# Property-read grants that apply to every process in coredomain.
# get_prop() is a macro defined elsewhere in the policy (te_macros);
# presumably it expands to the allow rules needed to read the named
# property context. Each line below widens what ALL of coredomain can
# read, so new entries deserve the same scrutiny as a new allow rule.
get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, dalvik_config_prop_type)
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, graphics_config_writable_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
get_prop(coredomain, zygote_config_prop)
get_prop(coredomain, zygote_wrap_prop)

# TODO(b/170590987): remove this after cleaning up default_prop
# NOTE(review): default_prop is presumably the fallback context for
# properties that have no dedicated label (confirm against
# property_contexts). While this grant exists, any property that is not
# given its own context is readable by all of coredomain, so new
# properties carrying sensitive values need an explicit context rather
# than relying on the default.
get_prop(coredomain, default_prop)

# neverallow is a build-time assertion: policy compilation fails if any
# allow rule grants the listed source domains the listed permissions.
# A leading "-" removes a domain from the source set, i.e. it is the
# allowlist of coredomain processes that MAY be granted the access.
# "*" here is every permission in the file class.
full_treble_only(`
neverallow {
    coredomain

    # for chowning
    -init

    # generic access to sysfs_type
    -apexd
    -ueventd
    -vold
} sysfs_leds:file *;
')

# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
  # Limit access to /vendor/app
  # Build-time assertion (see neverallow semantics): only the domains
  # subtracted below may be granted lookup/listing of vendor_app_file
  # directories. Every other coredomain process is kept out of
  # /vendor/app entirely, which is what preserves the system/vendor
  # boundary for preinstalled vendor apps.
  neverallow {
    coredomain
    -appdomain
    -artd
    -dex2oat
    -idmap
    -init
    -installd
    -heapprofd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
  } vendor_app_file:dir { open read getattr search };
')

full_treble_only(`
  # Same boundary for the files themselves. r_file_perms is a macro defined
  # elsewhere; presumably it expands to the read-side file permissions.
  # The userdebug_or_eng() wrapper presumably makes those exemptions exist
  # only on non-user builds, so on user builds profcollectd and
  # simpleperf_boot remain subject to the assertion.
  # NOTE(review): this allowlist is a superset of the directory allowlist
  # above (profman, mediaserver and the two debug-only domains appear only
  # here). Those extra domains are therefore not exempted from the dir
  # assertion and presumably receive already-open fds rather than walking
  # /vendor/app themselves - confirm before extending either list.
  neverallow {
    coredomain
    -appdomain
    -artd
    -dex2oat
    -idmap
    -init
    -installd
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -postinstall_dexopt
    -profman
    -rs # spawned by appdomain, so carryover the exception above
    userdebug_or_eng(`-simpleperf_boot')
    -system_server
    -traced_perf
    -mediaserver
  } vendor_app_file:file r_file_perms;
')

full_treble_only(`
  # Limit access to /vendor/overlay
  # Directory lookup/listing of vendor_overlay_file is restricted to the
  # overlay consumers below (the zygotes are exempted here but not for
  # /vendor/app above).
  neverallow {
    coredomain
    -appdomain
    -artd
    -dex2oat
    -idmap
    -init
    -installd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -app_zygote
    -webview_zygote
    -zygote
    -heapprofd
  } vendor_overlay_file:dir { getattr open read search };
')

full_treble_only(`
  # NOTE(review): unlike the vendor_app_file assertion, only "open" is
  # asserted for overlay files. Reading through a descriptor that an
  # exempted domain opened and passed along is therefore not excluded by
  # this rule; that appears to be intentional (overlay fds are handed to
  # consumers) but confirm before relying on it.
  neverallow {
    coredomain
    -appdomain
    -artd
    -dex2oat
    -idmap
    -init
    -installd
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -traced_perf
    -app_zygote
    -webview_zygote
    -zygote
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    userdebug_or_eng(`-simpleperf_boot')
  } vendor_overlay_file:file open;
')

# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
# Each assertion below names a pseudo-filesystem whose generic (unlabeled)
# type must not be reachable from coredomain, except by the subtracted
# domains. no_rw_file_perms is a macro defined elsewhere; presumably it
# expands to the open/read/write-style permissions, so these rules forbid
# actually using the interface, not merely stat-ing it. full_treble_only()
# presumably restricts the whole group to full-Treble builds.
full_treble_only(`
  # /proc
  # Only init and vold may touch files still carrying the generic proc
  # label; everything else must go through a specifically labeled node.
  neverallow {
    coredomain
    -init
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  # is_flag_enabled() presumably adds the vfio_handler exemption only when
  # the AVF device-assignment release flag is set.
  neverallow {
    coredomain
    -apexd
    -init
    -ueventd
    is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `-vfio_handler')
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  # NOTE(review): the class set is { blk_file file } only; chr_file is
  # absent, so character devices that still carry the generic "device"
  # label are NOT covered by this assertion. Presumably every character
  # device coredomain needs has its own label - confirm that is still true
  # when adding device nodes.
  neverallow {
    coredomain
    -apexd
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  # no_debugfs_restriction() is a macro defined elsewhere; presumably the
  # three exemptions exist only on builds where debugfs is still mounted
  # at runtime, leaving the assertion unconditional everywhere else.
  neverallow {
    coredomain
    no_debugfs_restriction(`
      -dumpstate
      -init
      -system_server
    ')
  } debugfs:file no_rw_file_perms;

  # tracefs
  # Tracing consumers are allowlisted individually; the two
  # userdebug_or_eng() entries are presumably exempt on non-user builds only.
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -gpuservice
    -init
    -lmkd
    -traced_perf
    -traced_probes
    -shell
    -system_server
    -traceur_app
    -prefetch
    userdebug_or_eng(`-profcollectd')
    userdebug_or_eng(`-simpleperf_boot')
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  # Persistent-store (crash/console log) readers; incidentd is exempt on
  # non-user builds only, per the userdebug_or_eng() wrapper.
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  # USB gadget function endpoints: only the adb daemons, init,
  # mediaprovider and system_server may be granted access.
  neverallow {
    coredomain
    -adbd
    -adbd_tradeinmode
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;

  # dmabuf heaps
  # The target set is every dmabuf heap type MINUS the system and
  # system-secure heaps, so those two are the only heaps any coredomain
  # process other than init/ueventd may be granted; vendor-specific heaps
  # stay off limits to coredomain.
  neverallow {
    coredomain
    -init
    -ueventd
  }{
    dmabuf_heap_device_type
    -dmabuf_system_heap_device
    -dmabuf_system_secure_heap_device
  }:chr_file no_rw_file_perms;
')

# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
# Unconditional (not wrapped in full_treble_only) and with no exemptions:
# no coredomain process may be granted open/read/append/write/ioctl on
# sensor (iio) or radio character devices.
neverallow coredomain {
  iio_device
  radio_device
}:chr_file { open read append write ioctl };

# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
# Same shape as the rule above, but only asserted on full-Treble builds
# because of the legacy grant described in the TODO.
full_treble_only(`
  neverallow coredomain tee_device:chr_file { open read append write ioctl };
')