1#####################################
2# domain_trans(olddomain, type, newdomain)
3# Allow a transition from olddomain to newdomain
4# upon executing a file labeled with type.
5# This only allows the transition; it does not
6# cause it to occur automatically - use domain_auto_trans
7# if that is what you want.
8#
9define(`domain_trans', `
10# Old domain may exec the file and transition to the new domain.
11allow $1 $2:file { getattr open read execute };
12allow $1 $3:process transition;
13# New domain is entered by executing the file.
14allow $3 $2:file { entrypoint open read execute getattr };
15# New domain can send SIGCHLD to its caller.
16allow $3 $1:process sigchld;
17# Enable AT_SECURE, i.e. libc secure mode.
18dontaudit $1 $3:process noatsecure;
19# XXX dontaudit candidate but requires further study.
20allow $1 $3:process { siginh rlimitinh };
21')
22
23#####################################
24# domain_auto_trans(olddomain, type, newdomain)
25# Automatically transition from olddomain to newdomain
26# upon executing a file labeled with type.
27#
28define(`domain_auto_trans', `
29# Allow the necessary permissions.
30domain_trans($1,$2,$3)
31# Make the transition occur by default.
32type_transition $1 $2:process $3;
33')
34
35#####################################
36# file_type_trans(domain, dir_type, file_type)
37# Allow domain to create a file labeled file_type in a
38# directory labeled dir_type.
39# This only allows the transition; it does not
40# cause it to occur automatically - use file_type_auto_trans
41# if that is what you want.
42#
43define(`file_type_trans', `
44# Allow the domain to add entries to the directory.
45allow $1 $2:dir ra_dir_perms;
46# Allow the domain to create the file.
47allow $1 $3:notdevfile_class_set create_file_perms;
48allow $1 $3:dir create_dir_perms;
49')
50
51#####################################
52# file_type_auto_trans(domain, dir_type, file_type)
53# Automatically label new files with file_type when
54# they are created by domain in directories labeled dir_type.
55#
56define(`file_type_auto_trans', `
57# Allow the necessary permissions.
58file_type_trans($1, $2, $3)
59# Make the transition occur by default.
60type_transition $1 $2:dir $3;
61type_transition $1 $2:notdevfile_class_set $3;
62')
63
64#####################################
65# r_dir_file(domain, type)
66# Allow the specified domain to read directories, files
67# and symbolic links of the specified type.
68define(`r_dir_file', `
69allow $1 $2:dir r_dir_perms;
70allow $1 $2:{ file lnk_file } r_file_perms;
71')
72
73#####################################
74# unconfined_domain(domain)
75# Allow the specified domain to perform more privileged operations
76# than would be typically allowed. Please see the comments at the
77# top of unconfined.te.
78#
79define(`unconfined_domain', `
80typeattribute $1 mlstrustedsubject;
81typeattribute $1 unconfineddomain;
82')
83
84#####################################
85# tmpfs_domain(domain)
86# Define and allow access to a unique type for
87# this domain when creating tmpfs / shmem / ashmem files.
88define(`tmpfs_domain', `
89type $1_tmpfs, file_type;
90type_transition $1 tmpfs:file $1_tmpfs;
91allow $1 $1_tmpfs:file { read write };
92')
93
94#####################################
95# init_daemon_domain(domain)
96# Set up a transition from init to the daemon domain
97# upon executing its binary.
98define(`init_daemon_domain', `
99domain_auto_trans(init, $1_exec, $1)
100tmpfs_domain($1)
101')
102
103#####################################
104# app_domain(domain)
105# Allow a base set of permissions required for all apps.
106define(`app_domain', `
107typeattribute $1 appdomain;
108# Label ashmem objects with our own unique type.
109tmpfs_domain($1)
110# Map with PROT_EXEC.
111allow $1 $1_tmpfs:file execute;
112')
113
114#####################################
115# net_domain(domain)
116# Allow a base set of permissions required for network access.
117define(`net_domain', `
118typeattribute $1 netdomain;
119')
120
121#####################################
122# bluetooth_domain(domain)
123# Allow a base set of permissions required for bluetooth access.
124define(`bluetooth_domain', `
125typeattribute $1 bluetoothdomain;
126')
127
128#####################################
129# unix_socket_connect(clientdomain, socket, serverdomain)
130# Allow a local socket connection from clientdomain via
131# socket to serverdomain.
132define(`unix_socket_connect', `
133allow $1 $2_socket:sock_file write;
134allow $1 $3:unix_stream_socket connectto;
135')
136
137#####################################
138# unix_socket_send(clientdomain, socket, serverdomain)
139# Allow a local socket send from clientdomain via
140# socket to serverdomain.
141define(`unix_socket_send', `
142allow $1 $2_socket:sock_file write;
143allow $1 $3:unix_dgram_socket sendto;
144')
145
146#####################################
147# binder_use(domain)
148# Allow domain to use Binder IPC.
149define(`binder_use', `
150# Call the servicemanager and transfer references to it.
151allow $1 servicemanager:binder { call transfer };
152# servicemanager performs getpidcon on clients.
153allow servicemanager $1:dir search;
154allow servicemanager $1:file { read open };
155allow servicemanager $1:process getattr;
156# rw access to /dev/binder and /dev/ashmem is presently granted to
157# all domains in domain.te.
158')
159
160#####################################
161# binder_call(clientdomain, serverdomain)
162# Allow clientdomain to perform binder IPC to serverdomain.
163define(`binder_call', `
164# Call the server domain and optionally transfer references to it.
165allow $1 $2:binder { call transfer };
166# Allow the serverdomain to transfer references to the client on the reply.
167allow $2 $1:binder transfer;
168# Receive and use open files from the server.
169allow $1 $2:fd use;
170')
171
172#####################################
173# binder_service(domain)
174# Mark a domain as being a Binder service domain.
175# Used to allow binder IPC to the various system services.
176define(`binder_service', `
177typeattribute $1 binderservicedomain;
178')
179
180#####################################
181# wakelock_use(domain)
182# Allow domain to manage wake locks
183define(`wakelock_use', `
184# Access /sys/power/wake_lock and /sys/power/wake_unlock
185allow $1 sysfs_wake_lock:file rw_file_perms;
186# Accessing these files requires CAP_BLOCK_SUSPEND
187allow $1 self:capability2 block_suspend;
188')
189
190#####################################
191# selinux_check_access(domain)
192# Allow domain to check SELinux permissions via selinuxfs.
193define(`selinux_check_access', `
194allow $1 selinuxfs:file rw_file_perms;
195allow $1 kernel:security compute_av;
196allow $1 self:netlink_selinux_socket *;
197')
198
199#####################################
200# selinux_check_context(domain)
201# Allow domain to check SELinux contexts via selinuxfs.
202define(`selinux_check_context', `
203allow $1 selinuxfs:file rw_file_perms;
204allow $1 kernel:security check_context;
205')
206
207#####################################
208# selinux_setenforce(domain)
209# Allow domain to set SELinux to enforcing.
210define(`selinux_setenforce', `
211allow $1 selinuxfs:file rw_file_perms;
212allow $1 kernel:security setenforce;
213')
214
215#####################################
216# selinux_setbool(domain)
217# Allow domain to set SELinux booleans.
218define(`selinux_setbool', `
219allow $1 selinuxfs:file rw_file_perms;
220allow $1 kernel:security setbool;
221')
222
223#####################################
224# security_access_policy(domain)
225# Read only access to all policy files and
226# selinuxfs
227define(`security_access_policy', `
228allow $1 security_file:dir r_dir_perms;
229allow $1 security_file:file r_file_perms;
230')
231
232#####################################
233# selinux_manage_policy(domain)
234# Ability to manage policy files and
235# trigger runtime reload.
236define(`selinux_manage_policy', `
237security_access_policy($1)
238unix_socket_connect($1, property, init)
239allow $1 security_file:dir create_dir_perms;
240allow $1 security_file:file create_file_perms;
241allow $1 security_file:lnk_file { create rename unlink };
242allow $1 security_prop:property_service set;
243')
244
245#####################################
246# mmac_manage_policy(domain)
247# Ability to manage mmac policy files,
248# trigger runtime reload, change
249# mmac enforcing mode and access logcat.
250define(`mmac_manage_policy', `
251unix_socket_connect($1, property, init)
252allow $1 security_file:dir create_dir_perms;
253allow $1 security_file:file create_file_perms;
254allow $1 security_file:lnk_file { create rename unlink };
255allow $1 security_prop:property_service set;
256')
257
258#####################################
259# access_kmsg(domain)
260# Ability to read from kernel logs
261# and execute the klogctl syscall
262# in a non destructive manner. See
263# man 2 klogctl
264define(`access_kmsg', `
265allow $1 kernel:system syslog_read;
266')
267
268#####################################
269# write_klog(domain)
270# Ability to write to kernel log via
271# klog_write()
272# See system/core/libcutil/klog.c
273define(`write_klog', `
274type_transition $1 device:chr_file klog_device "__kmsg__";
275allow $1 klog_device:chr_file { create open write unlink };
276allow $1 device:dir { write add_name remove_name };
277')
278
279#####################################
280# create_pty(domain)
281# Allow domain to create and use a pty, isolated from any other domain ptys.
282define(`create_pty', `
283# Each domain gets a unique devpts type.
284type $1_devpts, fs_type;
285# Label the pty with the unique type when created.
286type_transition $1 devpts:chr_file $1_devpts;
287# Allow use of the pty after creation.
288allow $1 $1_devpts:chr_file { open getattr read write ioctl };
289# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
290# allowed to everyone via domain.te.
291')
292
293#####################################
294# Non system_app application set
295#
296define(`non_system_app_set', `{ appdomain -system_app }')
297
298#####################################
299# Recovery only
300# SELinux rules which apply only to recovery mode
301#
302define(`recovery_only', ifelse(target_recovery, `true', $1, ))
303
304#####################################
305# Userdebug or eng builds
306# SELinux rules which apply only to userdebug or eng builds
307#
308define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
309
310#####################################
311# permissive_or_unconfined
312# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
313# and "unconfined($1)" otherwise.
314#
315# This is used for experimental domains, where we want to ensure
316# the domain is unconfined+enforcing once new SELinux policy development
317# has ceased.
318#
319define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
320
321#####################################
322# write_logd(domain)
323# Ability to write to android log
324# daemon via sockets
325define(`write_logd', `
326userdebug_or_eng(`
327  allow $1 logd_debug:file w_file_perms;
328')
329unix_socket_send($1, logdw, logd)
330')
331
332#####################################
333# read_logd(domain)
334# Ability to read from android
335# log daemon via sockets
336define(`read_logd', `
337unix_socket_connect($1, logdr, logd)
338')
339
340#####################################
341# control_logd(domain)
342# Ability to control
343# android log daemon via sockets
344define(`control_logd', `
345# Group AID_LOG checked by filesystem & logd
346# to permit control commands
347unix_socket_connect($1, logd, logd)
348')
349
350#####################################
351# use_keystore(domain)
352# Ability to use keystore.
353# Keystore is requires the following permissions
354# to call getpidcon.
355define(`use_keystore', `
356  allow keystore $1:dir search;
357  allow keystore $1:file { read open };
358  allow keystore $1:process getattr;
359  binder_call($1, keystore)
360')
361