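#################################################
# MLS policy constraints
#
# Notation used in the constraint expressions below:
#   t1 / t2   type of the subject (source) / object (target)
#   l1 / l2   low (current) MLS level of the subject / object
#   h1 / h2   high (clearance) MLS level of the subject / object
#   eq        the two levels are identical
#   dom       the left-hand level dominates the right-hand level
# mlstrustedsubject / mlstrustedobject are attributes that the expressions
# below name explicitly to exempt a subject or an object from a check.
# When several mlsconstrain statements cover the same class and permission,
# every one of them must be satisfied for the access to be granted.
#

#
# Process constraints
#

# Process transition:  Require equivalence unless the subject is trusted.
mlsconstrain process { transition dyntransition }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
	     (l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations:  Require equivalence unless trusted.
# ptrace and share are listed in both the read and the write rule, so for
# them both expressions apply: equivalence is required unless trusted.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
	     (l1 eq l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted.  Sockets inherit the range of their creator.
mlsconstrain socket_class_set { create relabelfrom relabelto }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Datagram send: Sender must be equivalent to the receiver unless one of them
# is trusted.  Unlike the create/relabel rule above, a trusted receiver (t2)
# is also an exemption here.
mlsconstrain unix_dgram_socket { sendto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect:  Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level
# (l2 eq h2); that part of the check has no exemption at all.
# Do NOT exempt mlstrustedobject types from this constraint.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

#
# Userfaultfd constraints
#
# To enforce that anonymous inodes are self contained in the application's
# process: strict equivalence, with no trusted-subject or trusted-object
# exemption.
mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
	     (l1 eq l2);

#
# Constraints for app data files only.
#

# Only constrain open, not read/write, so already open fds can be used.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
# Objects that are not app data files (nor appdomain_tmpfs, for the file
# classes) pass these two rules unconditionally; they are constrained by
# the "other than app data files" section below instead.
mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
	     (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
	     ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);

# For symlinks in app data files, require equivalence in order to manipulate
# or follow (read).  privapp_data_file is exempted from this rule and is
# covered by the dominance rule that follows.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
	     ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
# But for privapp_data_file (and appdomain_tmpfs), continue to use dominance
# for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
	     ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);

#
# Constraints for file types other than app data files.
#

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.  App data files (and appdomain_tmpfs for the
# non-directory classes) are exempted here because the section above
# already constrains them.  An mlsvendorcompat subject is additionally
# exempted for system_data_file and user_profile_root_file directories.
mlsconstrain dir { read getattr search }
	     (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
	     or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );

mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
	     (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.  The same app data / appdomain_tmpfs
# exemptions as for the read rules apply.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
	     (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
	     (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a domain type, so that processes can communicate via unnamed pipes
# passed by binder or local socket IPC.
mlsconstrain fifo_file { read getattr }
	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

mlsconstrain fifo_file { write setattr append unlink link rename }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
#mlsconstrain binder call
#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);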
116*e4a36f41SAndroid Build Coastguard Worker#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
117