1##################################### 2# domain_trans(olddomain, type, newdomain) 3# Allow a transition from olddomain to newdomain 4# upon executing a file labeled with type. 5# This only allows the transition; it does not 6# cause it to occur automatically - use domain_auto_trans 7# if that is what you want. 8# 9define(`domain_trans', ` 10# Old domain may exec the file and transition to the new domain. 11allow $1 $2:file { getattr open read execute }; 12allow $1 $3:process transition; 13# New domain is entered by executing the file. 14allow $3 $2:file { entrypoint open read execute getattr }; 15# New domain can send SIGCHLD to its caller. 16allow $3 $1:process sigchld; 17# Enable AT_SECURE, i.e. libc secure mode. 18dontaudit $1 $3:process noatsecure; 19# XXX dontaudit candidate but requires further study. 20allow $1 $3:process { siginh rlimitinh }; 21') 22 23##################################### 24# domain_auto_trans(olddomain, type, newdomain) 25# Automatically transition from olddomain to newdomain 26# upon executing a file labeled with type. 27# 28define(`domain_auto_trans', ` 29# Allow the necessary permissions. 30domain_trans($1,$2,$3) 31# Make the transition occur by default. 32type_transition $1 $2:process $3; 33') 34 35##################################### 36# file_type_trans(domain, dir_type, file_type) 37# Allow domain to create a file labeled file_type in a 38# directory labeled dir_type. 39# This only allows the transition; it does not 40# cause it to occur automatically - use file_type_auto_trans 41# if that is what you want. 42# 43define(`file_type_trans', ` 44# Allow the domain to add entries to the directory. 45allow $1 $2:dir ra_dir_perms; 46# Allow the domain to create the file. 47allow $1 $3:notdevfile_class_set create_file_perms; 48allow $1 $3:dir create_dir_perms; 49') 50 51##################################### 52# file_type_auto_trans(domain, dir_type, file_type) 53# Automatically label new files with file_type when 54# they are created by domain in directories labeled dir_type. 55# 56define(`file_type_auto_trans', ` 57# Allow the necessary permissions. 58file_type_trans($1, $2, $3) 59# Make the transition occur by default. 60type_transition $1 $2:dir $3; 61type_transition $1 $2:notdevfile_class_set $3; 62') 63 64##################################### 65# r_dir_file(domain, type) 66# Allow the specified domain to read directories, files 67# and symbolic links of the specified type. 68define(`r_dir_file', ` 69allow $1 $2:dir r_dir_perms; 70allow $1 $2:{ file lnk_file } r_file_perms; 71') 72 73##################################### 74# tmpfs_domain(domain) 75# Define and allow access to a unique type for 76# this domain when creating tmpfs / shmem / ashmem files. 77define(`tmpfs_domain', ` 78type $1_tmpfs, file_type; 79type_transition $1 tmpfs:file $1_tmpfs; 80allow $1 $1_tmpfs:file { read write }; 81') 82 83##################################### 84# init_daemon_domain(domain) 85# Set up a transition from init to the daemon domain 86# upon executing its binary. 87define(`init_daemon_domain', ` 88domain_auto_trans(init, $1_exec, $1) 89tmpfs_domain($1) 90') 91 92##################################### 93# app_domain(domain) 94# Allow a base set of permissions required for all apps. 95define(`app_domain', ` 96typeattribute $1 appdomain; 97# Label ashmem objects with our own unique type. 98tmpfs_domain($1) 99# Map with PROT_EXEC. 100allow $1 $1_tmpfs:file execute; 101') 102 103##################################### 104# net_domain(domain) 105# Allow a base set of permissions required for network access. 106define(`net_domain', ` 107typeattribute $1 netdomain; 108') 109 110##################################### 111# bluetooth_domain(domain) 112# Allow a base set of permissions required for bluetooth access. 113define(`bluetooth_domain', ` 114typeattribute $1 bluetoothdomain; 115') 116 117##################################### 118# unix_socket_connect(clientdomain, socket, serverdomain) 119# Allow a local socket connection from clientdomain via 120# socket to serverdomain. 121# 122# Note: If you see denial records that distill to the 123# following allow rules: 124# allow clientdomain property_socket:sock_file write; 125# allow clientdomain init:unix_stream_socket connectto; 126# allow clientdomain something_prop:property_service set; 127# 128# This sequence is indicative of attempting to set a property. 129# use set_prop(sourcedomain, targetproperty) 130# 131define(`unix_socket_connect', ` 132allow $1 $2_socket:sock_file write; 133allow $1 $3:unix_stream_socket connectto; 134') 135 136##################################### 137# set_prop(sourcedomain, targetproperty) 138# Allows source domain to set the 139# targetproperty. 140# 141define(`set_prop', ` 142unix_socket_connect($1, property, init) 143allow $1 $2:property_service set; 144') 145 146##################################### 147# unix_socket_send(clientdomain, socket, serverdomain) 148# Allow a local socket send from clientdomain via 149# socket to serverdomain. 150define(`unix_socket_send', ` 151allow $1 $2_socket:sock_file write; 152allow $1 $3:unix_dgram_socket sendto; 153') 154 155##################################### 156# binder_use(domain) 157# Allow domain to use Binder IPC. 158define(`binder_use', ` 159# Call the servicemanager and transfer references to it. 160allow $1 servicemanager:binder { call transfer }; 161# servicemanager performs getpidcon on clients. 162allow servicemanager $1:dir search; 163allow servicemanager $1:file { read open }; 164allow servicemanager $1:process getattr; 165# rw access to /dev/binder and /dev/ashmem is presently granted to 166# all domains in domain.te. 167') 168 169##################################### 170# binder_call(clientdomain, serverdomain) 171# Allow clientdomain to perform binder IPC to serverdomain. 172define(`binder_call', ` 173# Call the server domain and optionally transfer references to it. 174allow $1 $2:binder { call transfer }; 175# Allow the serverdomain to transfer references to the client on the reply. 176allow $2 $1:binder transfer; 177# Receive and use open files from the server. 178allow $1 $2:fd use; 179') 180 181##################################### 182# binder_service(domain) 183# Mark a domain as being a Binder service domain. 184# Used to allow binder IPC to the various system services. 185define(`binder_service', ` 186typeattribute $1 binderservicedomain; 187') 188 189##################################### 190# wakelock_use(domain) 191# Allow domain to manage wake locks 192define(`wakelock_use', ` 193# Access /sys/power/wake_lock and /sys/power/wake_unlock 194allow $1 sysfs_wake_lock:file rw_file_perms; 195# Accessing these files requires CAP_BLOCK_SUSPEND 196allow $1 self:capability2 block_suspend; 197') 198 199##################################### 200# selinux_check_access(domain) 201# Allow domain to check SELinux permissions via selinuxfs. 202define(`selinux_check_access', ` 203allow $1 selinuxfs:file rw_file_perms; 204allow $1 kernel:security compute_av; 205allow $1 self:netlink_selinux_socket *; 206') 207 208##################################### 209# selinux_check_context(domain) 210# Allow domain to check SELinux contexts via selinuxfs. 211define(`selinux_check_context', ` 212allow $1 selinuxfs:file rw_file_perms; 213allow $1 kernel:security check_context; 214') 215 216##################################### 217# selinux_setenforce(domain) 218# Allow domain to set SELinux to enforcing. 219define(`selinux_setenforce', ` 220allow $1 selinuxfs:file rw_file_perms; 221allow $1 kernel:security setenforce; 222') 223 224##################################### 225# selinux_setbool(domain) 226# Allow domain to set SELinux booleans. 227define(`selinux_setbool', ` 228allow $1 selinuxfs:file rw_file_perms; 229allow $1 kernel:security setbool; 230') 231 232##################################### 233# security_access_policy(domain) 234# Read only access to all policy files and 235# selinuxfs 236define(`security_access_policy', ` 237allow $1 security_file:dir r_dir_perms; 238allow $1 security_file:file r_file_perms; 239') 240 241##################################### 242# selinux_manage_policy(domain) 243# Ability to manage policy files and 244# trigger runtime reload. 245define(`selinux_manage_policy', ` 246security_access_policy($1) 247unix_socket_connect($1, property, init) 248allow $1 security_file:dir create_dir_perms; 249allow $1 security_file:file create_file_perms; 250allow $1 security_file:lnk_file { create rename unlink }; 251allow $1 security_prop:property_service set; 252') 253 254##################################### 255# mmac_manage_policy(domain) 256# Ability to manage mmac policy files, 257# trigger runtime reload, change 258# mmac enforcing mode and access logcat. 259define(`mmac_manage_policy', ` 260unix_socket_connect($1, property, init) 261allow $1 security_file:dir create_dir_perms; 262allow $1 security_file:file create_file_perms; 263allow $1 security_file:lnk_file { create rename unlink }; 264allow $1 security_prop:property_service set; 265') 266 267##################################### 268# access_kmsg(domain) 269# Ability to read from kernel logs 270# and execute the klogctl syscall 271# in a non destructive manner. See 272# man 2 klogctl 273define(`access_kmsg', ` 274allow $1 kernel:system syslog_read; 275') 276 277##################################### 278# create_pty(domain) 279# Allow domain to create and use a pty, isolated from any other domain ptys. 280define(`create_pty', ` 281# Each domain gets a unique devpts type. 282type $1_devpts, fs_type; 283# Label the pty with the unique type when created. 284type_transition $1 devpts:chr_file $1_devpts; 285# Allow use of the pty after creation. 286allow $1 $1_devpts:chr_file { open getattr read write ioctl }; 287# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms 288# allowed to everyone via domain.te. 289') 290 291##################################### 292# Non system_app application set 293# 294define(`non_system_app_set', `{ appdomain -system_app }') 295 296##################################### 297# Recovery only 298# SELinux rules which apply only to recovery mode 299# 300define(`recovery_only', ifelse(target_recovery, `true', $1, )) 301 302##################################### 303# Userdebug or eng builds 304# SELinux rules which apply only to userdebug or eng builds 305# 306define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) 307 308##################################### 309# write_logd(domain) 310# Ability to write to android log 311# daemon via sockets 312define(`write_logd', ` 313unix_socket_send($1, logdw, logd) 314allow $1 pmsg_device:chr_file w_file_perms; 315') 316 317##################################### 318# read_logd(domain) 319# Ability to run logcat and read from android 320# log daemon via sockets 321define(`read_logd', ` 322allow $1 logcat_exec:file rx_file_perms; 323unix_socket_connect($1, logdr, logd) 324') 325 326##################################### 327# control_logd(domain) 328# Ability to control 329# android log daemon via sockets 330define(`control_logd', ` 331# Group AID_LOG checked by filesystem & logd 332# to permit control commands 333unix_socket_connect($1, logd, logd) 334') 335 336##################################### 337# use_keystore(domain) 338# Ability to use keystore. 339# Keystore is requires the following permissions 340# to call getpidcon. 341define(`use_keystore', ` 342 allow keystore $1:dir search; 343 allow keystore $1:file { read open }; 344 allow keystore $1:process getattr; 345 allow $1 keystore_service:service_manager find; 346 binder_call($1, keystore) 347') 348 349########################################### 350# use_drmservice(domain) 351# Ability to use DrmService which requires 352# DrmService to call getpidcon. 353define(`use_drmservice', ` 354 allow drmserver $1:dir search; 355 allow drmserver $1:file { read open }; 356 allow drmserver $1:process getattr; 357') 358