#line 1 "external/sepolicy/security_classes"
# NOTE(review): this listing is preprocessor output, not a hand-edited file.
# Each "#line" marker names the external/sepolicy source the statements that
# follow it came from, and the m4 macro bodies appear to have been consumed
# already. Fix things in the named source file and regenerate.
# FLASK
#
# Define the security object classes
#
# Classes marked as userspace are classes
# for userspace object managers
#
# NOTE(review): the kernel's built-in classes are presumably matched by their
# position in this list, so do not reorder existing entries and append new
# kernel classes at the end - confirm against the kernel's class table first.

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

#
# userspace object manager classes
#

# passwd/chfn/chsh
class passwd			# userspace

# SE-X Windows stuff (more classes below)
class x_drawable		# userspace
class x_screen			# userspace
class x_gc			# userspace
class x_font			# userspace
class x_colormap		# userspace
class x_property		# userspace
class x_selection		# userspace
class x_cursor			# userspace
class x_client			# userspace
class x_device			# userspace
class x_server			# userspace
class x_extension		# userspace

# extended netlink sockets
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket

class dbus			# userspace

class nscd			# userspace

# IPSec association
class association

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
class appletalk_socket
class packet

# Kernel access key retention
class key

class context			# userspace

class dccp_socket

class memprotect

class db_database		# userspace
class db_table			# userspace
class db_procedure		# userspace
class db_column			# userspace
class db_tuple			# userspace
class db_blob			# userspace

# network peer labels
class peer

# Capabilities >= 32
class capability2

# More SE-X Windows stuff
class x_resource		# userspace
class x_event			# userspace
class x_synthetic_event		# userspace
class x_application_data	# userspace

# kernel services that need to override task security, e.g. cachefiles
class kernel_service

class tun_socket

# Still More SE-X Windows stuff
class x_pointer			# userspace
class x_keyboard		# userspace

# More Database stuff
class db_schema			# userspace
class db_view			# userspace
class db_sequence		# userspace
class db_language		# userspace

# Android-specific classes; their object managers (binder driver, zygote,
# property service) are presumably outside this policy tree - verify.
class binder
class zygote

# Property service
class property_service		# userspace

# FLASK
#line 1 "external/sepolicy/initial_sids"
# FLASK
#
# Define initial security identifiers
#
# NOTE(review): as with the class list, this order is presumably positional;
# confirm with the kernel's initial-SID table before inserting in the middle.
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull

# FLASK
#line 1 "external/sepolicy/access_vectors"
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#
# Every file-like class below (dir, file, lnk_file, chr_file, blk_file,
# sock_file, fifo_file) pulls these in via "inherits file".

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#
# NOTE(review): the first ten permissions below are copied from common file
# by hand rather than inherited - keep the two lists in step.

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common prefix for userspace database object access vectors.
#

common database
{
	create
	drop
	getattr
	setattr
	relabelfrom
	relabelto
}

#
# Define a common prefix for pointer and keyboard access vectors.
#

common x_device
{
	getattr
	setattr
	use
	read
	write
	getfocus
	setfocus
	bell
	force_cursor
	freeze
	grab
	manage
	list_property
	get_property
	set_property
	add
	remove
	create
	destroy
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

class file inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file inherits file { open audit_access execmod }

class chr_file inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file inherits file { open audit_access execmod }

class sock_file inherits file { open audit_access execmod }

class fifo_file inherits file { open audit_access execmod }

class fd { use }


#
# Define the access vector interpretation for network-related objects.
#

class socket inherits socket

class tcp_socket inherits socket
{
	connectto
	newconn
	acceptfrom
	node_bind
	name_connect
}

class udp_socket inherits socket { node_bind }

class rawip_socket inherits socket { node_bind }

class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
}

class netlink_socket inherits socket

class packet_socket inherits socket

class key_socket inherits socket

class unix_stream_socket inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket inherits socket

#
# Define the access vector interpretation for process-related objects
#
# transition/dyntransition, the getters and the signal/set* permissions are
# additionally subject to the mlsconstrain rules in the mls section below.

class process
{
	fork
	transition
	sigchld		# commonly granted from child to parent
	sigkill		# cannot be caught or ignored
	sigstop		# cannot be caught or ignored
	signull		# for kill(pid, 0)
	signal		# all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}

#
# Define the access vector interpretation for ipc-related objects
#

class ipc inherits ipc

class sem inherits ipc

class msgq inherits ipc { enqueue }

class msg { send receive }

class shm inherits ipc { lock }

#
# Define the access vector interpretation for the security server.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce	# was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}

#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the capability2 class.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

# Same positional rule as above: entry i here is capability bit 32 + i.
class capability2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
}

#
# Define the access vector interpretation for controlling
# changes to passwd information.
#

class passwd
{
	passwd	# change another user passwd
	chfn	# change another user finger info
	chsh	# change another user shell
	rootok	# pam_rootok check (skip auth)
	crontab	# crontab on another user
}

#
# SE-X Windows stuff
#

class x_drawable
{
	create
	destroy
	read
	write
	blend
	getattr
	setattr
	list_child
	add_child
	remove_child
	list_property
	get_property
	set_property
	manage
	override
	show
	hide
	send
	receive
}

class x_screen
{
	getattr
	setattr
	hide_cursor
	show_cursor
	saver_getattr
	saver_setattr
	saver_hide
	saver_show
}

class x_gc { create destroy getattr setattr use }

class x_font { create destroy getattr add_glyph remove_glyph use }

class x_colormap
{
	create
	destroy
	read
	write
	getattr
	add_color
	remove_color
	install
	uninstall
	use
}

class x_property { create destroy read write append getattr setattr }

class x_selection { read write getattr setattr }

class x_cursor { create destroy read write getattr setattr use }

class x_client { destroy getattr setattr manage }

class x_device inherits x_device

class x_server { getattr setattr record debug grab manage }

class x_extension { query use }

class x_resource { read write }

class x_event { send receive }

class x_synthetic_event { send receive }

#
# Extended Netlink classes
#

class netlink_route_socket inherits socket { nlmsg_read nlmsg_write }

class netlink_firewall_socket inherits socket { nlmsg_read nlmsg_write }

class netlink_tcpdiag_socket inherits socket { nlmsg_read nlmsg_write }

class netlink_nflog_socket inherits socket

class netlink_xfrm_socket inherits socket { nlmsg_read nlmsg_write }

class netlink_selinux_socket inherits socket

class netlink_audit_socket inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_ip6fw_socket inherits socket { nlmsg_read nlmsg_write }

class netlink_dnrt_socket inherits socket

# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus { acquire_svc send_msg }

# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
	getpwd
	getgrp
	gethost
	getstat
	admin
	shmempwd
	shmemgrp
	shmemhost
	getserv
	shmemserv
}

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association { sendto recvfrom setcontext polmatch }

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket inherits socket

class appletalk_socket inherits socket

class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}

class key { view read write search link setattr create }

class context { translate contains }

class dccp_socket inherits socket { node_bind name_connect }

class memprotect { mmap_zero }

class db_database inherits database
{
	access
	install_module
	load_module
	get_param	# deprecated
	set_param	# deprecated
}

class db_table inherits database
{
	use		# deprecated
	select
	update
	insert
	delete
	lock
}

class db_procedure inherits database { execute entrypoint install }

class db_column inherits database
{
	use		# deprecated
	select
	update
	insert
}

class db_tuple
{
	relabelfrom
	relabelto
	use		# deprecated
	select
	update
	insert
	delete
}

class db_blob inherits database { read write import export }

# network peer labels
class peer { recv }

class x_application_data { paste paste_after_confirm copy }

class kernel_service { use_as_override create_files_as }

class tun_socket inherits socket

class x_pointer inherits x_device

class x_keyboard inherits x_device

class db_schema inherits database { search add_name remove_name }

class db_view inherits database { expand }

class db_sequence inherits database { get_value next_value set_value }

class db_language inherits database { implement execute }

# Android-specific classes (see the class list above).
class binder { impersonate call set_context_mgr transfer }

class zygote
{
	specifyids
	specifyrlimits
	specifycapabilities
	specifyinvokewith
	specifyseinfo
}

class property_service { set }
#line 1 "external/sepolicy/global_macros"
# NOTE(review): only the section headers of global_macros survive in this
# expansion; the m4 define()s they introduced appear to have been consumed by
# the preprocessor, so the actual groupings must be read from the source file.
#####################################
# Common groupings of object classes.
#

#####################################
# Common groupings of permissions.
#

#####################################
# Common socket permission sets.
#line 1 "external/sepolicy/mls_macros"
# NOTE(review): as with global_macros, only the comment headers of the macros
# remain here; the "#line" jumps (10, 24, 34, 45) mark where the consumed
# macro bodies were.
########################################
#
# gen_cats(N)
#
# declares categories c0 to c(N-1)
#
#line 10

########################################
#
# gen_sens(N)
#
# declares sensitivities s0 to s(N-1) with dominance
# in increasing numeric order with s0 lowest, s(N-1) highest
#
#line 24
#line 34

########################################
#
# gen_levels(N,M)
#
# levels from s0 to (N-1) with categories c0 to (M-1)
#
#line 45

########################################
#
# Basic level names for system low and high
#
#line 1 "external/sepolicy/mls"
#########################################
# MLS declarations
#

# Generate the desired number of sensitivities and categories.
# This policy uses a single sensitivity (s0) and, per the level statement
# further down, 1024 categories (c0 .. c1023); everything from "category c0;"
# on is the gen_cats expansion, with the preprocessor's "#line 7" marker
# repeated before every declaration.
#line 6
# Each sensitivity has a name and zero or more aliases.
#line 6
sensitivity s0;
#line 6
#line 6
#line 6
# Define the ordering of the sensitivity levels (least to greatest)
#line 6
dominance { s0 }
#line 6
category c0;
#line 7
category c1;
#line 7
category c2;
#line 7
category c3;
#line 7
category c4;
#line 7
category c5;
#line 7
category c6;
#line 7
category c7;
#line 7
category c8;
#line 7
category c9;
#line 7
category c10;
#line 7
category c11;
#line 7
category c12;
#line 7
category c13;
#line 7
category c14;
#line 7
category c15;
#line 7
category c16;
#line 7
category c17;
#line 7
category c18;
#line 7
category c19;
#line 7
category c20;
#line 7
category c21;
#line 7
category c22;
#line 7
category c23;
#line 7
category c24;
#line 7
category c25;
#line 7
category c26;
#line 7
category c27;
#line 7
category c28;
#line 7
category c29;
#line 7
category c30;
#line 7
category c31;
#line 7
category c32;
#line 7
category c33;
#line 7
category c34;
#line 7
category c35;
#line 7
category c36;
#line 7
category c37;
#line 7
category c38;
#line 7
category c39;
#line 7
category c40;
#line 7
category c41;
#line 7
category c42;
#line 7
category c43;
#line 7
category c44;
#line 7
category c45;
#line 7
category c46;
#line 7
category c47;
#line 7
category c48;
#line 7
category c49;
#line 7
category c50;
#line 7
category c51;
#line 7
category c52;
#line 7
category c53;
#line 7
category c54;
#line 7
category c55;
#line 7
category c56;
#line 7
category c57;
#line 7
category c58;
#line 7
category c59;
#line 7
category c60;
#line 7
category c61;
#line 7
category c62;
#line 7
category c63;
#line 7
category c64;
#line 7
category c65;
#line 7
category c66;
#line 7
category c67;
#line 7
category c68;
#line 7
category c69;
#line 7
category c70;
#line 7
category c71;
#line 7
category c72;
#line 7
category c73;
#line 7
category c74;
#line 7
category c75;
#line 7
category c76;
#line 7
category c77;
#line 7
category c78;
#line 7
category c79;
#line 7
category c80;
#line 7
category c81;
#line 7
category c82;
#line 7
category c83;
#line 7
category c84;
#line 7
category c85;
#line 7
category c86;
#line 7
category c87;
#line 7
category c88;
#line 7
category c89;
#line 7
category c90;
#line 7
category c91;
#line 7
category c92;
#line 7
category c93;
#line 7
category c94;
#line 7
category c95;
#line 7
category c96;
#line 7
category c97;
#line 7
category c98;
#line 7
category c99;
#line 7
category c100;
#line 7
category c101;
#line 7
category c102;
#line 7
category c103;
#line 7
category c104;
#line 7
category c105;
#line 7
category c106;
#line 7
category c107;
#line 7
category c108;
#line 7
category c109;
#line 7
category c110;
#line 7
category c111;
#line 7
category c112;
#line 7
category c113;
#line 7
category c114;
#line 7
category c115;
#line 7
category c116;
#line 7
category c117;
#line 7
category c118;
#line 7
category c119;
#line 7
category c120;
#line 7
category c121;
#line 7
category c122;
#line 7
category c123;
#line 7
category c124;
#line 7
category c125;
#line 7
category c126;
#line 7
category c127;
#line 7
category c128;
#line 7
category c129;
#line 7
category c130;
#line 7
category c131;
#line 7
category c132;
#line 7
category c133;
#line 7
category c134;
#line 7
category c135;
#line 7
category c136;
#line 7
category c137;
#line 7
category c138;
#line 7
category c139;
#line 7
category c140;
#line 7
category c141;
#line 7
category c142;
#line 7
category c143;
#line 7
category c144;
#line 7
category c145;
#line 7
category c146;
#line 7
category c147;
#line 7
category c148;
#line 7
category c149;
#line 7
category c150;
#line 7
category c151;
#line 7
category c152;
#line 7
category c153;
#line 7
category c154;
#line 7
category c155;
#line 7
category c156;
#line 7
category c157;
#line 7
category c158;
#line 7
category c159;
#line 7
category c160;
#line 7
category c161;
#line 7
category c162;
#line 7
category c163;
#line 7
category c164;
#line 7
category c165;
#line 7
category c166;
#line 7
category c167;
#line 7
category c168;
#line 7
category c169;
#line 7
category c170;
#line 7
category c171;
#line 7
category c172;
#line 7
category c173;
#line 7
category c174;
#line 7
category c175;
#line 7
category c176;
#line 7
category c177;
#line 7
category c178;
#line 7
category c179;
#line 7
category c180;
#line 7
category c181;
#line 7
category c182;
#line 7
category c183;
#line 7
category c184;
#line 7
category c185;
#line 7
category c186;
#line 7
category c187;
#line 7
category c188;
#line 7
category c189;
#line 7
category c190;
#line 7
category c191;
#line 7
category c192;
#line 7
category c193;
#line 7
category c194;
#line 7
category c195;
#line 7
category c196;
#line 7
category c197;
#line 7
category c198;
#line 7
category c199;
#line 7
category c200;
#line 7
category c201;
#line 7
category c202;
#line 7
category c203;
#line 7
category c204;
#line 7
category c205;
#line 7
category c206;
#line 7
category c207;
#line 7
category c208;
#line 7
category c209;
#line 7
category c210;
#line 7
category c211;
#line 7
category c212;
#line 7
category c213;
#line 7
category c214;
#line 7
category c215;
#line 7
category c216;
#line 7
category c217;
#line 7
category c218;
#line 7
category c219;
#line 7
category c220;
#line 7
category c221;
#line 7
category c222;
#line 7
category c223;
#line 7
category c224;
#line 7
# gen_cats expansion continued: c225 .. c398 (see mls_macros above).
category c225;
#line 7
category c226;
#line 7
category c227;
#line 7
category c228;
#line 7
category c229;
#line 7
category c230;
#line 7
category c231;
#line 7
category c232;
#line 7
category c233;
#line 7
category c234;
#line 7
category c235;
#line 7
category c236;
#line 7
category c237;
#line 7
category c238;
#line 7
category c239;
#line 7
category c240;
#line 7
category c241;
#line 7
category c242;
#line 7
category c243;
#line 7
category c244;
#line 7
category c245;
#line 7
category c246;
#line 7
category c247;
#line 7
category c248;
#line 7
category c249;
#line 7
category c250;
#line 7
category c251;
#line 7
category c252;
#line 7
category c253;
#line 7
category c254;
#line 7
category c255;
#line 7
category c256;
#line 7
category c257;
#line 7
category c258;
#line 7
category c259;
#line 7
category c260;
#line 7
category c261;
#line 7
category c262;
#line 7
category c263;
#line 7
category c264;
#line 7
category c265;
#line 7
category c266;
#line 7
category c267;
#line 7
category c268;
#line 7
category c269;
#line 7
category c270;
#line 7
category c271;
#line 7
category c272;
#line 7
category c273;
#line 7
category c274;
#line 7
category c275;
#line 7
category c276;
#line 7
category c277;
#line 7
category c278;
#line 7
category c279;
#line 7
category c280;
#line 7
category c281;
#line 7
category c282;
#line 7
category c283;
#line 7
category c284;
#line 7
category c285;
#line 7
category c286;
#line 7
category c287;
#line 7
category c288;
#line 7
category c289;
#line 7
category c290;
#line 7
category c291;
#line 7
category c292;
#line 7
category c293;
#line 7
category c294;
#line 7
category c295;
#line 7
category c296;
#line 7
category c297;
#line 7
category c298;
#line 7
category c299;
#line 7
category c300;
#line 7
category c301;
#line 7
category c302;
#line 7
category c303;
#line 7
category c304;
#line 7
category c305;
#line 7
category c306;
#line 7
category c307;
#line 7
category c308;
#line 7
category c309;
#line 7
category c310;
#line 7
category c311;
#line 7
category c312;
#line 7
category c313;
#line 7
category c314;
#line 7
category c315;
#line 7
category c316;
#line 7
category c317;
#line 7
category c318;
#line 7
category c319;
#line 7
category c320;
#line 7
category c321;
#line 7
category c322;
#line 7
category c323;
#line 7
category c324;
#line 7
category c325;
#line 7
category c326;
#line 7
category c327;
#line 7
category c328;
#line 7
category c329;
#line 7
category c330;
#line 7
category c331;
#line 7
category c332;
#line 7
category c333;
#line 7
category c334;
#line 7
category c335;
#line 7
category c336;
#line 7
category c337;
#line 7
category c338;
#line 7
category c339;
#line 7
category c340;
#line 7
category c341;
#line 7
category c342;
#line 7
category c343;
#line 7
category c344;
#line 7
category c345;
#line 7
category c346;
#line 7
category c347;
#line 7
category c348;
#line 7
category c349;
#line 7
category c350;
#line 7
category c351;
#line 7
category c352;
#line 7
category c353;
#line 7
category c354;
#line 7
category c355;
#line 7
category c356;
#line 7
category c357;
#line 7
category c358;
#line 7
category c359;
#line 7
category c360;
#line 7
category c361;
#line 7
category c362;
#line 7
category c363;
#line 7
category c364;
#line 7
category c365;
#line 7
category c366;
#line 7
category c367;
#line 7
category c368;
#line 7
category c369;
#line 7
category c370;
#line 7
category c371;
#line 7
category c372;
#line 7
category c373;
#line 7
category c374;
#line 7
category c375;
#line 7
category c376;
#line 7
category c377;
#line 7
category c378;
#line 7
category c379;
#line 7
category c380;
#line 7
category c381;
#line 7
category c382;
#line 7
category c383;
#line 7
category c384;
#line 7
category c385;
#line 7
category c386;
#line 7
category c387;
#line 7
category c388;
#line 7
category c389;
#line 7
category c390;
#line 7
category c391;
#line 7
category c392;
#line 7
category c393;
#line 7
category c394;
#line 7
category c395;
#line 7
category c396;
#line 7
category c397;
#line 7
category c398;
# gen_cats expansion continued: c399 .. c571 (see mls_macros above).
#line 7
category c399;
#line 7
category c400;
#line 7
category c401;
#line 7
category c402;
#line 7
category c403;
#line 7
category c404;
#line 7
category c405;
#line 7
category c406;
#line 7
category c407;
#line 7
category c408;
#line 7
category c409;
#line 7
category c410;
#line 7
category c411;
#line 7
category c412;
#line 7
category c413;
#line 7
category c414;
#line 7
category c415;
#line 7
category c416;
#line 7
category c417;
#line 7
category c418;
#line 7
category c419;
#line 7
category c420;
#line 7
category c421;
#line 7
category c422;
#line 7
category c423;
#line 7
category c424;
#line 7
category c425;
#line 7
category c426;
#line 7
category c427;
#line 7
category c428;
#line 7
category c429;
#line 7
category c430;
#line 7
category c431;
#line 7
category c432;
#line 7
category c433;
#line 7
category c434;
#line 7
category c435;
#line 7
category c436;
#line 7
category c437;
#line 7
category c438;
#line 7
category c439;
#line 7
category c440;
#line 7
category c441;
#line 7
category c442;
#line 7
category c443;
#line 7
category c444;
#line 7
category c445;
#line 7
category c446;
#line 7
category c447;
#line 7
category c448;
#line 7
category c449;
#line 7
category c450;
#line 7
category c451;
#line 7
category c452;
#line 7
category c453;
#line 7
category c454;
#line 7
category c455;
#line 7
category c456;
#line 7
category c457;
#line 7
category c458;
#line 7
category c459;
#line 7
category c460;
#line 7
category c461;
#line 7
category c462;
#line 7
category c463;
#line 7
category c464;
#line 7
category c465;
#line 7
category c466;
#line 7
category c467;
#line 7
category c468;
#line 7
category c469;
#line 7
category c470;
#line 7
category c471;
#line 7
category c472;
#line 7
category c473;
#line 7
category c474;
#line 7
category c475;
#line 7
category c476;
#line 7
category c477;
#line 7
category c478;
#line 7
category c479;
#line 7
category c480;
#line 7
category c481;
#line 7
category c482;
#line 7
category c483;
#line 7
category c484;
#line 7
category c485;
#line 7
category c486;
#line 7
category c487;
#line 7
category c488;
#line 7
category c489;
#line 7
category c490;
#line 7
category c491;
#line 7
category c492;
#line 7
category c493;
#line 7
category c494;
#line 7
category c495;
#line 7
category c496;
#line 7
category c497;
#line 7
category c498;
#line 7
category c499;
#line 7
category c500;
#line 7
category c501;
#line 7
category c502;
#line 7
category c503;
#line 7
category c504;
#line 7
category c505;
#line 7
category c506;
#line 7
category c507;
#line 7
category c508;
#line 7
category c509;
#line 7
category c510;
#line 7
category c511;
#line 7
category c512;
#line 7
category c513;
#line 7
category c514;
#line 7
category c515;
#line 7
category c516;
#line 7
category c517;
#line 7
category c518;
#line 7
category c519;
#line 7
category c520;
#line 7
category c521;
#line 7
category c522;
#line 7
category c523;
#line 7
category c524;
#line 7
category c525;
#line 7
category c526;
#line 7
category c527;
#line 7
category c528;
#line 7
category c529;
#line 7
category c530;
#line 7
category c531;
#line 7
category c532;
#line 7
category c533;
#line 7
category c534;
#line 7
category c535;
#line 7
category c536;
#line 7
category c537;
#line 7
category c538;
#line 7
category c539;
#line 7
category c540;
#line 7
category c541;
#line 7
category c542;
#line 7
category c543;
#line 7
category c544;
#line 7
category c545;
#line 7
category c546;
#line 7
category c547;
#line 7
category c548;
#line 7
category c549;
#line 7
category c550;
#line 7
category c551;
#line 7
category c552;
#line 7
category c553;
#line 7
category c554;
#line 7
category c555;
#line 7
category c556;
#line 7
category c557;
#line 7
category c558;
#line 7
category c559;
#line 7
category c560;
#line 7
category c561;
#line 7
category c562;
#line 7
category c563;
#line 7
category c564;
#line 7
category c565;
#line 7
category c566;
#line 7
category c567;
#line 7
category c568;
#line 7
category c569;
#line 7
category c570;
#line 7
category c571;
#line 7
# gen_cats expansion continued: c572 .. c745 (see mls_macros above).
category c572;
#line 7
category c573;
#line 7
category c574;
#line 7
category c575;
#line 7
category c576;
#line 7
category c577;
#line 7
category c578;
#line 7
category c579;
#line 7
category c580;
#line 7
category c581;
#line 7
category c582;
#line 7
category c583;
#line 7
category c584;
#line 7
category c585;
#line 7
category c586;
#line 7
category c587;
#line 7
category c588;
#line 7
category c589;
#line 7
category c590;
#line 7
category c591;
#line 7
category c592;
#line 7
category c593;
#line 7
category c594;
#line 7
category c595;
#line 7
category c596;
#line 7
category c597;
#line 7
category c598;
#line 7
category c599;
#line 7
category c600;
#line 7
category c601;
#line 7
category c602;
#line 7
category c603;
#line 7
category c604;
#line 7
category c605;
#line 7
category c606;
#line 7
category c607;
#line 7
category c608;
#line 7
category c609;
#line 7
category c610;
#line 7
category c611;
#line 7
category c612;
#line 7
category c613;
#line 7
category c614;
#line 7
category c615;
#line 7
category c616;
#line 7
category c617;
#line 7
category c618;
#line 7
category c619;
#line 7
category c620;
#line 7
category c621;
#line 7
category c622;
#line 7
category c623;
#line 7
category c624;
#line 7
category c625;
#line 7
category c626;
#line 7
category c627;
#line 7
category c628;
#line 7
category c629;
#line 7
category c630;
#line 7
category c631;
#line 7
category c632;
#line 7
category c633;
#line 7
category c634;
#line 7
category c635;
#line 7
category c636;
#line 7
category c637;
#line 7
category c638;
#line 7
category c639;
#line 7
category c640;
#line 7
category c641;
#line 7
category c642;
#line 7
category c643;
#line 7
category c644;
#line 7
category c645;
#line 7
category c646;
#line 7
category c647;
#line 7
category c648;
#line 7
category c649;
#line 7
category c650;
#line 7
category c651;
#line 7
category c652;
#line 7
category c653;
#line 7
category c654;
#line 7
category c655;
#line 7
category c656;
#line 7
category c657;
#line 7
category c658;
#line 7
category c659;
#line 7
category c660;
#line 7
category c661;
#line 7
category c662;
#line 7
category c663;
#line 7
category c664;
#line 7
category c665;
#line 7
category c666;
#line 7
category c667;
#line 7
category c668;
#line 7
category c669;
#line 7
category c670;
#line 7
category c671;
#line 7
category c672;
#line 7
category c673;
#line 7
category c674;
#line 7
category c675;
#line 7
category c676;
#line 7
category c677;
#line 7
category c678;
#line 7
category c679;
#line 7
category c680;
#line 7
category c681;
#line 7
category c682;
#line 7
category c683;
#line 7
category c684;
#line 7
category c685;
#line 7
category c686;
#line 7
category c687;
#line 7
category c688;
#line 7
category c689;
#line 7
category c690;
#line 7
category c691;
#line 7
category c692;
#line 7
category c693;
#line 7
category c694;
#line 7
category c695;
#line 7
category c696;
#line 7
category c697;
#line 7
category c698;
#line 7
category c699;
#line 7
category c700;
#line 7
category c701;
#line 7
category c702;
#line 7
category c703;
#line 7
category c704;
#line 7
category c705;
#line 7
category c706;
#line 7
category c707;
#line 7
category c708;
#line 7
category c709;
#line 7
category c710;
#line 7
category c711;
#line 7
category c712;
#line 7
category c713;
#line 7
category c714;
#line 7
category c715;
#line 7
category c716;
#line 7
category c717;
#line 7
category c718;
#line 7
category c719;
#line 7
category c720;
#line 7
category c721;
#line 7
category c722;
#line 7
category c723;
#line 7
category c724;
#line 7
category c725;
#line 7
category c726;
#line 7
category c727;
#line 7
category c728;
#line 7
category c729;
#line 7
category c730;
#line 7
category c731;
#line 7
category c732;
#line 7
category c733;
#line 7
category c734;
#line 7
category c735;
#line 7
category c736;
#line 7
category c737;
#line 7
category c738;
#line 7
category c739;
#line 7
category c740;
#line 7
category c741;
#line 7
category c742;
#line 7
category c743;
#line 7
category c744;
#line 7
category c745;
# gen_cats expansion continued: c746 .. c918 (see mls_macros above).
#line 7
category c746;
#line 7
category c747;
#line 7
category c748;
#line 7
category c749;
#line 7
category c750;
#line 7
category c751;
#line 7
category c752;
#line 7
category c753;
#line 7
category c754;
#line 7
category c755;
#line 7
category c756;
#line 7
category c757;
#line 7
category c758;
#line 7
category c759;
#line 7
category c760;
#line 7
category c761;
#line 7
category c762;
#line 7
category c763;
#line 7
category c764;
#line 7
category c765;
#line 7
category c766;
#line 7
category c767;
#line 7
category c768;
#line 7
category c769;
#line 7
category c770;
#line 7
category c771;
#line 7
category c772;
#line 7
category c773;
#line 7
category c774;
#line 7
category c775;
#line 7
category c776;
#line 7
category c777;
#line 7
category c778;
#line 7
category c779;
#line 7
category c780;
#line 7
category c781;
#line 7
category c782;
#line 7
category c783;
#line 7
category c784;
#line 7
category c785;
#line 7
category c786;
#line 7
category c787;
#line 7
category c788;
#line 7
category c789;
#line 7
category c790;
#line 7
category c791;
#line 7
category c792;
#line 7
category c793;
#line 7
category c794;
#line 7
category c795;
#line 7
category c796;
#line 7
category c797;
#line 7
category c798;
#line 7
category c799;
#line 7
category c800;
#line 7
category c801;
#line 7
category c802;
#line 7
category c803;
#line 7
category c804;
#line 7
category c805;
#line 7
category c806;
#line 7
category c807;
#line 7
category c808;
#line 7
category c809;
#line 7
category c810;
#line 7
category c811;
#line 7
category c812;
#line 7
category c813;
#line 7
category c814;
#line 7
category c815;
#line 7
category c816;
#line 7
category c817;
#line 7
category c818;
#line 7
category c819;
#line 7
category c820;
#line 7
category c821;
#line 7
category c822;
#line 7
category c823;
#line 7
category c824;
#line 7
category c825;
#line 7
category c826;
#line 7
category c827;
#line 7
category c828;
#line 7
category c829;
#line 7
category c830;
#line 7
category c831;
#line 7
category c832;
#line 7
category c833;
#line 7
category c834;
#line 7
category c835;
#line 7
category c836;
#line 7
category c837;
#line 7
category c838;
#line 7
category c839;
#line 7
category c840;
#line 7
category c841;
#line 7
category c842;
#line 7
category c843;
#line 7
category c844;
#line 7
category c845;
#line 7
category c846;
#line 7
category c847;
#line 7
category c848;
#line 7
category c849;
#line 7
category c850;
#line 7
category c851;
#line 7
category c852;
#line 7
category c853;
#line 7
category c854;
#line 7
category c855;
#line 7
category c856;
#line 7
category c857;
#line 7
category c858;
#line 7
category c859;
#line 7
category c860;
#line 7
category c861;
#line 7
category c862;
#line 7
category c863;
#line 7
category c864;
#line 7
category c865;
#line 7
category c866;
#line 7
category c867;
#line 7
category c868;
#line 7
category c869;
#line 7
category c870;
#line 7
category c871;
#line 7
category c872;
#line 7
category c873;
#line 7
category c874;
#line 7
category c875;
#line 7
category c876;
#line 7
category c877;
#line 7
category c878;
#line 7
category c879;
#line 7
category c880;
#line 7
category c881;
#line 7
category c882;
#line 7
category c883;
#line 7
category c884;
#line 7
category c885;
#line 7
category c886;
#line 7
category c887;
#line 7
category c888;
#line 7
category c889;
#line 7
category c890;
#line 7
category c891;
#line 7
category c892;
#line 7
category c893;
#line 7
category c894;
#line 7
category c895;
#line 7
category c896;
#line 7
category c897;
#line 7
category c898;
#line 7
category c899;
#line 7
category c900;
#line 7
category c901;
#line 7
category c902;
#line 7
category c903;
#line 7
category c904;
#line 7
category c905;
#line 7
category c906;
#line 7
category c907;
#line 7
category c908;
#line 7
category c909;
#line 7
category c910;
#line 7
category c911;
#line 7
category c912;
#line 7
category c913;
#line 7
category c914;
#line 7
category c915;
#line 7
category c916;
#line 7
category c917;
#line 7
category c918;
#line 7
# gen_cats expansion continued: c919 .. c1005 (see mls_macros above).
category c919;
#line 7
category c920;
#line 7
category c921;
#line 7
category c922;
#line 7
category c923;
#line 7
category c924;
#line 7
category c925;
#line 7
category c926;
#line 7
category c927;
#line 7
category c928;
#line 7
category c929;
#line 7
category c930;
#line 7
category c931;
#line 7
category c932;
#line 7
category c933;
#line 7
category c934;
#line 7
category c935;
#line 7
category c936;
#line 7
category c937;
#line 7
category c938;
#line 7
category c939;
#line 7
category c940;
#line 7
category c941;
#line 7
category c942;
#line 7
category c943;
#line 7
category c944;
#line 7
category c945;
#line 7
category c946;
#line 7
category c947;
#line 7
category c948;
#line 7
category c949;
#line 7
category c950;
#line 7
category c951;
#line 7
category c952;
#line 7
category c953;
#line 7
category c954;
#line 7
category c955;
#line 7
category c956;
#line 7
category c957;
#line 7
category c958;
#line 7
category c959;
#line 7
category c960;
#line 7
category c961;
#line 7
category c962;
#line 7
category c963;
#line 7
category c964;
#line 7
category c965;
#line 7
category c966;
#line 7
category c967;
#line 7
category c968;
#line 7
category c969;
#line 7
category c970;
#line 7
category c971;
#line 7
category c972;
#line 7
category c973;
#line 7
category c974;
#line 7
category c975;
#line 7
category c976;
#line 7
category c977;
#line 7
category c978;
#line 7
category c979;
#line 7
category c980;
#line 7
category c981;
#line 7
category c982;
#line 7
category c983;
#line 7
category c984;
#line 7
category c985;
#line 7
category c986;
#line 7
category c987;
#line 7
category c988;
#line 7
category c989;
#line 7
category c990;
#line 7
category c991;
#line 7
category c992;
#line 7
category c993;
#line 7
category c994;
#line 7
category c995;
#line 7
category c996;
#line 7
category c997;
#line 7
category c998;
#line 7
category c999;
#line 7
category c1000;
#line 7
category c1001;
#line 7
category c1002;
#line 7
category c1003;
#line 7
category c1004;
#line 7
category c1005;
#line 7 category c1006; #line 7 category c1007; #line 7 category c1008; #line 7 category c1009; #line 7 category c1010; #line 7 category c1011; #line 7 category c1012; #line 7 category c1013; #line 7 category c1014; #line 7 category c1015; #line 7 category c1016; #line 7 category c1017; #line 7 category c1018; #line 7 category c1019; #line 7 category c1020; #line 7 category c1021; #line 7 category c1022; #line 7 category c1023; #line 7 # Generate level definitions for each sensitivity and category. level s0:c0.c1023; #line 10 ################################################# # MLS policy constraints # # # Process constraints # # Process transition: Require equivalence unless the subject is trusted. mlsconstrain process { transition dyntransition } ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); # Process read operations: No read up unless trusted. mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } (l1 dom l2 or t1 == mlstrustedsubject); # Process write operations: No write down unless trusted. mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } (l1 domby l2 or t1 == mlstrustedsubject); # # Socket constraints # # Create/relabel operations: Subject must be equivalent to object unless # the subject is trusted. Sockets inherit the range of their creator. mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } { create relabelfrom relabelto } ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); # Datagram send: Sender must be dominated by receiver unless one of them is # trusted. 
mlsconstrain unix_dgram_socket { sendto } (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); # Stream connect: Client must be equivalent to server unless one of them # is trusted. mlsconstrain unix_stream_socket { connectto } (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); # # Directory/file constraints # # Create/relabel operations: Subject must be equivalent to object unless # the subject is trusted. Also, files should always be single-level. # Do NOT exempt mlstrustedobject types from this constraint. mlsconstrain { dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create relabelfrom relabelto } (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); # # Constraints for app data files only. # # Only constrain open, not read/write. # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. # Subject must be equivalent to object unless the subject is trusted. mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir } (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject); mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename } (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject); # # Constraints for file types other than app data files. # # Read operations: Subject must dominate object unless the subject # or the object is trusted. mlsconstrain dir { read getattr search } (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); # Write operations: Subject must be dominated by the object unless the # subject or the object is trusted. 
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); # Special case for FIFOs. # These can be unnamed pipes, in which case they will be labeled with the # creating process' label. Thus we also have an exemption when the "object" # is a MLS trusted subject and can receive data at any level. mlsconstrain fifo_file { read getattr } (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject); mlsconstrain fifo_file { write setattr append unlink link rename } (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject); # # IPC constraints # # Create/destroy: equivalence or trusted. mlsconstrain { sem msgq shm ipc } { create destroy } (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); # Read ops: No read up unless trusted. mlsconstrain { sem msgq shm ipc } { getattr read associate unix_read } (l1 dom l2 or t1 == mlstrustedsubject); # Write ops: No write down unless trusted. mlsconstrain { sem msgq shm ipc } { write unix_write } (l1 domby l2 or t1 == mlstrustedsubject); # # Binder IPC constraints # # Presently commented out, as apps are expected to call one another. # This would only make sense if apps were assigned categories # based on allowable communications rather than per-app categories. #mlsconstrain binder call # (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); #line 1 "external/sepolicy/policy_capabilities" # Enable new networking controls. policycap network_peer_controls; # Enable open permission check. 
policycap open_perms; #line 1 "external/sepolicy/te_macros" ##################################### # domain_trans(olddomain, type, newdomain) # Allow a transition from olddomain to newdomain # upon executing a file labeled with type. # This only allows the transition; it does not # cause it to occur automatically - use domain_auto_trans # if that is what you want. # #line 21 ##################################### # domain_auto_trans(olddomain, type, newdomain) # Automatically transition from olddomain to newdomain # upon executing a file labeled with type. # #line 33 ##################################### # file_type_trans(domain, dir_type, file_type) # Allow domain to create a file labeled file_type in a # directory labeled dir_type. # This only allows the transition; it does not # cause it to occur automatically - use file_type_auto_trans # if that is what you want. # #line 49 ##################################### # file_type_auto_trans(domain, dir_type, file_type) # Automatically label new files with file_type when # they are created by domain in directories labeled dir_type. # #line 62 ##################################### # r_dir_file(domain, type) # Allow the specified domain to read directories, files # and symbolic links of the specified type. #line 71 ##################################### # unconfined_domain(domain) # Allow the specified domain to perform more privileged operations # than would be typically allowed. Please see the comments at the # top of unconfined.te. # #line 82 ##################################### # tmpfs_domain(domain) # Define and allow access to a unique type for # this domain when creating tmpfs / shmem / ashmem files. #line 92 ##################################### # init_daemon_domain(domain) # Set up a transition from init to the daemon domain # upon executing its binary. #line 101 ##################################### # app_domain(domain) # Allow a base set of permissions required for all apps. 
#line 112 ##################################### # relabelto_domain(domain) # Allows this domain to use the relabelto permission #line 119 ##################################### # platform_app_domain(domain) # Allow permissions specific to platform apps. #line 127 ##################################### # net_domain(domain) # Allow a base set of permissions required for network access. #line 134 ##################################### # bluetooth_domain(domain) # Allow a base set of permissions required for bluetooth access. #line 141 ##################################### # unix_socket_connect(clientdomain, socket, serverdomain) # Allow a local socket connection from clientdomain via # socket to serverdomain. #line 150 ##################################### # unix_socket_send(clientdomain, socket, serverdomain) # Allow a local socket send from clientdomain via # socket to serverdomain. #line 159 ##################################### # binder_use(domain) # Allow domain to use Binder IPC. #line 169 ##################################### # binder_call(clientdomain, serverdomain) # Allow clientdomain to perform binder IPC to serverdomain. #line 181 ##################################### # binder_service(domain) # Mark a domain as being a Binder service domain. # Used to allow binder IPC to the various system services. #line 189 ##################################### # selinux_check_access(domain) # Allow domain to check SELinux permissions via selinuxfs. #line 199 ##################################### # selinux_check_context(domain) # Allow domain to check SELinux contexts via selinuxfs. #line 208 ##################################### # selinux_getenforce(domain) # Allow domain to check whether SELinux is enforcing. #line 216 ##################################### # selinux_setenforce(domain) # Allow domain to set SELinux to enforcing. #line 225 ##################################### # selinux_setbool(domain) # Allow domain to set SELinux booleans. 
#line 234 ##################################### # security_access_policy(domain) # Read only access to all policy files and # selinuxfs #line 248 ##################################### # selinux_manage_policy(domain) # Ability to manage policy files and # trigger runtime reload. #line 261 ##################################### # mmac_manage_policy(domain) # Ability to manage mmac policy files, # trigger runtime reload, change # mmac enforcing mode and access logcat. #line 274 ##################################### # access_kmsg(domain) # Ability to read from kernel logs # and execute the klogctl syscall # in a non destructive manner. See # man 2 klogctl #line 284 ##################################### # write_klog(domain) # Ability to write to kernel log via # klog_write() # See system/core/libcutil/klog.c #line 295 ##################################### # create_pty(domain) # Allow domain to create and use a pty, isolated from any other domain ptys. #line 309 ##################################### # Non system_app application set # ##################################### # Userdebug or eng builds # SELinux rules which apply only to userdebug or eng builds # ##################################### # permissive_or_unconfined # Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false, # and "unconfined($1)" otherwise. # # This is used for experimental domains, where we want to ensure # the domain is unconfined+enforcing once new SELinux policy development # has ceased. 
# ##################################### # write_logd(domain) # Ability to write to android log # daemon via sockets #line 345 ##################################### # read_logd(domain) # Ability to read from android # log daemon via sockets #line 353 ##################################### # control_logd(domain) # Ability to control # android log daemon via sockets #line 363 #line 1 "external/sepolicy/attributes" ###################################### # Attribute declarations # # All types used for devices. attribute dev_type; # All types used for processes. attribute domain; # All types used for filesystems. attribute fs_type; # All types used for files that can exist on a labeled fs. # Do not use for pseudo file types. attribute file_type; # All types used for domain entry points. attribute exec_type; # All types used for /data files. attribute data_file_type; # All types used for sysfs files. attribute sysfs_type; # Attribute used for all sdcards. attribute sdcard_type; # All types used for nodes/hosts. attribute node_type; # All types used for network interfaces. attribute netif_type; # All types used for network ports. attribute port_type; # All types used for the property service. attribute property_type; # All domains that can override MLS restrictions. # i.e. processes that can read up and write down. attribute mlstrustedsubject; # All types that can override MLS restrictions. # i.e. files that can be read by lower and written by higher. attribute mlstrustedobject; # Domains that are allowed all permissions ("unconfined"). attribute unconfineddomain; # All domains used for shells. attribute shelldomain; # All domains used for apps. attribute appdomain; # All domains used for apps with network access. attribute netdomain; # All domains used for apps with bluetooth access. attribute bluetoothdomain; # All domains used for binder service domains. attribute binderservicedomain; # All domains used for platform (signed by build key) apps. 
attribute platformappdomain; # All domains which are allowed the "relabelto" permission attribute relabeltodomain; #line 1 "external/sepolicy/adbd.te" # adbd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. type adbd, domain; #line 7 #line 9 # Allow the necessary permissions. #line 9 #line 9 # Old domain may exec the file and transition to the new domain. #line 9 allow adbd shell_exec:file { getattr open read execute }; #line 9 allow adbd shell:process transition; #line 9 # New domain is entered by executing the file. #line 9 allow shell shell_exec:file { entrypoint read execute }; #line 9 # New domain can send SIGCHLD to its caller. #line 9 allow shell adbd:process sigchld; #line 9 # Enable AT_SECURE, i.e. libc secure mode. #line 9 dontaudit adbd shell:process noatsecure; #line 9 # XXX dontaudit candidate but requires further study. #line 9 allow adbd shell:process { siginh rlimitinh }; #line 9 #line 9 # Make the transition occur by default. #line 9 type_transition adbd shell_exec:process shell; #line 9 # this is an entrypoint allow adbd rootfs:file entrypoint; # Do not sanitize the environment or open fds of the shell. allow adbd shell:process noatsecure; # Set UID and GID to shell. Set supplementary groups. allow adbd self:capability { setuid setgid }; # Drop capabilities from bounding set on user builds. allow adbd self:capability setpcap; # Create and use network sockets. #line 23 typeattribute adbd netdomain; #line 23 # Access /dev/android_adb. allow adbd adb_device:chr_file { { getattr open read ioctl lock } { open append write } }; # On emulator, access /dev/qemu*. allow adbd qemu_device:chr_file { { getattr open read ioctl lock } { open append write } }; # Use a pseudo tty. allow adbd devpts:chr_file { { getattr open read ioctl lock } { open append write } }; # adb push/pull /data/local/tmp. 
allow adbd shell_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; allow adbd shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # adb push/pull sdcard. allow adbd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow adbd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # Set service.adb.*, sys.powerctl properties. #line 43 allow adbd property_socket:sock_file write; #line 43 allow adbd init:unix_stream_socket connectto; #line 43 allow adbd shell_prop:property_service set; allow adbd powerctl_prop:property_service set; # XXX Run /system/bin/vdc to connect to vold. Run in a separate domain? # Also covers running /system/bin/bu. allow adbd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; #line 50 allow adbd vold_socket:sock_file write; #line 50 allow adbd vold:unix_stream_socket connectto; #line 50 # Perform binder IPC to surfaceflinger (screencap) # XXX Run screencap in a separate domain? #line 54 # Call the servicemanager and transfer references to it. #line 54 allow adbd servicemanager:binder { call transfer }; #line 54 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 54 # all domains in domain.te. #line 54 #line 55 # Call the server domain and optionally transfer references to it. #line 55 allow adbd surfaceflinger:binder { call transfer }; #line 55 # Allow the serverdomain to transfer references to the client on the reply. #line 55 allow surfaceflinger adbd:binder transfer; #line 55 # Receive and use open files from the server. #line 55 allow adbd surfaceflinger:fd use; #line 55 # Read /data/misc/adb/adb_keys. 
allow adbd adb_keys_file:dir search; allow adbd adb_keys_file:file { getattr open read ioctl lock }; # Allow access in case /data/misc/adb still has the old type. allow adbd system_data_file:dir search; allow adbd system_data_file:file { getattr open read ioctl lock }; # ndk-gdb invokes adb forward to forward the gdbserver socket. allow adbd app_data_file:dir search; allow adbd app_data_file:sock_file write; allow adbd appdomain:unix_stream_socket connectto; # ndk-gdb invokes adb pull of app_process, linker, and libc.so. allow adbd zygote_exec:file { getattr open read ioctl lock }; allow adbd system_file:file { getattr open read ioctl lock }; #line 1 "external/sepolicy/app.te" ### ### Domain for all zygote spawned apps ### ### This file is the base policy for all zygote spawned apps. ### Other policy files, such as isolated_app.te, untrusted_app.te, etc ### extend from this policy. Only policies which should apply to ALL ### zygote spawned apps should be added here. ### # Dalvik Compiler JIT Mapping. allow appdomain self:process execmem; allow appdomain ashmem_device:chr_file execute; # Allow apps to connect to the keystore #line 15 allow appdomain keystore_socket:sock_file write; #line 15 allow appdomain keystore:unix_stream_socket connectto; #line 15 # Receive and use open file descriptors inherited from zygote. allow appdomain zygote:fd use; # gdbserver for ndk-gdb reads the zygote. allow appdomain zygote_exec:file { getattr open read ioctl lock }; # gdbserver for ndk-gdb ptrace attaches to app process. allow appdomain self:process ptrace; # Read system properties managed by zygote. allow appdomain zygote_tmpfs:file read; # Notify zygote of death; allow appdomain zygote:process sigchld; # Notify shell and adbd of death when spawned via runas for ndk-gdb. allow appdomain shell:process sigchld; allow appdomain adbd:process sigchld; # child shell or gdbserver pty access for runas. 
allow appdomain devpts:chr_file { getattr read write ioctl }; # Communicate with system_server. allow appdomain system_server:fifo_file { { getattr open read ioctl lock } { open append write } }; allow appdomain system_server:unix_stream_socket { read write setopt }; #line 42 # Call the server domain and optionally transfer references to it. #line 42 allow appdomain system_server:binder { call transfer }; #line 42 # Allow the serverdomain to transfer references to the client on the reply. #line 42 allow system_server appdomain:binder transfer; #line 42 # Receive and use open files from the server. #line 42 allow appdomain system_server:fd use; #line 42 # Communication with other apps via fifos allow appdomain appdomain:fifo_file { { getattr open read ioctl lock } { open append write } }; # Communicate with surfaceflinger. allow appdomain surfaceflinger:unix_stream_socket { read write setopt }; #line 49 # Call the server domain and optionally transfer references to it. #line 49 allow appdomain surfaceflinger:binder { call transfer }; #line 49 # Allow the serverdomain to transfer references to the client on the reply. #line 49 allow surfaceflinger appdomain:binder transfer; #line 49 # Receive and use open files from the server. #line 49 allow appdomain surfaceflinger:fd use; #line 49 # App sandbox file accesses. allow appdomain app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow appdomain app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # Read/write data files created by the platform apps if they # were passed to the app via binder or local IPC. Do not allow open. allow appdomain platform_app_data_file:file { getattr read write }; # lib subdirectory of /data/data dir is system-owned. 
allow appdomain system_data_file:dir { open getattr read search ioctl }; allow appdomain system_data_file:file { execute execute_no_trans open }; # Execute the shell or other system executables. allow appdomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; allow appdomain system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; # Read/write wallpaper file (opened by system). allow appdomain wallpaper_file:file { getattr read write }; # Write to /data/anr/traces.txt. allow appdomain anr_data_file:dir search; allow appdomain anr_data_file:file { open append }; # Allow apps to send dump information to dumpstate allow appdomain dumpstate:fd use; allow appdomain dumpstate:unix_stream_socket { read write getopt getattr }; allow appdomain shell_data_file:file { write getattr }; # Write to /proc/net/xt_qtaguid/ctrl file. allow appdomain qtaguid_proc:file { { getattr open read ioctl lock } { open append write } }; # Everybody can read the xt_qtaguid resource tracking misc dev. # So allow all apps to read from /dev/xt_qtaguid. allow appdomain qtaguid_device:chr_file { getattr open read ioctl lock }; # Grant GPU access to all processes started by Zygote. # They need that to render the standard UI. allow appdomain gpu_device:chr_file { { { getattr open read ioctl lock } { open append write } } execute }; # Use the Binder. #line 90 # Call the servicemanager and transfer references to it. #line 90 allow appdomain servicemanager:binder { call transfer }; #line 90 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 90 # all domains in domain.te. #line 90 # Perform binder IPC to binder services. #line 92 # Call the server domain and optionally transfer references to it. #line 92 allow appdomain binderservicedomain:binder { call transfer }; #line 92 # Allow the serverdomain to transfer references to the client on the reply. 
#line 92 allow binderservicedomain appdomain:binder transfer; #line 92 # Receive and use open files from the server. #line 92 allow appdomain binderservicedomain:fd use; #line 92 # Perform binder IPC to other apps. #line 94 # Call the server domain and optionally transfer references to it. #line 94 allow appdomain appdomain:binder { call transfer }; #line 94 # Allow the serverdomain to transfer references to the client on the reply. #line 94 allow appdomain appdomain:binder transfer; #line 94 # Receive and use open files from the server. #line 94 allow appdomain appdomain:fd use; #line 94 # Appdomain interaction with isolated apps #line 97 allow appdomain isolated_app:dir { open getattr read search ioctl }; #line 97 allow appdomain isolated_app:{ file lnk_file } { getattr open read ioctl lock }; #line 97 # Already connected, unnamed sockets being passed over some other IPC # hence no sock_file or connectto permission. This appears to be how # Chrome works, may need to be updated as more apps using isolated services # are examined. allow appdomain isolated_app:unix_stream_socket { read write }; # Backup ability for every app. BMS opens and passes the fd # to any app that has backup ability. Hence, no open permissions here. allow appdomain backup_data_file:file { read write getattr }; allow appdomain cache_backup_file:file { read write getattr }; # Backup ability using 'adb backup' allow appdomain system_data_file:lnk_file getattr; # Allow all applications to read downloaded files allow appdomain download_file:dir search; allow appdomain download_file:file { getattr open read ioctl lock }; # Allow applications to communicate with netd via /dev/socket/dnsproxyd # to do DNS resolution #line 118 allow appdomain dnsproxyd_socket:sock_file write; #line 118 allow appdomain netd:unix_stream_socket connectto; #line 118 # Allow applications to communicate with drmserver over binder #line 121 # Call the server domain and optionally transfer references to it. 
#line 121 allow appdomain drmserver:binder { call transfer }; #line 121 # Allow the serverdomain to transfer references to the client on the reply. #line 121 allow drmserver appdomain:binder transfer; #line 121 # Receive and use open files from the server. #line 121 allow appdomain drmserver:fd use; #line 121 # Allow applications to communicate with mediaserver over binder #line 124 # Call the server domain and optionally transfer references to it. #line 124 allow appdomain mediaserver:binder { call transfer }; #line 124 # Allow the serverdomain to transfer references to the client on the reply. #line 124 allow mediaserver appdomain:binder transfer; #line 124 # Receive and use open files from the server. #line 124 allow appdomain mediaserver:fd use; #line 124 # Allow applications to make outbound tcp connections to any port allow appdomain port_type:tcp_socket name_connect; # Allow apps to see changes to the routing table. allow appdomain self:netlink_route_socket { read bind create nlmsg_read ioctl getattr setattr getopt setopt shutdown }; # Allow apps to use rawip sockets. This is needed for apps which execute # /system/bin/ping, for example. allow appdomain self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; # Allow apps to use the USB Accessory interface. # http://developer.android.com/guide/topics/connectivity/usb/accessory.html # # USB devices are first opened by the system server (USBDeviceManagerService) # and the file descriptor is passed to the right Activity via binder. allow appdomain usb_device:chr_file { read write getattr ioctl }; allow appdomain usbaccessory_device:chr_file { read write getattr }; # For art. allow appdomain dalvikcache_data_file:file execute; # For legacy unlabeled userdata on existing devices. # See discussion of Unlabeled files in domain.te for more information. 
allow appdomain unlabeled:file { getattr execute execute_no_trans };

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
# NOTE(review): these two rules grant read of the /proc/<pid> entries of
# every domain to every app domain, not only the entries the CTS tests
# inspect; the neverallow rules in the section that follows only forbid
# write to non-app domains, so the read exposure stays.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
# The rules under "#line 181" look like the expansion of
# selinux_check_access(appdomain) from te_macros; write on selinuxfs files
# is presumably needed because access queries are submitted by writing to
# selinuxfs — confirm against the macro. The dangerous kernel:security
# permissions (setenforce, setbool, setsecparam, setcheckreqprot,
# load_policy) are denied for app domains by the neverallow rules in the
# section that follows.
#line 181
allow appdomain selinuxfs:dir { open getattr read search ioctl };
#line 181
allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 181
allow appdomain kernel:security compute_av;
#line 181
# Full permission set ("*") on the app's own netlink_selinux_socket;
# presumably for receiving policy-change notifications — TODO confirm
# whether the full set is required.
allow appdomain self:netlink_selinux_socket *;
#line 181
#line 182
# The rules under "#line 182" look like the expansion of
# selinux_check_context(appdomain); the selinuxfs rules duplicate the
# ones above, only kernel:security check_context is new.
allow appdomain selinuxfs:dir { open getattr read search ioctl };
#line 182
allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 182
allow appdomain kernel:security check_context;
#line 182

# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;

# logd access
#line 187
#line 187
allow appdomain logdr_socket:sock_file write;
#line 187
allow appdomain logd:unix_stream_socket connectto;
#line 187
#line 187

# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *; neverallow { appdomain -unconfineddomain } self:capability2 *; # Block device access. neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write }; # Access to any of the following character devices. neverallow { appdomain -unconfineddomain } { audio_device camera_device dm_device radio_device gps_device rpmsg_device }:chr_file { read write }; # Note: Try expanding list of app domains in the future. neverallow { untrusted_app isolated_app shell -unconfineddomain } graphics_device:chr_file { read write }; neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file { read write }; neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file { read write }; neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write }; # Set SELinux enforcing mode, booleans or any other SELinux settings. neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool setsecparam setcheckreqprot }; # Load security policy. neverallow appdomain kernel:security load_policy; # Privileged netlink socket interfaces. neverallow { appdomain -unconfineddomain } self:{ netlink_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } *; # Sockets under /dev/socket that are not specifically typed. neverallow { appdomain -unconfineddomain } socket_device:sock_file write; # Unix domain sockets. 
# app.te (continued): neverallow rules that bound what any app domain may do.
# This is the preprocessed (m4-expanded) policy; rules are one per line so that
# the trailing comments do not swallow the statements that follow them.
#
# NOTE(review): every rule below subtracts unconfineddomain from its subject
# set, so any domain that carries both appdomain and unconfineddomain is
# outside these guarantees; keep that attribute pairing under review.
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain } property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process { transition dyntransition };

# Map low memory.
# Note: Take to domain.te and apply to all domains in the future.
neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;

# Write to rootfs.
# The class set below is the expanded form of "dir plus every file-like
# class" (chr_file, blk_file, file, lnk_file, sock_file, fifo_file).
neverallow { appdomain -unconfineddomain } rootfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow { appdomain -unconfineddomain } system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow { appdomain -unconfineddomain } exec_type:file { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app } system_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow { appdomain -system_app -unconfineddomain } security_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } drm_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
# platform_app is exempt from the four apk_* rules (package install paths).
neverallow { appdomain -platform_app -unconfineddomain } apk_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain } apk_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain } apk_private_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain } apk_private_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
# NOTE(review): unlike the other /data rules in this file, the shell_data_file
# permission set below omits "write", so apps are only barred from creating,
# relabeling, appending to, unlinking and renaming shell-owned files.
neverallow { appdomain -shell -unconfineddomain } shell_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain } bluetooth_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } keystore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } systemkeys_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } wifi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } dhcp_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
neverallow { appdomain -unconfineddomain } efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { read write };

# Write to various pseudo file systems.
# bluetooth and nfc are exempt for sysfs only; no app may write to proc.
neverallow { appdomain -bluetooth -nfc -unconfineddomain } sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
neverallow { appdomain -unconfineddomain } proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain } kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
# Only the listed app domains may set any property_type; the allow rules for
# those domains then narrow which property types each may touch.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain } property_type:property_service set;

#line 1 "external/sepolicy/binderservicedomain.te"
# Rules common to all binder service domains

# Allow dumpstate to collect information from binder services
allow binderservicedomain dumpstate:fd use;
allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
# NOTE(review): this grants every binder service write access to files already
# labeled shell_data_file (for dumpsys output); it is not limited to dumpstate.
allow binderservicedomain shell_data_file:file { getattr write };

# Allow dumpsys to work from adb shell
allow binderservicedomain devpts:chr_file { { getattr open read ioctl lock } { open append write } };

#line 1 "external/sepolicy/bluetooth.te"
# bluetooth subsystem
type bluetooth, domain;
#line 3
typeattribute bluetooth appdomain;

# Label ashmem objects with our own unique type.
# Expansion of the per-domain tmpfs labeling macro (inferred from its shape).
type bluetooth_tmpfs, file_type;
type_transition bluetooth tmpfs:file bluetooth_tmpfs;
allow bluetooth bluetooth_tmpfs:file { read write };

# Map with PROT_EXEC.
# NOTE(review): combined with the read/write rule above, bluetooth may hold
# its own tmpfs objects both writable and executable.
allow bluetooth bluetooth_tmpfs:file execute;

# Data file accesses.
allow bluetooth bluetooth_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow bluetooth bluetooth_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Socket creation under /data/misc/bluedroid.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
allow bluetooth bluetooth_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# bluetooth factory file accesses.
#line 14
allow bluetooth bluetooth_efs_file:dir { open getattr read search ioctl };
allow bluetooth bluetooth_efs_file:{ file lnk_file } { getattr open read ioctl lock };

# Device accesses.
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file { { getattr open read ioctl lock } { open append write } };

# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
# NOTE(review): "*" grants every permission on the generic socket class to
# every member of bluetoothdomain; this cannot be narrowed until the kernel
# exposes a dedicated class.
allow bluetoothdomain self:socket *;

# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };
allow bluetooth self:capability net_admin;

# Allow clients to use a socket provided by the bluetooth app.
allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };

# tethering
allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
allow bluetooth efs_file:dir search;

# Talk to init over the property socket.
#line 36
allow bluetooth property_socket:sock_file write;
allow bluetooth init:unix_stream_socket connectto;

# proc access.
allow bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };

# bluetooth file transfers
allow bluetooth sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow bluetooth sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Allow reading of media_rw_data_file file descriptors
# passed to bluetooth
allow bluetooth media_rw_data_file:file { read getattr };

# Allow write access to bluetooth specific properties
allow bluetooth bluetooth_prop:property_service set;

###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin.
# Every capability other than net_admin is forbidden; the unconfineddomain
# exemption mirrors the app.te rules.
neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;

#line 1 "external/sepolicy/bootanim.te"
# bootanimation oneshot service
type bootanim, domain;
type bootanim_exec, exec_type, file_type;
#line 5
# Expansion of the init-started daemon transition macro (inferred from its
# shape): init executes bootanim_exec and the child lands in bootanim.
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init bootanim_exec:file { getattr open read execute };
allow init bootanim:process transition;
# New domain is entered by executing the file.
allow bootanim bootanim_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow bootanim init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init bootanim:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init bootanim:process { siginh rlimitinh };
# Make the transition occur by default.
#line 5
type_transition init bootanim_exec:process bootanim;

# Per-domain tmpfs label for bootanim's ashmem objects.
type bootanim_tmpfs, file_type;
type_transition bootanim tmpfs:file bootanim_tmpfs;
allow bootanim bootanim_tmpfs:file { read write };

#line 7
# Call the servicemanager and transfer references to it.
allow bootanim servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

#line 8
# Binder client side toward surfaceflinger.
# Call the server domain and optionally transfer references to it.
allow bootanim surfaceflinger:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow surfaceflinger bootanim:binder transfer;
# Receive and use open files from the server.
allow bootanim surfaceflinger:fd use;
allow bootanim gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };

#line 1 "external/sepolicy/clatd.te"
# 464xlat daemon
type clatd, domain;
#line 3
typeattribute clatd mlstrustedsubject;
# NOTE(review): clatd is placed in unconfineddomain, which removes it from the
# neverallow rules in this policy that subtract -unconfineddomain (see the
# hw_random_device and device:chr_file rules in domain.te); what the
# attribute itself grants is defined outside this excerpt.
typeattribute clatd unconfineddomain;
type clatd_exec, exec_type, file_type;
#line 6
# Expansion of the init-started daemon transition macro (inferred from its
# shape).
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init clatd_exec:file { getattr open read execute };
allow init clatd:process transition;
# New domain is entered by executing the file.
allow clatd clatd_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow clatd init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init clatd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init clatd:process { siginh rlimitinh };
# Make the transition occur by default.
#line 6
type_transition init clatd_exec:process clatd;

# Per-domain tmpfs label for clatd's ashmem objects.
type clatd_tmpfs, file_type;
type_transition clatd tmpfs:file clatd_tmpfs;
allow clatd clatd_tmpfs:file { read write };

#line 7
typeattribute clatd netdomain;

#line 1 "external/sepolicy/debuggerd.te"
# debugger interface
type debuggerd, domain;
type debuggerd_exec, exec_type, file_type;
#line 5
# Expansion of the init-started daemon transition macro (inferred from its
# shape).
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init debuggerd_exec:file { getattr open read execute };
allow init debuggerd:process transition;
# New domain is entered by executing the file.
allow debuggerd debuggerd_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow debuggerd init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init debuggerd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init debuggerd:process { siginh rlimitinh };
# Make the transition occur by default.
#line 5
type_transition init debuggerd_exec:process debuggerd;

# Per-domain tmpfs label for debuggerd's ashmem objects.
type debuggerd_tmpfs, file_type;
type_transition debuggerd tmpfs:file debuggerd_tmpfs;
allow debuggerd debuggerd_tmpfs:file { read write };

typeattribute debuggerd mlstrustedsubject;

# debuggerd is one of the few domains allowed sys_ptrace (see the neverallow
# in domain.te); dac_override and fowner let it reach other UIDs' files.
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
allow debuggerd self:capability2 { syslog };

# Read /proc/<pid> entries of every domain (crash inspection).
allow debuggerd domain:dir { open getattr read search ioctl };
allow debuggerd domain:file { getattr open read ioctl lock };
# ptrace of any domain except the listed core daemons.
allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;

#line 12
allow debuggerd security_file:dir { open getattr read search ioctl };
allow debuggerd security_file:file { getattr open read ioctl lock };
allow debuggerd security_file:lnk_file { getattr open read ioctl lock };
allow debuggerd selinuxfs:dir { open getattr read search ioctl };
allow debuggerd selinuxfs:file { getattr open read ioctl lock };
allow debuggerd rootfs:dir { open getattr read search ioctl };
allow debuggerd rootfs:file { getattr open read ioctl lock };

# Create the tombstone directory under system_data_file and relabel it.
allow debuggerd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow debuggerd system_data_file:dir relabelfrom;
#line 15
# relabeltodomain membership is what exempts debuggerd from the global
# "relabelto" neverallow in domain.te.
typeattribute debuggerd relabeltodomain;
allow debuggerd tombstone_data_file:dir relabelto;
allow debuggerd tombstone_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow debuggerd tombstone_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# NOTE(review): sigstop/signal are granted toward all domains, including the
# ones excluded from the ptrace rule above.
allow debuggerd domain:process { sigstop signal };
allow debuggerd exec_type:file { getattr open read ioctl lock };

# Access app library
allow debuggerd system_data_file:file open;

# Connect to system_server via /data/system/ndebugsocket.
#line 25
allow debuggerd system_ndebug_socket:sock_file write;
allow debuggerd system_server:unix_stream_socket connectto;

#line 30
# logd access
#line 33
allow debuggerd logdr_socket:sock_file write;
allow debuggerd logd:unix_stream_socket connectto;

#line 1 "external/sepolicy/device.te"
# Device types
# Every node type carries dev_type; mlstrustedobject marks the nodes that
# must be reachable across MLS levels. "device" itself also carries fs_type.
type device, dev_type, fs_type;
type alarm_device, dev_type, mlstrustedobject;
type adb_device, dev_type;
type ashmem_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
type block_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
type loop_device, dev_type;
type radio_device, dev_type;
type ram_device, dev_type;
type console_device, dev_type;
type cpuctl_device, dev_type;
type fscklogs, dev_type;
type full_device, dev_type;
# GPU (used by most UI apps)
type gpu_device, dev_type, mlstrustedobject;
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
# /dev/mem and /dev/kmem; see the kmem_device neverallow rules in domain.te.
type kmem_device, dev_type;
type log_device, dev_type, mlstrustedobject;
type mtd_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type qemu_device, dev_type;
type kmsg_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type;
type sensors_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type tty_device, dev_type;
type urandom_device, dev_type;
type video_device, dev_type;
type vcs_device, dev_type;
type zero_device, dev_type;
type fuse_device, dev_type;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
type gps_device, dev_type;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type usbaccessory_device, dev_type;
type usb_device, dev_type;
type klog_device, dev_type;
type properties_device, dev_type;

# All devices have a uart for the hci
# attach service. The uart dev node
# varies per device. This type
# is used in per device policy
type hci_attach_dev, dev_type;

# All devices have a rpmsg device for
# achieving remoteproc and rpmsg modules
type rpmsg_device, dev_type;

# Partition layout block device
type root_block_device, dev_type;

#line 1 "external/sepolicy/dhcp.te"
type dhcp, domain;
#line 2
typeattribute dhcp mlstrustedsubject;
# NOTE(review): dhcp is an unconfineddomain member and therefore outside the
# neverallow rules in this policy that subtract -unconfineddomain.
typeattribute dhcp unconfineddomain;
type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;
#line 6
# Expansion of the init-started daemon transition macro (inferred from its
# shape).
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init dhcp_exec:file { getattr open read execute };
allow init dhcp:process transition;
# New domain is entered by executing the file.
allow dhcp dhcp_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow dhcp init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init dhcp:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init dhcp:process { siginh rlimitinh };
# Make the transition occur by default.
#line 6
type_transition init dhcp_exec:process dhcp;

# Per-domain tmpfs label for dhcp's ashmem objects.
type dhcp_tmpfs, file_type;
type_transition dhcp tmpfs:file dhcp_tmpfs;
allow dhcp dhcp_tmpfs:file { read write };

#line 7
typeattribute dhcp netdomain;

allow dhcp cgroup:dir { create write add_name };
allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow dhcp self:netlink_route_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_write };
allow dhcp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
# NOTE(review): execute_no_trans means shell and system binaries run inside
# the dhcp domain itself (no domain transition), so anything dhcp executes
# inherits the capabilities and unconfineddomain membership granted above.
allow dhcp shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow dhcp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;

# Set properties of type system_prop via init's property socket.
allow dhcp system_prop:property_service set ;
#line 19
allow dhcp property_socket:sock_file write;
allow dhcp init:unix_stream_socket connectto;

allow dhcp owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Files created by dhcp under system_data_file get the dhcp_data_file label.
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
allow dhcp dhcp_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow dhcp dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# PAN connections
allow dhcp netd:fd use;
allow dhcp netd:fifo_file { { getattr open read ioctl lock } { open append write } };
allow dhcp netd:{ { udp_socket unix_dgram_socket } unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };

#line 1 "external/sepolicy/dnsmasq.te"
# DNS, DHCP services
type dnsmasq, domain;
#line 3
typeattribute dnsmasq mlstrustedsubject;
# NOTE(review): dnsmasq is also an unconfineddomain member.
typeattribute dnsmasq unconfineddomain;
type dnsmasq_exec, exec_type, file_type;

allow dnsmasq self:capability { net_bind_service setgid setuid };
allow dnsmasq self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
# Lease files live under dhcp_data_file (shared with the dhcp domain).
allow dnsmasq dhcp_data_file:dir { open search write add_name remove_name };
allow dnsmasq dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# name_bind on the generic port type: no port-specific label restricts the
# listening port here.
allow dnsmasq port:tcp_socket name_bind;
allow dnsmasq node:tcp_socket node_bind;

#line 1 "external/sepolicy/domain.te"
# Rules for all domains.
# Everything granted to "domain" below is available to every process on the
# device; keep additions here to the minimum every domain truly needs.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir { open getattr read search ioctl };

# Intra-domain accesses.
# execmem/execstack/execheap and self-ptrace are withheld from the default
# set; domains that need them must be granted explicitly.
allow domain self:process ~{ execmem execstack execheap ptrace };
allow domain self:fd use;
allow domain self:dir { open getattr read search ioctl };
allow domain self:lnk_file { getattr open read ioctl lock };
allow domain self:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
allow domain self:{ unix_dgram_socket unix_stream_socket } *;

# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };

#line 43
###
### Talk to debuggerd.
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
allow domain rootfs:dir { open getattr read search ioctl };
allow domain rootfs:file { getattr open read ioctl lock };
allow domain rootfs:lnk_file { getattr open read ioctl lock };

# Device accesses.
# Only directory search and symlink reads are granted on the generic device
# type; individual nodes below each get their own, narrower grant.
allow domain device:dir search;
allow domain dev_type:lnk_file { getattr open read ioctl lock };
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain null_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain zero_device:chr_file { getattr open read ioctl lock };
allow domain ashmem_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain binder_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain ptmx_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain log_device:dir search;
allow domain log_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain alarm_device:chr_file { getattr open read ioctl lock };
# /dev/urandom and /dev/random are readable and writable by all domains.
allow domain urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain random_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain properties_device:file { getattr open read ioctl lock };

# logd access
#line 76
allow domain logdw_socket:sock_file write;
allow domain logd:unix_dgram_socket sendto;

# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
# /system is readable and executable by every domain; writes to system_file
# are covered by neverallow rules elsewhere.
allow domain system_file:dir { open getattr read search ioctl };
allow domain system_file:file { getattr open read ioctl lock };
allow domain system_file:file execute;
allow domain system_file:lnk_file { getattr open read ioctl lock };

# Read files already opened under /data.
# Note: no "open" on system_data_file:file, only getattr/read on an
# inherited descriptor.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file { getattr open read ioctl lock };

# Read apk files under /data/app.
allow domain apk_data_file:dir { getattr search };
allow domain apk_data_file:file { getattr open read ioctl lock };

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file { getattr open read ioctl lock };

# Read already opened /cache files.
allow domain cache_file:dir { open getattr read search ioctl };
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file { getattr open read ioctl lock };

# Read timezone related information
#line 107
allow domain zoneinfo_data_file:dir { open getattr read search ioctl };
allow domain zoneinfo_data_file:{ file lnk_file } { getattr open read ioctl lock };

# For /acct/uid/*/tasks.
# NOTE(review): this is a write grant on cgroup files for every domain.
allow domain cgroup:dir { search write };
allow domain cgroup:file { open append write };

# Allow access to ion memory allocation device
allow domain ion_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Read access to pseudo filesystems.
# Each pair below is the expansion of the read-dir-and-files macro for one
# pseudo filesystem type (inferred from its shape).
#line 117
allow domain proc:dir { open getattr read search ioctl };
allow domain proc:{ file lnk_file } { getattr open read ioctl lock };
#line 118
allow domain sysfs:dir { open getattr read search ioctl };
allow domain sysfs:{ file lnk_file } { getattr open read ioctl lock };
#line 119
allow domain sysfs_devices_system_cpu:dir { open getattr read search ioctl };
allow domain sysfs_devices_system_cpu:{ file lnk_file } { getattr open read ioctl lock };
#line 120
allow domain inotify:dir { open getattr read search ioctl };
allow domain inotify:{ file lnk_file } { getattr open read ioctl lock };
#line 121
allow domain cgroup:dir { open getattr read search ioctl };
allow domain cgroup:{ file lnk_file } { getattr open read ioctl lock };
#line 122
allow domain proc_net:dir { open getattr read search ioctl };
allow domain proc_net:{ file lnk_file } { getattr open read ioctl lock };

# debugfs access
# NOTE(review): open/append/write on debugfs files is granted to every domain
# here, not just read; debugfs nodes are kernel-side and this deserves a
# narrower per-domain grant.
allow domain debugfs:dir { open getattr read search ioctl };
allow domain debugfs:file { open append write };

# Get SELinux enforcing status.
#line 129
allow domain selinuxfs:dir { open getattr read search ioctl };
allow domain selinuxfs:file { getattr open read ioctl lock };

# security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;

# World readable asec image contents
allow domain asec_public_file:file { getattr open read ioctl lock };
allow domain { asec_public_file asec_apk_file }:dir { open getattr read search ioctl };

######## Backwards compatibility - Unlabeled files ############
# Revert to DAC rules when looking at unlabeled files. Over time, the number
# of unlabeled files should decrease.
# TODO: delete these rules in the future.
#
# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
# capability, it's essentially useless. This is needed to allow an app with
# relabelto to relabel unlabeled files.
#
# NOTE(review): while these rules remain, any file that escapes labeling is
# fully readable and writable by every domain.
allow domain unlabeled:{ file lnk_file sock_file fifo_file } { { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } relabelfrom };
allow domain unlabeled:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };

# relabelto on any object is reserved for members of relabeltodomain.
neverallow { domain -relabeltodomain } *:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;

###
### neverallow rules
###

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;

# Limit device node creation and raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };

# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;

# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;

# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };

# Only init, ueventd and system_server should be able to access HW RNG
# NOTE(review): the rule also exempts unconfineddomain, which the comment
# above does not mention; either narrow the rule or document the exemption.
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
# Taken together: no domain outside kernel/ueventd/init gets any access, and
# even those three are limited to create/relabelto/unlink/setattr (node
# management only, never open/read/write).
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };

# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;

# Init can't receive binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow domain init:binder call;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# ueventd is exempt from this, as it is managing these devices.
# NOTE(review): unconfineddomain is exempt as well.
neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

#line 1 "external/sepolicy/drmserver.te"
# drmserver - DRM service
type drmserver, domain;
type drmserver_exec, exec_type, file_type;
#line 5
# Expansion of the init-started daemon transition macro (inferred from its
# shape).
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init drmserver_exec:file { getattr open read execute };
allow init drmserver:process transition;
# New domain is entered by executing the file.
allow drmserver drmserver_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow drmserver init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init drmserver:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init drmserver:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init drmserver_exec:process drmserver;

# Per-domain tmpfs label for drmserver's ashmem objects.
type drmserver_tmpfs, file_type;
type_transition drmserver tmpfs:file drmserver_tmpfs;
allow drmserver drmserver_tmpfs:file { read write };

typeattribute drmserver mlstrustedsubject;

# Perform Binder IPC to system server.
#line 9
# Call the servicemanager and transfer references to it.
allow drmserver servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
#line 10
# Call the server domain and optionally transfer references to it.
allow drmserver system_server:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow system_server drmserver:binder transfer;
# Receive and use open files from the server.
#line 10 allow drmserver system_server:fd use; #line 10 #line 11 # Call the server domain and optionally transfer references to it. #line 11 allow drmserver appdomain:binder { call transfer }; #line 11 # Allow the serverdomain to transfer references to the client on the reply. #line 11 allow appdomain drmserver:binder transfer; #line 11 # Receive and use open files from the server. #line 11 allow drmserver appdomain:fd use; #line 11 #line 12 typeattribute drmserver binderservicedomain; #line 12 # Perform Binder IPC to mediaserver #line 15 # Call the server domain and optionally transfer references to it. #line 15 allow drmserver mediaserver:binder { call transfer }; #line 15 # Allow the serverdomain to transfer references to the client on the reply. #line 15 allow mediaserver drmserver:binder transfer; #line 15 # Receive and use open files from the server. #line 15 allow drmserver mediaserver:fd use; #line 15 allow drmserver sdcard_type:dir search; allow drmserver drm_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow drmserver drm_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow drmserver self:{ tcp_socket udp_socket } *; allow drmserver port:tcp_socket name_connect; allow drmserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow drmserver platform_app_data_file:file { read write getattr }; allow drmserver app_data_file:file { read write getattr }; allow drmserver sdcard_type:file { read write getattr }; #line 26 allow drmserver efs_file:dir { open getattr read search ioctl }; #line 26 allow drmserver efs_file:{ file lnk_file } { getattr open read ioctl lock }; #line 26 type drmserver_socket, file_type; # /data/app/tlcd_sock socket file. # Clearly, /data/app is the most logical place to create a socket. Not. 
allow drmserver apk_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; type_transition drmserver apk_data_file:sock_file drmserver_socket; allow drmserver drmserver_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow drmserver tee:unix_stream_socket connectto; # Delete old socket file if present. allow drmserver apk_data_file:sock_file unlink; # After taking a video, drmserver looks at the video file. #line 40 allow drmserver media_rw_data_file:dir { open getattr read search ioctl }; #line 40 allow drmserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock }; #line 40 #line 1 "external/sepolicy/dumpstate.te" # dumpstate type dumpstate, domain; #line 3 typeattribute dumpstate mlstrustedsubject; #line 3 typeattribute dumpstate unconfineddomain; #line 3 type dumpstate_exec, exec_type, file_type; #line 6 #line 6 # Allow the necessary permissions. #line 6 #line 6 # Old domain may exec the file and transition to the new domain. #line 6 allow init dumpstate_exec:file { getattr open read execute }; #line 6 allow init dumpstate:process transition; #line 6 # New domain is entered by executing the file. #line 6 allow dumpstate dumpstate_exec:file { entrypoint read execute }; #line 6 # New domain can send SIGCHLD to its caller. #line 6 allow dumpstate init:process sigchld; #line 6 # Enable AT_SECURE, i.e. libc secure mode. #line 6 dontaudit init dumpstate:process noatsecure; #line 6 # XXX dontaudit candidate but requires further study. #line 6 allow init dumpstate:process { siginh rlimitinh }; #line 6 #line 6 # Make the transition occur by default. 
type_transition init dumpstate_exec:process dumpstate;
type dumpstate_tmpfs, file_type;
type_transition dumpstate tmpfs:file dumpstate_tmpfs;
allow dumpstate dumpstate_tmpfs:file { read write };
typeattribute dumpstate netdomain;
typeattribute dumpstate relabeltodomain;
# Call the servicemanager and transfer references to it.
allow dumpstate servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
# Drop privileges by switching UID / GID
allow dumpstate self:capability { setuid setgid };
# Allow dumpstate to scan through /proc/pid for all processes
# `domain` is the attribute shared by every process type, so this covers the
# /proc/PID entries of every process on the device.
allow dumpstate domain:dir { open getattr read search ioctl };
allow dumpstate domain:{ file lnk_file } { getattr open read ioctl lock };
# Send signals to processes
allow dumpstate self:capability kill;
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
# execute_no_trans: the binary runs inside the dumpstate domain itself, with no
# domain transition.
allow dumpstate system_file:file execute_no_trans;
# Create and write into /data/anr/
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } relabelto };
allow dumpstate anr_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow dumpstate system_data_file:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };
# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
# NOTE(review): as written this is read access to every file labeled
# system_data_file (the default type under /data), not just uiderrors.txt.
allow dumpstate system_data_file:file { getattr open read ioctl lock };
# Read dmesg
allow dumpstate self:capability2 syslog;
allow dumpstate kernel:system syslog_read;
# Get process attributes
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
allow dumpstate { appdomain system_server }:process signal;
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
# The /system/bin/ip command needs this for routing table information.
allow dumpstate self:netlink_route_socket { write getattr setopt };
# The vdc command needs to talk to the vold socket.
allow dumpstate vold_socket:sock_file write;
allow dumpstate vold:unix_stream_socket connectto;
# Vibrate the device after we're done collecting the bugreport
# /sys/class/timed_output/vibrator/enable
# TODO: create a new file class, instead of allowing write access to all of /sys
# NOTE(review): until the TODO is done, this is write access to every file labeled
# with the generic sysfs type.
allow dumpstate sysfs:file { open append write };
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file { getattr open read ioctl lock };
allow dumpstate debugfs:file { getattr open read ioctl lock };
# Allow dumpstate to make binder calls to any binder service
# Call the server domain and optionally transfer references to it.
allow dumpstate binderservicedomain:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow binderservicedomain dumpstate:binder transfer;
# Receive and use open files from the server.
allow dumpstate binderservicedomain:fd use;
# Call the server domain and optionally transfer references to it.
allow dumpstate appdomain:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow appdomain dumpstate:binder transfer;
# Receive and use open files from the server.
allow dumpstate appdomain:fd use;
# Reading /proc/PID/maps of other processes
# CAP_SYS_PTRACE is what the kernel checks for reading another process's maps;
# the SELinux ptrace permission on process is not granted here.
allow dumpstate self:capability sys_ptrace;
# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow dumpstate shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Run a shell.
allow dumpstate shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
# Dalvik Compiler JIT.
# execmem plus execute on ashmem and on dumpstate's own tmpfs files allows
# writable-then-executable anonymous memory in this domain.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate dumpstate_tmpfs:file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:file execute;
# logd access
allow dumpstate logdr_socket:sock_file write;
allow dumpstate logd:unix_stream_socket connectto;
# Group AID_LOG checked by filesystem & logd
# to permit control commands
allow dumpstate logd_socket:sock_file write;
allow dumpstate logd:unix_stream_socket connectto;

#line 1 "external/sepolicy/file.te"
# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_net, fs_type;
type selinuxfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
# Generic sysfs label. Rules written against this type (for example the
# dumpstate and gpsd write rules) reach every sysfs node that has not been given
# one of the more specific sysfs_* types below.
type sysfs, fs_type, mlstrustedobject;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, mlstrustedobject;

# File types
# Attributes used below: data_file_type groups everything under /data so that
# rules such as installd's data_file_type:dir rules apply to all of it at once;
# mlstrustedobject marks objects that (presumably) are exempt from MLS
# constraints -- confirm against the mls file, which is not in this span.
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type;
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type;
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;
# Compatibility with type names used in vanilla Android 4.3 and 4.4.
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/.*\.{data|restore} and default
# type for anything under /cache/backup
type cache_backup_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, mlstrustedobject;
# /mnt/asec
type asec_apk_file, file_type, data_file_type;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
# For /data/security
type security_file, file_type;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
# Downloaded files
type download_file, file_type;

# Socket types
type adbd_socket, file_type;
type bluetooth_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
type dumpstate_socket, file_type;
type gps_socket, file_type;
type installd_socket, file_type;
type keystore_socket, file_type;
type lmkd_socket, file_type;
type logd_debug, file_type;
type logd_socket, file_type;
type logdr_socket, file_type;
type logdw_socket, file_type;
type mdns_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
type qemud_socket, file_type;
type racoon_socket, file_type;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;

# Allow files to be created in their appropriate filesystems.
# `associate` is checked when a file of the given type is created on, or
# relabeled into, a filesystem of the given type.
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;

#line 1 "external/sepolicy/gpsd.te"
# gpsd - GPS daemon
type gpsd, domain;
typeattribute gpsd mlstrustedsubject;
# gpsd is unconfined; the explicit rules below are additions on top of
# unconfineddomain.
typeattribute gpsd unconfineddomain;
type gpsd_exec, exec_type, file_type;
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init gpsd_exec:file { getattr open read execute };
allow init gpsd:process transition;
# New domain is entered by executing the file.
allow gpsd gpsd_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow gpsd init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init gpsd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init gpsd:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init gpsd_exec:process gpsd;
type gpsd_tmpfs, file_type;
type_transition gpsd tmpfs:file gpsd_tmpfs;
allow gpsd gpsd_tmpfs:file { read write };
typeattribute gpsd netdomain;
allow gpsd gps_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow gpsd gps_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Socket is created by the daemon, not by init, and under /data/gps,
# not under /dev/socket.
type_transition gpsd gps_data_file:sock_file gps_socket;
allow gpsd gps_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# XXX Label sysfs files with a specific type?
# NOTE(review): until that is done this is read/write access to every node
# carrying the generic sysfs type.
allow gpsd sysfs:file { { getattr open read ioctl lock } { open append write } };
allow gpsd gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
# Execute the shell or system commands.
# execute_no_trans: shell and /system binaries run inside the (unconfined) gpsd
# domain rather than transitioning to a domain of their own.
allow gpsd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow gpsd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

#line 1 "external/sepolicy/hci_attach.te"
# hci_attach - attaches a Bluetooth HCI UART; confined (no unconfineddomain here).
type hci_attach, domain;
type hci_attach_exec, exec_type, file_type;
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init hci_attach_exec:file { getattr open read execute };
allow init hci_attach:process transition;
# New domain is entered by executing the file.
allow hci_attach hci_attach_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow hci_attach init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init hci_attach:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init hci_attach:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init hci_attach_exec:process hci_attach;
type hci_attach_tmpfs, file_type;
type_transition hci_attach tmpfs:file hci_attach_tmpfs;
allow hci_attach hci_attach_tmpfs:file { read write };
# module_request lets hci_attach trigger kernel module autoloading.
allow hci_attach kernel:system module_request;
allow hci_attach hci_attach_dev:chr_file { { getattr open read ioctl lock } { open append write } };
allow hci_attach bluetooth_efs_file:dir { open getattr read search ioctl };
allow hci_attach bluetooth_efs_file:file { getattr open read ioctl lock };

#line 1 "external/sepolicy/healthd.te"
# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type healthd, domain;
allow healthd rootfs:file { read entrypoint };
# Files named "__kmsg__" that healthd creates under /dev get the klog_device type.
type_transition healthd device:chr_file klog_device "__kmsg__";
allow healthd klog_device:chr_file { create open write unlink };
allow healthd device:dir { write add_name remove_name };
# /dev/__null__ created by init prior to policy load,
# open fd inherited by healthd.
allow healthd tmpfs:chr_file { read write };
allow healthd self:capability { net_admin mknod };
allow healthd self:capability2 block_suspend;
allow healthd self:netlink_kobject_uevent_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
# Call the servicemanager and transfer references to it.
allow healthd servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
typeattribute healthd binderservicedomain;
# Call the server domain and optionally transfer references to it.
allow healthd system_server:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow system_server healthd:binder transfer;
# Receive and use open files from the server.
allow healthd system_server:fd use;

###
### healthd: charger mode
###
allow healthd graphics_device:dir { open getattr read search ioctl };
allow healthd graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow healthd input_device:dir { open getattr read search ioctl };
allow healthd input_device:chr_file { getattr open read ioctl lock };
# execmem plus execute on ashmem permits anonymous executable memory in healthd.
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;

#line 1 "external/sepolicy/hostapd.te"
# userspace wifi access points
type hostapd, domain;
typeattribute hostapd mlstrustedsubject;
# hostapd is unconfined; the rules below are additions on top of unconfineddomain.
typeattribute hostapd unconfineddomain;
type hostapd_exec, exec_type, file_type;
# NOTE(review): no init -> hostapd transition rules appear in this span; how the
# domain is entered is presumably defined elsewhere (e.g. by the domain that
# launches it) -- confirm.
allow hostapd self:capability { net_admin net_raw setuid setgid };
# Generic netlink socket class (not one of the family-specific netlink_*_socket classes).
allow hostapd self:netlink_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow hostapd self:packet_socket { create write read };
allow hostapd self:netlink_route_socket { bind create write nlmsg_write read };
allow hostapd self:udp_socket { create ioctl };
allow hostapd wifi_data_file:file { { getattr open read ioctl lock } { open append write } };
allow hostapd wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow hostapd wpa_socket:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow hostapd wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# hostapd uses sockets and fds inherited from / shared with netd (fd use plus
# read/write on netd-owned socket and fifo objects).
allow hostapd netd:fd use;
allow hostapd netd:udp_socket { read write };
allow hostapd netd:netlink_kobject_uevent_socket { read write };
allow hostapd netd:netlink_nflog_socket { read write };
allow hostapd netd:netlink_route_socket { read write };
allow hostapd netd:unix_stream_socket { read write };
allow hostapd netd:fifo_file { read write };

#line 1 "external/sepolicy/init_shell.te"
# Restricted domain for shell processes spawned by init
type init_shell, domain, shelldomain;
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init shell_exec:file { getattr open read execute };
allow init init_shell:process transition;
# New domain is entered by executing the file.
allow init_shell shell_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow init_shell init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init init_shell:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init init_shell:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init shell_exec:process init_shell;
typeattribute init_shell mlstrustedsubject;
# NOTE(review): despite the "Restricted domain" header of init_shell.te, this
# makes init_shell unconfined.
typeattribute init_shell unconfineddomain;
# inherits from shelldomain.te

#line 1 "external/sepolicy/init.te"
# init switches to init domain (via init.rc).
type init, domain;
# init is unconfined.
typeattribute init mlstrustedsubject;
typeattribute init unconfineddomain;
type init_tmpfs, file_type;
type_transition init tmpfs:file init_tmpfs;
allow init init_tmpfs:file { read write };
typeattribute init relabeltodomain;
# add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;
allow init self:capability { sys_rawio mknod };
allow init dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
# `*`: every filesystem-class permission on every filesystem type.
allow init fs_type:filesystem *;
# init may relabel any dir/file/device/socket/fifo of any fs, dev or file type.
allow init {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
# init loads the policy itself; together with the global neverallow that keeps
# setenforce/setcheckreqprot away from everything but kernel, this is the only
# policy-management permission granted to a userspace domain in this span.
allow init kernel:security load_policy;
# These two are the only writers the usermodehelper / proc_security neverallow
# rules admit.
allow init usermodehelper:file { { getattr open read ioctl lock } { open append write } };
allow init proc_security:file { { getattr open read ioctl lock } { open append write } };
# Transitions to seclabel processes in init.rc
allow init adbd:process transition;
allow init healthd:process transition;
allow init recovery:process transition;
allow init shell:process transition;
allow init ueventd:process transition;
allow init watchdogd:process transition;

#line 1 "external/sepolicy/inputflinger.te"
# inputflinger
type inputflinger, domain;
typeattribute inputflinger mlstrustedsubject;
# inputflinger is unconfined.
typeattribute inputflinger unconfineddomain;
type inputflinger_exec, exec_type, file_type;
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init inputflinger_exec:file { getattr open read execute };
allow init inputflinger:process transition;
# New domain is entered by executing the file.
allow inputflinger inputflinger_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow inputflinger init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init inputflinger:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init inputflinger:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init inputflinger_exec:process inputflinger;
type inputflinger_tmpfs, file_type;
type_transition inputflinger tmpfs:file inputflinger_tmpfs;
allow inputflinger inputflinger_tmpfs:file { read write };
# Call the servicemanager and transfer references to it.
allow inputflinger servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
typeattribute inputflinger binderservicedomain;

#line 1 "external/sepolicy/installd.te"
# installer daemon
type installd, domain;
type installd_exec, exec_type, file_type;
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init installd_exec:file { getattr open read execute };
allow init installd:process transition;
# New domain is entered by executing the file.
allow installd installd_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow installd init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init installd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init installd:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init installd_exec:process installd;
type installd_tmpfs, file_type;
type_transition installd tmpfs:file installd_tmpfs;
allow installd installd_tmpfs:file { read write };
typeattribute installd relabeltodomain;
typeattribute installd mlstrustedsubject;
# DAC-bypassing capabilities: installd creates and chowns per-app directories.
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
allow installd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow installd system_data_file:lnk_file create;
allow installd dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Written against the data_file_type attribute: full directory management and
# relabeling across every /data type that carries it, plus getattr/unlink on any
# non-directory object there.
allow installd data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow installd data_file_type:dir { relabelfrom relabelto };
allow installd data_file_type:{ { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { getattr unlink };
allow installd apk_data_file:file { getattr open read ioctl lock };
allow installd apk_tmp_file:file { getattr open read ioctl lock };
allow installd system_file:file { getattr execute execute_no_trans };
allow installd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow installd download_file:dir { { open getattr read search ioctl } write remove_name };
allow installd download_file:file { { getattr open read ioctl lock } unlink };
# dontaudit: the denial is kept, only its audit record is suppressed.
dontaudit installd self:capability sys_admin;
# Check validity of SELinux context before use.
# Writing to selinuxfs files is what the check_context query needs; it is paired
# with the check_context security permission, not with load_policy or setenforce.
allow installd selinuxfs:dir { open getattr read search ioctl };
allow installd selinuxfs:file { { getattr open read ioctl lock } { open append write } };
allow installd kernel:security check_context;
# Read /seapp_contexts and /data/security/seapp_contexts
allow installd security_file:dir { open getattr read search ioctl };
allow installd security_file:file { getattr open read ioctl lock };
allow installd security_file:lnk_file { getattr open read ioctl lock };
allow installd selinuxfs:dir { open getattr read search ioctl };
allow installd selinuxfs:file { getattr open read ioctl lock };
allow installd rootfs:dir { open getattr read search ioctl };
allow installd rootfs:file { getattr open read ioctl lock };
# ASEC
allow installd platform_app_data_file:lnk_file { create setattr };
allow installd app_data_file:lnk_file { create setattr };
allow installd asec_apk_file:file { getattr open read ioctl lock };
allow installd bluetooth_data_file:lnk_file { create setattr };
allow installd nfc_data_file:lnk_file { create setattr };
allow installd radio_data_file:lnk_file { create setattr };
allow installd shell_data_file:lnk_file { create setattr };

#line 1 "external/sepolicy/isolated_app.te"
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###
type isolated_app, domain;
typeattribute isolated_app appdomain;
# Label ashmem objects with our own unique type.
#line 13 #line 13 type isolated_app_tmpfs, file_type; #line 13 type_transition isolated_app tmpfs:file isolated_app_tmpfs; #line 13 allow isolated_app isolated_app_tmpfs:file { read write }; #line 13 #line 13 # Map with PROT_EXEC. #line 13 allow isolated_app isolated_app_tmpfs:file execute; #line 13 # Already connected, unnamed sockets being passed over some other IPC # hence no sock_file or connectto permission. This appears to be how # Chrome works, may need to be updated as more apps using isolated services # are examined. allow isolated_app appdomain:unix_stream_socket { read write }; allow isolated_app dalvikcache_data_file:file execute; allow isolated_app apk_data_file:dir getattr; #line 1 "external/sepolicy/kernel.te" # Life begins with the kernel. type kernel, domain; allow kernel init:process dyntransition; # The kernel is unconfined. #line 7 typeattribute kernel mlstrustedsubject; #line 7 typeattribute kernel unconfineddomain; #line 7 #line 8 typeattribute kernel relabeltodomain; #line 8 allow kernel {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto; allow kernel unlabeled:filesystem mount; allow kernel fs_type:filesystem *; # Initial setenforce by init prior to switching to init domain. allow kernel self:security setenforce; # Set checkreqprot by init.rc prior to switching to init domain. allow kernel self:security setcheckreqprot; # For operations performed by kernel or init prior to switching to init domain. 
## TODO: Investigate whether it is safe to remove these allow kernel self:capability { sys_rawio mknod }; auditallow kernel self:capability { sys_rawio mknod }; allow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; auditallow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; #line 1 "external/sepolicy/keystore.te" type keystore, domain; type keystore_exec, exec_type, file_type; # keystore daemon #line 5 #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. #line 5 allow init keystore_exec:file { getattr open read execute }; #line 5 allow init keystore:process transition; #line 5 # New domain is entered by executing the file. #line 5 allow keystore keystore_exec:file { entrypoint read execute }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 allow keystore init:process sigchld; #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit init keystore:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow init keystore:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition init keystore_exec:process keystore; #line 5 #line 5 #line 5 type keystore_tmpfs, file_type; #line 5 type_transition keystore tmpfs:file keystore_tmpfs; #line 5 allow keystore keystore_tmpfs:file { read write }; #line 5 #line 5 typeattribute keystore mlstrustedsubject; #line 7 # Call the servicemanager and transfer references to it. #line 7 allow keystore servicemanager:binder { call transfer }; #line 7 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 7 # all domains in domain.te. 
#line 7
#line 8
typeattribute keystore binderservicedomain;
#line 8
allow keystore keystore_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow keystore keystore_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow keystore keystore_exec:file { getattr };
# TEE driver and tee daemon socket -- presumably the hardware-backed key path;
# only keystore gets these in this chunk, keep it that way.
allow keystore tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow keystore tee:unix_stream_socket connectto;
#line 1 "external/sepolicy/lmkd.te"
# lmkd low memory killer daemon
type lmkd, domain;
type lmkd_exec, exec_type, file_type;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init lmkd_exec:file { getattr open read execute };
#line 5
allow init lmkd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow lmkd lmkd_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow lmkd init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init lmkd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init lmkd:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init lmkd_exec:process lmkd;
#line 5
#line 5
#line 5
type lmkd_tmpfs, file_type;
#line 5
type_transition lmkd tmpfs:file lmkd_tmpfs;
#line 5
allow lmkd lmkd_tmpfs:file { read write };
#line 5
#line 5
# NOTE(review): dac_override is a broad capability; the scoping TODO below
# applies to it as much as to the file rules.
allow lmkd self:capability { dac_override sys_resource };
## Open and write to /proc/PID/oom_score_adj
## TODO: maybe scope this down?
#line 11
allow lmkd appdomain:dir { open getattr read search ioctl };
#line 11
allow lmkd appdomain:{ file lnk_file } { getattr open read ioctl lock };
#line 11
# NOTE(review): 'file write' is granted on every file-class object carrying an
# appdomain label, not only oom_score_adj; a dedicated type for that node would
# scope this down.
allow lmkd appdomain:file write;
#line 13
allow lmkd system_server:dir { open getattr read search ioctl };
#line 13
allow lmkd system_server:{ file lnk_file } { getattr open read ioctl lock };
#line 13
allow lmkd system_server:file write;
## Writes to /sys/module/lowmemorykiller/parameters/minfree
allow lmkd sysfs_lowmemorykiller:file { open append write };
#line 1 "external/sepolicy/logd.te"
# android user-space log manager
type logd, domain;
type logd_exec, exec_type, file_type;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init logd_exec:file { getattr open read execute };
#line 5
allow init logd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow logd logd_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow logd init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init logd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init logd:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init logd_exec:process logd;
#line 5
#line 5
#line 5
type logd_tmpfs, file_type;
#line 5
type_transition logd tmpfs:file logd_tmpfs;
#line 5
allow logd logd_tmpfs:file { read write };
#line 5
#line 5
# '*' = every unix_stream_socket permission on logd's own sockets.
allow logd self:unix_stream_socket *;
allow logd self:capability { setuid setgid sys_nice };
#line 10
# Read-only view of every domain's /proc entries (dir/file/lnk_file, no write).
allow logd domain:dir { open getattr read search ioctl };
#line 10
allow logd domain:{ file lnk_file } { getattr open read ioctl lock };
#line 10
#line 17
###
### Neverallow rules
###
### logd should NEVER do any of this
# Block device access.
# neverallow rules are compile-time assertions: checkpolicy rejects the policy
# if any allow rule (including one reached through an attribute) contradicts them.
neverallow logd dev_type:blk_file { read write };
# ptrace any other app
neverallow logd domain:process ptrace;
# Write to /system.
neverallow logd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Write to files in /data/data or system files on /data
neverallow logd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "external/sepolicy/media_app.te"
###
### Apps signed with the media key.
###
type media_app, domain;
#line 6
typeattribute media_app appdomain;
#line 6
# Label ashmem objects with our own unique type.
#line 6
#line 6
type media_app_tmpfs, file_type;
#line 6
type_transition media_app tmpfs:file media_app_tmpfs;
#line 6
allow media_app media_app_tmpfs:file { read write };
#line 6
#line 6
# Map with PROT_EXEC.
#line 6
allow media_app media_app_tmpfs:file execute;
#line 6
#line 7
typeattribute media_app platformappdomain;
#line 7
typeattribute media_app mlstrustedsubject;
#line 7
#line 8
typeattribute media_app binderservicedomain;
#line 8
# Access the network.
#line 10
typeattribute media_app netdomain;
#line 10
# Access /dev/mtp_usb.
allow media_app mtp_device:chr_file { { getattr open read ioctl lock } { open append write } };
# Write to /cache.
allow media_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow media_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Stat /cache/lost+found
# getattr only on unlabeled objects -- no read/write, so this stays a stat.
allow media_app unlabeled:file getattr;
allow media_app unlabeled:dir getattr;
# Stat /cache/backup
allow media_app cache_backup_file:file getattr;
allow media_app cache_backup_file:dir getattr;
# Read files in the rootdir (in particular, file_contexts for restorecon).
allow media_app rootfs:file { getattr open read ioctl lock };
allow media_app download_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow media_app download_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Allow platform apps to mark platform app data files as download files
#line 27
typeattribute media_app relabeltodomain;
#line 27
# relabelfrom/relabelto pair: platform_app_data_file dirs may become
# download_file; the reverse direction is not granted here.
allow media_app platform_app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;
#line 1 "external/sepolicy/mediaserver.te"
# mediaserver - multimedia daemon
type mediaserver, domain;
#line 3
typeattribute mediaserver mlstrustedsubject;
#line 3
# NOTE(review): mediaserver is unconfined here; the detailed rules that follow
# in this section document intended access rather than bound it.
typeattribute mediaserver unconfineddomain;
#line 3
type mediaserver_exec, exec_type, file_type;
# NOTE(review): mlstrustedsubject is attached to mediaserver twice in this
# section (here and above); harmless but redundant.
typeattribute mediaserver mlstrustedsubject;
#line 8
typeattribute mediaserver netdomain;
#line 8
#line 9
#line 9
# Allow the necessary permissions.
#line 9
#line 9
# Old domain may exec the file and transition to the new domain.
#line 9
allow init mediaserver_exec:file { getattr open read execute };
#line 9
allow init mediaserver:process transition;
#line 9
# New domain is entered by executing the file.
#line 9
allow mediaserver mediaserver_exec:file { entrypoint read execute };
#line 9
# New domain can send SIGCHLD to its caller.
#line 9
allow mediaserver init:process sigchld;
#line 9
# Enable AT_SECURE, i.e. libc secure mode.
#line 9
dontaudit init mediaserver:process noatsecure;
#line 9
# XXX dontaudit candidate but requires further study.
#line 9
allow init mediaserver:process { siginh rlimitinh };
#line 9
#line 9
# Make the transition occur by default.
#line 9
type_transition init mediaserver_exec:process mediaserver;
#line 9
#line 9
#line 9
type mediaserver_tmpfs, file_type;
#line 9
type_transition mediaserver tmpfs:file mediaserver_tmpfs;
#line 9
allow mediaserver mediaserver_tmpfs:file { read write };
#line 9
#line 9
#line 10
# Property socket: write on the sock_file plus connectto on init's socket.
allow mediaserver property_socket:sock_file write;
#line 10
allow mediaserver init:unix_stream_socket connectto;
#line 10
#line 12
allow mediaserver sdcard_type:dir { open getattr read search ioctl };
#line 12
allow mediaserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock };
#line 12
#line 14
# Call the servicemanager and transfer references to it.
#line 14
allow mediaserver servicemanager:binder { call transfer };
#line 14
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14
#line 15
# Call the server domain and optionally transfer references to it.
#line 15
allow mediaserver binderservicedomain:binder { call transfer };
#line 15
# Allow the serverdomain to transfer references to the client on the reply.
#line 15
allow binderservicedomain mediaserver:binder transfer;
#line 15
# Receive and use open files from the server.
#line 15
allow mediaserver binderservicedomain:fd use;
#line 15
#line 16
# Call the server domain and optionally transfer references to it.
#line 16
allow mediaserver appdomain:binder { call transfer };
#line 16
# Allow the serverdomain to transfer references to the client on the reply.
#line 16
# Note the subject of this rule is appdomain (every app), not mediaserver.
allow appdomain mediaserver:binder transfer;
#line 16
# Receive and use open files from the server.
#line 16
allow mediaserver appdomain:fd use;
#line 16
#line 17
typeattribute mediaserver binderservicedomain;
#line 17
# execmem: anonymous writable+executable memory (JIT-style mappings).
allow mediaserver self:process execmem;
# module_request: mediaserver may trigger kernel module autoloading.
allow mediaserver kernel:system module_request;
allow mediaserver media_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow mediaserver media_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# NOTE(review): rw on app_data_file:file reaches every app's private files, not
# only media; the dir is search-only, so presumably paths/fds come from the
# caller. Worth scoping down.
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file { { getattr open read ioctl lock } { open append write } };
allow mediaserver platform_app_data_file:file { getattr read };
allow mediaserver sdcard_type:file write;
allow mediaserver { gpu_device graphics_device }:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver video_device:dir { open getattr read search ioctl };
allow mediaserver video_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver audio_device:dir { open getattr read search ioctl };
allow mediaserver qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver audio_prop:property_service set;
# Access audio devices at all.
allow mediaserver audio_device:chr_file { { getattr open read ioctl lock } { open append write } };
# XXX Label with a specific type?
# NOTE(review): rw on the generic sysfs type covers every unlabeled sysfs node.
allow mediaserver sysfs:file { { getattr open read ioctl lock } { open append write } };
# XXX Why?
allow mediaserver apk_data_file:file { read getattr };
# Access camera device.
allow mediaserver camera_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver rpmsg_device:chr_file { { getattr open read ioctl lock } { open append write } };
# Inter System processes communicate over named pipe (FIFO)
# Read side only on system_server's FIFOs (no write in this rule).
allow mediaserver system_server:fifo_file { getattr open read ioctl lock };
# Camera data
#line 52
allow mediaserver camera_data_file:dir { open getattr read search ioctl };
#line 52
allow mediaserver camera_data_file:{ file lnk_file } { getattr open read ioctl lock };
#line 52
#line 53
allow mediaserver media_rw_data_file:dir { open getattr read search ioctl };
#line 53
allow mediaserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };
#line 53
# Grant access to audio files to mediaserver
# dir: add_name/write but no remove_name, so files can be created but not removed
# at the directory level (unlink on the file class is granted below).
allow mediaserver audio_data_file:dir { { open getattr read search ioctl } add_name write };
allow mediaserver audio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
allow mediaserver qtaguid_device:chr_file { getattr open read ioctl lock };
# Allow abstract socket connection
allow mediaserver rild:unix_stream_socket { connectto read write setopt };
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
#line 68
allow mediaserver drmserver_socket:sock_file write;
#line 68
allow mediaserver drmserver:unix_stream_socket connectto;
#line 68
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
#line 72
allow mediaserver bluetooth_socket:sock_file write;
#line 72
allow mediaserver bluetooth:unix_stream_socket connectto;
#line 72
#line 1 "external/sepolicy/mtp.te"
# vpn tunneling protocol manager
type mtp, domain;
#line 3
typeattribute mtp mlstrustedsubject;
#line 3
# NOTE(review): mtp is unconfined; the socket/capability rules in this section
# describe intent rather than the effective bound.
typeattribute mtp unconfineddomain;
#line 3
type mtp_exec, exec_type, file_type;
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init mtp_exec:file { getattr open read execute };
#line 6
allow init mtp:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow mtp mtp_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow mtp init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init mtp:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init mtp:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init mtp_exec:process mtp;
#line 6
#line 6
#line 6
type mtp_tmpfs, file_type;
#line 6
type_transition mtp tmpfs:file mtp_tmpfs;
#line 6
allow mtp mtp_tmpfs:file { read write };
#line 6
#line 6
#line 7
typeattribute mtp netdomain;
#line 7
# pptp policy
allow mtp self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow mtp self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
# rawip_socket plus CAP_NET_RAW: presumably for the GRE leg of pptp; raw
# sockets also allow arbitrary IP payloads, so keep this domain's other grants
# minimal.
allow mtp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow mtp self:capability net_raw;
allow mtp ppp:process signal;
allow mtp port:tcp_socket name_connect;
allow mtp vpn_data_file:dir search;
#line 1 "external/sepolicy/netd.te"
# network manager
type netd, domain;
type netd_exec, exec_type, file_type;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init netd_exec:file { getattr open read execute };
#line 5
allow init netd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow netd netd_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow netd init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init netd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init netd:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init netd_exec:process netd;
#line 5
#line 5
#line 5
type netd_tmpfs, file_type;
#line 5
type_transition netd tmpfs:file netd_tmpfs;
#line 5
allow netd netd_tmpfs:file { read write };
#line 5
#line 5
#line 6
typeattribute netd netdomain;
#line 6
# netd is confined in this section (no unconfineddomain), so these rules are
# the real bound; the neverallow block at the end of netd.te backs them.
allow netd self:capability { net_admin net_raw kill fsetid };
allow netd self:netlink_kobject_uevent_socket *;
allow netd self:netlink_route_socket *;
allow netd self:netlink_nflog_socket *;
allow netd self:rawip_socket *;
allow netd self:unix_stream_socket *;
# execute_no_trans: helper binaries run inside the netd domain and therefore
# inherit net_admin/net_raw above.
allow netd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow netd system_file:file { getattr execute execute_no_trans };
allow netd devpts:chr_file { { getattr open read ioctl lock } { open append write } };
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file write;
# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
allow netd sysfs:file write;
# Set dhcp lease for PAN connection
#line 26
allow netd property_socket:sock_file write;
#line 26
allow netd init:unix_stream_socket connectto;
#line 26
allow netd system_prop:property_service set;
# Connect to PAN
#line 30
# Allow the necessary permissions.
#line 30
#line 30
# Old domain may exec the file and transition to the new domain.
#line 30
allow netd dhcp_exec:file { getattr open read execute };
#line 30
allow netd dhcp:process transition;
#line 30
# New domain is entered by executing the file.
#line 30
allow dhcp dhcp_exec:file { entrypoint read execute };
#line 30
# New domain can send SIGCHLD to its caller.
#line 30
allow dhcp netd:process sigchld;
#line 30
# Enable AT_SECURE, i.e. libc secure mode.
#line 30
dontaudit netd dhcp:process noatsecure;
#line 30
# XXX dontaudit candidate but requires further study.
#line 30
allow netd dhcp:process { siginh rlimitinh };
#line 30
#line 30
# Make the transition occur by default.
#line 30
type_transition netd dhcp_exec:process dhcp;
#line 30
allow netd dhcp:process signal;
# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
# these capabilities
# NOTE(review): dac_override/chown/fowner are not limited to wifi_data_file;
# they apply to any object netd can otherwise reach.
allow netd self:capability { dac_override chown fowner };
allow netd wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow netd wifi_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
# Allow netd to spawn hostapd in its own domain
#line 41
# Allow the necessary permissions.
#line 41
#line 41
# Old domain may exec the file and transition to the new domain.
#line 41
allow netd hostapd_exec:file { getattr open read execute };
#line 41
allow netd hostapd:process transition;
#line 41
# New domain is entered by executing the file.
#line 41
allow hostapd hostapd_exec:file { entrypoint read execute };
#line 41
# New domain can send SIGCHLD to its caller.
#line 41
allow hostapd netd:process sigchld;
#line 41
# Enable AT_SECURE, i.e. libc secure mode.
#line 41
dontaudit netd hostapd:process noatsecure;
#line 41
# XXX dontaudit candidate but requires further study.
#line 41
allow netd hostapd:process { siginh rlimitinh };
#line 41
#line 41
# Make the transition occur by default.
#line 41
type_transition netd hostapd_exec:process hostapd;
#line 41
allow netd hostapd:process signal;
# Allow netd to spawn dnsmasq in its own domain
#line 45
# Allow the necessary permissions.
#line 45
#line 45
# Old domain may exec the file and transition to the new domain.
#line 45
allow netd dnsmasq_exec:file { getattr open read execute };
#line 45
allow netd dnsmasq:process transition;
#line 45
# New domain is entered by executing the file.
#line 45
allow dnsmasq dnsmasq_exec:file { entrypoint read execute };
#line 45
# New domain can send SIGCHLD to its caller.
#line 45
allow dnsmasq netd:process sigchld;
#line 45
# Enable AT_SECURE, i.e.
# libc secure mode.
#line 45
dontaudit netd dnsmasq:process noatsecure;
#line 45
# XXX dontaudit candidate but requires further study.
#line 45
allow netd dnsmasq:process { siginh rlimitinh };
#line 45
#line 45
# Make the transition occur by default.
#line 45
type_transition netd dnsmasq_exec:process dnsmasq;
#line 45
allow netd dnsmasq:process signal;
# Allow netd to start clatd in its own domain
#line 49
# Allow the necessary permissions.
#line 49
#line 49
# Old domain may exec the file and transition to the new domain.
#line 49
allow netd clatd_exec:file { getattr open read execute };
#line 49
allow netd clatd:process transition;
#line 49
# New domain is entered by executing the file.
#line 49
allow clatd clatd_exec:file { entrypoint read execute };
#line 49
# New domain can send SIGCHLD to its caller.
#line 49
allow clatd netd:process sigchld;
#line 49
# Enable AT_SECURE, i.e. libc secure mode.
#line 49
dontaudit netd clatd:process noatsecure;
#line 49
# XXX dontaudit candidate but requires further study.
#line 49
allow netd clatd:process { siginh rlimitinh };
#line 49
#line 49
# Make the transition occur by default.
#line 49
type_transition netd clatd_exec:process clatd;
#line 49
allow netd clatd:process signal;
# Support netd running mdnsd
# TODO: prune this back further
allow netd ctl_default_prop:property_service set;
# NOTE(review): write on any sock_file still carrying the generic 'device'
# label; a dedicated socket type would narrow this (see TODO above).
allow netd device:sock_file write;
###
### Neverallow rules
###
### netd should NEVER do any of this
# Block device access.
neverallow netd dev_type:blk_file { read write };
# Setting SELinux enforcing status or booleans.
neverallow netd kernel:security { setenforce setbool };
# Load security policy.
neverallow netd kernel:security load_policy;
# ptrace any other app
# (braces around a single attribute are legal but unnecessary)
neverallow netd { domain }:process ptrace;
# Write to /system.
neverallow netd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "external/sepolicy/net.te"
# Network types
type node, node_type;
type netif, netif_type;
type port, port_type;
# Use network sockets.
# '*' = every tcp/udp socket permission on the domain's own sockets, for every
# member of netdomain.
allow netdomain self:{ tcp_socket udp_socket } *;
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
# Get route information.
# Read-only rtnetlink: no write/nlmsg_write, so netdomain cannot change routes.
allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
# Talks to netd via dnsproxyd socket.
#line 18
allow netdomain dnsproxyd_socket:sock_file write;
#line 18
allow netdomain netd:unix_stream_socket connectto;
#line 18
#line 1 "external/sepolicy/nfc.te"
# nfc subsystem
type nfc, domain;
#line 3
typeattribute nfc appdomain;
#line 3
# Label ashmem objects with our own unique type.
#line 3
#line 3
type nfc_tmpfs, file_type;
#line 3
type_transition nfc tmpfs:file nfc_tmpfs;
#line 3
allow nfc nfc_tmpfs:file { read write };
#line 3
#line 3
# Map with PROT_EXEC.
#line 3
allow nfc nfc_tmpfs:file execute;
#line 3
#line 4
typeattribute nfc binderservicedomain;
#line 4
# NFC device access.
allow nfc nfc_device:chr_file { { getattr open read ioctl lock } { open append write } };
# Data file accesses.
allow nfc nfc_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow nfc nfc_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow nfc sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };
# NOTE(review): write to the generic sysfs type, beyond the dedicated
# sysfs_nfc_power_writable above -- a candidate for the same dedicated-type
# treatment.
allow nfc sysfs:file write;
allow nfc sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow nfc sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
#line 1 "external/sepolicy/platform_app.te"
###
### Apps signed with the platform key.
###
type platform_app, domain;
#line 6
typeattribute platform_app mlstrustedsubject;
#line 6
# NOTE(review): platform_app is unconfined; the explicit rules below document
# intended access for the day the attribute is dropped.
typeattribute platform_app unconfineddomain;
#line 6
#line 7
typeattribute platform_app appdomain;
#line 7
# Label ashmem objects with our own unique type.
#line 7
#line 7
type platform_app_tmpfs, file_type;
#line 7
type_transition platform_app tmpfs:file platform_app_tmpfs;
#line 7
allow platform_app platform_app_tmpfs:file { read write };
#line 7
#line 7
# Map with PROT_EXEC.
#line 7
allow platform_app platform_app_tmpfs:file execute;
#line 7
#line 8
typeattribute platform_app platformappdomain;
#line 8
typeattribute platform_app mlstrustedsubject;
#line 8
# Access the network.
#line 10
typeattribute platform_app netdomain;
#line 10
# Access bluetooth.
#line 12
typeattribute platform_app bluetoothdomain;
#line 12
# Write to /cache.
allow platform_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow platform_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Read from /data/local.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app shell_data_file:lnk_file read;
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:file { { getattr open read ioctl lock } { open append write } };
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platform_app asec_apk_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Access download files.
allow platform_app download_file:file { { getattr open read ioctl lock } { open append write } };
# Allow BackupManagerService to backup all app domains
# The rule itself is write on any appdomain-labeled fifo_file, not only backup
# pipes.
allow platform_app appdomain:fifo_file write;
#
# Rules for all platform app domains.
#
# App sandbox file accesses.
allow platformappdomain platform_app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platformappdomain platform_app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# execute on the app's own writable data files: the sandbox is not W^X.
allow platformappdomain platform_app_data_file:file execute;
# App sdcard file accesses
allow platformappdomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platformappdomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Access to /data/media.
allow platformappdomain media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platformappdomain media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
#line 1 "external/sepolicy/ppp.te"
# Point to Point Protocol daemon
type ppp, domain;
#line 3
typeattribute ppp mlstrustedsubject;
#line 3
typeattribute ppp unconfineddomain;
#line 3
type ppp_device, dev_type;
type ppp_exec, exec_type, file_type;
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
# ppp is entered from mtp, not init: the source domain in every transition
# rule below is mtp.
allow mtp ppp_exec:file { getattr open read execute };
#line 6
allow mtp ppp:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow ppp ppp_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow ppp mtp:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit mtp ppp:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow mtp ppp:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition mtp ppp_exec:process ppp;
#line 6
# Socket and fd inherited from mtp across the transition.
allow ppp mtp:socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow ppp ppp_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow ppp self:capability net_admin;
allow ppp self:udp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
# execute_no_trans: system binaries run inside ppp's domain (with net_admin).
allow ppp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow ppp vpn_data_file:dir { open search write add_name remove_name };
allow ppp vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow ppp mtp:fd use;
#line 1 "external/sepolicy/property.te"
# Property types only; the ':property_service set' rules that refer to them
# live with each domain (e.g. radio_prop, ctl_rildaemon_prop in radio.te).
type default_prop, property_type;
type shell_prop, property_type;
type debug_prop, property_type;
type debuggerd_prop, property_type;
type radio_prop, property_type;
type system_prop, property_type;
type vold_prop, property_type;
type rild_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_rildaemon_prop, property_type;
type audio_prop, property_type;
type security_prop, property_type;
type bluetooth_prop, property_type;
type powerctl_prop, property_type;
#line 1 "external/sepolicy/qemud.te"
# qemu support daemon
type qemud, domain;
type qemud_exec, exec_type, file_type;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init qemud_exec:file { getattr open read execute };
#line 5
allow init qemud:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow qemud qemud_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow qemud init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init qemud:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init qemud:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init qemud_exec:process qemud;
#line 5
#line 5
#line 5
type qemud_tmpfs, file_type;
#line 5
type_transition qemud tmpfs:file qemud_tmpfs;
#line 5
allow qemud qemud_tmpfs:file { read write };
#line 5
#line 5
#line 6
typeattribute qemud mlstrustedsubject;
#line 6
# qemud has no rules of its own beyond the daemon boilerplate; it is entirely
# unconfined (emulator-only daemon per the header comment).
typeattribute qemud unconfineddomain;
#line 1 "external/sepolicy/racoon.te"
# IKE key management daemon
type racoon, domain;
#line 3
typeattribute racoon mlstrustedsubject;
#line 3
typeattribute racoon unconfineddomain;
#line 3
type racoon_exec, exec_type, file_type;
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init racoon_exec:file { getattr open read execute };
#line 6
allow init racoon:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow racoon racoon_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow racoon init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init racoon:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init racoon:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init racoon_exec:process racoon;
#line 6
#line 6
#line 6
type racoon_tmpfs, file_type;
#line 6
type_transition racoon tmpfs:file racoon_tmpfs;
#line 6
allow racoon racoon_tmpfs:file { read write };
#line 6
#line 6
# NOTE(review): second mlstrustedsubject attachment for racoon in this section;
# redundant.
typeattribute racoon mlstrustedsubject;
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow racoon servicemanager:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow servicemanager racoon:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow racoon servicemanager:fd use;
#line 9
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
# racoon talks to keystore over binder (presumably to fetch VPN credentials);
# keystore is confined, so its side of this pairing is the one that matters.
allow racoon keystore:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow keystore racoon:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow racoon keystore:fd use;
#line 10
allow racoon tun_device:chr_file { getattr open read ioctl lock };
allow racoon cgroup:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon port:udp_socket name_bind;
allow racoon node:udp_socket node_bind;
allow racoon self:{ key_socket udp_socket } { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow racoon self:tun_socket create;
# setuid here plus execute_no_trans on system_file below means ip-up-vpn (see
# XXX) runs with racoon's capability set.
allow racoon self:capability { net_admin net_bind_service net_raw setuid };
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow racoon vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow racoon vpn_data_file:dir { open search write add_name remove_name };
#line 1 "external/sepolicy/radio.te"
# phone subsystem
type radio, domain;
#line 3
typeattribute radio appdomain;
#line 3
# Label ashmem objects with our own unique type.
#line 3
#line 3
type radio_tmpfs, file_type;
#line 3
type_transition radio tmpfs:file radio_tmpfs;
#line 3
allow radio radio_tmpfs:file { read write };
#line 3
#line 3
# Map with PROT_EXEC.
#line 3 allow radio radio_tmpfs:file execute; #line 3 #line 4 typeattribute radio netdomain; #line 4 #line 5 typeattribute radio bluetoothdomain; #line 5 #line 6 typeattribute radio binderservicedomain; #line 6 # Talks to init via the property socket. #line 9 allow radio property_socket:sock_file write; #line 9 allow radio init:unix_stream_socket connectto; #line 9 # Talks to rild via the rild socket. #line 12 allow radio rild_socket:sock_file write; #line 12 allow radio rild:unix_stream_socket connectto; #line 12 # Data file accesses. allow radio radio_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow radio radio_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow radio alarm_device:chr_file { { getattr open read ioctl lock } { open append write } }; # Property service allow radio radio_prop:property_service set; # ctl interface allow radio ctl_rildaemon_prop:property_service set; #line 1 "external/sepolicy/recovery.te" # recovery console (used in recovery init.rc for /sbin/recovery) type recovery, domain; allow recovery rootfs:file entrypoint; #line 4 typeattribute recovery mlstrustedsubject; #line 4 typeattribute recovery unconfineddomain; #line 4 #line 5 typeattribute recovery relabeltodomain; #line 5 allow recovery self:capability2 mac_admin; allow recovery {fs_type dev_type -kmem_device file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto; allow recovery unlabeled:filesystem mount; allow recovery fs_type:filesystem *; # Required to e.g. wipe userdata/cache. 
allow recovery dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; allow recovery self:process execmem; allow recovery ashmem_device:chr_file execute; allow recovery tmpfs:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; ## TODO: Investigate whether it is safe to remove these allow recovery self:capability { sys_rawio mknod }; auditallow recovery self:capability { sys_rawio mknod }; #line 1 "external/sepolicy/release_app.te" ### ### Apps signed with the release key (testkey in AOSP). ### type release_app, domain; #line 6 typeattribute release_app mlstrustedsubject; #line 6 typeattribute release_app unconfineddomain; #line 6 #line 7 typeattribute release_app appdomain; #line 7 # Label ashmem objects with our own unique type. #line 7 #line 7 type release_app_tmpfs, file_type; #line 7 type_transition release_app tmpfs:file release_app_tmpfs; #line 7 allow release_app release_app_tmpfs:file { read write }; #line 7 #line 7 # Map with PROT_EXEC. #line 7 allow release_app release_app_tmpfs:file execute; #line 7 #line 8 typeattribute release_app platformappdomain; #line 8 typeattribute release_app mlstrustedsubject; #line 8 # Access the network. #line 10 typeattribute release_app netdomain; #line 10 # Access bluetooth. #line 12 typeattribute release_app bluetoothdomain; #line 12 # Write to /cache. allow release_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; allow release_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; #line 1 "external/sepolicy/rild.te" # rild - radio interface layer daemon type rild, domain; #line 3 typeattribute rild mlstrustedsubject; #line 3 typeattribute rild unconfineddomain; #line 3 type rild_exec, exec_type, file_type; #line 6 #line 6 # Allow the necessary permissions. #line 6 #line 6 # Old domain may exec the file and transition to the new domain. 
#line 6 allow init rild_exec:file { getattr open read execute }; #line 6 allow init rild:process transition; #line 6 # New domain is entered by executing the file. #line 6 allow rild rild_exec:file { entrypoint read execute }; #line 6 # New domain can send SIGCHLD to its caller. #line 6 allow rild init:process sigchld; #line 6 # Enable AT_SECURE, i.e. libc secure mode. #line 6 dontaudit init rild:process noatsecure; #line 6 # XXX dontaudit candidate but requires further study. #line 6 allow init rild:process { siginh rlimitinh }; #line 6 #line 6 # Make the transition occur by default. #line 6 type_transition init rild_exec:process rild; #line 6 #line 6 #line 6 type rild_tmpfs, file_type; #line 6 type_transition rild tmpfs:file rild_tmpfs; #line 6 allow rild rild_tmpfs:file { read write }; #line 6 #line 6 #line 7 typeattribute rild netdomain; #line 7 allow rild self:netlink_route_socket { setopt write }; allow rild kernel:system module_request; #line 10 allow rild property_socket:sock_file write; #line 10 allow rild init:unix_stream_socket connectto; #line 10 #line 11 allow rild qemud_socket:sock_file write; #line 11 allow rild qemud:unix_stream_socket connectto; #line 11 allow rild self:capability { setuid net_admin net_raw }; allow rild alarm_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow rild cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow rild radio_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow rild radio_device:blk_file { getattr open read ioctl lock }; allow rild qemu_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow rild mtd_device:dir search; allow rild efs_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow rild efs_file:file { 
create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow rild shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; allow rild bluetooth_efs_file:file { getattr open read ioctl lock }; allow rild bluetooth_efs_file:dir { open getattr read search ioctl }; allow rild radio_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; allow rild radio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow rild sdcard_type:dir { open getattr read search ioctl }; allow rild system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow rild system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow rild system_file:file { getattr execute execute_no_trans }; dontaudit rild self:capability sys_admin; # property service allow rild rild_prop:property_service set; allow rild radio_prop:property_service set; # Read/Write to uart driver (for GPS) allow rild gps_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow rild tty_device:chr_file { { getattr open read ioctl lock } { open append write } }; # Allow rild to create, bind, read and write its own netlink socket allow rild self:netlink_socket { create bind read write }; allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt }; # Access to wake locks allow rild sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } }; allow rild self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; #line 1 "external/sepolicy/runas.te" type runas, domain, mlstrustedsubject; type runas_exec, exec_type, file_type; # ndk-gdb 
invokes adb shell run-as. #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. #line 5 allow shell runas_exec:file { getattr open read execute }; #line 5 allow shell runas:process transition; #line 5 # New domain is entered by executing the file. #line 5 allow runas runas_exec:file { entrypoint read execute }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 allow runas shell:process sigchld; #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit shell runas:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow shell runas:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition shell runas_exec:process runas; #line 5 allow runas adbd:process sigchld; allow runas shell:fd use; allow runas devpts:chr_file { read write ioctl }; # run-as reads package information. allow runas system_data_file:file { getattr open read ioctl lock }; # run-as checks and changes to the app data dir. dontaudit runas self:capability dac_override; allow runas app_data_file:dir { getattr search }; # run-as switches to the app UID/GID. allow runas self:capability { setuid setgid }; # run-as switches to the app security context. 
# read /seapp_contexts and /data/security/seapp_contexts #line 22 allow runas security_file:dir { open getattr read search ioctl }; #line 22 allow runas security_file:file { getattr open read ioctl lock }; #line 22 allow runas security_file:lnk_file { getattr open read ioctl lock }; #line 22 allow runas selinuxfs:dir { open getattr read search ioctl }; #line 22 allow runas selinuxfs:file { getattr open read ioctl lock }; #line 22 allow runas rootfs:dir { open getattr read search ioctl }; #line 22 allow runas rootfs:file { getattr open read ioctl lock }; #line 22 #line 23 allow runas selinuxfs:dir { open getattr read search ioctl }; #line 23 allow runas selinuxfs:file { { getattr open read ioctl lock } { open append write } }; #line 23 allow runas kernel:security check_context; #line 23 # validate context allow runas { appdomain -system_app }:process dyntransition; # setcon #line 1 "external/sepolicy/sdcardd.te" type sdcardd, domain; type sdcardd_exec, exec_type, file_type; #line 4 #line 4 # Allow the necessary permissions. #line 4 #line 4 # Old domain may exec the file and transition to the new domain. #line 4 allow init sdcardd_exec:file { getattr open read execute }; #line 4 allow init sdcardd:process transition; #line 4 # New domain is entered by executing the file. #line 4 allow sdcardd sdcardd_exec:file { entrypoint read execute }; #line 4 # New domain can send SIGCHLD to its caller. #line 4 allow sdcardd init:process sigchld; #line 4 # Enable AT_SECURE, i.e. libc secure mode. #line 4 dontaudit init sdcardd:process noatsecure; #line 4 # XXX dontaudit candidate but requires further study. #line 4 allow init sdcardd:process { siginh rlimitinh }; #line 4 #line 4 # Make the transition occur by default. 
#line 4 type_transition init sdcardd_exec:process sdcardd; #line 4 #line 4 #line 4 type sdcardd_tmpfs, file_type; #line 4 type_transition sdcardd tmpfs:file sdcardd_tmpfs; #line 4 allow sdcardd sdcardd_tmpfs:file { read write }; #line 4 #line 4 allow sdcardd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow sdcardd fuse_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow sdcardd rootfs:dir mounton; allow sdcardd sdcard_type:filesystem mount; allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource }; allow sdcardd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow sdcardd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; type_transition sdcardd system_data_file:{ dir file } media_rw_data_file; allow sdcardd media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow sdcardd media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # Read /data/system/packages.list. allow sdcardd system_data_file:file { getattr open read ioctl lock }; # Compatibility for existing devices with /data/media in system_data_file. # TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file. 
allow sdcardd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow sdcardd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; #line 1 "external/sepolicy/servicemanager.te" # servicemanager - the Binder context manager type servicemanager, domain; type servicemanager_exec, exec_type, file_type; #line 5 #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. #line 5 allow init servicemanager_exec:file { getattr open read execute }; #line 5 allow init servicemanager:process transition; #line 5 # New domain is entered by executing the file. #line 5 allow servicemanager servicemanager_exec:file { entrypoint read execute }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 allow servicemanager init:process sigchld; #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit init servicemanager:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow init servicemanager:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition init servicemanager_exec:process servicemanager; #line 5 #line 5 #line 5 type servicemanager_tmpfs, file_type; #line 5 type_transition servicemanager tmpfs:file servicemanager_tmpfs; #line 5 allow servicemanager servicemanager_tmpfs:file { read write }; #line 5 #line 5 # Note that we do not use the binder_* macros here. # servicemanager is unique in that it only provides # name service (aka context manager) for Binder. # As such, it only ever receives and transfers other references # created by other domains. It never passes its own references # or initiates a Binder IPC. 
allow servicemanager self:binder set_context_mgr; allow servicemanager domain:binder transfer; #line 1 "external/sepolicy/shared_app.te" ### ### Apps signed with the shared key. ### type shared_app, domain; #line 6 typeattribute shared_app mlstrustedsubject; #line 6 typeattribute shared_app unconfineddomain; #line 6 #line 7 typeattribute shared_app appdomain; #line 7 # Label ashmem objects with our own unique type. #line 7 #line 7 type shared_app_tmpfs, file_type; #line 7 type_transition shared_app tmpfs:file shared_app_tmpfs; #line 7 allow shared_app shared_app_tmpfs:file { read write }; #line 7 #line 7 # Map with PROT_EXEC. #line 7 allow shared_app shared_app_tmpfs:file execute; #line 7 #line 8 typeattribute shared_app platformappdomain; #line 8 typeattribute shared_app mlstrustedsubject; #line 8 # Access the network. #line 10 typeattribute shared_app netdomain; #line 10 # Access bluetooth. #line 12 typeattribute shared_app bluetoothdomain; #line 12 #line 1 "external/sepolicy/shelldomain.te" # Rules for all shell domains (e.g. console service and adb shell). # Access /data/local/tmp. allow shelldomain shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow shelldomain shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow shelldomain shell_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; # Access sdcard. 
allow shelldomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow shelldomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # adb bugreport #line 13 allow shelldomain dumpstate_socket:sock_file write; #line 13 allow shelldomain dumpstate:unix_stream_socket connectto; #line 13 allow shelldomain rootfs:dir { open getattr read search ioctl }; allow shelldomain devpts:chr_file { { getattr open read ioctl lock } { open append write } }; allow shelldomain tty_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow shelldomain console_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow shelldomain input_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow shelldomain system_file:file { getattr execute execute_no_trans }; allow shelldomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; allow shelldomain zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; #line 24 allow shelldomain apk_data_file:dir { open getattr read search ioctl }; #line 24 allow shelldomain apk_data_file:{ file lnk_file } { getattr open read ioctl lock }; #line 24 # Set properties. #line 27 allow shelldomain property_socket:sock_file write; #line 27 allow shelldomain init:unix_stream_socket connectto; #line 27 allow shelldomain shell_prop:property_service set; allow shelldomain ctl_dumpstate_prop:property_service set; allow shelldomain debug_prop:property_service set; allow shelldomain powerctl_prop:property_service set; # ndk-gdb invokes adb shell ps to find the app PID. 
#line 34 allow shelldomain { appdomain -system_app }:dir { open getattr read search ioctl }; #line 34 allow shelldomain { appdomain -system_app }:{ file lnk_file } { getattr open read ioctl lock }; #line 34 # ndk-gdb invokes adb shell ls to check the app data dir. allow shelldomain app_data_file:dir search; # ps and ps -Z output for app processes. #line 40 allow shelldomain appdomain:dir { open getattr read search ioctl }; #line 40 allow shelldomain appdomain:{ file lnk_file } { getattr open read ioctl lock }; #line 40 allow shelldomain appdomain:process getattr; #line 1 "external/sepolicy/shell.te" # Domain for shell processes spawned by ADB type shell, domain, shelldomain, mlstrustedsubject; type shell_exec, exec_type, file_type; # Create and use network sockets. #line 6 typeattribute shell netdomain; #line 6 # Run app_process. # XXX Transition into its own domain? #line 10 typeattribute shell appdomain; #line 10 # Label ashmem objects with our own unique type. #line 10 #line 10 type shell_tmpfs, file_type; #line 10 type_transition shell tmpfs:file shell_tmpfs; #line 10 allow shell shell_tmpfs:file { read write }; #line 10 #line 10 # Map with PROT_EXEC. #line 10 allow shell shell_tmpfs:file execute; #line 10 # inherits from shelldomain.te #line 1 "external/sepolicy/surfaceflinger.te" # surfaceflinger - display compositor service type surfaceflinger, domain; #line 3 typeattribute surfaceflinger mlstrustedsubject; #line 3 typeattribute surfaceflinger unconfineddomain; #line 3 type surfaceflinger_exec, exec_type, file_type; #line 6 #line 6 # Allow the necessary permissions. #line 6 #line 6 # Old domain may exec the file and transition to the new domain. #line 6 allow init surfaceflinger_exec:file { getattr open read execute }; #line 6 allow init surfaceflinger:process transition; #line 6 # New domain is entered by executing the file. 
#line 6 allow surfaceflinger surfaceflinger_exec:file { entrypoint read execute }; #line 6 # New domain can send SIGCHLD to its caller. #line 6 allow surfaceflinger init:process sigchld; #line 6 # Enable AT_SECURE, i.e. libc secure mode. #line 6 dontaudit init surfaceflinger:process noatsecure; #line 6 # XXX dontaudit candidate but requires further study. #line 6 allow init surfaceflinger:process { siginh rlimitinh }; #line 6 #line 6 # Make the transition occur by default. #line 6 type_transition init surfaceflinger_exec:process surfaceflinger; #line 6 #line 6 #line 6 type surfaceflinger_tmpfs, file_type; #line 6 type_transition surfaceflinger tmpfs:file surfaceflinger_tmpfs; #line 6 allow surfaceflinger surfaceflinger_tmpfs:file { read write }; #line 6 #line 6 typeattribute surfaceflinger mlstrustedsubject; # Talk to init over the property socket. #line 10 allow surfaceflinger property_socket:sock_file write; #line 10 allow surfaceflinger init:unix_stream_socket connectto; #line 10 # Perform Binder IPC. #line 13 # Call the servicemanager and transfer references to it. #line 13 allow surfaceflinger servicemanager:binder { call transfer }; #line 13 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 13 # all domains in domain.te. #line 13 #line 14 # Call the server domain and optionally transfer references to it. #line 14 allow surfaceflinger system_server:binder { call transfer }; #line 14 # Allow the serverdomain to transfer references to the client on the reply. #line 14 allow system_server surfaceflinger:binder transfer; #line 14 # Receive and use open files from the server. #line 14 allow surfaceflinger system_server:fd use; #line 14 #line 15 # Call the server domain and optionally transfer references to it. #line 15 allow surfaceflinger nfc:binder { call transfer }; #line 15 # Allow the serverdomain to transfer references to the client on the reply. 
#line 15 allow nfc surfaceflinger:binder transfer; #line 15 # Receive and use open files from the server. #line 15 allow surfaceflinger nfc:fd use; #line 15 #line 16 # Call the server domain and optionally transfer references to it. #line 16 allow surfaceflinger mediaserver:binder { call transfer }; #line 16 # Allow the serverdomain to transfer references to the client on the reply. #line 16 allow mediaserver surfaceflinger:binder transfer; #line 16 # Receive and use open files from the server. #line 16 allow surfaceflinger mediaserver:fd use; #line 16 #line 17 typeattribute surfaceflinger binderservicedomain; #line 17 # Access the GPU. allow surfaceflinger gpu_device:chr_file { { getattr open read ioctl lock } { open append write } }; # Access /dev/graphics/fb0. allow surfaceflinger graphics_device:dir search; allow surfaceflinger graphics_device:chr_file { { getattr open read ioctl lock } { open append write } }; # Access /dev/video1. allow surfaceflinger video_device:dir { open getattr read search ioctl }; allow surfaceflinger video_device:chr_file { { getattr open read ioctl lock } { open append write } }; # Create and use netlink kobject uevent sockets. allow surfaceflinger self:netlink_kobject_uevent_socket *; # Set properties. allow surfaceflinger system_prop:property_service set; allow surfaceflinger ctl_default_prop:property_service set; # Use open files supplied by an app. allow surfaceflinger appdomain:fd use; allow surfaceflinger platform_app_data_file:file { read write }; allow surfaceflinger app_data_file:file { read write }; # Use open file provided by bootanim. allow surfaceflinger bootanim:fd use; # Allow a dumpstate triggered screenshot #line 46 # Call the server domain and optionally transfer references to it. #line 46 allow surfaceflinger dumpstate:binder { call transfer }; #line 46 # Allow the serverdomain to transfer references to the client on the reply. 
#line 46 allow dumpstate surfaceflinger:binder transfer; #line 46 # Receive and use open files from the server. #line 46 allow surfaceflinger dumpstate:fd use; #line 46 #line 47 # Call the server domain and optionally transfer references to it. #line 47 allow surfaceflinger shell:binder { call transfer }; #line 47 # Allow the serverdomain to transfer references to the client on the reply. #line 47 allow shell surfaceflinger:binder transfer; #line 47 # Receive and use open files from the server. #line 47 allow surfaceflinger shell:fd use; #line 47 # Needed on some devices for playing DRM protected content, # but seems expected and appropriate for all devices. allow surfaceflinger tee:unix_stream_socket connectto; allow surfaceflinger tee_device:chr_file { { getattr open read ioctl lock } { open append write } }; #line 1 "external/sepolicy/su.te" # File types must be defined for file_contexts. type su_exec, exec_type, file_type; #line 23 #line 1 "external/sepolicy/system_app.te" # # Apps that run with the system UID, e.g. com.android.system.ui, # com.android.settings. These are not as privileged as the system # server. # type system_app, domain; #line 7 typeattribute system_app mlstrustedsubject; #line 7 typeattribute system_app unconfineddomain; #line 7 #line 8 typeattribute system_app appdomain; #line 8 # Label ashmem objects with our own unique type. #line 8 #line 8 type system_app_tmpfs, file_type; #line 8 type_transition system_app tmpfs:file system_app_tmpfs; #line 8 allow system_app system_app_tmpfs:file { read write }; #line 8 #line 8 # Map with PROT_EXEC. #line 8 allow system_app system_app_tmpfs:file execute; #line 8 #line 9 typeattribute system_app binderservicedomain; #line 9 # Perform binder IPC to any app domain. #line 12 # Call the server domain and optionally transfer references to it. #line 12 allow system_app appdomain:binder { call transfer }; #line 12 # Allow the serverdomain to transfer references to the client on the reply. 
#line 12 allow appdomain system_app:binder transfer; #line 12 # Receive and use open files from the server. #line 12 allow system_app appdomain:fd use; #line 12 # Read and write system data files. # May want to split into separate types. allow system_app system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow system_app system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # Read wallpaper file. allow system_app wallpaper_file:file { getattr open read ioctl lock }; # Write to dalvikcache. allow system_app dalvikcache_data_file:file { write setattr }; # Talk to keystore. #line 26 allow system_app keystore_socket:sock_file write; #line 26 allow system_app keystore:unix_stream_socket connectto; #line 26 # Read SELinux enforcing status. #line 29 allow system_app selinuxfs:dir { open getattr read search ioctl }; #line 29 allow system_app selinuxfs:file { getattr open read ioctl lock }; #line 29 # Settings app reads sdcard for storage stats allow system_app sdcard_type:dir { open getattr read search ioctl }; # Write to properties #line 35 allow system_app property_socket:sock_file write; #line 35 allow system_app init:unix_stream_socket connectto; #line 35 allow system_app debug_prop:property_service set; allow system_app radio_prop:property_service set; allow system_app system_prop:property_service set; #line 1 "external/sepolicy/system_server.te" # # System Server aka system_server spawned by zygote. # Most of the framework services run in this process. # type system_server, domain, mlstrustedsubject; #line 6 typeattribute system_server mlstrustedsubject; #line 6 typeattribute system_server unconfineddomain; #line 6 # Define a type for tmpfs-backed ashmem regions. 
#line 9 type system_server_tmpfs, file_type; #line 9 type_transition system_server tmpfs:file system_server_tmpfs; #line 9 allow system_server system_server_tmpfs:file { read write }; #line 9 # Dalvik Compiler JIT Mapping. allow system_server self:process execmem; allow system_server ashmem_device:chr_file execute; allow system_server system_server_tmpfs:file execute; # For art. allow system_server dalvikcache_data_file:file execute; # Child of the zygote. allow system_server zygote:fd use; allow system_server zygote:process sigchld; allow system_server zygote_tmpfs:file read; # Needed to close the zygote socket, which involves getopt / getattr # This should be deleted after b/12061011 is fixed allow system_server zygote:unix_stream_socket { getopt getattr }; # system server gets network and bluetooth permissions. #line 29 typeattribute system_server netdomain; #line 29 #line 30 typeattribute system_server bluetoothdomain; #line 30 # These are the capabilities assigned by the zygote to the # system server. allow system_server self:capability { kill net_admin net_bind_service net_broadcast net_raw sys_boot sys_module sys_nice sys_resource sys_time sys_tty_config }; allow system_server self:capability2 block_suspend; # Triggered by /proc/pid accesses, not allowed. dontaudit system_server self:capability sys_ptrace; # Trigger module auto-load. allow system_server kernel:system module_request; # Use netlink uevent sockets. allow system_server self:netlink_kobject_uevent_socket *; # Kill apps. allow system_server appdomain:process { sigkill signal }; # Set scheduling info for apps. allow system_server appdomain:process { getsched setsched }; allow system_server mediaserver:process { getsched setsched }; # Read /proc data for apps. 
allow system_server appdomain:dir { open getattr read search ioctl }; allow system_server appdomain:{ file lnk_file } { { getattr open read ioctl lock } { open append write } }; # Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid. allow system_server qtaguid_proc:file { { getattr open read ioctl lock } { open append write } }; allow system_server qtaguid_device:chr_file { { getattr open read ioctl lock } { open append write } }; # Read /sys/kernel/debug/wakeup_sources. allow system_server debugfs:file { getattr open read ioctl lock }; # WifiWatchdog uses a packet_socket allow system_server self:packet_socket *; # 3rd party VPN clients require a tun_socket to be created allow system_server self:tun_socket create; # Notify init of death. allow system_server init:process sigchld; # Talk to init and various daemons via sockets. #line 87 allow system_server property_socket:sock_file write; #line 87 allow system_server init:unix_stream_socket connectto; #line 87 #line 88 allow system_server qemud_socket:sock_file write; #line 88 allow system_server qemud:unix_stream_socket connectto; #line 88 #line 89 allow system_server installd_socket:sock_file write; #line 89 allow system_server installd:unix_stream_socket connectto; #line 89 #line 90 allow system_server lmkd_socket:sock_file write; #line 90 allow system_server lmkd:unix_stream_socket connectto; #line 90 #line 91 allow system_server netd_socket:sock_file write; #line 91 allow system_server netd:unix_stream_socket connectto; #line 91 #line 92 allow system_server vold_socket:sock_file write; #line 92 allow system_server vold:unix_stream_socket connectto; #line 92 #line 93 allow system_server zygote_socket:sock_file write; #line 93 allow system_server zygote:unix_stream_socket connectto; #line 93 #line 94 allow system_server keystore_socket:sock_file write; #line 94 allow system_server keystore:unix_stream_socket connectto; #line 94 #line 95 allow system_server gps_socket:sock_file write; #line 95 allow 
system_server gpsd:unix_stream_socket connectto; #line 95 #line 96 allow system_server racoon_socket:sock_file write; #line 96 allow system_server racoon:unix_stream_socket connectto; #line 96 #line 97 allow system_server wpa_socket:sock_file write; #line 97 allow system_server wpa:unix_dgram_socket sendto; #line 97 # Communicate over a socket created by surfaceflinger. allow system_server surfaceflinger:unix_stream_socket { read write setopt }; # Perform Binder IPC. #line 103 # Call the servicemanager and transfer references to it. #line 103 allow system_server servicemanager:binder { call transfer }; #line 103 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 103 # all domains in domain.te. #line 103 #line 104 # Call the server domain and optionally transfer references to it. #line 104 allow system_server binderservicedomain:binder { call transfer }; #line 104 # Allow the serverdomain to transfer references to the client on the reply. #line 104 allow binderservicedomain system_server:binder transfer; #line 104 # Receive and use open files from the server. #line 104 allow system_server binderservicedomain:fd use; #line 104 #line 105 # Call the server domain and optionally transfer references to it. #line 105 allow system_server appdomain:binder { call transfer }; #line 105 # Allow the serverdomain to transfer references to the client on the reply. #line 105 allow appdomain system_server:binder transfer; #line 105 # Receive and use open files from the server. #line 105 allow system_server appdomain:fd use; #line 105 #line 106 # Call the server domain and optionally transfer references to it. #line 106 allow system_server healthd:binder { call transfer }; #line 106 # Allow the serverdomain to transfer references to the client on the reply. #line 106 allow healthd system_server:binder transfer; #line 106 # Receive and use open files from the server. 
#line 106 allow system_server healthd:fd use; #line 106 #line 107 # Call the server domain and optionally transfer references to it. #line 107 allow system_server dumpstate:binder { call transfer }; #line 107 # Allow the serverdomain to transfer references to the client on the reply. #line 107 allow dumpstate system_server:binder transfer; #line 107 # Receive and use open files from the server. #line 107 allow system_server dumpstate:fd use; #line 107 #line 108 typeattribute system_server binderservicedomain; #line 108 # Read /proc/pid files for Binder clients. #line 111 allow system_server appdomain:dir { open getattr read search ioctl }; #line 111 allow system_server appdomain:{ file lnk_file } { getattr open read ioctl lock }; #line 111 #line 112 allow system_server mediaserver:dir { open getattr read search ioctl }; #line 112 allow system_server mediaserver:{ file lnk_file } { getattr open read ioctl lock }; #line 112 allow system_server appdomain:process getattr; allow system_server mediaserver:process getattr; # Check SELinux permissions. #line 117 allow system_server selinuxfs:dir { open getattr read search ioctl }; #line 117 allow system_server selinuxfs:file { { getattr open read ioctl lock } { open append write } }; #line 117 allow system_server kernel:security compute_av; #line 117 allow system_server self:netlink_selinux_socket *; #line 117 # XXX Label sysfs files with a specific type? allow system_server sysfs:file { { getattr open read ioctl lock } { open append write } }; allow system_server sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } }; # Access devices. 
allow system_server device:dir { open getattr read search ioctl }; allow system_server mdns_socket:sock_file { { getattr open read ioctl lock } { open append write } }; allow system_server alarm_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server gpu_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server graphics_device:dir search; allow system_server graphics_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server iio_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server input_device:dir { open getattr read search ioctl }; allow system_server input_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server tty_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server urandom_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server usbaccessory_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server video_device:dir { open getattr read search ioctl }; allow system_server video_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server qemu_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server adbd_socket:sock_file { { getattr open read ioctl lock } { open append write } }; # tun device used for 3rd party vpn apps allow system_server tun_device:chr_file { { getattr open read ioctl lock } { open append write } }; # Manage data files. 
allow system_server data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow system_server data_file_type:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # Read /file_contexts and /data/security/file_contexts #line 149 allow system_server security_file:dir { open getattr read search ioctl }; #line 149 allow system_server security_file:file { getattr open read ioctl lock }; #line 149 allow system_server security_file:lnk_file { getattr open read ioctl lock }; #line 149 allow system_server selinuxfs:dir { open getattr read search ioctl }; #line 149 allow system_server selinuxfs:file { getattr open read ioctl lock }; #line 149 allow system_server rootfs:dir { open getattr read search ioctl }; #line 149 allow system_server rootfs:file { getattr open read ioctl lock }; #line 149 # Relabel apk files. #line 152 typeattribute system_server relabeltodomain; #line 152 allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto }; allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto }; # Relabel wallpaper. allow system_server system_data_file:file relabelfrom; allow system_server wallpaper_file:file relabelto; allow system_server wallpaper_file:file { { getattr open read ioctl lock } { open append write } }; # Relabel /data/anr. allow system_server system_data_file:dir relabelfrom; allow system_server anr_data_file:dir relabelto; # Property Service write allow system_server system_prop:property_service set; allow system_server radio_prop:property_service set; allow system_server debug_prop:property_service set; allow system_server powerctl_prop:property_service set; # ctl interface allow system_server ctl_default_prop:property_service set; # Create a socket for receiving info from wpa. 
type_transition system_server wifi_data_file:sock_file system_wpa_socket; type_transition system_server wpa_socket:sock_file system_wpa_socket; allow system_server wpa_socket:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; allow system_server system_wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # Remove sockets created by wpa_supplicant allow system_server wpa_socket:sock_file unlink; # Create a socket for connections from debuggerd. type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; allow system_server system_ndebug_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # Specify any arguments to zygote. allow system_server self:zygote { specifyids specifyrlimits specifyseinfo }; # Manage cache files. allow system_server cache_file:dir { relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } }; allow system_server cache_file:file { relabelfrom { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } }; # Run system programs, e.g. dexopt. allow system_server system_file:file { getattr execute execute_no_trans }; # Allow reading of /proc/pid data for other domains. # XXX dontaudit candidate allow system_server domain:dir { open getattr read search ioctl }; allow system_server domain:file { getattr open read ioctl lock }; # LocationManager(e.g, GPS) needs to read and write # to uart driver and ctrl proc entry allow system_server gps_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server gps_control:file { { getattr open read ioctl lock } { open append write } }; # Allow system_server to use app-created sockets. 
allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write }; # Allow abstract socket connection allow system_server rild:unix_stream_socket connectto; # connect to vpn tunnel allow system_server mtp:unix_stream_socket { connectto }; # BackupManagerService lets PMS create a data backup file allow system_server cache_backup_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # Relabel /data/backup allow system_server backup_data_file:dir { relabelto relabelfrom }; # Relabel /cache/.*\.{data|restore} allow system_server cache_backup_file:file { relabelto relabelfrom }; # LocalTransport creates and relabels /cache/backup allow system_server cache_backup_file:dir { relabelto relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } }; # Allow system to talk to usb device allow system_server usb_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow system_server usb_device:dir { open getattr read search ioctl }; # Allow system to talk to sensors allow system_server sensors_device:chr_file { { getattr open read ioctl lock } { open append write } }; # Read from HW RNG (needed by EntropyMixer). allow system_server hw_random_device:chr_file { getattr open read ioctl lock }; # Access to wake locks allow system_server sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } }; # Read and delete files under /dev/fscklogs. 
#line 239 allow system_server fscklogs:dir { open getattr read search ioctl }; #line 239 allow system_server fscklogs:{ file lnk_file } { getattr open read ioctl lock }; #line 239 allow system_server fscklogs:dir { write remove_name }; allow system_server fscklogs:file unlink; # For SELinuxPolicyInstallReceiver #line 244 #line 244 allow system_server security_file:dir { open getattr read search ioctl }; #line 244 allow system_server security_file:file { getattr open read ioctl lock }; #line 244 allow system_server security_file:lnk_file { getattr open read ioctl lock }; #line 244 allow system_server selinuxfs:dir { open getattr read search ioctl }; #line 244 allow system_server selinuxfs:file { getattr open read ioctl lock }; #line 244 allow system_server rootfs:dir { open getattr read search ioctl }; #line 244 allow system_server rootfs:file { getattr open read ioctl lock }; #line 244 #line 244 #line 244 allow system_server property_socket:sock_file write; #line 244 allow system_server init:unix_stream_socket connectto; #line 244 #line 244 allow system_server security_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; #line 244 allow system_server security_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; #line 244 allow system_server security_file:lnk_file { create rename unlink }; #line 244 allow system_server security_prop:property_service set; #line 244 # For legacy unlabeled userdata on existing devices. # See discussion of Unlabeled files in domain.te for more information. # This rule is for dalvikcache mmap/mprotect PROT_EXEC. allow system_server unlabeled:file execute; # logd access: system_server inherits the logd write socket # (the intent is to deprecate this long term) allow system_server zygote:unix_dgram_socket write; # Be consistent with DAC permissions. 
Allow system_server to write to # /sys/module/lowmemorykiller/parameters/adj # /sys/module/lowmemorykiller/parameters/minfree allow system_server sysfs_lowmemorykiller:file { open append write }; #line 1 "external/sepolicy/tee.te" ## # trusted execution environment (tee) daemon # type tee, domain; type tee_exec, exec_type, file_type; type tee_device, dev_type; type tee_data_file, file_type, data_file_type; #line 9 #line 9 # Allow the necessary permissions. #line 9 #line 9 # Old domain may exec the file and transition to the new domain. #line 9 allow init tee_exec:file { getattr open read execute }; #line 9 allow init tee:process transition; #line 9 # New domain is entered by executing the file. #line 9 allow tee tee_exec:file { entrypoint read execute }; #line 9 # New domain can send SIGCHLD to its caller. #line 9 allow tee init:process sigchld; #line 9 # Enable AT_SECURE, i.e. libc secure mode. #line 9 dontaudit init tee:process noatsecure; #line 9 # XXX dontaudit candidate but requires further study. #line 9 allow init tee:process { siginh rlimitinh }; #line 9 #line 9 # Make the transition occur by default. #line 9 type_transition init tee_exec:process tee; #line 9 #line 9 #line 9 type tee_tmpfs, file_type; #line 9 type_transition tee tmpfs:file tee_tmpfs; #line 9 allow tee tee_tmpfs:file { read write }; #line 9 #line 9 allow tee self:capability { dac_override }; allow tee tee_device:chr_file { { getattr open read ioctl lock } { open append write } }; allow tee tee_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; allow tee tee_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow tee self:netlink_socket { create bind read }; #line 1 "external/sepolicy/ueventd.te" # ueventd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. 
type ueventd, domain; #line 4 type ueventd_tmpfs, file_type; #line 4 type_transition ueventd tmpfs:file ueventd_tmpfs; #line 4 allow ueventd ueventd_tmpfs:file { read write }; #line 4 #line 5 type_transition ueventd device:chr_file klog_device "__kmsg__"; #line 5 allow ueventd klog_device:chr_file { create open write unlink }; #line 5 allow ueventd device:dir { write add_name remove_name }; #line 5 #line 6 allow ueventd security_file:dir { open getattr read search ioctl }; #line 6 allow ueventd security_file:file { getattr open read ioctl lock }; #line 6 allow ueventd security_file:lnk_file { getattr open read ioctl lock }; #line 6 allow ueventd selinuxfs:dir { open getattr read search ioctl }; #line 6 allow ueventd selinuxfs:file { getattr open read ioctl lock }; #line 6 allow ueventd rootfs:dir { open getattr read search ioctl }; #line 6 allow ueventd rootfs:file { getattr open read ioctl lock }; #line 6 #line 7 typeattribute ueventd relabeltodomain; #line 7 allow ueventd rootfs:file entrypoint; allow ueventd init:process sigchld; allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner }; allow ueventd device:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow ueventd device:chr_file { { getattr open read ioctl lock } { open append write } }; allow ueventd sysfs:file { { getattr open read ioctl lock } { open append write } }; allow ueventd sysfs:file setattr; allow ueventd sysfs_type:file { relabelfrom relabelto }; allow ueventd sysfs_devices_system_cpu:file { { getattr open read ioctl lock } { open append write } }; allow ueventd tmpfs:chr_file { { getattr open read ioctl lock } { open append write } }; allow ueventd dev_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow ueventd dev_type:lnk_file { create unlink }; allow ueventd 
dev_type:chr_file { create setattr unlink }; allow ueventd dev_type:blk_file { create setattr unlink }; allow ueventd self:netlink_kobject_uevent_socket *; allow ueventd efs_file:dir search; allow ueventd efs_file:file { getattr open read ioctl lock }; #line 1 "external/sepolicy/unconfined.te" ####################################################### # # This is the unconfined template. This template is the base policy # which is used by daemons and other privileged components of # Android. # # Historically, this template was called "unconfined" because it # allowed the domain to do anything it wanted. Over time, # this has changed, and will continue to change in the future. # The rules in this file will be removed when no remaining # unconfined domains require it, or when the rules contradict # Android security best practices. Domains which need rules not # provided by the unconfined template should add them directly to # the relevant policy. # # The use of this template is discouraged. ###################################################### allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module }; allow unconfineddomain self:capability2 ~{ mac_override mac_admin }; allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot }; allow unconfineddomain kernel:system *; allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition }; allow unconfineddomain domain:fd *; allow unconfineddomain domain:dir { open getattr read search ioctl }; allow unconfineddomain domain:lnk_file { getattr open read ioctl lock }; allow unconfineddomain domain:{ fifo_file file } { { getattr open read ioctl lock } { open append write } }; allow unconfineddomain domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket 
netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } *; allow unconfineddomain domain:{ sem msgq shm ipc } *; allow unconfineddomain domain:key *; allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto; allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto}; allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto}; allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto}; allow unconfineddomain { rootfs system_file exec_type }:file execute; allow unconfineddomain node_type:node *; allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind; allow unconfineddomain netif_type:netif *; allow unconfineddomain port_type:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } name_bind; allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect; allow unconfineddomain domain:peer recv; allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr }; allow unconfineddomain property_type:property_service set; #line 1 "external/sepolicy/uncrypt.te" # uncrypt type uncrypt, domain; type uncrypt_exec, exec_type, file_type; #line 5 #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. #line 5 allow init uncrypt_exec:file { getattr open read execute }; #line 5 allow init uncrypt:process transition; #line 5 # New domain is entered by executing the file. 
#line 5 allow uncrypt uncrypt_exec:file { entrypoint read execute }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 allow uncrypt init:process sigchld; #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit init uncrypt:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow init uncrypt:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition init uncrypt_exec:process uncrypt; #line 5 #line 5 #line 5 type uncrypt_tmpfs, file_type; #line 5 type_transition uncrypt tmpfs:file uncrypt_tmpfs; #line 5 allow uncrypt uncrypt_tmpfs:file { read write }; #line 5 #line 5 #line 6 typeattribute uncrypt mlstrustedsubject; #line 6 typeattribute uncrypt unconfineddomain; #line 6 allow uncrypt self:capability dac_override; # Read OTA zip file from /data/data/com.google.android.gsf/app_download #line 11 allow uncrypt app_data_file:dir { open getattr read search ioctl }; #line 11 allow uncrypt app_data_file:{ file lnk_file } { getattr open read ioctl lock }; #line 11 #line 16 # Create tmp file /cache/recovery/command.tmp # Read /cache/recovery/command # Rename /cache/recovery/command.tmp to /cache/recovery/command allow uncrypt cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; allow uncrypt cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # Set a property to reboot the device. #line 25 allow uncrypt property_socket:sock_file write; #line 25 allow uncrypt init:unix_stream_socket connectto; #line 25 allow uncrypt powerctl_prop:property_service set; # Raw writes to block device allow uncrypt self:capability sys_rawio; allow uncrypt block_device:blk_file { open append write }; #line 1 "external/sepolicy/untrusted_app.te" ### ### Untrusted apps. ### ### This file defines the rules for untrusted apps. 
An "untrusted ### app" is an APP with UID between APP_AID (10000) ### and AID_ISOLATED_START (99000). ### ### untrusted_app includes all the appdomain rules, plus the ### additional following rules: ### type untrusted_app, domain; #line 13 typeattribute untrusted_app mlstrustedsubject; #line 13 typeattribute untrusted_app unconfineddomain; #line 13 #line 14 typeattribute untrusted_app appdomain; #line 14 # Label ashmem objects with our own unique type. #line 14 #line 14 type untrusted_app_tmpfs, file_type; #line 14 type_transition untrusted_app tmpfs:file untrusted_app_tmpfs; #line 14 allow untrusted_app untrusted_app_tmpfs:file { read write }; #line 14 #line 14 # Map with PROT_EXEC. #line 14 allow untrusted_app untrusted_app_tmpfs:file execute; #line 14 #line 15 typeattribute untrusted_app netdomain; #line 15 #line 16 typeattribute untrusted_app bluetoothdomain; #line 16 # Some apps ship with shared libraries and binaries that they write out # to their sandbox directory and then execute. allow untrusted_app app_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; allow untrusted_app tun_device:chr_file { { getattr open read ioctl lock } { open append write } }; # Internal SDCard rw access. allow untrusted_app sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow untrusted_app sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # External SDCard rw access. 
allow untrusted_app sdcard_external:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow untrusted_app sdcard_external:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # ASEC allow untrusted_app asec_apk_file:dir { getattr }; allow untrusted_app asec_apk_file:file { getattr open read ioctl lock }; # Execute libs in asec containers. allow untrusted_app asec_public_file:file execute; # Create tcp/udp sockets allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind; allow untrusted_app self:{ tcp_socket udp_socket } { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } accept listen }; # Bind to a particular hostname/address/interface (e.g., localhost) instead of # ANY. Normally, apps should not be listening on all interfaces. allow untrusted_app port:{ tcp_socket udp_socket } name_bind; # Allow the allocation and use of ptys # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm #line 47 # Each domain gets a unique devpts type. #line 47 type untrusted_app_devpts, fs_type; #line 47 # Label the pty with the unique type when created. #line 47 type_transition untrusted_app devpts:chr_file untrusted_app_devpts; #line 47 # Allow use of the pty after creation. #line 47 allow untrusted_app untrusted_app_devpts:chr_file { open getattr read write ioctl }; #line 47 # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms #line 47 # allowed to everyone via domain.te. #line 47 # Used by Finsky / Android "Verify Apps" functionality when # running "adb install foo.apk". # TODO: Long term, we don't want apps probing into shell data files. # Figure out a way to remove these rules. 
allow untrusted_app shell_data_file:file { getattr open read ioctl lock }; allow untrusted_app shell_data_file:dir { open getattr read search ioctl }; #line 1 "external/sepolicy/vold.te" # volume manager type vold, domain; type vold_exec, exec_type, file_type; #line 5 #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. #line 5 allow init vold_exec:file { getattr open read execute }; #line 5 allow init vold:process transition; #line 5 # New domain is entered by executing the file. #line 5 allow vold vold_exec:file { entrypoint read execute }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 allow vold init:process sigchld; #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit init vold:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow init vold:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition init vold_exec:process vold; #line 5 #line 5 #line 5 type vold_tmpfs, file_type; #line 5 type_transition vold tmpfs:file vold_tmpfs; #line 5 allow vold vold_tmpfs:file { read write }; #line 5 #line 5 typeattribute vold mlstrustedsubject; allow vold system_file:file { getattr execute execute_no_trans }; allow vold block_device:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow vold block_device:blk_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow vold device:dir write; allow vold devpts:chr_file { { getattr open read ioctl lock } { open append write } }; allow vold rootfs:dir mounton; allow vold sdcard_type:dir mounton; allow vold sdcard_type:filesystem { mount remount unmount }; allow vold sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write 
add_name remove_name } } { getattr link unlink rename } }; allow vold sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow vold tmpfs:filesystem { mount unmount }; allow vold tmpfs:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow vold tmpfs:dir mounton; allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid }; allow vold self:netlink_kobject_uevent_socket *; allow vold app_data_file:dir search; allow vold app_data_file:file { { getattr open read ioctl lock } { open append write } }; allow vold loop_device:blk_file { { getattr open read ioctl lock } { open append write } }; allow vold dm_device:chr_file { { getattr open read ioctl lock } { open append write } }; # For vold Process::killProcessesWithOpenFiles function. allow vold domain:dir { open getattr read search ioctl }; allow vold domain:{ file lnk_file } { getattr open read ioctl lock }; allow vold domain:process { signal sigkill }; allow vold self:capability { sys_ptrace kill }; # For blkid allow vold shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; # XXX Label sysfs files with a specific type? allow vold sysfs:file { { getattr open read ioctl lock } { open append write } }; #line 39 type_transition vold device:chr_file klog_device "__kmsg__"; #line 39 allow vold klog_device:chr_file { create open write unlink }; #line 39 allow vold device:dir { write add_name remove_name }; #line 39 # Log fsck results allow vold fscklogs:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; allow vold fscklogs:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # # Rules to support encrypted fs support. # # Set property. 
#line 50 allow vold property_socket:sock_file write; #line 50 allow vold init:unix_stream_socket connectto; #line 50 # Unmount and mount the fs. allow vold labeledfs:filesystem { mount unmount remount }; # Access /efs/userdata_footer. # XXX Split into a separate type? allow vold efs_file:file { { getattr open read ioctl lock } { open append write } }; # Create and mount on /data/tmp_mnt. allow vold system_data_file:dir { create { { open getattr read search ioctl } { open search write add_name remove_name } } mounton }; # Set scheduling policy of kernel processes allow vold kernel:process setsched; # Property Service allow vold vold_prop:property_service set; allow vold powerctl_prop:property_service set; allow vold ctl_default_prop:property_service set; # ASEC allow vold asec_image_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow vold asec_image_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; #line 73 allow vold security_file:dir { open getattr read search ioctl }; #line 73 allow vold security_file:file { getattr open read ioctl lock }; #line 73 allow vold security_file:lnk_file { getattr open read ioctl lock }; #line 73 allow vold selinuxfs:dir { open getattr read search ioctl }; #line 73 allow vold selinuxfs:file { getattr open read ioctl lock }; #line 73 allow vold rootfs:dir { open getattr read search ioctl }; #line 73 allow vold rootfs:file { getattr open read ioctl lock }; #line 73 #line 74 typeattribute vold relabeltodomain; #line 74 allow vold asec_apk_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr relabelfrom }; allow vold asec_public_file:dir { relabelto setattr }; allow vold asec_apk_file:file { { getattr open read ioctl lock } setattr relabelfrom }; allow vold asec_public_file:file { relabelto setattr }; # Handle wake locks (used for device encryption) allow vold 
sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } }; allow vold self:capability2 block_suspend; #line 1 "external/sepolicy/watchdogd.te" # watchdogd seclabel is specified in init.rc type watchdogd, domain; allow watchdogd rootfs:file { entrypoint { getattr open read ioctl lock } }; allow watchdogd self:capability mknod; allow watchdogd device:dir { add_name write remove_name }; allow watchdogd watchdog_device:chr_file { { getattr open read ioctl lock } { open append write } }; # because of /dev/__kmsg__ and /dev/__null__ #line 8 type_transition watchdogd device:chr_file klog_device "__kmsg__"; #line 8 allow watchdogd klog_device:chr_file { create open write unlink }; #line 8 allow watchdogd device:dir { write add_name remove_name }; #line 8 type_transition watchdogd device:chr_file null_device "__null__"; allow watchdogd null_device:chr_file { create unlink }; #line 1 "external/sepolicy/wpa_supplicant.te" # wpa - wpa supplicant or equivalent type wpa, domain; type wpa_exec, exec_type, file_type; #line 5 #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. #line 5 allow init wpa_exec:file { getattr open read execute }; #line 5 allow init wpa:process transition; #line 5 # New domain is entered by executing the file. #line 5 allow wpa wpa_exec:file { entrypoint read execute }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 allow wpa init:process sigchld; #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit init wpa:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow init wpa:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. 
#line 5 type_transition init wpa_exec:process wpa; #line 5 #line 5 #line 5 type wpa_tmpfs, file_type; #line 5 type_transition wpa tmpfs:file wpa_tmpfs; #line 5 allow wpa wpa_tmpfs:file { read write }; #line 5 #line 5 allow wpa kernel:system module_request; allow wpa self:capability { setuid net_admin setgid net_raw }; allow wpa cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow wpa self:netlink_route_socket *; allow wpa self:netlink_socket *; allow wpa self:packet_socket *; allow wpa self:udp_socket *; allow wpa wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow wpa wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; #line 15 allow wpa system_wpa_socket:sock_file write; #line 15 allow wpa system_server:unix_dgram_socket sendto; #line 15 allow wpa random_device:chr_file { getattr open read ioctl lock }; # Create a socket for receiving info from wpa type_transition wpa wifi_data_file:sock_file wpa_socket; allow wpa wpa_socket:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr }; allow wpa wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # Allow wpa_cli to work. wpa_cli creates a socket in # /data/misc/wifi/sockets which wpa supplicant communicates with. #line 27 #line 1 "external/sepolicy/zygote.te" # zygote type zygote, domain; type zygote_exec, exec_type, file_type; #line 5 #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. 
#line 5 allow init zygote_exec:file { getattr open read execute }; #line 5 allow init zygote:process transition; #line 5 # New domain is entered by executing the file. #line 5 allow zygote zygote_exec:file { entrypoint read execute }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 allow zygote init:process sigchld; #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit init zygote:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow init zygote:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition init zygote_exec:process zygote; #line 5 #line 5 #line 5 type zygote_tmpfs, file_type; #line 5 type_transition zygote tmpfs:file zygote_tmpfs; #line 5 allow zygote zygote_tmpfs:file { read write }; #line 5 #line 5 typeattribute zygote mlstrustedsubject; # Override DAC on files and switch uid/gid. allow zygote self:capability { dac_override setgid setuid fowner }; # Drop capabilities from bounding set. allow zygote self:capability setpcap; # Switch SELinux context to app domains. allow zygote system_server:process dyntransition; allow zygote appdomain:process dyntransition; # Allow zygote to read app /proc/pid dirs (b/10455872) allow zygote appdomain:dir { getattr search }; allow zygote appdomain:file { { getattr open read ioctl lock } }; # Move children into the peer process group. allow zygote system_server:process { getpgid setpgid }; allow zygote appdomain:process { getpgid setpgid }; # Write to system data. 
allow zygote system_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; allow zygote system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; allow zygote dalvikcache_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; allow zygote dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; # For art. allow zygote dalvikcache_data_file:file execute; # Execute dexopt. allow zygote system_file:file { getattr execute execute_no_trans }; # Control cgroups. allow zygote cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; allow zygote self:capability sys_admin; # Check validity of SELinux context before use. #line 33 allow zygote selinuxfs:dir { open getattr read search ioctl }; #line 33 allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } }; #line 33 allow zygote kernel:security check_context; #line 33 # Check SELinux permissions. 
#line 35 allow zygote selinuxfs:dir { open getattr read search ioctl }; #line 35 allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } }; #line 35 allow zygote kernel:security compute_av; #line 35 allow zygote self:netlink_selinux_socket *; #line 35 # Read /seapp_contexts and /data/security/seapp_contexts #line 37 allow zygote security_file:dir { open getattr read search ioctl }; #line 37 allow zygote security_file:file { getattr open read ioctl lock }; #line 37 allow zygote security_file:lnk_file { getattr open read ioctl lock }; #line 37 allow zygote selinuxfs:dir { open getattr read search ioctl }; #line 37 allow zygote selinuxfs:file { getattr open read ioctl lock }; #line 37 allow zygote rootfs:dir { open getattr read search ioctl }; #line 37 allow zygote rootfs:file { getattr open read ioctl lock }; #line 37 # Setting up /storage/emulated. allow zygote rootfs:dir mounton; allow zygote sdcard_type:dir { write search setattr create add_name mounton }; dontaudit zygote self:capability fsetid; allow zygote tmpfs:dir { write create add_name setattr mounton search }; allow zygote tmpfs:filesystem mount; allow zygote labeledfs:filesystem remount; # Handle --invoke-with command when launching Zygote with a wrapper command. allow zygote zygote_exec:file { execute_no_trans open }; # handle bugreports b/10498304 allow zygote ashmem_device:chr_file execute; allow zygote shell_data_file:file { write getattr }; allow zygote system_server:binder { transfer call }; allow zygote servicemanager:binder { call }; # For legacy unlabeled userdata on existing devices. # See discussion of Unlabeled files in domain.te for more information. # This rule is for dalvikcache mmap/mprotect PROT_EXEC. 
allow zygote unlabeled:file execute; #line 1 "build/target/board/generic/sepolicy/bootanim.te" allow bootanim self:process execmem; allow bootanim ashmem_device:chr_file execute; #line 1 "build/target/board/generic/sepolicy/domain.te" # For /sys/qemu_trace files in the emulator. allow domain sysfs_writable:file { { getattr open read ioctl lock } { open append write } }; #line 1 "build/target/board/generic/sepolicy/surfaceflinger.te" allow surfaceflinger self:process execmem; allow surfaceflinger ashmem_device:chr_file execute; #line 1 "external/sepolicy/roles" role r; role r types domain; #line 1 "external/sepolicy/users" user u roles { r } level s0 range s0 - s0:c0.c1023; #line 1 "external/sepolicy/initial_sid_contexts" sid kernel u:r:kernel:s0 sid security u:object_r:kernel:s0 sid unlabeled u:object_r:unlabeled:s0 sid fs u:object_r:labeledfs:s0 sid file u:object_r:unlabeled:s0 sid file_labels u:object_r:unlabeled:s0 sid init u:object_r:unlabeled:s0 sid any_socket u:object_r:unlabeled:s0 sid port u:object_r:port:s0 sid netif u:object_r:netif:s0 sid netmsg u:object_r:unlabeled:s0 sid node u:object_r:node:s0 sid igmp_packet u:object_r:unlabeled:s0 sid icmp_socket u:object_r:unlabeled:s0 sid tcp_socket u:object_r:unlabeled:s0 sid sysctl_modprobe u:object_r:unlabeled:s0 sid sysctl u:object_r:proc:s0 sid sysctl_fs u:object_r:unlabeled:s0 sid sysctl_kernel u:object_r:unlabeled:s0 sid sysctl_net u:object_r:unlabeled:s0 sid sysctl_net_unix u:object_r:unlabeled:s0 sid sysctl_vm u:object_r:unlabeled:s0 sid sysctl_dev u:object_r:unlabeled:s0 sid kmod u:object_r:unlabeled:s0 sid policy u:object_r:unlabeled:s0 sid scmp_packet u:object_r:unlabeled:s0 sid devnull u:object_r:null_device:s0 #line 1 "external/sepolicy/fs_use" # Label inodes via getxattr. 
fs_use_xattr yaffs2 u:object_r:labeledfs:s0; fs_use_xattr jffs2 u:object_r:labeledfs:s0; fs_use_xattr ext2 u:object_r:labeledfs:s0; fs_use_xattr ext3 u:object_r:labeledfs:s0; fs_use_xattr ext4 u:object_r:labeledfs:s0; fs_use_xattr xfs u:object_r:labeledfs:s0; fs_use_xattr btrfs u:object_r:labeledfs:s0; # Label inodes from task label. fs_use_task pipefs u:object_r:pipefs:s0; fs_use_task sockfs u:object_r:sockfs:s0; # Label inodes from combination of task label and fs label. # Define type_transition rules if you want per-domain types. fs_use_trans devpts u:object_r:devpts:s0; fs_use_trans tmpfs u:object_r:tmpfs:s0; fs_use_trans devtmpfs u:object_r:device:s0; fs_use_trans shm u:object_r:shm:s0; fs_use_trans mqueue u:object_r:mqueue:s0; #line 1 "external/sepolicy/genfs_contexts" # Label inodes with the fs label. genfscon rootfs / u:object_r:rootfs:s0 # proc labeling can be further refined (longest matching prefix). genfscon proc / u:object_r:proc:s0 genfscon proc /net u:object_r:proc_net:s0 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0 genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0 genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 # 
selinuxfs booleans can be individually labeled. genfscon selinuxfs / u:object_r:selinuxfs:s0 genfscon cgroup / u:object_r:cgroup:s0 # sysfs labels can be set by userspace. genfscon sysfs / u:object_r:sysfs:s0 genfscon inotifyfs / u:object_r:inotify:s0 genfscon vfat / u:object_r:sdcard_external:s0 genfscon debugfs / u:object_r:debugfs:s0 genfscon fuse / u:object_r:sdcard_internal:s0 #line 1 "external/sepolicy/port_contexts" # portcon statements go here, e.g. # portcon tcp 80 u:object_r:http_port:s0