# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
# userdebug_or_eng() expands to nothing on user builds, so the su exclusion
# only takes effect on debuggable builds.
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
# Any domain may deliver SIGCHLD to crash_dump.
allow domain crash_dump:process sigchld;

# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
13
# See private/crash_dump.te
# dumpable_domain is the base set used by the profiler grants below (and by
# private/crash_dump.te). Each subtraction removes a domain that must not be
# profiled or dumped; see crash_dump.te for the rationale behind the list.
define(`dumpable_domain',`{
  domain
  -apexd
  -bpfloader
  -crash_dump
  -crosvm # TODO(b/236672526): Remove exception for crosvm
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -ueventd
  -vendor_init
  -vold
}')
30
# Allow heap profiling by heapprofd.
# Zygotes are excluded due to potential issues with holding open file
# descriptors or other state across forks. Other exclusions conflict with
# neverallows, and are not considered important to profile.
# The set starts from dumpable_domain, so the exclusions in that macro apply
# here as well.
can_profile_heap({
  dumpable_domain
  -app_zygote
  -hal_configstore_server
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -webview_zygote
  -zygote
})

# Allow profiling using perf_event_open by traced_perf.
# Same base set as heap profiling; only the zygotes and hal_configstore_server
# are additionally excluded here.
can_profile_perf({
  dumpable_domain
  -app_zygote
  -hal_configstore_server
  -webview_zygote
  -zygote
})
55
# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);

# Everyone can access the fuse list of features.
r_dir_file(domain, sysfs_fs_fuse_features);

# Path resolution access in cgroups.
# Every domain may traverse cgroupfs, but write access to cgroup directories
# and control files is withheld from appdomain and rs.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;

# Same split for the cgroup v2 hierarchy.
allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;

# cgroup.rc and the task profile descriptions are read-only for everyone.
# Writing cgroup.rc is neverallowed to all but init and vendor_init further
# down in this file.
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
76
# Allow all domains to read sys.use_memfd to determine
# whether memfd support can be used, if the device supports it
get_prop(domain, use_memfd_prop);

# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)

# Read access to bq configuration values
get_prop(domain, bq_config_prop);

# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);

# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process), and MTE bootloader override to be
# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
get_prop(domain, device_config_runtime_native_boot_prop);
get_prop(domain, device_config_runtime_native_prop);
97
# For now, everyone can access core property files
# Device specific properties are not granted by default
# Only one of the two blocks below is expanded, depending on whether the
# device is built with compatible (split system/vendor) property contexts.
not_compatible_property(`
    # DO NOT ADD ANY PROPERTIES HERE
    get_prop(domain, core_property_type)
    get_prop(domain, exported3_system_prop)
    get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
    # DO NOT ADD ANY PROPERTIES HERE
    # Core properties go to core and app domains plus shell; vendor_default_prop
    # goes to everything that is neither core nor app.
    get_prop({coredomain appdomain shell}, core_property_type)
    get_prop({coredomain appdomain shell}, exported3_system_prop)
    get_prop({coredomain appdomain shell}, exported_camera_prop)
    get_prop({coredomain shell}, userspace_reboot_exported_prop)
    get_prop({coredomain shell}, userspace_reboot_log_prop)
    get_prop({coredomain shell}, userspace_reboot_test_prop)
    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
116
# Public readable properties
# Every domain may read the properties below.
get_prop(domain, aaudio_config_prop)
get_prop(domain, apexd_select_prop)
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
get_prop(domain, build_vendor_prop)
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, fingerprint_prop)
get_prop(domain, framework_status_prop)
get_prop(domain, gwp_asan_prop)
get_prop(domain, hal_instrumentation_prop)
get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, locale_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, timezone_prop)
# Debug-build-only properties are withheld from untrusted, isolated and
# ephemeral apps.
get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app },  userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
get_prop(domain, vts_config_prop)

# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
get_prop(domain, binder_cache_telephony_server_prop)
158
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
# Only present on debuggable builds.
userdebug_or_eng(`
  allow domain su:key search;
')

# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;

# Allow all processes to check for the existence of the boringssl_self_test_marker files.
# Only directory search is granted here, not read access to the markers.
allow domain boringssl_self_test_marker:dir search;

# Allow all processes to read the file_logger property that liblog uses to check if file_logger
# should be used.
get_prop(domain, log_file_logger_prop)

# Allow all processes to connect to PRNG seeder daemon.
unix_socket_connect(domain, prng_seeder, prng_seeder)
181
# Allow calls to system(3), popen(3), ...
# Granting rx on shell_exec/toolbox_exec to a domain whose own policy
# neverallows it would fail the policy build, hence the carve-outs below.
allow {
  domain
  # Except domains that explicitly neverallow it.
  -kernel
  -init
  -vendor_init
  -app_zygote
  -webview_zygote
  -system_server
  -artd
  -audioserver
  -cameraserver
  -mediadrmserver
  -mediaextractor
  -mediametrics
  -mediaserver
  -mediatuner
  -mediatranscoding
  -ueventd
  -hal_audio_server
  -hal_camera_server
  -hal_cas_server
  -hal_codec2_server
  -hal_configstore_server
  -hal_drm_server
  -hal_omx_server
} {shell_exec toolbox_exec}:file rx_file_perms;
210
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
# neverallow is a compile-time assertion: the build fails if any allow rule
# grants one of the listed permissions to a domain in this set. Subtracting
# domain on debuggable builds empties the set, so the assertion only binds
# on user builds.
neverallow {
  domain
  userdebug_or_eng(`-domain') # exclude debuggable builds
  -fastbootd
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
  -mtectrl
  -misctrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
231
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
# This is CAP_SYS_PTRACE. The userdebug_or_eng() entries are only exempt on
# debuggable builds.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-simpleperf_boot')
  -storaged
  -system_server
} self:global_capability_class_set sys_ptrace;

# Limit ability to generate hardware unique device ID attestations to priv_apps
# gmscore_app is also exempt. Using the device ID (use_dev_id) and the
# namespace clear/lock/reset/unlock operations are reserved for system_server.
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
250
# Only init and vendor_init may read or write tracing debugfs files on user
# builds; on debuggable builds domain is subtracted and the assertion is
# vacuous.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;

# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
# Directories: no permission at all (*). Files: everything except getattr and
# read, so at most stat/read may be granted to other domains elsewhere.
neverallow {
  domain
  -init
  -system_server
  userdebug_or_eng(`-dumpstate')
} dropbox_data_file:dir *;
neverallow {
  domain
  -init
  -system_server
  userdebug_or_eng(`-dumpstate')
} dropbox_data_file:file ~{ getattr read };
272
###
# Services should respect app sandboxes
# Creating and unlinking entries in app data directories is limited to the
# app itself, artd and installd.
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Only the following processes should be directly accessing private app
# directories.
neverallow {
  domain
  -adbd
  -appdomain
  -app_zygote
  -artd # compile secondary dex files
  -dexoptanalyzer
  -installd
  -profman
  -rs # spawned by appdomain, so carryover the exception above
  -runas
  -system_server
  -viewcompiler
  -zygote
} { privapp_data_file app_data_file }:dir *;

# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;

# Opening app data files is limited to the app, its zygote, artd, installd
# and rs.
neverallow {
  domain
  -appdomain
  -app_zygote
  -artd # compile secondary dex files
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;

# NOTE(review): identical to the { create unlink } assertion at the top of
# this section; redundant but harmless.
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Relabeling app data in either direction is reserved for artd and installd;
# apps themselves may not relabel their own files.
neverallow {
  domain
  -artd # compile secondary dex files
  -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
331
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
# Two layers: a broad assertion that only the listed domains touch staged
# dirs/files at all, then tighter assertions that restrict write access to
# init, system_server and (for directories) installd.
neverallow {
  domain
  -init
  -system_server
  -apexd
  -installd
  -priv_app
  -virtualizationmanager
} staging_data_file:dir *;
neverallow {
  domain
  -init
  -system_app
  -system_server
  -apexd
  -adbd
  -kernel
  -installd
  -priv_app
  -shell
  -virtualizationmanager
  -crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
  { append create relabelfrom rename setattr write no_x_file_perms };
364
# Only the listed domains may execute files carrying a filesystem label other
# than rootfs (e.g. tmpfs or oemfs).
neverallow {
    domain
    -appdomain # for oemfs
    -bootanim # for oemfs
    -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
# The types subtracted from file_type are the locations executable code is
# expected to live (system, vendor, exec_type, postinstall). Everything else
# in file_type is covered by this assertion.
neverallow {
    domain
    -appdomain
    with_asan(`-asan_extract')
    -shell
    userdebug_or_eng(`-su')
    -system_server_startup # for memfd backed executable regions
    -app_zygote
    -webview_zygote
    -zygote
    userdebug_or_eng(`-mediaextractor')
    userdebug_or_eng(`-mediaswcodec')
} {
    file_type
    -system_file_type
    -system_lib_file
    -system_linker_exec
    -vendor_file_type
    -exec_type
    -postinstall_file
}:file execute;
400
# Only init is allowed to write cgroup.rc file
# (vendor_init is carved out as well.)
neverallow {
  domain
  -init
  -vendor_init
} cgroup_rc_file:file no_w_file_perms;

# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -otapreopt_slot
  -artd
} dalvikcache_data_file:file no_w_file_perms;

# Same allowlist for the dalvik-cache directories themselves.
neverallow {
  domain
  -init
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -zygote
  -otapreopt_slot
  -artd
} dalvikcache_data_file:dir no_w_dir_perms;
432
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;

# Same allowlist for the directories.
neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;

# Protect most domains from executing arbitrary content from /data.
# The subtracted data types are the ones that legitimately hold code
# (ART artifacts, dalvik-cache, APKs and their shared libs).
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
472
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# dac_override_allowed is the allowlist of domains that may hold
# CAP_DAC_OVERRIDE; every other domain is neverallowed it below.
define(`dac_override_allowed', `{
  apexd
  artd
  dnsmasq
  dumpstate
  init
  installd
  userdebug_or_eng(`llkd')
  lmkd
  migrate_legacy_obb_data
  netd
  postinstall_dexopt
  recovery
  rss_hwm_reset
  sdcardd
  tee
  ueventd
  uncrypt
  vendor_init
  vold
  vold_prepare_subdirs
  zygote
}')
# ~ is set complement: every type that is not in dac_override_allowed.
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials.  Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
  dac_override_allowed
  traced_perf
  traced_probes
  heapprofd
} self:global_capability_class_set dac_read_search;
510
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
# fastbootd is only exempt in recovery policy (recovery_only()).
neverallow {
    domain
    -apexd
    recovery_only(`-fastbootd')
    -init
    -kernel
    -otapreopt_chroot
    -recovery
    -update_engine
    -vold
    -zygote
} { fs_type
    -sdcard_type
    -fusefs_type
}:filesystem { mount remount relabelfrom relabelto };

# Mounting debugfs (other than the tracing part) is denied to everyone on
# user builds, and to everyone but init on debuggable builds. Only active
# when the debugfs restriction is enabled for the build.
enforce_debugfs_restriction(`
  neverallow {
    domain userdebug_or_eng(`-init')
  } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')
535
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
# CAP_SYS_RAWIO; domain is subtracted on debuggable builds, emptying the set.
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -gsid
  -init
  -recovery
  -ueventd
  -uncrypt
  -tee
  -hal_bootctl_server
  -fastbootd
} self:global_capability_class_set sys_rawio;

# Limit directory operations that do not need to do app data isolation.
neverallow {
  domain
  -fsck
  -init
  -installd
  -zygote
} mirror_data_file:dir *;
559
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;

# Only core domains are allowed to access package_manager properties
# Setting is further limited to init and system_server.
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

# Allow ART to set its config properties in its oneshot boot service, in
# addition to the common init and vendor_init access.
neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;

# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
577
# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
# Only expanded on full Treble builds. The assertion covers writing,
# executing and opening vendor_file from core domains.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -bootanim
    -crash_dump
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -init
    -kernel
    userdebug_or_eng(`-simpleperf_boot')
    -traced_perf
    -ueventd
  } vendor_file:file { no_w_file_perms no_x_file_perms open };
')
595
# Vendor domains are not permitted to initiate communications to core domain sockets
# First argument: the initiating (non-core, non-app) domains. Second argument:
# the core domains whose sockets they must not reach, minus the ones that
# expose a public socket API.
full_treble_only(`
  neverallow_establish_socket_comms({
    domain
    -coredomain
    -appdomain
    -socket_between_core_and_vendor_violators
  }, {
    coredomain
    -logd # Logging by writing to logd Unix domain socket is public API
    -netd # netdomain needs this
    -mdnsd # netdomain needs this
    -prng_seeder # Any process using libcrypto needs this
    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
    -init
    -tombstoned # linker to tombstoned
    -heapprofd
    -traced
    -traced_perf
  });
')
617
full_treble_only(`
  # Do not allow system components access to /vendor files except for the
  # ones allowed here.
  # The subtracted vendor types are the interfaces the framework is expected
  # to consume (configs, overlays, public libs, key layouts, etc.).
  neverallow {
    coredomain
    # TODO(b/37168747): clean up fwk access to /vendor
    -crash_dump
    -crosvm # loads vendor-specific disk images
    -init # starts vendor executables
    -kernel # loads /vendor/firmware
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -shell
    userdebug_or_eng(`-simpleperf_boot')
    -system_executes_vendor_violators
    -traced_perf # library/binary access for symbolization
    -ueventd # reads /vendor/ueventd.rc
    -vold # loads incremental fs driver
  } {
    vendor_file_type
    -same_process_hal_file
    -vendor_app_file
    -vendor_apex_file
    -vendor_apex_metadata_file
    -vendor_configs_file
    -vendor_microdroid_file
    -vendor_service_contexts_file
    -vendor_framework_file
    -vendor_idc_file
    -vendor_keychars_file
    -vendor_keylayout_file
    -vendor_overlay_file
    -vendor_public_framework_file
    -vendor_public_lib_file
    -vendor_task_profiles_file
    -vendor_uuid_mapping_config_file
    -vndk_sp_file
    -vendor_aconfig_storage_file
  }:file *;
')
658
# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;

# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
668
# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
} mm_events_config_prop:file no_rw_file_perms;

# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are replaced with symbol
# names (if available). Traces don't disclose KASLR.
# Everyone else is denied open/read on /proc/kallsyms; profcollectd and
# simpleperf_boot are only exempt on debuggable builds.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  -vendor_init
  userdebug_or_eng(`-simpleperf_boot')
  -traced_probes
  -traced_perf
} proc_kallsyms:file { open read };
690
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
# Only active when the debugfs restriction is enabled for the build. The
# kcov exemption and the init/hal_dumpstate/incidentd carve-outs apply to
# debuggable builds only; tracefs is handled separately.
enforce_debugfs_restriction(`
  neverallow {
    domain
    -vendor_modprobe
    userdebug_or_eng(`
      -init
      -hal_dumpstate
      -incidentd
    ')
  } { debugfs_type
      userdebug_or_eng(`-debugfs_kcov')
      -tracefs_type
  }:file no_rw_file_perms;
')
709
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;

# Restrict CAP_PERFMON.
# simpleperf_boot is only exempt on debuggable builds.
neverallow {
  domain
  -init
  -vendor_modprobe
  userdebug_or_eng(`-simpleperf_boot')
  -kernel
  -uprobestats
} self:capability2 perfmon;
722
# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
# Four assertions follow: file open, dir write, dir open and dir search, each
# with its own allowlist. Several exemptions are debuggable-build only.
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -installd
  userdebug_or_eng(`-uncrypt')
  userdebug_or_eng(`-virtualizationmanager')
  userdebug_or_eng(`-virtualizationservice')
  userdebug_or_eng(`-crosvm')
} shell_data_file:file open;

# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
neverallow {
  domain
  -adbd
  -artd
  -dumpstate
  -installd
  -init
  -shell
  -vold
} shell_data_file:dir no_w_dir_perms;

# Opening shell owned directories.
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -init
  -installd
  -simpleperf_app_runner
  -system_server # why?
  userdebug_or_eng(`-uncrypt')
} shell_data_file:dir open;

# Path lookup through shell owned directories; same allowlist as open plus
# the virtualization domains on debuggable builds.
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -init
  -installd
  -simpleperf_app_runner
  -system_server # why?
  userdebug_or_eng(`-uncrypt')
  userdebug_or_eng(`-virtualizationmanager')
  userdebug_or_eng(`-crosvm')
} shell_data_file:dir search;
788
# respect system_app sandboxes
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
  -traced_probes # resolve inodes for i/o tracing.
                 # only needs open and read, the rest is neverallow in
                 # traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
# appdomain is exempt above, so list the app subtypes that must still be
# kept out of system_app data explicitly.
neverallow {
  isolated_app_all
  ephemeral_app
  priv_app
  sdk_sandbox_all
  untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
807
# Only init may transition into the mtectrl domain.
neverallow { domain -init } mtectrl:process { dyntransition transition };

# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;

# Do not allow write access to aconfig flag value files except init and aconfigd
neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:dir *;
neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;
816