# Rules for all domains.
#
# Every process type in the policy is expected to carry the `domain`
# attribute, so the allow rules below are the baseline access granted to
# every process, and the neverallow rules at the bottom are invariants that
# the policy compiler checks against the whole policy at build time.
# Wrappers such as userdebug_or_eng(...), full_treble_only(...),
# not_full_treble(...) and with_asan(...) include the rules they wrap only
# for the matching build configuration.

# Allow reaping by init.
allow domain init:process sigchld;

# Intra-domain accesses.
# Note: `setcap` here is the process-class permission to change the
# process's own capability sets; the capabilities themselves are granted per
# domain through the capability classes, not by this rule.
allow domain self:process {
    fork
    sigchld
    sigkill
    sigstop
    signull
    signal
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    getattr
    setrlimit
};
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net_type:dir search;
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
allow domain init:fd use;

# Debug-build only: lets any process interact with a root shell (su) for
# debugging; none of this is present on user builds.
userdebug_or_eng(`
  allow domain su:fd use;
  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
  allow domain su:unix_dgram_socket sendto;

  allow { domain -init } su:binder { call transfer };

  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  allow domain su:process sigchld;

  # Allow writing coredumps to /cores/*
  allow domain coredump_file:file create_file_perms;
  allow domain coredump_file:dir ra_dir_perms;
')

with_native_coverage(`
  # Allow writing coverage information to /data/misc/trace
  allow domain method_trace_data_file:dir create_dir_perms;
  allow domain method_trace_data_file:file create_file_perms;
')

# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain dmabuf_heap_device:dir r_dir_perms;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;

# /dev/ashmem is being deprecated by means of constraining and eventually
# removing all "open" permissions. We preserve the other permissions.
allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
# This device is used by libcutils, which is accessible to everyone.
allow domain ashmem_libcutils_device:chr_file rw_file_perms;

# /dev/binder can be accessed by ... everyone! :)
# (hwservicemanager and vndservicemanager are excluded; the neverallow rules
# below pin each service manager to its own device node.)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;

# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };

# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;

allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain proc_random:dir r_dir_perms;
allow domain proc_random:file r_file_perms;
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file r_file_perms;
allow domain property_info:file r_file_perms;

# Public readable properties
get_prop(domain, aaudio_config_prop)
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
get_prop(domain, build_vendor_prop)
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, fingerprint_prop)
get_prop(domain, hal_instrumentation_prop)
get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
get_prop(domain, vts_config_prop)

# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
get_prop(domain, binder_cache_telephony_server_prop)

# Let everyone read log properties, so that liblog can avoid sending
# unloggable messages to logd.
get_prop(domain, log_property_type)
# Suppress audit noise from access(2) probes on property files; this does not
# grant anything.
dontaudit domain property_type:file audit_access;
allow domain property_contexts_file:file r_file_perms;

allow domain init:key search;
allow domain vold:key search;

# logd access
write_logd(domain)

# Directory/link file access for path resolution.
allow domain {
    system_file
    system_lib_file
    system_seccomp_policy_file
    system_security_cacerts_file
}:dir r_dir_perms;
allow domain system_file:lnk_file { getattr read };

# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
allow domain system_seccomp_policy_file:file r_file_perms;
# cacerts are accessible from public Java API.
allow domain system_security_cacerts_file:file r_file_perms;
allow domain system_group_file:file r_file_perms;
allow domain system_passwd_file:file r_file_perms;
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
allow domain system_linker_exec:lnk_file { read open getattr };
allow domain system_lib_file:lnk_file { read open getattr };

allow domain system_event_log_tags_file:file r_file_perms;

# Execute access to generic system files is granted only to app and core
# domains here; on non-Treble devices it is widened to all domains below.
allow { appdomain coredomain } system_file:file { execute read open getattr map };

# Make sure system/vendor split does not affect non-treble
# devices
not_full_treble(`
  allow domain system_file:file { execute read open getattr map };
  allow domain vendor_file_type:dir { search getattr };
  allow domain vendor_file_type:file { execute read open getattr map };
  allow domain vendor_file_type:lnk_file { getattr read };
')

# All domains are allowed to open and read directories
# that contain HAL implementations (e.g. passthrough
# HALs require clients to have these permissions)
allow domain vendor_hal_file:dir r_dir_perms;

# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir r_dir_perms;
allow {
    domain
    -coredomain # access is explicitly granted to individual coredomains
} same_process_hal_file:file { execute read open getattr map };

# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
allow domain vndk_sp_file:dir r_dir_perms;
allow domain vndk_sp_file:file { execute read open getattr map };

# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
allow domain vendor_configs_file:file { read open getattr map };

full_treble_only(`
  # Allow all domains to be able to follow /system/vendor and/or
  # /vendor/odm symlinks.
  allow domain vendor_file_type:lnk_file { getattr open read };

  # This is required to be able to search & read /vendor/lib64
  # in order to lookup vendor libraries. The execute permission
  # for coredomains is granted *only* for same process HALs
  allow domain vendor_file:dir { getattr search };

  # Allow reading and executing out of /vendor to all vendor domains
  allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
  allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
  allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
')

# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };

# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
# timezone related information.
# This directory is considered to be a VNDK-stable
allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;

# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)

r_dir_file(domain, sysfs_usb);

# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
allow domain sysfs_transparent_hugepage:dir search;
allow domain sysfs_transparent_hugepage:file r_file_perms;

# files under /data.
not_full_treble(`
  allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_root_file. Vendor components need the search
# permission on system_data_root_file for path traversal to /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
allow domain system_data_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_data_file:dir { getattr search };

# required by the dynamic linker
allow domain proc:lnk_file { getattr read };

# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;

# /dev/cpu_variant:.*
allow domain dev_cpu_variant:file r_file_perms;

# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file r_file_perms;

# toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;

# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;

# Linux lockdown mode offers coarse-grained definitions for access controls.
# The "confidentiality" level detects access to tracefs or the perf subsystem.
# This overlaps with more precise declarations in Android's policy. The
# debugfs_trace_marker above is an example in which all processes should have
# some access to tracefs. Therefore, allow all domains to access this level.
# The "integrity" level is however enforced.
allow domain self:lockdown confidentiality;

# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
  ioctl unpriv_unix_sock_ioctls;

# Restrict PTYs to only allowed ioctls.
# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

# All domains must clearly enumerate what ioctls they use
# on filesystem objects (plain files, directories, symbolic links,
# named pipes, and named sockets). We start off with a safe set.
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };

# If a domain has ioctl access to tun_device, it must clearly enumerate the
# ioctls used. Safe defaults are listed below.
allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };

# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };

# If a domain has access to perform an ioctl on a block device, allow these
# very common, benign ioctls
allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };

# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
allowxperm domain { file_type sdcard_type }:file ioctl {
  F2FS_IOC_ABORT_VOLATILE_WRITE
  F2FS_IOC_COMMIT_ATOMIC_WRITE
  F2FS_IOC_GET_FEATURES
  F2FS_IOC_GET_PIN_FILE
  F2FS_IOC_SET_PIN_FILE
  F2FS_IOC_START_ATOMIC_WRITE
};

# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules.
# The source set { domain -domain } is empty, so these two rules grant nothing;
# they only keep the attribute referenced.
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
# when it's not explicitly used in allow rules
allow { domain -domain } vndservice_manager_type:service_manager { add find };

# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
with_asan(`allow domain system_data_file:dir getattr;')
# Under ASAN, /system/asan.options needs to be globally accessible.
with_asan(`allow domain system_asan_options_file:file r_file_perms;')

# read APEX dir and stat any symlink pointing to APEXs.
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;

###
### neverallow rules
###
### These are not runtime denials: an allow rule anywhere in the policy that
### intersects a neverallow makes the policy fail to compile, so they act as
### build-time assertions on the policy as a whole.
###

# All ioctls on file-like objects (except chr_file) and
# sockets must be restricted to an allowlist.
# Command 0 is used as the probe: a domain holding plain `ioctl` on one of
# these classes without an allowxperm allowlist would in effect be permitted
# every command, including 0, and so trips this rule.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };

# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };

# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * devpts:chr_file ioctl TIOCSTI;

# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit device node creation to these allowed domains.
neverallow {
    domain
    -kernel
    -init
    -ueventd
    -vold
} self:global_capability_class_set mknod;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow * self:global_capability2_class_set mac_override;

# Disallow attempts to set contexts not defined in current policy
# This helps guarantee that unknown or dangerous contents will not ever
# be set.
neverallow * self:global_capability2_class_set mac_admin;

# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
neverallow * kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
    domain
    -shell # For CTS, restricted to just getattr in shell.te
    -ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
    domain
    -shell # stat of /dev, getattr only
    -ueventd
} keychord_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;

# The dynamic linker always calls access(2) on the path. Don't generate SELinux
# denials since the linker does not actually access the path in case the path
# does not exist or isn't accessible for the process.
dontaudit domain postinstall_mnt_dir:dir audit_access;

# Ensure that nothing in userspace can access /dev/port
neverallow {
    domain
    -shell # Shell user should not have any abilities outside of getattr
    -ueventd
} port_device:chr_file *;
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };

# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
neverallow * vendor_init:binder *;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow * *:{ blk_file chr_file } rename;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };

# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;

# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;

# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };

# Nobody should be doing writes to /system & /vendor
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
neverallow {
    domain
    with_asan(`-asan_extract')
    recovery_only(`userdebug_or_eng(`-fastbootd')')
} {
    system_file_type
    vendor_file_type
    exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };

neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;

# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;

# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow * contextmount_type:dir_file_class_set
    { create setattr relabelfrom relabelto append link rename };
neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };

# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager *;
neverallow * default_android_vndservice:service_manager *;
neverallow * default_android_hwservice:hwservice_manager *;

# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security
# decisions are expressed in SELinux policy. However, it's unclear whether this
# lookup has security implications. If it doesn't, hwservicemanager should be
# modified to not offer this lookup.
# This rule can be removed if hwservicemanager is modified to not permit these
# lookups.
neverallow * hidl_base_hwservice:hwservice_manager find;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } vndk_prop:property_service set;

compatible_property_only(`
  neverallow { domain -init } mmc_prop:property_service set;
  neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
  neverallow { domain -init } exported_secure_prop:property_service set;
  neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
  neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
  neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
')

compatible_property_only(`
  neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
  neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
')

neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;

# Do not allow reading device's serial number from system properties except from
# a few allowed domains.
neverallow {
    domain
    -adbd
    -dumpstate
    -fastbootd
    -hal_camera_server
    -hal_cas_server
    -hal_drm_server
    userdebug_or_eng(`-incidentd')
    -init
    -mediadrmserver
    -mediaserver
    -recovery
    -shell
    -system_server
    -vendor_init
} serialno_prop:file r_file_perms;

neverallow {
    domain
    -init
    -recovery
    -system_server
    -shell # Shell is further restricted in shell.te
    -ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file no_rw_file_perms;

# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow {
    domain
    -init
    -recovery
    -vold
    -e2fs
    -fsck
    -fastbootd
} metadata_block_device:blk_file { append link rename write open read ioctl lock };

# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
neverallow {
    domain
    -fastbootd
    userdebug_or_eng(`-fsck')
    userdebug_or_eng(`-init')
    -recovery
    -update_engine
} system_block_device:blk_file { write append };

# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
    domain
    userdebug_or_eng(`-domain') # exclude debuggable builds
    -fastbootd
    -hal_bootctl_server
    -init
    -uncrypt
    -update_engine
    -vendor_init
    -vendor_misc_writer
    -vold
    -recovery
    -ueventd
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;

# system services can't add vendor services
neverallow {
    coredomain
} vendor_service:service_manager add;

full_treble_only(`
  # vendor services can't add system services
  neverallow {
    domain
    -coredomain
  } {
    service_manager_type
    -vendor_service
  }:service_manager add;
')

full_treble_only(`
  # Vendor apps are permitted to use only stable public services. If they were to use arbitrary
  # services which can change any time framework/core is updated, breakage is likely.
  #
  # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
  neverallow {
    appdomain
    -coredomain
  } {
    service_manager_type

    -app_api_service
    -vendor_service # must be @VintfStability to be used by an app
    -ephemeral_app_api_service

    -apc_service
    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
    -cameraserver_service
    -drmserver_service
    -credstore_service
    -keystore_maintenance_service
    -keystore_service
    -legacykeystore_service
    -mediadrmserver_service
    -mediaextractor_service
    -mediametrics_service
    -mediaserver_service
    -nfc_service
    -radio_service
    -virtual_touchpad_service
    -vr_hwc_service
    -vr_manager_service
    userdebug_or_eng(`-hal_face_service')
  }:service_manager find;
')

# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
  } vndbinder_device:chr_file rw_file_perms;
')
full_treble_only(`
  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
')
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
  } vndservice_manager_type:service_manager *;
')
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
  } vndservicemanager:binder *;
')

# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
# Most general rules first, more specific rules below.

# Core domains are not permitted to initiate communications to vendor domain sockets.
# We are not restricting the use of already established sockets because it is fine for a process
# to obtain an already established socket via some public/official/stable API and then exchange
# data with its peer over that socket. The wire format in this scenario is dictated by the API
# and thus does not break the core-vendor separation.
full_treble_only(`
  neverallow_establish_socket_comms({
    coredomain
    -init
    -adbd
  }, {
    domain
    -coredomain
    -socket_between_core_and_vendor_violators
  });
')

# Vendor domains are not permitted to initiate create/open sockets owned by core domains
full_treble_only(`
  neverallow {
    domain
    -coredomain
    -appdomain # appdomain restrictions below
    -data_between_core_and_vendor_violators # b/70393317
    -socket_between_core_and_vendor_violators
    -vendor_init
  } {
    coredomain_socket
    core_data_file_type
    unlabeled # used only by core domains
  }:sock_file ~{ append getattr ioctl read write };
')
full_treble_only(`
  neverallow {
    appdomain
    -coredomain
  } {
    coredomain_socket
    unlabeled # used only by core domains
    core_data_file_type
    -app_data_file
    -privapp_data_file
    -pdx_endpoint_socket_type # used by VR layer
    -pdx_channel_socket_type # used by VR layer
  }:sock_file ~{ append getattr ioctl read write };
')

# Core domains are not permitted to create/open sockets owned by vendor domains
full_treble_only(`
  neverallow {
    coredomain
    -init
    -ueventd
    -socket_between_core_and_vendor_violators
  } {
    file_type
    dev_type
    -coredomain_socket
    -core_data_file_type
    -app_data_file_type
    -unlabeled
  }:sock_file ~{ append getattr ioctl read write };
')

# On TREBLE devices, vendor and system components are only allowed to share
# files by passing open FDs over hwbinder. Ban all directory access and all file
# accesses other than what can be applied to an open FD such as
# ioctl/stat/read/write/append. This is enforced by segregating /data.
# Vendor domains may directly access file in /data/vendor by path, but may only
# access files outside of /data/vendor via an open FD passed over hwbinder.
# Likewise, core domains may only directly access files outside /data/vendor by
# path and files in /data/vendor by open FD.
full_treble_only(`
  # only coredomains may only access core_data_file_type, particularly not
  # /data/vendor
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -data_between_core_and_vendor_violators
    -init
    -vold_prepare_subdirs
  } {
    data_file_type
    -core_data_file_type
    -app_data_file_type
  }:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -data_between_core_and_vendor_violators
    -init
    -vold_prepare_subdirs
  } {
    data_file_type
    -core_data_file_type
    -app_data_file_type
    # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
    # neverallow. Currently only getattr and search are allowed.
    -vendor_data_file
  }:dir *;

')
full_treble_only(`
  # vendor domains may only access files in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -vendor_init
  } {
    core_data_file_type
    # libc includes functions like mktime and localtime which attempt to access
    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
    # These functions are considered vndk-stable and thus must be allowed for
    # all processes.
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  neverallow {
    vendor_init
    -data_between_core_and_vendor_violators
  } {
    core_data_file_type
    -unencrypted_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
  # The vendor init binary lives on the system partition so there is not a concern with stability.
  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
')
full_treble_only(`
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators
    -vendor_init
  } {
    core_data_file_type
    -system_data_file # default label for files on /data. Covered below...
    -system_data_root_file
    -vendor_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  neverallow {
    vendor_init
    -data_between_core_and_vendor_violators
  } {
    core_data_file_type
    -unencrypted_data_file
    -system_data_file
    -system_data_root_file
    -vendor_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
  # The vendor init binary lives on the system partition so there is not a concern with stability.
  neverallow vendor_init unencrypted_data_file:dir ~search;
')
full_treble_only(`
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
  } {
    system_data_file # default label for files on /data. Covered below
  }:dir ~{ getattr search };
')

full_treble_only(`
  # coredomains may not access dirs in /data/vendor.
  neverallow {
    coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -init
    -vold # vold creates per-user storage for both system and vendor
    -vold_prepare_subdirs
  } {
    vendor_data_file # default label for files on /data. Covered below
  }:dir ~{ getattr search };
')

full_treble_only(`
  # coredomains may not access files in /data/vendor.
  neverallow {
    coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -init
  } {
    vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
  }:file_class_set ~{ append getattr ioctl read write map };
')

full_treble_only(`
  # Non-vendor domains are not allowed to file execute shell
  # from vendor
  neverallow {
    coredomain
    -init
    -shell
    -ueventd
  } vendor_shell_exec:file { execute execute_no_trans };
')

full_treble_only(`
  # Do not allow vendor components to execute files from system
  # except for the ones allowed here.
941 neverallow { 942 domain 943 -coredomain 944 -appdomain 945 -vendor_executes_system_violators 946 -vendor_init 947 } { 948 system_file_type 949 -system_lib_file 950 -system_linker_exec 951 -crash_dump_exec 952 -iorap_prefetcherd_exec 953 -iorap_inode2filename_exec 954 -netutils_wrapper_exec 955 userdebug_or_eng(`-tcpdump_exec') 956 }:file { entrypoint execute execute_no_trans }; 957') 958 959full_treble_only(` 960 # Do not allow coredomain to access entrypoint for files other 961 # than system_file_type and postinstall_file 962 neverallow coredomain { 963 file_type 964 -system_file_type 965 -postinstall_file 966 }:file entrypoint; 967 # Do not allow domains other than coredomain to access entrypoint 968 # for anything but vendor_file_type and init_exec for vendor_init. 969 neverallow { domain -coredomain } { 970 file_type 971 -vendor_file_type 972 -init_exec 973 }:file entrypoint; 974') 975 976full_treble_only(` 977 # Do not allow system components to execute files from vendor 978 # except for the ones allowed here. 979 neverallow { 980 coredomain 981 -init 982 -shell 983 -system_executes_vendor_violators 984 -ueventd 985 } { 986 vendor_file_type 987 -same_process_hal_file 988 -vndk_sp_file 989 -vendor_app_file 990 -vendor_public_framework_file 991 -vendor_public_lib_file 992 }:file execute; 993') 994 995full_treble_only(` 996 neverallow { 997 coredomain 998 -shell 999 -system_executes_vendor_violators 1000 } { 1001 vendor_file_type 1002 -same_process_hal_file 1003 }:file execute_no_trans; 1004') 1005 1006full_treble_only(` 1007 # Do not allow vendor components access to /system files except for the 1008 # ones allowed here. 1009 neverallow { 1010 domain 1011 -appdomain 1012 -coredomain 1013 -vendor_executes_system_violators 1014 # vendor_init needs access to init_exec for domain transition. 
vendor_init 1015 # neverallows are covered in public/vendor_init.te 1016 -vendor_init 1017 } { 1018 system_file_type 1019 -crash_dump_exec 1020 -file_contexts_file 1021 -iorap_inode2filename_exec 1022 -netutils_wrapper_exec 1023 -property_contexts_file 1024 -system_event_log_tags_file 1025 -system_group_file 1026 -system_lib_file 1027 with_asan(`-system_asan_options_file') 1028 -system_linker_exec 1029 -system_linker_config_file 1030 -system_passwd_file 1031 -system_seccomp_policy_file 1032 -system_security_cacerts_file 1033 -system_zoneinfo_file 1034 -task_profiles_api_file 1035 -task_profiles_file 1036 userdebug_or_eng(`-tcpdump_exec') 1037 }:file *; 1038') 1039 1040# Only system_server should be able to send commands via the zygote socket 1041neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 1042neverallow { domain -system_server } zygote_socket:sock_file write; 1043 1044neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto; 1045neverallow { domain -system_server } webview_zygote:sock_file write; 1046neverallow { domain -system_server } app_zygote:sock_file write; 1047 1048neverallow { 1049 domain 1050 -tombstoned 1051 -crash_dump 1052 -dumpstate 1053 -incidentd 1054 -system_server 1055 1056 # Processes that can't exec crash_dump 1057 -hal_codec2_server 1058 -hal_omx_server 1059 -mediaextractor 1060} tombstoned_crash_socket:unix_stream_socket connectto; 1061 1062# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to 1063# the tombstoned intercept socket. 1064neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; 1065neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 1066 1067# Never allow anyone but system_server to read heapdumps in /data/system/heapdump. 
1068neverallow { domain -init -system_server } heapdump_data_file:file read; 1069 1070# Android does not support System V IPCs. 1071# 1072# The reason for this is due to the fact that, by design, they lead to global 1073# kernel resource leakage. 1074# 1075# For example, there is no way to automatically release a SysV semaphore 1076# allocated in the kernel when: 1077# 1078# - a buggy or malicious process exits 1079# - a non-buggy and non-malicious process crashes or is explicitly killed. 1080# 1081# Killing processes automatically to make room for new ones is an 1082# important part of Android's application lifecycle implementation. This means 1083# that, even assuming only non-buggy and non-malicious code, it is very likely 1084# that over time, the kernel global tables used to implement SysV IPCs will fill 1085# up. 1086neverallow * *:{ shm sem msg msgq } *; 1087 1088# Do not mount on top of symlinks, fifos, or sockets. 1089# Feature parity with Chromium LSM. 1090neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 1091 1092# Nobody should be able to execute su on user builds. 1093# On userdebug/eng builds, only dumpstate, shell, and 1094# su itself execute su. 1095neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 1096 1097# Do not allow the introduction of new execmod rules. Text relocations 1098# and modification of executable pages are unsafe. 1099# The only exceptions are for NDK text relocations associated with 1100# https://code.google.com/p/android/issues/detail?id=23203 1101# which, long term, need to go away. 1102neverallow * { 1103 file_type 1104 -apk_data_file 1105 -app_data_file 1106 -asec_public_file 1107}:file execmod; 1108 1109# Do not allow making the stack or heap executable. 1110# We would also like to minimize execmem but it seems to be 1111# required by some device-specific service domains. 
1112neverallow * self:process { execstack execheap }; 1113 1114# Do not allow the introduction of new execmod rules. Text relocations 1115# and modification of executable pages are unsafe. 1116neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod; 1117 1118neverallow { domain -init } proc:{ file dir } mounton; 1119 1120# Ensure that all types assigned to processes are included 1121# in the domain attribute, so that all allow and neverallow rules 1122# written on domain are applied to all processes. 1123# This is achieved by ensuring that it is impossible to transition 1124# from a domain to a non-domain type and vice versa. 1125# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 1126neverallow ~domain domain:process { transition dyntransition }; 1127 1128# 1129# Only system_app and system_server should be creating or writing 1130# their files. The proper way to share files is to setup 1131# type transitions to a more specific type or assigning a type 1132# to its parent directory via a file_contexts entry. 1133# Example type transition: 1134# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 1135# 1136neverallow { 1137 domain 1138 -system_server 1139 -system_app 1140 -init 1141 -toolbox # TODO(b/141108496) We want to remove toolbox 1142 -installd # for relabelfrom and unlink, check for this in explicit neverallow 1143 -vold_prepare_subdirs # For unlink 1144 with_asan(`-asan_extract') 1145} system_data_file:file no_w_file_perms; 1146# do not grant anything greater than r_file_perms and relabelfrom unlink 1147# to installd 1148neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 1149 1150# respect system_app sandboxes 1151neverallow { 1152 domain 1153 -appdomain # finer-grained rules for appdomain are listed below 1154 -system_server #populate com.android.providers.settings/databases/settings.db. 
1155 -installd # creation of app sandbox 1156 -iorap_inode2filename 1157 -traced_probes # resolve inodes for i/o tracing. 1158 # only needs open and read, the rest is neverallow in 1159 # traced_probes.te. 1160} system_app_data_file:dir_file_class_set { create unlink open }; 1161neverallow { 1162 isolated_app 1163 untrusted_app_all # finer-grained rules for appdomain are listed below 1164 ephemeral_app 1165 priv_app 1166} system_app_data_file:dir_file_class_set { create unlink open }; 1167 1168# 1169# Only these domains should transition to shell domain. This domain is 1170# permissible for the "shell user". If you need a process to exec a shell 1171# script with differing privilege, define a domain and set up a transition. 1172# 1173neverallow { 1174 domain 1175 -adbd 1176 -init 1177 -runas 1178 -zygote 1179} shell:process { transition dyntransition }; 1180 1181# Only domains spawned from zygote, runas and simpleperf_app_runner may have 1182# the appdomain attribute. simpleperf is excluded as a domain transitioned to 1183# when running an app-scoped profiling session. 1184neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } { 1185 appdomain -shell -simpleperf userdebug_or_eng(`-su') 1186}:process { transition dyntransition }; 1187 1188# Minimize read access to shell- or app-writable symlinks. 1189# This is to prevent malicious symlink attacks. 1190neverallow { 1191 domain 1192 -appdomain 1193 -installd 1194} { app_data_file privapp_data_file }:lnk_file read; 1195 1196neverallow { 1197 domain 1198 -shell 1199 userdebug_or_eng(`-uncrypt') 1200 -installd 1201} shell_data_file:lnk_file read; 1202 1203# In addition to the symlink reading restrictions above, restrict 1204# write access to shell owned directories. The /data/local/tmp 1205# directory is untrustworthy, and non-allowed domains should 1206# not be trusting any content in those directories. 
1207neverallow { 1208 domain 1209 -adbd 1210 -dumpstate 1211 -installd 1212 -init 1213 -shell 1214 -vold 1215} shell_data_file:dir no_w_dir_perms; 1216 1217neverallow { 1218 domain 1219 -adbd 1220 -appdomain 1221 -dumpstate 1222 -init 1223 -installd 1224 -iorap_inode2filename 1225 -simpleperf_app_runner 1226 -system_server # why? 1227 userdebug_or_eng(`-uncrypt') 1228} shell_data_file:dir { open search }; 1229 1230# Same as above for /data/local/tmp files. We allow shell files 1231# to be passed around by file descriptor, but not directly opened. 1232neverallow { 1233 domain 1234 -adbd 1235 -appdomain 1236 -dumpstate 1237 -installd 1238 userdebug_or_eng(`-uncrypt') 1239} shell_data_file:file open; 1240 1241# servicemanager and vndservicemanager are the only processes which handle the 1242# service_manager list request 1243neverallow * ~{ 1244 servicemanager 1245 vndservicemanager 1246 }:service_manager list; 1247 1248# hwservicemanager is the only process which handles hw list requests 1249neverallow * ~{ 1250 hwservicemanager 1251 }:hwservice_manager list; 1252 1253# only service_manager_types can be added to service_manager 1254# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 1255 1256# Prevent assigning non property types to properties 1257# TODO - rework this: neverallow * ~property_type:property_service set; 1258 1259# Domain types should never be assigned to any files other 1260# than the /proc/pid files associated with a process. The 1261# executable file used to enter a domain should be labeled 1262# with its own _exec type, not with the domain type. 
1263# Conventionally, this looks something like: 1264# $ cat mydaemon.te 1265# type mydaemon, domain; 1266# type mydaemon_exec, exec_type, file_type; 1267# init_daemon_domain(mydaemon) 1268# $ grep mydaemon file_contexts 1269# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 1270neverallow * domain:file { execute execute_no_trans entrypoint }; 1271 1272# Do not allow access to the generic debugfs label. This is too broad. 1273# Instead, if access to part of debugfs is desired, it should have a 1274# more specific label. 1275# TODO: fix dumpstate 1276neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms; 1277 1278# Do not allow executable files in debugfs. 1279neverallow domain debugfs_type:file { execute execute_no_trans }; 1280 1281# Don't allow access to the FUSE control filesystem, except to vold and init's 1282neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms; 1283 1284# Profiles contain untrusted data and profman parses that. We should only run 1285# in from installd forked processes. 1286neverallow { 1287 domain 1288 -installd 1289 -profman 1290} profman_exec:file no_x_file_perms; 1291 1292# Enforce restrictions on kernel module origin. 1293# Do not allow kernel module loading except from system, 1294# vendor, and boot partitions. 1295neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load; 1296 1297# Only allow filesystem caps to be set at build time. Runtime changes 1298# to filesystem capabilities are not permitted. 1299neverallow * self:global_capability_class_set setfcap; 1300 1301# Enforce AT_SECURE for executing crash_dump. 1302neverallow domain crash_dump:process noatsecure; 1303 1304# Do not permit non-core domains to register HwBinder services which are 1305# guaranteed to be provided by core domains only. 
1306neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1307 1308# Do not permit the registeration of HwBinder services which are guaranteed to 1309# be passthrough only (i.e., run in the process of their clients instead of a 1310# separate server process). 1311neverallow * same_process_hwservice:hwservice_manager add; 1312 1313# If an already existing file is opened with O_CREAT, the kernel might generate 1314# a false report of a create denial. Silence these denials and make sure that 1315# inappropriate permissions are not granted. 1316 1317# These filesystems don't allow files or directories to be created, so the permission 1318# to do so should never be granted. 1319neverallow domain { 1320 proc_type 1321 sysfs_type 1322}:dir { add_name create link remove_name rename reparent rmdir write }; 1323 1324# cgroupfs directories can be created, but not files within them. 1325neverallow domain cgroup:file create; 1326neverallow domain cgroup_v2:file create; 1327 1328dontaudit domain proc_type:dir write; 1329dontaudit domain sysfs_type:dir write; 1330dontaudit domain cgroup:file create; 1331dontaudit domain cgroup_v2:file create; 1332 1333# These are only needed in permissive mode - in enforcing mode the 1334# directory write check fails and so these are never attempted. 1335userdebug_or_eng(` 1336 dontaudit domain proc_type:dir add_name; 1337 dontaudit domain sysfs_type:dir add_name; 1338 dontaudit domain proc_type:file create; 1339 dontaudit domain sysfs_type:file create; 1340') 1341 1342# Platform must not have access to /mnt/vendor. 1343neverallow { 1344 coredomain 1345 -init 1346 -ueventd 1347 -vold 1348 -system_writes_mnt_vendor_violators 1349} mnt_vendor_file:dir *; 1350 1351# Only apps are allowed access to vendor public libraries. 
1352full_treble_only(` 1353 neverallow { 1354 coredomain 1355 -appdomain 1356 } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans }; 1357') 1358 1359# Vendor domian must not have access to /mnt/product. 1360neverallow { 1361 domain 1362 -coredomain 1363} mnt_product_file:dir *; 1364 1365# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd 1366full_treble_only(` 1367 neverallow { 1368 coredomain 1369 -healthd 1370 -shell 1371 # Generate uevents for health info 1372 -ueventd 1373 # Recovery uses health HAL passthrough implementation. 1374 -recovery 1375 # Charger uses health HAL passthrough implementation. 1376 -charger 1377 # TODO(b/110891300): remove this exception 1378 -incidentd 1379 } sysfs_batteryinfo:file { open read }; 1380') 1381 1382neverallow { 1383 domain 1384 -hal_codec2_server 1385 -hal_omx_server 1386} hal_codec2_hwservice:hwservice_manager add; 1387 1388# Only apps targetting < Q are allowed to open /dev/ashmem directly. 1389# Apps must use ASharedMemory NDK API. Native code must use libcutils API. 1390neverallow { 1391 domain 1392 -ephemeral_app # We don't distinguish ephemeral apps based on target API. 1393 -untrusted_app_25 1394 -untrusted_app_27 1395} ashmem_device:chr_file open; 1396 1397neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *; 1398 1399# Linux lockdown "integrity" level is enforced for user builds. 1400neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity; 1401