1typeattribute apexd coredomain; 2 3init_daemon_domain(apexd) 4 5binder_use(apexd) 6add_service(apexd, apex_service) 7 8# Allow creating, reading and writing of APEX files/dirs in the APEX data dir 9allow apexd apex_data_file:dir create_dir_perms; 10allow apexd apex_data_file:file create_file_perms; 11# Allow relabeling file created in /data/apex/decompressed 12allow apexd apex_data_file:file relabelfrom; 13 14# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir 15allow apexd metadata_file:dir search; 16allow apexd apex_metadata_file:dir create_dir_perms; 17allow apexd apex_metadata_file:file create_file_perms; 18 19# Allow reserving space on /data/apex/ota_reserved for apex decompression 20allow apexd apex_ota_reserved_file:dir create_dir_perms; 21allow apexd apex_ota_reserved_file:file create_file_perms; 22 23# Allow apexd to create files and directories for snapshots of apex data 24allow apexd apex_data_file_type:dir { create_dir_perms relabelto }; 25allow apexd apex_data_file_type:file { create_file_perms relabelto }; 26allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom }; 27allow apexd apex_module_data_file:file { create_file_perms relabelfrom }; 28allow apexd apex_rollback_data_file:dir create_dir_perms; 29allow apexd apex_rollback_data_file:file create_file_perms; 30 31# Allow apexd to read /data/misc_de and the directories under it, in order to 32# snapshot and restore apex data for all users. 33allow apexd { 34 system_userdir_file 35 system_data_file 36}:dir r_dir_perms; 37 38# allow apexd to create loop devices with /dev/loop-control 39allow apexd loop_control_device:chr_file rw_file_perms; 40# allow apexd to access loop devices 41allow apexd loop_device:blk_file rw_file_perms; 42allowxperm apexd loop_device:blk_file ioctl { 43 LOOP_GET_STATUS64 44 LOOP_SET_STATUS64 45 LOOP_SET_FD 46 LOOP_SET_BLOCK_SIZE 47 LOOP_SET_DIRECT_IO 48 LOOP_CLR_FD 49 BLKFLSBUF 50 LOOP_CONFIGURE 51}; 52# Allow apexd to access /dev/block 53allow apexd dev_type:dir r_dir_perms; 54allow apexd dev_type:blk_file getattr; 55 56#allow apexd to access virtual disks 57allow apexd vd_device:blk_file r_file_perms; 58 59# allow apexd to access /dev/block/dm-* (device-mapper entries) 60allow apexd dm_device:chr_file rw_file_perms; 61allow apexd dm_device:blk_file rw_file_perms; 62 63# sys_admin is required to access the device-mapper and mount 64# dac_override, chown, and fowner are needed for snapshot and restore 65allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner }; 66 67# Note: fsetid is deliberately not included above. fsetid checks are 68# triggered by chmod on a directory or file owned by a group other 69# than one of the groups assigned to the current process to see if 70# the setgid bit should be cleared, regardless of whether the setgid 71# bit was even set. We do not appear to truly need this capability 72# for apexd to operate. 73dontaudit apexd self:global_capability_class_set fsetid; 74 75# allow apexd to create a mount point in /apex 76allow apexd apex_mnt_dir:dir create_dir_perms; 77# allow apexd to mount in /apex 78allow apexd apex_mnt_dir:filesystem { mount unmount }; 79allow apexd apex_mnt_dir:dir mounton; 80# allow apexd to create symlinks in /apex 81allow apexd apex_mnt_dir:lnk_file create_file_perms; 82# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file 83allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton }; 84allow apexd apex_info_file:file relabelto; 85# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update. 86allow apexd apex_info_file:file rw_file_perms; 87 88# allow apexd to unlink apex files in /data/apex/active 89# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX, 90# because it doesn't have write permission for staging_data_file object. 91allow apexd staging_data_file:file unlink; 92 93# allow apexd to read files from /data/app-staging and hardlink them to /data/apex. 94allow apexd staging_data_file:dir r_dir_perms; 95allow apexd staging_data_file:file { r_file_perms link }; 96# # Allow relabeling file created in /data/apex/decompressed 97allow apexd staging_data_file:file relabelto; 98# Allow renaming files in /data/apex/decompressed (from .ota.apex to .decompressed.apex) 99allow apexd staging_data_file:file rename; 100 101# allow apexd to read files from /vendor/apex 102r_dir_file(apexd, vendor_apex_file) 103r_dir_file(apexd, vendor_apex_metadata_file) 104 105# Unmount and mount filesystems 106allow apexd labeledfs:filesystem { mount unmount }; 107 108# /sys directory tree traversal 109allow apexd sysfs_type:dir search; 110# Access to /sys/class/block 111allow apexd sysfs_type:dir r_dir_perms; 112allow apexd sysfs_type:file r_file_perms; 113# Configure read-ahead of dm-verity and loop devices 114# for dm-X 115allow apexd sysfs_dm:dir r_dir_perms; 116allow apexd sysfs_dm:file rw_file_perms; 117# for loopX 118allow apexd sysfs_loop:dir r_dir_perms; 119allow apexd sysfs_loop:file rw_file_perms; 120 121# Allow apexd to log to the kernel. 122allow apexd kmsg_device:chr_file w_file_perms; 123 124# Allow apexd to reboot device. Required for rollbacks of apexes that are 125# not covered by rollback manager. 126set_prop(apexd, powerctl_prop) 127 128# Allow apexd to stop itself 129set_prop(apexd, ctl_apexd_prop) 130 131# Allow apexd to send control messages to load/unload apex from init 132set_prop(apexd, ctl_apex_load_prop) 133 134# Find the vold service, and call into vold to manage FS checkpoints 135allow apexd vold_service:service_manager find; 136binder_call(apexd, vold) 137 138# apexd is using bootstrap bionic 139use_bootstrap_libs(apexd) 140 141# Allow apexd to be invoked with logwrapper from init during userspace reboot. 142allow apexd devpts:chr_file { read write }; 143 144# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to 145# other processes 146create_pty(apexd) 147 148# Allow apexd to read file contexts when performing restorecon of snapshots. 149allow apexd file_contexts_file:file r_file_perms; 150 151# Allow apexd to execute toybox for snapshot & restore 152allow apexd toolbox_exec:file rx_file_perms; 153 154# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs. 155allowxperm apexd staging_data_file:file ioctl { 156 FS_IOC_GETFLAGS 157 F2FS_IOC_RELEASE_COMPRESS_BLOCKS 158}; 159 160# Allow apexd to read ro.cold_boot_done prop. 161# apexd uses it to decide whether it needs to keep retrying polling for loop device. 162get_prop(apexd, cold_boot_done_prop) 163 164# Allow apexd to read per-device configuration properties. 165get_prop(apexd, apexd_config_prop) 166 167# Allow apexd to read apex selection properties. 168# These are used to choose between multi-installed APEXes at activation time. 169get_prop(apexd, apexd_select_prop) 170# 171# Allow apexd to read apexd_payload_metadata_prop 172get_prop(apexd, apexd_payload_metadata_prop) 173 174set_prop(apexd, apexd_prop) 175 176# Allow for use in postinstall 177allow apexd otapreopt_chroot:fd use; 178allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton }; 179allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom }; 180allow apexd postinstall_apex_mnt_dir:lnk_file create; 181allow apexd proc_filesystems:file r_file_perms; 182 183# Allow for use in Pre-reboot Dexopt. 184allow apexd dexopt_chroot_setup:fd use; 185 186# Allow calling derive_classpath to gather BCP information for staged sessions 187domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath); 188 189# Allow set apex ready property 190set_prop(apexd, apex_ready_prop) 191 192# Allow apexd to write to statsd. 193unix_socket_send(apexd, statsdw, statsd) 194# Allow apexd to call 195allow apexd statsbootstrap_service:service_manager find; 196binder_call(apexd, system_server) # system_server serves statsbootstrap_service 197 198### 199### Neverallow rules 200### 201 202neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms; 203neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms; 204neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms; 205neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms; 206neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms; 207 208neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms; 209neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms; 210 211neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms; 212neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms; 213 214# only apexd can set apexd sysprop 215neverallow { domain -apexd -init } apexd_prop:property_service set; 216 217# only apexd can write apex-info-list.xml 218neverallow { domain -apexd } apex_info_file:file no_w_file_perms; 219 220# Only apexd and init should be allowed to manage /apex mounts 221# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs, 222# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies 223# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below. 224# dexopt_chroot_setup calls apexd to prepare /apex for Pre-reboot Dexopt, but it 225# needs to mount a tmpfs on /apex for apexd to work on. 226neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount }; 227neverallow { domain -apexd -dexopt_chroot_setup -init -otapreopt_chroot } apex_mnt_dir:dir mounton; 228 229# The update_provider performs APEX updates. To do this, it needs to be able to find apex_service 230# and make binder calls to apexd. 231# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL! 232neverallow { domain -init -apexd -system_server -update_engine -update_provider } apex_service:service_manager find; 233# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL! 234neverallow { domain -init -apexd -system_server -servicemanager -update_engine -update_provider } apexd:binder call; 235 236neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace; 237