1# Rules for all domains.
2
3# Allow reaping by init.
4allow domain init:process sigchld;
5
6# Intra-domain accesses.
7allow domain self:process {
8    fork
9    sigchld
10    sigkill
11    sigstop
12    signull
13    signal
14    getsched
15    setsched
16    getsession
17    getpgid
18    setpgid
19    getcap
20    setcap
21    getattr
22    setrlimit
23};
24allow domain self:fd use;
25allow domain proc:dir r_dir_perms;
26allow domain proc_net:dir search;
27r_dir_file(domain, self)
28allow domain self:{ fifo_file file } rw_file_perms;
29allow domain self:unix_dgram_socket { create_socket_perms sendto };
30allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
31allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
32
33# Inherit or receive open files from others.
34allow domain init:fd use;
35
36userdebug_or_eng(`
37  # Same as adbd rules above, except allow su to do the same thing
38  allow domain su:unix_stream_socket connectto;
39  allow domain su:fd use;
40  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
41
42  allow { domain -init } su:binder { call transfer };
43  allow { domain -init } su:fd use;
44
45  # Running something like "pm dump com.android.bluetooth" requires
46  # fifo writes
47  allow domain su:fifo_file { write getattr };
48
49  # allow "gdbserver --attach" to work for su.
50  allow domain su:process sigchld;
51
52  # Allow writing coredumps to /cores/*
53  allow domain coredump_file:file create_file_perms;
54  allow domain coredump_file:dir ra_dir_perms;
55')
56
57###
58### Talk to debuggerd.
59###
60allow domain debuggerd:process sigchld;
61allow domain debuggerd:unix_stream_socket connectto;
62
63# Root fs.
64allow domain rootfs:dir search;
65allow domain rootfs:lnk_file read;
66
67# Device accesses.
68allow domain device:dir search;
69allow domain dev_type:lnk_file r_file_perms;
70allow domain devpts:dir search;
71allow domain socket_device:dir r_dir_perms;
72allow domain owntty_device:chr_file rw_file_perms;
73allow domain null_device:chr_file rw_file_perms;
74allow domain zero_device:chr_file rw_file_perms;
75allow domain ashmem_device:chr_file rw_file_perms;
76allow domain binder_device:chr_file rw_file_perms;
77allow domain ptmx_device:chr_file rw_file_perms;
78allow domain alarm_device:chr_file r_file_perms;
79allow domain urandom_device:chr_file rw_file_perms;
80allow domain random_device:chr_file rw_file_perms;
81allow domain properties_device:dir r_dir_perms;
82allow domain properties_serial:file r_file_perms;
83
84# For now, everyone can access core property files
85# Device specific properties are not granted by default
86get_prop(domain, core_property_type)
87# Let everyone read log properties, so that liblog can avoid sending unloggable
88# messages to logd.
89get_prop(domain, log_property_type)
90dontaudit domain property_type:file audit_access;
91allow domain property_contexts:file r_file_perms;
92
93allow domain init:key search;
94allow domain vold:key search;
95
96# logd access
97write_logd(domain)
98
99# System file accesses.
100allow domain system_file:dir { search getattr };
101allow domain system_file:file { execute read open getattr };
102allow domain system_file:lnk_file read;
103
104# read any sysfs symlinks
105allow domain sysfs:lnk_file read;
106
107# libc references /data/misc/zoneinfo for timezone related information
108r_dir_file(domain, zoneinfo_data_file)
109
110# Lots of processes access current CPU information
111r_dir_file(domain, sysfs_devices_system_cpu)
112
113r_dir_file(domain, sysfs_usb);
114
115# files under /data.
116allow domain system_data_file:dir { search getattr };
117allow domain system_data_file:lnk_file read;
118
119# required by the dynamic linker
120allow domain proc:lnk_file { getattr read };
121
122# /proc/cpuinfo
123allow domain proc_cpuinfo:file r_file_perms;
124
125# toybox loads libselinux which stats /sys/fs/selinux/
126allow domain selinuxfs:dir search;
127allow domain selinuxfs:file getattr;
128allow domain sysfs:dir search;
129allow domain selinuxfs:filesystem getattr;
130
131# For /acct/uid/*/tasks.
132allow domain cgroup:dir { search write };
133allow domain cgroup:file w_file_perms;
134
135# Almost all processes log tracing information to
136# /sys/kernel/debug/tracing/trace_marker
137# The reason behind this is documented in b/6513400
138allow domain debugfs:dir search;
139allow domain debugfs_tracing:dir search;
140allow domain debugfs_trace_marker:file w_file_perms;
141
142# Filesystem access.
143allow domain fs_type:filesystem getattr;
144allow domain fs_type:dir getattr;
145
146###
147### neverallow rules
148###
149
150# Do not allow any domain other than init or recovery to create unlabeled files.
151neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
152
153# Limit ability to ptrace or read sensitive /proc/pid files of processes
154# with other UIDs to these whitelisted domains.
155neverallow {
156  domain
157  -debuggerd
158  -vold
159  -dumpstate
160  -system_server
161  userdebug_or_eng(`-perfprofd')
162} self:capability sys_ptrace;
163
164# Limit device node creation to these whitelisted domains.
165neverallow {
166  domain
167  -kernel
168  -init
169  -ueventd
170  -vold
171} self:capability mknod;
172
173# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
174neverallow {
175  domain
176  userdebug_or_eng(`-domain')
177  -kernel
178  -init
179  -recovery
180  -ueventd
181  -healthd
182  -uncrypt
183  -tee
184} self:capability sys_rawio;
185
186# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
187neverallow * self:memprotect mmap_zero;
188
189# No domain needs mac_override as it is unused by SELinux.
190neverallow * self:capability2 mac_override;
191
192# Only recovery needs mac_admin to set contexts not defined in current policy.
193neverallow { domain -recovery } self:capability2 mac_admin;
194
195# Only init should be able to load SELinux policies.
196# The first load technically occurs while still in the kernel domain,
197# but this does not trigger a denial since there is no policy yet.
198# Policy reload requires allowing this to the init domain.
199neverallow { domain -init } kernel:security load_policy;
200
201# Only init and the system_server can set selinux.reload_policy 1
202# to trigger a policy reload.
203neverallow { domain -init -system_server } security_prop:property_service set;
204
205# Only init and system_server can write to /data/security, where runtime
206# policy updates live.
207# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
208neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
209# Only init and system_server can create/setattr directories with this type.
210# init is for init.rc mkdir /data/security.
211# system_server is for creating subdirectories under /data/security.
212neverallow { domain -init -system_server } security_file:dir { create setattr };
213# Only system_server can create subdirectories and files under /data/security.
214neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
215neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
216neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
217
218# Only init prior to switching context should be able to set enforcing mode.
219# init starts in kernel domain and switches to init domain via setcon in
220# the init.rc, so the setenforce occurs while still in kernel. After
221# switching domains, there is never any need to setenforce again by init.
222neverallow * kernel:security setenforce;
223neverallow { domain -kernel } kernel:security setcheckreqprot;
224
225# No booleans in AOSP policy, so no need to ever set them.
226neverallow * kernel:security setbool;
227
228# Adjusting the AVC cache threshold.
229# Not presently allowed to anything in policy, but possibly something
230# that could be set from init.rc.
231neverallow { domain -init } kernel:security setsecparam;
232
233# Only init, ueventd and system_server should be able to access HW RNG
234neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
235
236# Ensure that all entrypoint executables are in exec_type or postinstall_file.
237neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
238
239# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
240neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
241neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
242
243# Only init should be able to configure kernel usermodehelpers or
244# security-sensitive proc settings.
245neverallow { domain -init } usermodehelper:file { append write };
246neverallow { domain -init } proc_security:file { append write };
247
248# No domain should be allowed to ptrace init.
249neverallow * init:process ptrace;
250
251# Init can't do anything with binder calls. If this neverallow rule is being
252# triggered, it's probably due to a service with no SELinux domain.
253neverallow * init:binder *;
254
255# Don't allow raw read/write/open access to block_device
256# Rather force a relabel to a more specific type
257neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
258
259# Don't allow raw read/write/open access to generic devices.
260# Rather force a relabel to a more specific type.
261# init is exempt from this as there are character devices that only it uses.
262# ueventd is exempt from this, as it is managing these devices.
263neverallow { domain -init -ueventd } device:chr_file { open read write };
264
265# Limit what domains can mount filesystems or change their mount flags.
266# sdcard_type / vfat is exempt as a larger set of domains need
267# this capability, including device-specific domains.
268neverallow { domain -kernel -init -recovery -vold -zygote -update_engine } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
269
270#
271# Assert that, to the extent possible, we're not loading executable content from
272# outside the rootfs or /system partition except for a few whitelisted domains.
273#
274neverallow {
275    domain
276    -appdomain
277    -autoplay_app
278    -dumpstate
279    -shell
280    userdebug_or_eng(`-su')
281    -system_server
282    -zygote
283} { file_type -system_file -exec_type -postinstall_file }:file execute;
284neverallow {
285    domain
286    -appdomain # for oemfs
287    -recovery # for /tmp/update_binary in tmpfs
288} { fs_type -rootfs }:file execute;
289# Files from cache should never be executed
290neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
291
292# Protect most domains from executing arbitrary content from /data.
293neverallow {
294  domain
295  -untrusted_app
296  -priv_app
297  -shell
298} {
299  data_file_type
300  -dalvikcache_data_file
301  -system_data_file # shared libs in apks
302  -apk_data_file
303}:file no_x_file_perms;
304
305neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
306
307# Only the init property service should write to /data/property and /dev/__properties__
308neverallow { domain -init } property_data_file:dir no_w_dir_perms;
309neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
310neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
311neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
312neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
313
314# Only recovery should be doing writes to /system
315neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
316    { create write setattr relabelfrom append unlink link rename };
317neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
318
319# Don't allow mounting on top of /system files or directories
320neverallow * exec_type:dir_file_class_set mounton;
321neverallow { domain -init } system_file:dir_file_class_set mounton;
322
323# Nothing should be writing to files in the rootfs.
324neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
325
326# Restrict context mounts to specific types marked with
327# the contextmount_type attribute.
328neverallow * {fs_type -contextmount_type}:filesystem relabelto;
329
330# Ensure that context mount types are not writable, to ensure that
331# the write to /system restriction above is not bypassed via context=
332# mount to another type.
333neverallow { domain -recovery } contextmount_type:dir_file_class_set
334    { create write setattr relabelfrom relabelto append unlink link rename };
335
336# Do not allow service_manager add for default_android_service.
337# Instead domains should use a more specific type such as
338# system_app_service rather than the generic type.
339# New service_types are defined in service.te and new mappings
340# from service name to service_type are defined in service_contexts.
341neverallow * default_android_service:service_manager add;
342
343# Require that domains explicitly label unknown properties, and do not allow
344# anyone but init to modify unknown properties.
345neverallow { domain -init } default_prop:property_service set;
346neverallow { domain -init } mmc_prop:property_service set;
347
348neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
349
350# No domain other than recovery and update_engine can write to system partition(s).
351neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
352
353# No domains other than install_recovery or recovery can write to recovery.
354neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
355
356# No domains other than a select few can access the misc_block_device. This
357# block device is reserved for OTA use.
358# Do not assert this rule on userdebug/eng builds, due to some devices using
359# this partition for testing purposes.
360neverallow {
361  domain
362  userdebug_or_eng(`-domain') # exclude debuggable builds
363  -init
364  -uncrypt
365  -update_engine
366  -vold
367  -recovery
368  -ueventd
369} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
370
371# Only servicemanager should be able to register with binder as the context manager
372neverallow { domain -servicemanager } *:binder set_context_mgr;
373
374# Only authorized processes should be writing to files in /data/dalvik-cache
375neverallow {
376  domain
377  -init # TODO: limit init to relabelfrom for files
378  -zygote
379  -installd
380  -postinstall_dexopt
381  -dex2oat
382} dalvikcache_data_file:file no_w_file_perms;
383
384neverallow {
385  domain
386  -init
387  -installd
388  -postinstall_dexopt
389  -dex2oat
390  -zygote
391} dalvikcache_data_file:dir no_w_dir_perms;
392
393# Only system_server should be able to send commands via the zygote socket
394neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
395neverallow { domain -system_server } zygote_socket:sock_file write;
396
397# Android does not support System V IPCs.
398#
399# The reason for this is due to the fact that, by design, they lead to global
400# kernel resource leakage.
401#
402# For example, there is no way to automatically release a SysV semaphore
403# allocated in the kernel when:
404#
405# - a buggy or malicious process exits
406# - a non-buggy and non-malicious process crashes or is explicitly killed.
407#
408# Killing processes automatically to make room for new ones is an
409# important part of Android's application lifecycle implementation. This means
410# that, even assuming only non-buggy and non-malicious code, it is very likely
411# that over time, the kernel global tables used to implement SysV IPCs will fill
412# up.
413neverallow * *:{ shm sem msg msgq } *;
414
415# Do not mount on top of symlinks, fifos, or sockets.
416# Feature parity with Chromium LSM.
417neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
418
419# Nobody should be able to execute su on user builds.
420# On userdebug/eng builds, only dumpstate, shell, and
421# su itself execute su.
422neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
423
424# Do not allow the introduction of new execmod rules. Text relocations
425# and modification of executable pages are unsafe.
426# The only exceptions are for NDK text relocations associated with
427# https://code.google.com/p/android/issues/detail?id=23203
428# which, long term, need to go away.
429neverallow * {
430  file_type
431  -system_data_file
432  -apk_data_file
433  -app_data_file
434  -asec_public_file
435}:file execmod;
436
437# Do not allow making the stack or heap executable.
438# We would also like to minimize execmem but it seems to be
439# required by some device-specific service domains.
440neverallow * self:process { execstack execheap };
441
442# prohibit non-zygote spawned processes from using shared libraries
443# with text relocations. b/20013628 .
444neverallow { domain -appdomain } file_type:file execmod;
445
446neverallow { domain -init } proc:{ file dir } mounton;
447
448# Ensure that all types assigned to processes are included
449# in the domain attribute, so that all allow and neverallow rules
450# written on domain are applied to all processes.
451# This is achieved by ensuring that it is impossible to transition
452# from a domain to a non-domain type and vice versa.
453neverallow domain ~domain:process { transition dyntransition };
454neverallow ~domain domain:process { transition dyntransition };
455
456#
457# Only system_app and system_server should be creating or writing
458# their files. The proper way to share files is to setup
459# type transitions to a more specific type or assigning a type
460# to its parent directory via a file_contexts entry.
461# Example type transition:
462#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
463#
464neverallow {
465  domain
466  -system_server
467  -system_app
468  -init
469  -installd # for relabelfrom and unlink, check for this in explicit neverallow
470} system_data_file:file no_w_file_perms;
471# do not grant anything greater than r_file_perms and relabelfrom unlink
472# to installd
473neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
474
475#
476# Only these domains should transition to shell domain. This domain is
477# permissible for the "shell user". If you need a process to exec a shell
478# script with differing privilege, define a domain and set up a transition.
479#
480neverallow {
481  domain
482  -adbd
483  -init
484  -runas
485  -zygote
486} shell:process { transition dyntransition };
487
488# Minimize read access to shell- or app-writable symlinks.
489# This is to prevent malicious symlink attacks.
490neverallow {
491  domain
492  -appdomain
493  -installd
494  -uncrypt  # TODO: see if we can remove
495} app_data_file:lnk_file read;
496
497neverallow {
498  domain
499  -shell
500  userdebug_or_eng(`-uncrypt')
501  -installd
502} shell_data_file:lnk_file read;
503
504# In addition to the symlink reading restrictions above, restrict
505# write access to shell owned directories. The /data/local/tmp
506# directory is untrustworthy, and non-whitelisted domains should
507# not be trusting any content in those directories.
508neverallow {
509  domain
510  -adbd
511  -dumpstate
512  -installd
513  -init
514  -shell
515  -vold
516} shell_data_file:dir no_w_dir_perms;
517
518neverallow {
519  domain
520  -adbd
521  -appdomain
522  -dumpstate
523  -init
524  -installd
525  -system_server # why?
526  userdebug_or_eng(`-uncrypt')
527} shell_data_file:dir { open search };
528
529# Same as above for /data/local/tmp files. We allow shell files
530# to be passed around by file descriptor, but not directly opened.
531neverallow {
532  domain
533  -adbd
534  -appdomain
535  -dumpstate
536  -installd
537  userdebug_or_eng(`-uncrypt')
538} shell_data_file:file open;
539
540# servicemanager is the only process which handles list request
541neverallow * ~servicemanager:service_manager list;
542
543# only service_manager_types can be added to service_manager
544neverallow * ~service_manager_type:service_manager { add find };
545
546# Prevent assigning non property types to properties
547neverallow * ~property_type:property_service set;
548
549# Domain types should never be assigned to any files other
550# than the /proc/pid files associated with a process. The
551# executable file used to enter a domain should be labeled
552# with its own _exec type, not with the domain type.
553# Conventionally, this looks something like:
554# $ cat mydaemon.te
555# type mydaemon, domain;
556# type mydaemon_exec, exec_type, file_type;
557# init_daemon_domain(mydaemon)
558# $ grep mydaemon file_contexts
559# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
560neverallow * domain:file { execute execute_no_trans entrypoint };
561
562# Do not allow access to the generic debugfs label. This is too broad.
563# Instead, if access to part of debugfs is desired, it should have a
564# more specific label.
565# TODO: fix system_server and dumpstate
566neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
567
568neverallow {
569  domain
570  -init
571  -recovery
572  -sdcardd
573  -vold
574} fuse_device:chr_file open;
575neverallow {
576  domain
577  -dumpstate
578  -init
579  -priv_app
580  -recovery
581  -sdcardd
582  -system_server
583  -ueventd
584  -vold
585} fuse_device:chr_file *;
586
587# Profiles contain untrusted data and profman parses that. We should only run
588# in from installd forked processes.
589neverallow {
590  domain
591  -installd
592  -profman
593} profman_exec:file no_x_file_perms;
594
595# Enforce restrictions on kernel module origin.
596# Do not allow kernel module loading except from system,
597# vendor, and boot partitions.
598neverallow * ~{ system_file rootfs }:system module_load;
599