1# Rules for all domains.
2
3# Allow reaping by init.
4allow domain init:process sigchld;
5
6# Read access to properties mapping.
7allow domain kernel:fd use;
8allow domain tmpfs:file { read getattr };
9
10# Search /storage/emulated tmpfs mount.
11allow domain tmpfs:dir r_dir_perms;
12
13# Intra-domain accesses.
14allow domain self:process {
15    fork
16    sigchld
17    sigkill
18    sigstop
19    signull
20    signal
21    getsched
22    setsched
23    getsession
24    getpgid
25    setpgid
26    getcap
27    setcap
28    getattr
29    setrlimit
30};
31allow domain self:fd use;
32allow domain self:dir r_dir_perms;
33allow domain self:lnk_file r_file_perms;
34allow domain self:{ fifo_file file } rw_file_perms;
35allow domain self:unix_dgram_socket { create_socket_perms sendto };
36allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
37
38# Inherit or receive open files from others.
39allow domain init:fd use;
40allow domain system_server:fd use;
41
42# Connect to adbd and use a socket transferred from it.
43# This is used for e.g. adb backup/restore.
44allow domain adbd:unix_stream_socket connectto;
45allow domain adbd:fd use;
46allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
47
48userdebug_or_eng(`
49  # Same as adbd rules above, except allow su to do the same thing
50  allow domain su:unix_stream_socket connectto;
51  allow domain su:fd use;
52  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
53
54  binder_call(domain, su)
55
56  # Running something like "pm dump com.android.bluetooth" requires
57  # fifo writes
58  allow domain su:fifo_file { write getattr };
59
60  # allow "gdbserver --attach" to work for su.
61  allow domain su:process sigchld;
62
63  # Allow writing coredumps to /cores/*
64  allow domain coredump_file:file create_file_perms;
65  allow domain coredump_file:dir ra_dir_perms;
66')
67
68###
69### Talk to debuggerd.
70###
71allow domain debuggerd:process sigchld;
72allow domain debuggerd:unix_stream_socket connectto;
73
74# Root fs.
75allow domain rootfs:dir r_dir_perms;
76allow domain rootfs:file r_file_perms;
77allow domain rootfs:lnk_file r_file_perms;
78
79# Device accesses.
80allow domain device:dir search;
81allow domain dev_type:lnk_file r_file_perms;
82allow domain devpts:dir search;
83allow domain device:file read;
84allow domain socket_device:dir r_dir_perms;
85allow domain owntty_device:chr_file rw_file_perms;
86allow domain null_device:chr_file rw_file_perms;
87allow domain zero_device:chr_file rw_file_perms;
88allow domain ashmem_device:chr_file rw_file_perms;
89allow domain binder_device:chr_file rw_file_perms;
90allow domain ptmx_device:chr_file rw_file_perms;
91allow domain log_device:dir search;
92allow domain log_device:chr_file rw_file_perms;
93allow domain alarm_device:chr_file r_file_perms;
94allow domain urandom_device:chr_file rw_file_perms;
95allow domain random_device:chr_file rw_file_perms;
96allow domain properties_device:file r_file_perms;
97
98# logd access
99write_logd(domain)
100
101# Filesystem accesses.
102allow domain fs_type:filesystem getattr;
103allow domain fs_type:dir getattr;
104
105# System file accesses.
106allow domain system_file:dir r_dir_perms;
107allow domain system_file:file r_file_perms;
108allow domain system_file:file execute;
109allow domain system_file:lnk_file r_file_perms;
110
111# Read files already opened under /data.
112allow domain system_data_file:dir { search getattr };
113allow domain system_data_file:file { getattr read };
114allow domain system_data_file:lnk_file r_file_perms;
115
116# Read apk files under /data/app.
117allow domain apk_data_file:dir { getattr search };
118allow domain apk_data_file:file r_file_perms;
119allow domain apk_data_file:lnk_file r_file_perms;
120
121# Read /data/dalvik-cache.
122allow domain dalvikcache_data_file:dir { search getattr };
123allow domain dalvikcache_data_file:file r_file_perms;
124
125# Read already opened /cache files.
126allow domain cache_file:dir r_dir_perms;
127allow domain cache_file:file { getattr read };
128allow domain cache_file:lnk_file r_file_perms;
129
130# Read timezone related information
131r_dir_file(domain, zoneinfo_data_file)
132
133# For /acct/uid/*/tasks.
134allow domain cgroup:dir { search write };
135allow domain cgroup:file w_file_perms;
136
137#Allow access to ion memory allocation device
138allow domain ion_device:chr_file rw_file_perms;
139
140# Read access to pseudo filesystems.
141r_dir_file(domain, proc)
142r_dir_file(domain, sysfs)
143r_dir_file(domain, sysfs_devices_system_cpu)
144r_dir_file(domain, inotify)
145r_dir_file(domain, cgroup)
146r_dir_file(domain, proc_net)
147allow domain proc_cpuinfo:file r_file_perms;
148
149# debugfs access
150allow domain debugfs:dir r_dir_perms;
151allow domain debugfs:file w_file_perms;
152
153# Get SELinux enforcing status.
154allow domain selinuxfs:dir r_dir_perms;
155allow domain selinuxfs:file r_file_perms;
156
157# /data/security files
158allow domain security_file:dir { search getattr };
159allow domain security_file:file getattr;
160allow domain security_file:lnk_file r_file_perms;
161
162# World readable asec image contents
163allow domain asec_public_file:file r_file_perms;
164allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
165
166allow domain servicemanager:service_manager list;
167allow domain service_manager_type:service_manager find;
168
169###
170### neverallow rules
171###
172
173# Do not allow any confined domain to create new unlabeled files.
174neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create;
175
176# Limit ability to ptrace or read sensitive /proc/pid files of processes
177# with other UIDs to these whitelisted domains.
178neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
179
180# Limit device node creation to these whitelisted domains.
181neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
182
183# Limit raw I/O to these whitelisted domains.
184neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
185
186# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
187neverallow domain self:memprotect mmap_zero;
188
189# No domain needs mac_override as it is unused by SELinux.
190neverallow domain self:capability2 mac_override;
191
192# Only recovery needs mac_admin to set contexts not defined in current policy.
193neverallow { domain -recovery } self:capability2 mac_admin;
194
195# Only init should be able to load SELinux policies.
196# The first load technically occurs while still in the kernel domain,
197# but this does not trigger a denial since there is no policy yet.
198# Policy reload requires allowing this to the init domain.
199neverallow { domain -init } kernel:security load_policy;
200
201# Only init and the system_server can set selinux.reload_policy 1
202# to trigger a policy reload.
203neverallow { domain -init -system_server } security_prop:property_service set;
204
205# Only init and system_server can write to /data/security, where runtime
206# policy updates live.
207# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
208neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
209# Only init and system_server can create/setattr directories with this type.
210# init is for init.rc mkdir /data/security.
211# system_server is for creating subdirectories under /data/security.
212neverallow { domain -init -system_server } security_file:dir { create setattr };
213# Only system_server can create subdirectories and files under /data/security.
214neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
215neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
216neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
217
218# Only init prior to switching context should be able to set enforcing mode.
219# init starts in kernel domain and switches to init domain via setcon in
220# the init.rc, so the setenforce occurs while still in kernel. After
221# switching domains, there is never any need to setenforce again by init.
222neverallow domain kernel:security setenforce;
223neverallow { domain -kernel } kernel:security setcheckreqprot;
224
225# No booleans in AOSP policy, so no need to ever set them.
226neverallow domain kernel:security setbool;
227
228# Adjusting the AVC cache threshold.
229# Not presently allowed to anything in policy, but possibly something
230# that could be set from init.rc.
231neverallow { domain -init } kernel:security setsecparam;
232
233# Only init, ueventd and system_server should be able to access HW RNG
234neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
235
236# Ensure that all entrypoint executables are in exec_type.
237neverallow domain { file_type -exec_type }:file entrypoint;
238
239# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
240neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
241neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
242
243# Only init should be able to configure kernel usermodehelpers or
244# security-sensitive proc settings.
245neverallow { domain -init } usermodehelper:file { append write };
246neverallow { domain -init } proc_security:file { append write };
247
248# No domain should be allowed to ptrace init.
249neverallow domain init:process ptrace;
250
251# Init can't receive binder calls. If this neverallow rule is being
252# triggered, it's probably due to a service with no SELinux domain.
253neverallow domain init:binder call;
254
255# Don't allow raw read/write/open access to block_device
256# Rather force a relabel to a more specific type
257neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
258
259# Don't allow raw read/write/open access to generic devices.
260# Rather force a relabel to a more specific type.
261# ueventd is exempt from this, as its managing these devices.
262neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write };
263
264# Limit what domains can mount filesystems or change their mount flags.
265# sdcard_type / vfat is exempt as a larger set of domains need
266# this capability, including device-specific domains.
267neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
268
269#
270# Assert that, to the extent possible, we're not loading executable content from
271# outside the rootfs or /system partition except for a few whitelisted domains.
272#
273neverallow {
274    domain
275    -appdomain
276    -dumpstate
277    -shell
278    userdebug_or_eng(`-su')
279    -system_server
280    -zygote
281} { file_type -system_file -exec_type }:file execute;
282neverallow {
283    domain
284    -appdomain # for oemfs
285    -recovery # for /tmp/update_binary in tmpfs
286} { fs_type -rootfs }:file execute;
287
288# Only the init property service should write to /data/property.
289neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
290neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
291
292# Only recovery should be doing writes to /system
293neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
294    { create write setattr relabelfrom relabelto append unlink link rename };
295
296# Nothing should be writing to files in the rootfs.
297neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
298
299# Restrict context mounts to specific types marked with
300# the contextmount_type attribute.
301neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
302
303# Ensure that context mount types are not writable, to ensure that
304# the write to /system restriction above is not bypassed via context=
305# mount to another type.
306neverallow { domain -recovery } contextmount_type:dir_file_class_set
307    { create write setattr relabelfrom relabelto append unlink link rename };
308
309# Do not allow service_manager add for default_android_service.
310# Instead domains should use a more specific type such as
311# system_app_service rather than the generic type.
312# New service_types are defined in service.te and new mappings
313# from service name to service_type are defined in service_contexts.
314neverallow domain default_android_service:service_manager add;
315
316neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
317