# Rules in this section apply to the domain attribute, i.e. to every process
# domain unless the domain is explicitly subtracted from the set.

# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
# Signal traffic between the crashing process (source) and its crash_dump
# handler (target): only sigchld is granted here, nothing else from the
# process class.
allow domain crash_dump:process sigchld;

# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
# The set is every domain minus the listed exclusions; the whole grant is
# wrapped in userdebug_or_eng, so it is absent from user builds.
userdebug_or_eng(`can_profile_heap({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
})')

# As above, allow perf profiling most processes on debug builds.
# zygote is excluded as system-wide profiling could end up with it
# (unexpectedly) holding an open fd across a fork.
userdebug_or_eng(`can_profile_perf({
  domain
  -bpfloader
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -ueventd
  -vendor_init
  -vold
  -zygote
})')

# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);

# Path resolution access in cgroups.
allow domain cgroup:dir search;
# Write access to the cgroup hierarchies is withheld from app processes
# (appdomain) and from rs, which is spawned by appdomain; they keep search only.
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;

# Same split for the cgroup v2 hierarchy.
allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;

# Read-only access to the cgroup and task-profile configuration files; the
# write side of cgroup_rc_file is asserted further down in this file.
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;

# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);

# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)

# Read access to bq configuration values
get_prop(domain, bq_config_prop);

# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
  # DO NOT ADD ANY PROPERTIES HERE
  get_prop(domain, core_property_type)
  get_prop(domain, exported3_system_prop)
  get_prop(domain, vendor_default_prop)
')
# In the compatible-property configuration each property type is scoped to the
# listed domains instead of being granted to all of domain; in particular
# vendor_default_prop goes to non-core, non-app domains only.
compatible_property_only(`
  # DO NOT ADD ANY PROPERTIES HERE
  get_prop({coredomain appdomain shell}, core_property_type)
  get_prop({coredomain appdomain shell}, exported3_system_prop)
  get_prop({coredomain appdomain shell}, exported_camera_prop)
  get_prop({coredomain shell}, userspace_reboot_exported_prop)
  get_prop({coredomain shell}, userspace_reboot_log_prop)
  get_prop({coredomain shell}, userspace_reboot_test_prop)
  get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')

# Allow access to fsverity keyring.
# Only the key class search permission is granted; this lets a process look up
# keys, not read or modify them.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
# Debug-build only: keys installed from the su domain are searchable by any
# process. This grant does not exist on user builds.
userdebug_or_eng(`
  allow domain su:key search;
')

# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;

# Allow all processes to check for the existence of the boringssl_self_test_marker files.
# Directory search only; the marker files themselves are not readable through this rule.
allow domain boringssl_self_test_marker:dir search;

# Allow all processes to connect to PRNG seeder daemon.
unix_socket_connect(domain, prng_seeder, prng_seeder)

# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
# On userdebug/eng the -domain term empties the source set, so the assertion
# only has effect on user builds.
neverallow {
  domain
  userdebug_or_eng(`-domain') # exclude debuggable builds
  -fastbootd
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
  -mtectrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
# Only the listed domains may hold the sys_ptrace capability; the
# userdebug_or_eng entries are exempted on debuggable builds only.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-simpleperf_boot')
  -storaged
  -system_server
} self:global_capability_class_set sys_ptrace;

# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
# Device-identifier use on keystore2 keys and the namespace-wide keystore2
# management operations (clear_ns, lock, reset, unlock) are reserved for
# system_server.
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };

# Read/write access to debugfs tracing files is denied to everything but init
# and vendor_init; the -domain term lifts the assertion on debuggable builds.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;

# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
# ~{ getattr read } is the complement: every file permission except getattr
# and read is denied to other domains.
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };

###
# Services should respect app sandboxes
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Only the following processes should be directly accessing private app
# directories.
neverallow {
  domain
  -adbd
  -appdomain
  -app_zygote
  -dexoptanalyzer
  -installd
  -iorap_inode2filename
  -iorap_prefetcherd
  -profman
  -rs # spawned by appdomain, so carryover the exception above
  -runas
  -system_server
  -viewcompiler
  -zygote
} { privapp_data_file app_data_file }:dir *;

# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
# ~r_dir_perms: anything beyond read-only directory access is denied.
neverallow {
  domain
  -appdomain
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;

# Opening app data files (any file class) is limited to this set.
neverallow {
  domain
  -appdomain
  -app_zygote
  -installd
  -iorap_prefetcherd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;

# Same create/unlink assertion as in the app-sandbox section above; restating
# a neverallow is harmless.
neverallow {
  domain
  -appdomain
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Relabeling app data in either direction is reserved for installd.
neverallow {
  domain
  -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
neverallow {
  domain
  -init
  -system_server
  -apexd
  -installd
  -iorap_inode2filename
  -priv_app
  -virtualizationservice
} staging_data_file:dir *;
neverallow {
  domain
  -init
  -system_app
  -system_server
  -apexd
  -adbd
  -kernel
  -installd
  -iorap_inode2filename
  -priv_app
  -shell
  -virtualizationservice
  -crosvm
} staging_data_file:file *;
# Tighter write-side assertion: directory writes are limited to three domains.
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
  { append create relabelfrom rename setattr write no_x_file_perms };

# Executing files from any filesystem type other than rootfs is denied except
# for the three listed cases.
neverallow {
  domain
  -appdomain # for oemfs
  -bootanim # for oemfs
  -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
# Target set: every file_type minus the system, vendor, exec and postinstall
# types, i.e. the file types that are not expected to carry executables.
neverallow {
  domain
  -appdomain
  with_asan(`-asan_extract')
  -iorap_prefetcherd
  -shell
  userdebug_or_eng(`-su')
  -system_server_startup # for memfd backed executable regions
  -app_zygote
  -webview_zygote
  -zygote
  userdebug_or_eng(`-mediaextractor')
  userdebug_or_eng(`-mediaswcodec')
} {
  file_type
  -system_file_type
  -system_lib_file
  -system_linker_exec
  -vendor_file_type
  -exec_type
  -postinstall_file
}:file execute;

# Only init and vendor_init are allowed to write the cgroup.rc file
neverallow {
  domain
  -init
  -vendor_init
} cgroup_rc_file:file no_w_file_perms;

# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;

# Same set of writers for the dalvik-cache directories.
neverallow {
  domain
  -init
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -zygote
  -otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;

# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;

neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;

# Protect most domains from executing arbitrary content from /data.
# The subtracted data types are the ones that legitimately hold code
# (ART artifacts, dalvik-cache, APKs and their shared libraries).
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;

# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# dac_override_allowed is an m4 macro expanding to the set of domains that may
# hold dac_override; llkd is a member on debuggable builds only.
define(`dac_override_allowed', `{
  apexd
  dnsmasq
  dumpstate
  init
  installd
  userdebug_or_eng(`llkd')
  lmkd
  migrate_legacy_obb_data
  netd
  postinstall_dexopt
  recovery
  rss_hwm_reset
  sdcardd
  tee
  ueventd
  uncrypt
  vendor_init
  vold
  vold_prepare_subdirs
  zygote
}')
# The ~ complement means: every domain that is not in the list above.
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
  dac_override_allowed
  iorap_inode2filename
  iorap_prefetcherd
  traced_perf
  traced_probes
  heapprofd
} self:global_capability_class_set dac_read_search;

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
# fastbootd is exempted only in the recovery policy build.
neverallow {
  domain
  -apexd
  recovery_only(`-fastbootd')
  -init
  -kernel
  -otapreopt_chroot
  -recovery
  -update_engine
  -vold
  -zygote
} { fs_type
  -sdcard_type
  -fusefs_type
}:filesystem { mount remount relabelfrom relabelto };

# When the debugfs restriction is enforced, no domain may mount or relabel
# debugfs filesystems other than the tracing one; init is exempted only on
# debuggable builds.
enforce_debugfs_restriction(`
  neverallow {
    domain userdebug_or_eng(`-init')
  } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')

# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
# (the -domain term empties the source set on userdebug/eng)
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -gsid
  -init
  -recovery
  -ueventd
  -uncrypt
  -tee
  -hal_bootctl_server
  -fastbootd
} self:global_capability_class_set sys_rawio;

# Limit directory operations that do not need to do app data isolation.
neverallow {
  domain
  -fsck
  -init
  -installd
  -zygote
} mirror_data_file:dir *;

# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;

# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

# Kprobes should only be used by adb root
# (the assertion itself exempts only init and vendor_init from the denial)
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;

# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
# Core domains may not write, execute or open vendor_file files; the listed
# core domains are the exceptions.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -bootanim
    -crash_dump
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -init
    -iorap_inode2filename
    -iorap_prefetcherd
    -kernel
    userdebug_or_eng(`-simpleperf_boot')
    -traced_perf
    -ueventd
  } vendor_file:file { no_w_file_perms no_x_file_perms open };
')

# Vendor domains are not permitted to initiate communications to core domain sockets
# First set: the vendor side (domain minus core, app and known violators).
# Second set: the core-side peers, minus the services every process may reach.
full_treble_only(`
  neverallow_establish_socket_comms({
    domain
    -coredomain
    -appdomain
    -socket_between_core_and_vendor_violators
  }, {
    coredomain
    -logd # Logging by writing to logd Unix domain socket is public API
    -netd # netdomain needs this
    -mdnsd # netdomain needs this
    -prng_seeder # Any process using libcrypto needs this
    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
    -init
    -tombstoned # linker to tombstoned
    userdebug_or_eng(`-heapprofd')
    userdebug_or_eng(`-traced')
    userdebug_or_eng(`-traced_perf')
  });
')

full_treble_only(`
  # Do not allow system components access to /vendor files except for the
  # ones allowed here.
  # The target set subtracts the vendor file types that core domains are
  # expected to read (configs, contexts, overlays, public libs, vndk-sp, ...);
  # the denial is the full file class (*).
  neverallow {
    coredomain
    # TODO(b/37168747): clean up fwk access to /vendor
    -crash_dump
    -crosvm # loads vendor-specific disk images
    -init # starts vendor executables
    -iorap_inode2filename
    -iorap_prefetcherd
    -kernel # loads /vendor/firmware
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -shell
    userdebug_or_eng(`-simpleperf_boot')
    -system_executes_vendor_violators
    -traced_perf # library/binary access for symbolization
    -ueventd # reads /vendor/ueventd.rc
    -vold # loads incremental fs driver
  } {
    vendor_file_type
    -same_process_hal_file
    -vendor_app_file
    -vendor_apex_file
    -vendor_configs_file
    -vendor_service_contexts_file
    -vendor_framework_file
    -vendor_idc_file
    -vendor_keychars_file
    -vendor_keylayout_file
    -vendor_overlay_file
    -vendor_public_framework_file
    -vendor_public_lib_file
    -vendor_task_profiles_file
    -vendor_uuid_mapping_config_file
    -vndk_sp_file
  }:file *;
')

# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;

# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;

# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
} mm_events_config_prop:file no_rw_file_perms;

# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are replaced with symbol
# names (if available). Traces don't disclose KASLR.
# Only open and read are asserted here; the userdebug_or_eng entries are
# exempted on debuggable builds only.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  -vendor_init
  userdebug_or_eng(`-simpleperf_boot')
  -traced_probes
  -traced_perf
} proc_kallsyms:file { open read };

# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
# tracefs_type is subtracted from the target set, so tracing files are not
# covered by this assertion.
enforce_debugfs_restriction(`
  neverallow {
    domain
    -vendor_modprobe
    userdebug_or_eng(`
      -init
      -hal_dumpstate
    ')
  } { debugfs_type
    userdebug_or_eng(`-debugfs_kcov')
    -tracefs_type
  }:file no_rw_file_perms;
')

# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;

# Restrict write access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
# Only the open permission is asserted, which is what keeps fd passing working.
neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -installd
  userdebug_or_eng(`-uncrypt')
  userdebug_or_eng(`-virtualizationservice')
  userdebug_or_eng(`-crosvm')
} shell_data_file:file open;

# respect system_app sandboxes
neverallow {
  domain
  -appdomain
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
  -iorap_inode2filename
  -traced_probes # resolve inodes for i/o tracing.
                 # only needs open and read, the rest is neverallow in
                 # traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
# appdomain is exempt from the rule above, so the app domains that must not
# touch system_app data are asserted explicitly here.
neverallow {
  isolated_app
  ephemeral_app
  priv_app
  sdk_sandbox
  untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };