#################################################
# MLS policy constraints
#

#
# Process constraints
#

# Process transition: Require equivalence unless the subject is trusted.
mlsconstrain process { transition dyntransition }
	((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
	(l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations: Require equivalence unless trusted.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
	(l1 eq l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Sockets inherit the range of their creator.
mlsconstrain socket_class_set { create relabelfrom relabelto }
	((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Datagram send: Sender must be equivalent to the receiver unless one of them
# is trusted.
mlsconstrain unix_dgram_socket { sendto }
	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect: Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
	(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

#
# Constraints for app data files only.
#

# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
	((t2 != app_data_file and t2 != privapp_data_file) or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
	((t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
# For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
mlsconstrain { lnk_file } { open setattr unlink link rename read }
	((t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
# For privapp_data_file, continue to use dominance for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
	((t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);

#
# Constraints for file types other than app data files.
#

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
	(t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
	(t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
	(t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
	(t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a domain type, so that processes can communicate via unnamed pipes
# passed by binder or local socket IPC.
mlsconstrain fifo_file { read getattr }
	(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

mlsconstrain fifo_file { write setattr append unlink link rename }
	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
#mlsconstrain binder call
#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
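# Added example, not part of the Android sepolicy sources: a small Python model of how
# three of the constraints above (dir open on app data, lnk_file read on app_data_file,
# and create in dir_file_class_set) evaluate `l1 dom l2`, `l1 eq l2`, `l2 eq h2` and
# `t1 == mlstrustedsubject` against constructed security contexts. The context strings,
# category numbers and the mlstrustedsubject attribute on system_server are assumptions
# made for illustration, not values taken from a real device policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    sens: int              # sensitivity, the "s0" in s0:c512,c768
    cats: frozenset        # categories, the "c512,c768"

    def dom(self, other):
        # "l1 dom l2": sensitivity at least as high AND categories a superset.
        return self.sens >= other.sens and self.cats >= other.cats

def parse_level(text):
    # Accepts "s0" or "s0:c512,c768"; category ranges such as c0.c1023 are not modelled.
    sens, _, cats = text.partition(":")
    return Level(int(sens[1:]), frozenset(int(c[1:]) for c in cats.split(",") if c))

@dataclass(frozen=True)
class Context:
    type: str
    low: Level             # l1 / l2 in the constraints
    high: Level            # h1 / h2 in the constraints
    attrs: frozenset       # attributes the type carries, e.g. mlstrustedsubject (assumed)

def context(text, *attrs):
    # "u:r:untrusted_app:s0:c512,c768" or ranged "u:object_r:app_data_file:s0-s0:c512".
    _user, _role, typ, rng = text.split(":", 3)
    low, _, high = rng.partition("-")
    return Context(typ, parse_level(low), parse_level(high or low), frozenset(attrs))

def trusted(subj):
    # "t1 == mlstrustedsubject" holds for every type carrying that attribute.
    return "mlstrustedsubject" in subj.attrs

def may_open_app_dir(subj, obj):
    # dir { open search ... }: dominance suffices for app data directories.
    return (obj.type not in ("app_data_file", "privapp_data_file")
            or subj.low.dom(obj.low) or trusted(subj))

def may_follow_app_symlink(subj, obj):
    # lnk_file { ... read }: equivalence, not dominance, for symlinks under app_data_file.
    return obj.type != "app_data_file" or subj.low == obj.low or trusted(subj)

def may_create(subj, obj):
    # dir_file_class_set { create ... }: new files must be single-level (l2 eq h2);
    # trusted subjects are NOT exempt from that part.
    return obj.low == obj.high and (subj.low == obj.low or trusted(subj))
```

Other constraints in this file (and the type-enforcement rules) still apply on top of these; a `True` here only means the modelled MLS constraint does not deny the access.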