset, unlock) are reserved for system_server.
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
133
# Only init and vendor_init may read/write debugfs_tracing_debug files.
# On userdebug/eng builds the `-domain` term removes every domain from the
# source set, so this neverallow is vacuous there and only constrains user
# builds.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
140
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
# Directories: no permission at all for other domains. Files: everything
# except getattr and read is forbidden, so other domains may at most be
# granted read access to individual dropbox entries.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
145
146###
147# Services should respect app sandboxes
148neverallow {
149  domain
150  -appdomain
151  -installd # creation of sandbox
152} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
153
154# Only the following processes should be directly accessing private app
155# directories.
156neverallow {
157  domain
158  -adbd
159  -appdomain
160  -app_zygote
161  -dexoptanalyzer
162  -installd
163  -iorap_inode2filename
164  -iorap_prefetcherd
165  -profman
166  -rs # spawned by appdomain, so carryover the exception above
167  -runas
168  -system_server
169  -viewcompiler
170  -zygote
171} { privapp_data_file app_data_file }:dir *;
172
173# Only apps should be modifying app data. installd is exempted for
174# restorecon and package install/uninstall.
175neverallow {
176  domain
177  -appdomain
178  -installd
179  -rs # spawned by appdomain, so carryover the exception above
180} { privapp_data_file app_data_file }:dir ~r_dir_perms;
181
182neverallow {
183  domain
184  -appdomain
185  -app_zygote
186  -installd
187  -iorap_prefetcherd
188  -rs # spawned by appdomain, so carryover the exception above
189} { privapp_data_file app_data_file }:file_class_set open;
190
191neverallow {
192  domain
193  -appdomain
194  -installd # creation of sandbox
195} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
196
197neverallow {
198  domain
199  -installd
200} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
201
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
# Note that the file rule exempts a wider set (system_app, adbd, kernel) than
# the dir rule; those domains can touch staged files but not the staging
# directories themselves.
neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
# Write access to the staging directories is further restricted to init,
# system_server and installd (the missing space before `}` is cosmetic).
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
  { append create relabelfrom rename setattr write no_x_file_perms };
213
# Nothing but apps, bootanim and recovery may execute files that carry a
# filesystem label (fs_type) rather than a regular file label; rootfs is
# excluded from the target set. The per-domain reasons are given inline.
neverallow {
    domain
    -appdomain # for oemfs
    -bootanim # for oemfs
    -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
220
221#
222# Assert that, to the extent possible, we're not loading executable content from
223# outside the rootfs or /system partition except for a few allowlisted domains.
224# Executable files loaded from /data is a persistence vector
225# we want to avoid. See
226# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
227#
228neverallow {
229    domain
230    -appdomain
231    with_asan(`-asan_extract')
232    -iorap_prefetcherd
233    -shell
234    userdebug_or_eng(`-su')
235    -system_server_startup # for memfd backed executable regions
236    -app_zygote
237    -webview_zygote
238    -zygote
239    userdebug_or_eng(`-mediaextractor')
240    userdebug_or_eng(`-mediaswcodec')
241} {
242    file_type
243    -system_file_type
244    -system_lib_file
245    -system_linker_exec
246    -vendor_file_type
247    -exec_type
248    -postinstall_file
249}:file execute;
250
# Only init is allowed to write cgroup.rc file
# (vendor_init is exempted as well; every other domain is read-only, matching
# the r_file_perms grant earlier in this file).
neverallow {
  domain
  -init
  -vendor_init
} cgroup_rc_file:file no_w_file_perms;
257
# Only authorized processes should be writing to files in /data/dalvik-cache
# The file rule and the dir rule below carry the same exemption list; keep
# them in sync when adding a dexopt-related domain.
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;

# Same set of writers for the dalvik-cache directories.
neverallow {
  domain
  -init
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -zygote
  -otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;
280
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
# The file rule and the dir rule below share one exemption list; keep them in
# sync.
neverallow {
  domain
  # art processes
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;

# Same writers for the directories.
neverallow {
  domain
  # art processes
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;
304
# Protect most domains from executing arbitrary content from /data.
# Only app processes are exempt on the source side. On the target side the
# dexopt outputs (apex_art_data_file, dalvikcache_data_file), installed APKs
# and system_data_file (shared libs inside apks) are carved out because
# executing them is expected.
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
316
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# dac_override_allowed is an m4 macro expanding to the set of domains that may
# hold CAP_DAC_OVERRIDE; llkd is only a member on userdebug/eng builds.
define(`dac_override_allowed', `{
  apexd
  dnsmasq
  dumpstate
  init
  installd
  userdebug_or_eng(`llkd')
  lmkd
  migrate_legacy_obb_data
  netd
  postinstall_dexopt
  recovery
  rss_hwm_reset
  sdcardd
  tee
  ueventd
  uncrypt
  vendor_init
  vold
  vold_prepare_subdirs
  zygote
}')
# `~set` is the complement: every domain not listed above is denied
# dac_override on itself.
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials.  Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
  dac_override_allowed
  iorap_inode2filename
  iorap_prefetcherd
  traced_perf
  traced_probes
  heapprofd
} self:global_capability_class_set dac_read_search;
355
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
# fastbootd is exempted only in recovery policy (recovery_only()).
neverallow {
    domain
    -apexd
    recovery_only(`-fastbootd')
    -init
    -kernel
    -otapreopt_chroot
    -recovery
    -update_engine
    -vold
    -zygote
} { fs_type
    -sdcard_type
}:filesystem { mount remount relabelfrom relabelto };
373
# When the debugfs restriction is enforced, no domain may mount or relabel
# debugfs filesystems (tracing debugfs excepted); init is exempt on
# userdebug/eng builds only.
enforce_debugfs_restriction(`
  neverallow {
    domain userdebug_or_eng(`-init')
  } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')
379
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
# "Do not apply to debug builds" is implemented by `userdebug_or_eng(`-domain')`,
# which empties the source set on userdebug/eng; the remaining exemptions are
# what holds on user builds.
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -gsid
  -init
  -recovery
  -ueventd
  -healthd
  -uncrypt
  -tee
  -hal_bootctl_server
  -fastbootd
} self:global_capability_class_set sys_rawio;
395
# Limit directory operations to the domains that need to do app data isolation.
# Only init, installd and zygote may touch mirror_data_file directories at all.
neverallow {
  domain
  -init
  -installd
  -zygote
} mirror_data_file:dir *;
403
# This property is being removed. Remove remaining access.
# Setting is limited to init, system_server and vendor_init; dumpstate may
# additionally read it.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;

# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

# Do not allow reading the last boot timestamp from system properties
# (init, system_server and dumpstate are the only readers).
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

# Kprobes should only be used by adb root
# The rule itself exempts only init and vendor_init; su is presumably covered
# by being permissive on debug builds rather than by an exemption here.
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
417
# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
# Write, execute and open are all denied to coredomain on vendor_file; the
# profcollectd exemption exists on userdebug/eng builds only.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -bootanim
    -crash_dump
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -init
    -iorap_inode2filename
    -iorap_prefetcherd
    -kernel
    -traced_perf
    -ueventd
  } vendor_file:file { no_w_file_perms no_x_file_perms open };
')
436
# Vendor domains are not permitted to initiate communications to core domain sockets
# Source: every non-core, non-app domain that is not a registered violator.
# Target: coredomain minus the daemons whose sockets are a public vendor
# interface; the heapprofd and traced_perf carve-outs exist on debug builds only.
full_treble_only(`
  neverallow_establish_socket_comms({
    domain
    -coredomain
    -appdomain
    -socket_between_core_and_vendor_violators
  }, {
    coredomain
    -logd # Logging by writing to logd Unix domain socket is public API
    -netd # netdomain needs this
    -mdnsd # netdomain needs this
    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
    -init
    -tombstoned # linker to tombstoned
    userdebug_or_eng(`-heapprofd')
    userdebug_or_eng(`-traced_perf')
  });
')
456
# Broader than the vendor_file rule above: this denies every file permission
# on all vendor_file_type labels, except the labels listed in the target set
# that the framework is expected to read (configs, overlays, public libs,
# same-process HALs, etc.).
full_treble_only(`
  # Do not allow system components access to /vendor files except for the
  # ones allowed here.
  neverallow {
    coredomain
    # TODO(b/37168747): clean up fwk access to /vendor
    -crash_dump
    -init # starts vendor executables
    -iorap_inode2filename
    -iorap_prefetcherd
    -kernel # loads /vendor/firmware
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -shell
    -system_executes_vendor_violators
    -traced_perf # library/binary access for symbolization
    -ueventd # reads /vendor/ueventd.rc
    -vold # loads incremental fs driver
  } {
    vendor_file_type
    -same_process_hal_file
    -vendor_app_file
    -vendor_apex_file
    -vendor_configs_file
    -vendor_service_contexts_file
    -vendor_framework_file
    -vendor_idc_file
    -vendor_keychars_file
    -vendor_keylayout_file
    -vendor_overlay_file
    -vendor_public_framework_file
    -vendor_public_lib_file
    -vendor_task_profiles_file
    -vndk_sp_file
  }:file *;
')
493
# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;

# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
# Covers every file class (dir_file_class_set), not just directories.
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
503
# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
# (which is why dumpstate is exempted here as well).
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
} mm_events_config_prop:file no_rw_file_perms;
512
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are replaced with symbol
# names (if available). Traces don't disclose KASLR.
# Only open/read are restricted here; profcollectd is exempt on debug builds
# only.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  -vendor_init
  -traced_probes
  -traced_perf
} proc_kallsyms:file { open read };
524
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
# When the debugfs restriction is enforced, no read/write access to debugfs
# files (tracefs excluded) is allowed. The init, hal_dumpstate and debugfs_kcov
# carve-outs exist on userdebug/eng builds only, so user builds exempt
# nothing but vendor_modprobe.
enforce_debugfs_restriction(`
  neverallow {
    domain
    -vendor_modprobe
    userdebug_or_eng(`
      -init
      -hal_dumpstate
    ')
  } { debugfs_type
      userdebug_or_eng(`-debugfs_kcov')
      -tracefs_type
  }:file no_rw_file_perms;
')
542