1# Rules for all domains. 2 3# Allow reaping by init. 4allow domain init:process sigchld; 5 6# Intra-domain accesses. 7allow domain self:process { 8 fork 9 sigchld 10 sigkill 11 sigstop 12 signull 13 signal 14 getsched 15 setsched 16 getsession 17 getpgid 18 getcap 19 setcap 20 getattr 21 setrlimit 22}; 23allow { domain -artd_subprocess_type } self:process setpgid; 24allow domain self:fd use; 25allow domain proc:dir r_dir_perms; 26allow domain proc_net_type:dir search; 27r_dir_file(domain, self) 28allow domain self:{ fifo_file file } rw_file_perms; 29allow domain self:unix_dgram_socket { create_socket_perms sendto }; 30allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; 31 32# Inherit or receive open files from others. 33allow domain init:fd use; 34 35userdebug_or_eng(` 36 allow domain su:fd use; 37 allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown }; 38 allow domain su:unix_dgram_socket sendto; 39 40 allow { domain -init } su:binder { call transfer }; 41 42 # Running something like "pm dump com.android.bluetooth" requires 43 # fifo writes 44 allow domain su:fifo_file { write getattr }; 45 46 # allow "gdbserver --attach" to work for su. 47 allow domain su:process sigchld; 48 49 # Allow writing coredumps to /cores/* 50 allow domain coredump_file:file create_file_perms; 51 allow domain coredump_file:dir ra_dir_perms; 52') 53 54with_native_coverage(` 55 # Allow writing coverage information to /data/misc/trace 56 allow domain method_trace_data_file:dir create_dir_perms; 57 allow domain method_trace_data_file:file create_file_perms; 58') 59 60# Allow everyone to read aconfig flags 61get_prop(domain, device_config_aconfig_flags_prop); 62 63# Root fs. 64allow domain tmpfs:dir { getattr search }; 65allow domain rootfs:dir search; 66allow domain rootfs:lnk_file { read getattr }; 67 68# Device accesses. 69allow domain device:dir search; 70allow domain dev_type:lnk_file r_file_perms; 71allow domain devpts:dir search; 72allow domain dmabuf_heap_device:dir r_dir_perms; 73allow domain socket_device:dir r_dir_perms; 74allow domain owntty_device:chr_file rw_file_perms; 75allow domain null_device:chr_file rw_file_perms; 76allow domain zero_device:chr_file rw_file_perms; 77 78# /dev/ashmem is being deprecated by means of constraining and eventually 79# removing all "open" permissions. We preserve the other permissions. 80allow domain ashmem_device:chr_file { getattr read ioctl lock map append write }; 81# This device is used by libcutils, which is accessible to everyone. 82allow domain ashmem_libcutils_device:chr_file rw_file_perms; 83 84# /dev/binder can be accessed by ... everyone! :) 85allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms; 86get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop) 87# Checking for the existance of the hwservicemanager binary is done in the client API 88# isHwServiceManagerInstalled 89dontaudit domain hwservicemanager_exec:file r_file_perms; 90 91 92# Restrict binder ioctls to an allowlist. Additional ioctl commands may be 93# added to individual domains, but this sets safe defaults for all processes. 94allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls }; 95 96# /dev/binderfs needs to be accessed by everyone too! 97allow domain binderfs:dir { getattr search }; 98allow domain binderfs_logs_proc:dir search; 99allow domain binderfs_features:dir search; 100allow domain binderfs_features:file r_file_perms; 101 102allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; 103allow domain ptmx_device:chr_file rw_file_perms; 104allow domain random_device:chr_file rw_file_perms; 105allow domain proc_random:dir r_dir_perms; 106allow domain proc_random:file r_file_perms; 107allow domain properties_device:dir { search getattr }; 108allow domain properties_serial:file r_file_perms; 109allow domain property_info:file r_file_perms; 110 111# Let everyone read log properties, so that liblog can avoid sending unloggable 112# messages to logd. 113get_prop(domain, log_property_type) 114dontaudit domain property_type:file audit_access; 115allow domain property_contexts_file:file r_file_perms; 116 117allow domain init:key search; 118allow domain vold:key search; 119 120# logd access 121write_logd(domain) 122 123# Directory/link file access for path resolution. 124allow domain { 125 system_file 126 system_lib_file 127 system_seccomp_policy_file 128 system_security_cacerts_file 129}:dir r_dir_perms; 130allow domain system_file:lnk_file { getattr read }; 131 132# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*, 133# /(system|product|system_ext)/etc/(group|passwd), linker and its config. 134allow domain system_seccomp_policy_file:file r_file_perms; 135# cacerts are accessible from public Java API. 136allow domain system_security_cacerts_file:file r_file_perms; 137allow domain system_group_file:file r_file_perms; 138allow domain system_passwd_file:file r_file_perms; 139allow domain system_linker_exec:file { execute read open getattr map }; 140allow domain system_linker_config_file:file r_file_perms; 141allow domain system_lib_file:file { execute read open getattr map }; 142# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc. 143allow domain system_linker_exec:lnk_file { read open getattr }; 144allow domain system_lib_file:lnk_file { read open getattr }; 145 146allow domain system_event_log_tags_file:file r_file_perms; 147 148allow { appdomain coredomain } system_file:file { execute read open getattr map }; 149 150# Make sure system/vendor split doesn not affect non-treble 151# devices 152not_full_treble(` 153 allow domain system_file:file { execute read open getattr map }; 154 allow domain vendor_file_type:dir { search getattr }; 155 allow domain vendor_file_type:file { execute read open getattr map }; 156 allow domain vendor_file_type:lnk_file { getattr read }; 157') 158 159# All domains are allowed to open and read directories 160# that contain HAL implementations (e.g. passthrough 161# HALs require clients to have these permissions) 162allow domain vendor_hal_file:dir r_dir_perms; 163 164# Everyone can read and execute all same process HALs 165allow domain same_process_hal_file:dir r_dir_perms; 166allow { 167 domain 168 -coredomain # access is explicitly granted to individual coredomains 169} same_process_hal_file:file { execute read open getattr map }; 170 171# Any process can load vndk-sp libraries, which are system libraries 172# used by same process HALs 173allow domain vndk_sp_file:dir r_dir_perms; 174allow domain vndk_sp_file:file { execute read open getattr map }; 175 176# All domains get access to /vendor/etc 177allow domain vendor_configs_file:dir r_dir_perms; 178allow domain vendor_configs_file:file { read open getattr map }; 179 180full_treble_only(` 181 # Allow all domains to be able to follow /system/vendor and/or 182 # /vendor/odm symlinks. 183 allow domain vendor_file_type:lnk_file { getattr open read }; 184 185 # This is required to be able to search & read /vendor/lib64 186 # in order to lookup vendor libraries. The execute permission 187 # for coredomains is granted *only* for same process HALs 188 allow domain vendor_file:dir { getattr search }; 189 190 # Allow reading and executing out of /vendor to all vendor domains 191 allow { domain -coredomain } vendor_file_type:dir r_dir_perms; 192 allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; 193 allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; 194') 195 196# read and stat any sysfs symlinks 197allow domain sysfs:lnk_file { getattr read }; 198 199# libc references /system/usr/share/zoneinfo for timezone related information. 200# This directory is considered to be a VNDK-stable 201allow domain { system_zoneinfo_file }:file r_file_perms; 202allow domain { system_zoneinfo_file }:dir r_dir_perms; 203 204# Lots of processes access current CPU information 205r_dir_file(domain, sysfs_devices_system_cpu) 206 207r_dir_file(domain, sysfs_usb); 208 209# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically 210# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled. 211allow domain sysfs_transparent_hugepage:dir search; 212allow domain sysfs_transparent_hugepage:file r_file_perms; 213 214# Allow search access, and sometimes getattr access, to various directories 215# under /data. We are fairly lenient in allowing search access to top-level 216# dirs that commonly need to be traversed to get access to the "real" files, as 217# this greatly simplifies the policy and doesn't open up much attack surface. 218not_full_treble(` 219 allow domain system_data_file:dir getattr; 220') 221allow { coredomain appdomain } system_data_file:dir getattr; 222# Anything that accesses anything in /data needs search access to /data itself. 223# This includes vendor components, as they need to access /data/vendor. 224allow domain system_data_root_file:dir { search getattr } ; 225# system_data_file is the default type for directories in /data. Anything 226# accessing data files with a more specific type often has to traverse a 227# system_data_file directory such as /data/misc to get there. 228allow domain system_data_file:dir search; 229# Anything that accesses files in /data/user (and /data/user_de, etc.) needs 230# search access to these directories themselves. getattr access is sometimes 231# needed too. 232allow { coredomain appdomain } system_userdir_file:dir { search getattr }; 233# Anything that accesses files in /data/media needs search access to /data/media 234# itself. 235allow { coredomain appdomain } media_userdir_file:dir search; 236# TODO restrict this to non-coredomain 237allow domain vendor_userdir_file:dir { getattr search }; 238allow domain vendor_data_file:dir { getattr search }; 239 240# required by the dynamic linker 241allow domain proc:lnk_file { getattr read }; 242 243# /proc/cpuinfo 244allow domain proc_cpuinfo:file r_file_perms; 245 246# /dev/cpu_variant:.* 247allow domain dev_cpu_variant:file r_file_perms; 248 249# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate 250allow domain proc_perf:file r_file_perms; 251 252# toybox loads libselinux which stats /sys/fs/selinux/ 253allow domain selinuxfs:dir search; 254allow domain selinuxfs:file getattr; 255allow domain sysfs:dir search; 256allow domain selinuxfs:filesystem getattr; 257 258# Almost all processes log tracing information to 259# /sys/kernel/debug/tracing/trace_marker 260# The reason behind this is documented in b/6513400 261allow domain debugfs:dir search; 262allow domain debugfs_tracing:dir search; 263allow domain debugfs_tracing_debug:dir search; 264allow domain debugfs_trace_marker:file w_file_perms; 265 266# Linux lockdown mode offered coarse-grained definitions for access controls. In 267# previous versions of the policy, the integrity permission was neverallowed. 268# It was found that this permission mainly duplicates pre-existing rules in 269# the policy (see b/285443587). Additionally, some access were found to be 270# required (b/269377822). The access vector was removed from kernel 5.16 271# onwards. Grant unconditional access, these rules should be removed from the 272# policy once no kernel <5.16 are supported. 273allow domain self:lockdown { confidentiality integrity }; 274 275# Filesystem access. 276allow domain fs_type:filesystem getattr; 277allow domain fs_type:dir getattr; 278 279# Restrict all domains to an allowlist for common socket types. Additional 280# ioctl commands may be added to individual domains, but this sets safe 281# defaults for all processes. Note that granting this allowlist to domain does 282# not grant the ioctl permission on these socket types. That must be granted 283# separately. 284allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } 285 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 286# default allowlist for unix sockets. 287allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket } 288 ioctl unpriv_unix_sock_ioctls; 289 290# Restrict PTYs to only allowed ioctls. 291# Note that granting this allowlist to domain does 292# not grant the wider ioctl permission. That must be granted 293# separately. 294allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; 295 296# All domains must clearly enumerate what ioctls they use 297# on filesystem objects (plain files, directories, symbolic links, 298# named pipes, and named sockets). We start off with a safe set. 299allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX }; 300 301# If a domain has ioctl access to tun_device, it must clearly enumerate the 302# ioctls used. Safe defaults are listed below. 303allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX }; 304 305# Allow a process to make a determination whether a file descriptor 306# for a plain file or pipe (fifo_file) is a tty. Note that granting 307# this allowlist to domain does not grant the ioctl permission to 308# these files. That must be granted separately. 309allowxperm domain { file_type fs_type }:file ioctl { TCGETS }; 310allowxperm domain domain:fifo_file ioctl { TCGETS }; 311 312# If a domain has access to perform an ioctl on a block device, allow these 313# very common, benign ioctls 314allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET }; 315 316# Support sqlite F2FS specific optimizations 317# ioctl permission on the specific file type is still required 318# TODO: consider only compiling these rules if we know the 319# /data partition is F2FS 320allowxperm domain { file_type sdcard_type }:file ioctl { 321 F2FS_IOC_ABORT_VOLATILE_WRITE 322 F2FS_IOC_COMMIT_ATOMIC_WRITE 323 F2FS_IOC_GET_FEATURES 324 F2FS_IOC_GET_PIN_FILE 325 F2FS_IOC_SET_PIN_FILE 326 F2FS_IOC_START_ATOMIC_WRITE 327}; 328 329# Workaround for policy compiler being too aggressive and removing hwservice_manager_type 330# when it's not explicitly used in allow rules 331allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; 332# Workaround for policy compiler being too aggressive and removing vndservice_manager_type 333# when it's not explicitly used in allow rules 334allow { domain -domain } vndservice_manager_type:service_manager { add find }; 335 336# Under ASAN, processes will try to read /data, as the sanitized libraries are there. 337with_asan(`allow domain system_data_file:dir getattr;') 338# Under ASAN, /system/asan.options needs to be globally accessible. 339with_asan(`allow domain system_asan_options_file:file r_file_perms;') 340 341# read APEX dir and stat any symlink pointing to APEXs. 342allow domain apex_mnt_dir:dir { getattr search }; 343allow domain apex_mnt_dir:lnk_file r_file_perms; 344 345# Allow reading /sys/kernel/mm/pgsize_migration/enabled 346allow domain sysfs_pgsize_migration:dir search; 347allow domain sysfs_pgsize_migration:file r_file_perms; 348 349# Linker is executed from the context of the process requesting the dynamic linking, 350# so this prop must be "world-readable". 351get_prop(domain, bionic_linker_16kb_app_compat_prop) 352 353# Allow everyone to read media server-configurable flags, so that libstagefright can be 354# configured using server-configurable flags 355get_prop(domain, device_config_media_native_prop) 356 357# Transition to crash_dump when /system/bin/crash_dump* is executed. 358# This occurs when the process crashes. 359# We do not apply this to the su domain to avoid interfering with 360# tests (b/114136122) 361domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump); 362allow domain crash_dump:process sigchld; 363 364# Allow every process to check the heapprofd.enable properties to determine 365# whether to load the heap profiling library. This does not necessarily enable 366# heap profiling, as initialization will fail if it does not have the 367# necessary SELinux permissions. 368get_prop(domain, heapprofd_prop); 369 370# See private/crash_dump.te 371define(`dumpable_domain',`{ 372 domain 373 -apexd 374 -bpfloader 375 -crash_dump 376 -crosvm # TODO(b/236672526): Remove exception for crosvm 377 -init 378 -kernel 379 -keystore 380 -llkd 381 -logd 382 -ueventd 383 -vendor_init 384 -vold 385}') 386 387# Allow heap profiling by heapprofd. 388# Zygotes are excluded due to potential issues with holding open file 389# descriptors or other state across forks. Other exclusions conflict with 390# neverallows, and are not considered important to profile. 391can_profile_heap({ 392 dumpable_domain 393 -app_zygote 394 -hal_configstore_server 395 -logpersist 396 -recovery 397 -recovery_persist 398 -recovery_refresh 399 -webview_zygote 400 -zygote 401}) 402 403# Allow profiling using perf_event_open by traced_perf. 404can_profile_perf({ 405 dumpable_domain 406 -app_zygote 407 -hal_configstore_server 408 -webview_zygote 409 -zygote 410}) 411 412# Everyone can access the IncFS list of features. 413r_dir_file(domain, sysfs_fs_incfs_features); 414 415# Everyone can access the fuse list of features. 416r_dir_file(domain, sysfs_fs_fuse_features); 417 418# Path resolution access in cgroups. 419allow domain cgroup:dir search; 420allow { domain -appdomain -rs } cgroup:dir w_dir_perms; 421allow { domain -appdomain -rs } cgroup:file w_file_perms; 422 423allow domain cgroup_v2:dir search; 424allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms; 425allow { domain -appdomain -rs } cgroup_v2:file w_file_perms; 426 427allow domain cgroup_desc_file:file r_file_perms; 428allow domain cgroup_rc_file:dir search; 429allow domain cgroup_rc_file:file r_file_perms; 430allow domain task_profiles_file:file r_file_perms; 431allow domain vendor_cgroup_desc_file:file r_file_perms; 432allow domain vendor_task_profiles_file:file r_file_perms; 433 434# Allow all domains to read sys.use_memfd to determine 435# if memfd support can be used if device supports it 436get_prop(domain, use_memfd_prop); 437 438# Read access to sdkextensions props 439get_prop(domain, module_sdkextensions_prop) 440 441# Read access to bq configuration values 442get_prop(domain, bq_config_prop); 443 444# Allow all domains to check whether MTE is set to permissive mode. 445get_prop(domain, permissive_mte_prop); 446 447# Allow ART to be configurable via device_config properties 448# (ART "runs" inside the app process), and MTE bootloader override to be 449# observed by everything 450get_prop(domain, device_config_memory_safety_native_boot_prop); 451get_prop(domain, device_config_memory_safety_native_prop); 452get_prop(domain, device_config_runtime_native_boot_prop); 453get_prop(domain, device_config_runtime_native_prop); 454 455# For now, everyone can access core property files 456# Device specific properties are not granted by default 457not_compatible_property(` 458 # DO NOT ADD ANY PROPERTIES HERE 459 get_prop(domain, core_property_type) 460 get_prop(domain, exported3_system_prop) 461 get_prop(domain, vendor_default_prop) 462') 463compatible_property_only(` 464 # DO NOT ADD ANY PROPERTIES HERE 465 get_prop({coredomain appdomain shell}, core_property_type) 466 get_prop({coredomain appdomain shell}, exported3_system_prop) 467 get_prop({coredomain appdomain shell}, exported_camera_prop) 468 get_prop({coredomain shell}, userspace_reboot_exported_prop) 469 get_prop({coredomain shell}, userspace_reboot_log_prop) 470 get_prop({coredomain shell}, userspace_reboot_test_prop) 471 get_prop({domain -coredomain -appdomain}, vendor_default_prop) 472') 473 474# Public readable properties 475get_prop(domain, aaudio_config_prop) 476get_prop(domain, apexd_select_prop) 477get_prop(domain, arm64_memtag_prop) 478get_prop(domain, bluetooth_config_prop) 479get_prop(domain, bootloader_prop) 480get_prop(domain, build_odm_prop) 481get_prop(domain, build_prop) 482get_prop(domain, build_vendor_prop) 483get_prop(domain, debug_prop) 484get_prop(domain, exported_config_prop) 485get_prop(domain, exported_default_prop) 486get_prop(domain, exported_dumpstate_prop) 487get_prop(domain, exported_secure_prop) 488get_prop(domain, exported_system_prop) 489get_prop(domain, fingerprint_prop) 490get_prop(domain, framework_status_prop) 491get_prop(domain, gwp_asan_prop) 492get_prop(domain, hal_instrumentation_prop) 493get_prop(domain, hw_timeout_multiplier_prop) 494get_prop(domain, init_service_status_prop) 495get_prop(domain, libc_debug_prop) 496get_prop(domain, locale_prop) 497get_prop(domain, logd_prop) 498get_prop(domain, mediadrm_config_prop) 499get_prop(domain, property_service_version_prop) 500get_prop(domain, soc_prop) 501get_prop(domain, socket_hook_prop) 502get_prop(domain, surfaceflinger_prop) 503get_prop(domain, telephony_status_prop) 504get_prop(domain, timezone_prop) 505get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app -app_zygote }, userdebug_or_eng_prop) 506get_prop(domain, vendor_socket_hook_prop) 507get_prop(domain, vndk_prop) 508get_prop(domain, vold_status_prop) 509get_prop(domain, vts_config_prop) 510 511# Binder cache properties are world-readable 512get_prop(domain, binder_cache_bluetooth_server_prop) 513get_prop(domain, binder_cache_system_server_prop) 514get_prop(domain, binder_cache_telephony_server_prop) 515 516# Binderfs logs contain sensitive information about other processes. 517neverallow { 518 domain 519 -init 520 -vendor_init 521 userdebug_or_eng(`-dumpstate') 522 userdebug_or_eng(`-system_server') 523} binderfs_logs_transactions:file no_rw_file_perms; 524 525# Binderfs transaction history is less sensitive than transactions, but it 526# still contains global information about the system. 527neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms; 528 529# Allow access to fsverity keyring. 530allow domain kernel:key search; 531# Allow access to keys in the fsverity keyring that were installed at boot. 532allow domain fsverity_init:key search; 533# For testing purposes, allow access to keys installed with su. 534userdebug_or_eng(` 535 allow domain su:key search; 536') 537 538# Allow access to linkerconfig file 539allow domain linkerconfig_file:dir search; 540allow domain linkerconfig_file:file r_file_perms; 541 542# Allow all processes to check for the existence of the boringssl_self_test_marker files. 543allow domain boringssl_self_test_marker:dir search; 544 545# Allow all processes to read the file_logger property that liblog uses to check if file_logger 546# should be used. 547get_prop(domain, log_file_logger_prop) 548 549# Allow all processes to connect to PRNG seeder daemon. 550unix_socket_connect(domain, prng_seeder, prng_seeder) 551 552# Allow calls to system(3), popen(3), ... 553allow { 554 domain 555 # Except domains that explicitly neverallow it. 556 -kernel 557 -init 558 -vendor_init 559 -app_zygote 560 -webview_zygote 561 -system_server 562 -artd 563 -dexopt_chroot_setup 564 -audioserver 565 -cameraserver 566 -mediadrmserver 567 -mediaextractor 568 -mediametrics 569 -mediaserver 570 -mediatuner 571 -mediatranscoding 572 -ueventd 573 -hal_audio_server 574 -hal_camera_server 575 -hal_cas_server 576 -hal_codec2_server 577 -hal_configstore_server 578 -hal_drm_server 579 -hal_omx_server 580} {shell_exec toolbox_exec}:file rx_file_perms; 581 582# Allow all processes to read aconfig flag storage files. The format is hidden behind 583# code-generated APIs, but since the libraries are executed in the context of the caller, 584# all processes need access to the underlying files. 585is_flag_enabled(RELEASE_READ_FROM_NEW_STORAGE, ` 586 r_dir_file(domain, aconfig_storage_metadata_file); 587') 588 589r_dir_file({ coredomain appdomain }, system_aconfig_storage_file); 590 591# processes needs to access storage file stored at /metadata/aconfig/boot, require search 592# permission on /metadata dir 593allow domain metadata_file:dir search; 594 595### 596### neverallow rules 597### 598 599# All ioctls on file-like objects (except chr_file and blk_file) and 600# sockets must be restricted to an allowlist. 601neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; 602 603# b/68014825 and https://android-review.googlesource.com/516535 604# rfc6093 says that processes should not use the TCP urgent mechanism 605neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; 606 607# TIOCSTI is only ever used for exploits. Block it. 608# b/33073072, b/7530569 609# http://www.openwall.com/lists/oss-security/2016/09/26/14 610neverallowxperm * devpts:chr_file ioctl TIOCSTI; 611 612# Do not allow any domain other than init to create unlabeled files. 613neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; 614 615# Limit device node creation to these allowed domains. 616neverallow { 617 domain 618 -kernel 619 -init 620 -ueventd 621 -vold 622} self:global_capability_class_set mknod; 623 624# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). 625neverallow * self:memprotect mmap_zero; 626 627# No domain needs mac_override as it is unused by SELinux. 628neverallow * self:global_capability2_class_set mac_override; 629 630# Disallow attempts to set contexts not defined in current policy 631# This helps guarantee that unknown or dangerous contents will not ever 632# be set. 633neverallow * self:global_capability2_class_set mac_admin; 634 635# Once the policy has been loaded there shall be none to modify the policy. 636# It is sealed. 637neverallow * kernel:security load_policy; 638 639# Only init prior to switching context should be able to set enforcing mode. 640# init starts in kernel domain and switches to init domain via setcon in 641# the init.rc, so the setenforce occurs while still in kernel. After 642# switching domains, there is never any need to setenforce again by init. 643neverallow * kernel:security setenforce; 644neverallow { domain -kernel } kernel:security setcheckreqprot; 645 646# No booleans in AOSP policy, so no need to ever set them. 647neverallow * kernel:security setbool; 648 649# Adjusting the AVC cache threshold. 650# Not presently allowed to anything in policy, but possibly something 651# that could be set from init.rc. 652neverallow { domain -init } kernel:security setsecparam; 653 654# Only the kernel hwrng thread should be able to read from the HW RNG. 655neverallow { 656 domain 657 -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG 658 -shell # For CTS, restricted to just getattr in shell.te 659 -ueventd # To create the /dev/hw_random file 660} hw_random_device:chr_file *; 661# b/78174219 b/64114943 662neverallow { 663 domain 664 -shell # stat of /dev, getattr only 665 -ueventd 666} keychord_device:chr_file *; 667 668# Ensure that all entrypoint executables are in exec_type or postinstall_file. 669neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; 670 671# The dynamic linker always calls access(2) on the path. Don't generate SElinux 672# denials since the linker does not actually access the path in case the path 673# does not exist or isn't accessible for the process. 674dontaudit domain postinstall_mnt_dir:dir audit_access; 675 676#Ensure that nothing in userspace can access /dev/port 677neverallow { 678 domain 679 -shell # Shell user should not have any abilities outside of getattr 680 -ueventd 681} port_device:chr_file *; 682neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; 683# Only init should be able to configure kernel usermodehelpers or 684# security-sensitive proc settings. 685neverallow { domain -init } usermodehelper:file { append write }; 686neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; 687neverallow { domain -init -vendor_init } proc_security:file { append open read write }; 688 689# Init can't do anything with binder calls. If this neverallow rule is being 690# triggered, it's probably due to a service with no SELinux domain. 691neverallow * init:binder *; 692neverallow * vendor_init:binder *; 693 694# Binderfs logs contain sensitive information about other processes. 695neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms; 696neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms; 697 698# Don't allow raw read/write/open access to block_device 699# Rather force a relabel to a more specific type 700neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; 701 702# Do not allow renaming of block files or character files 703# Ability to do so can lead to possible use in an exploit chain 704# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html 705neverallow * *:{ blk_file chr_file } rename; 706 707# Don't allow raw read/write/open access to generic devices. 708# Rather force a relabel to a more specific type. 709neverallow domain device:chr_file { open read write }; 710 711# Files from cache should never be executed 712neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; 713 714# The test files and executables MUST not be accessible to any domain 715neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms; 716neverallow domain nativetest_data_file:dir no_w_dir_perms; 717neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; 718 719neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms; 720neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms; 721neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *; 722neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms }; 723neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *; 724 725# Only the init property service should write to /data/property and /dev/__properties__ 726neverallow { domain -init } property_data_file:dir no_w_dir_perms; 727neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; 728neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; 729neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; 730neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; 731 732# Nobody should be doing writes to /system & /vendor 733# These partitions are intended to be read-only and must never be 734# modified. Doing so would violate important Android security guarantees 735# and invalidate dm-verity signatures. 736neverallow { 737 domain 738 with_asan(`-asan_extract') 739 recovery_only(`userdebug_or_eng(`-fastbootd')') 740} { 741 system_file_type 742 vendor_file_type 743 exec_type 744}:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; 745 746neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto; 747 748# Don't allow mounting on top of /system files or directories 749neverallow * exec_type:dir_file_class_set mounton; 750 751# Nothing should be writing to files in the rootfs. 752neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; 753 754# Restrict context mounts to specific types marked with 755# the contextmount_type attribute. 756neverallow * {fs_type -contextmount_type}:filesystem relabelto; 757 758# Ensure that context mount types are not writable, to ensure that 759# the write to /system restriction above is not bypassed via context= 760# mount to another type. 761neverallow * contextmount_type:dir_file_class_set 762 { create setattr relabelfrom relabelto append link rename }; 763neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink }; 764 765# Do not allow service_manager add for default service labels. 766# Instead domains should use a more specific type such as 767# system_app_service rather than the generic type. 768# New service_types are defined in {,hw,vnd}service.te and new mappings 769# from service name to service_type are defined in {,hw,vnd}service_contexts. 770neverallow * default_android_service:service_manager *; 771neverallow * default_android_vndservice:service_manager *; 772neverallow * default_android_hwservice:hwservice_manager *; 773 774# Looking up the base class/interface of all HwBinder services is a bad idea. 775# hwservicemanager currently offer such lookups only to make it so that security 776# decisions are expressed in SELinux policy. However, it's unclear whether this 777# lookup has security implications. If it doesn't, hwservicemanager should be 778# modified to not offer this lookup. 779# This rule can be removed if hwservicemanager is modified to not permit these 780# lookups. 781neverallow * hidl_base_hwservice:hwservice_manager find; 782 783# Require that domains explicitly label unknown properties, and do not allow 784# anyone but init to modify unknown properties. 785neverallow { domain -init -vendor_init } mmc_prop:property_service set; 786neverallow { domain -init -vendor_init } vndk_prop:property_service set; 787 788compatible_property_only(` 789 neverallow { domain -init } mmc_prop:property_service set; 790 neverallow { domain -init -vendor_init } exported_default_prop:property_service set; 791 neverallow { domain -init } exported_secure_prop:property_service set; 792 neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; 793 neverallow { domain -init -vendor_init } storage_config_prop:property_service set; 794 neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set; 795') 796 797compatible_property_only(` 798 neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; 799 neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; 800') 801 802# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop. 803neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set; 804neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms; 805 806# ART may introduce new sysprops. SELinux denials due to reading new sysprops on 807# old platforms shouldn't be regarded as a problem. 808dontaudit domain future_pm_prop:file read; 809 810neverallow { domain -init } aac_drc_prop:property_service set; 811neverallow { domain -init } build_prop:property_service set; 812neverallow { domain -init } userdebug_or_eng_prop:property_service set; 813 814# Do not allow reading device's serial number from system properties except form 815# a few allowed domains. 816neverallow { 817 domain 818 -adbd 819 -adbd_tradeinmode 820 -dumpstate 821 -fastbootd 822 -hal_camera_server 823 -hal_cas_server 824 -hal_drm_server 825 -hal_keymint_server 826 userdebug_or_eng(`-incidentd') 827 -init 828 -mediadrmserver 829 -mediaserver 830 -recovery 831 -shell 832 -system_server 833 -vendor_init 834} serialno_prop:file r_file_perms; 835 836neverallow { 837 domain 838 -init 839 -recovery 840 -system_server 841 -ueventd # Further restricted in ueventd.te 842} frp_block_device:blk_file no_rw_file_perms; 843 844# The metadata block device is set aside for device encryption and 845# verified boot metadata. It may be reset at will and should not 846# be used by other domains. 847neverallow { 848 domain 849 -init 850 -recovery 851 -vold 852 -e2fs 853 -fsck 854 -fastbootd 855 -hal_fastboot_server 856} metadata_block_device:blk_file { append link rename write open read ioctl lock }; 857 858# No domain other than recovery, update_engine and fastbootd can write to system partition(s). 859neverallow { 860 domain 861 -fastbootd 862 userdebug_or_eng(`-fsck') 863 userdebug_or_eng(`-init') 864 -recovery 865 userdebug_or_eng(`-remount') 866 -update_engine 867} system_block_device:blk_file { write append }; 868 869# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager 870neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; 871# The service managers are only allowed to access their own device node 872neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; 873neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; 874neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; 875neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; 876neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; 877neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; 878 879full_treble_only(` 880 # Vendor apps are permited to use only stable public services. If they were to use arbitrary 881 # services which can change any time framework/core is updated, breakage is likely. 882 # 883 # Note, this same logic applies to untrusted apps, but neverallows for these are separate. 884 neverallow { 885 appdomain 886 -coredomain 887 } { 888 service_manager_type 889 890 -app_api_service 891 -ephemeral_app_api_service 892 893 -hal_service_type # see app_neverallows.te 894 895 -apc_service 896 -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed 897 -cameraserver_service 898 -drmserver_service 899 -credstore_service 900 -keystore_maintenance_service 901 -keystore_service 902 -legacykeystore_service 903 -mediadrmserver_service 904 -mediaextractor_service 905 -mediametrics_service 906 -mediaserver_service 907 -nfc_service 908 -radio_service 909 -virtual_touchpad_service 910 -vr_manager_service 911 userdebug_or_eng(`-hal_face_service') 912 }:service_manager find; 913') 914 915# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. 916full_treble_only(` 917 neverallow { 918 coredomain 919 -shell 920 userdebug_or_eng(`-su') 921 -ueventd # uevent is granted create for this device, but we still neverallow I/O below 922 } vndbinder_device:chr_file rw_file_perms; 923') 924full_treble_only(` 925 neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; 926') 927full_treble_only(` 928 neverallow { 929 coredomain 930 -shell 931 userdebug_or_eng(`-su') 932 } vndservice_manager_type:service_manager *; 933') 934full_treble_only(` 935 neverallow { 936 coredomain 937 -shell 938 userdebug_or_eng(`-su') 939 } vndservicemanager:binder *; 940') 941 942# On full TREBLE devices, socket communications between core components and vendor components are 943# not permitted. 944 # Most general rules first, more specific rules below. 945 946 # Core domains are not permitted to initiate communications to vendor domain sockets. 947 # We are not restricting the use of already established sockets because it is fine for a process 948 # to obtain an already established socket via some public/official/stable API and then exchange 949 # data with its peer over that socket. The wire format in this scenario is dicatated by the API 950 # and thus does not break the core-vendor separation. 951full_treble_only(` 952 neverallow_establish_socket_comms({ 953 coredomain 954 -init 955 -adbd 956 }, { 957 domain 958 -coredomain 959 -socket_between_core_and_vendor_violators 960 }); 961') 962 963 # Vendor domains are not permitted to initiate create/open sockets owned by core domains 964full_treble_only(` 965 neverallow { 966 domain 967 -coredomain 968 -appdomain # appdomain restrictions below 969 -data_between_core_and_vendor_violators # b/70393317 970 -socket_between_core_and_vendor_violators 971 -vendor_init 972 } { 973 coredomain_socket 974 core_data_file_type 975 unlabeled # used only by core domains 976 }:sock_file ~{ append getattr ioctl read write }; 977') 978full_treble_only(` 979 neverallow { 980 appdomain 981 -coredomain 982 } { 983 coredomain_socket 984 unlabeled # used only by core domains 985 core_data_file_type 986 -app_data_file 987 -privapp_data_file 988 -pdx_endpoint_socket_type # used by VR layer 989 -pdx_channel_socket_type # used by VR layer 990 }:sock_file ~{ append getattr ioctl read write }; 991') 992 993 # Core domains are not permitted to create/open sockets owned by vendor domains 994full_treble_only(` 995 neverallow { 996 coredomain 997 -init 998 -ueventd 999 -socket_between_core_and_vendor_violators 1000 } { 1001 file_type 1002 dev_type 1003 -coredomain_socket 1004 -core_data_file_type 1005 -app_data_file_type 1006 -unlabeled 1007 }:sock_file ~{ append getattr ioctl read write }; 1008') 1009 1010# On TREBLE devices, vendor and system components are only allowed to share 1011# files by passing open FDs over hwbinder. Ban all directory access and all file 1012# accesses other than what can be applied to an open FD such as 1013# ioctl/stat/read/write/append. This is enforced by segregating /data. 1014# Vendor domains may directly access file in /data/vendor by path, but may only 1015# access files outside of /data/vendor via an open FD passed over hwbinder. 1016# Likewise, core domains may only directly access files outside /data/vendor by 1017# path and files in /data/vendor by open FD. 1018full_treble_only(` 1019 # only coredomains may only access core_data_file_type, particularly not 1020 # /data/vendor 1021 neverallow { 1022 coredomain 1023 -appdomain # TODO(b/34980020) remove exemption for appdomain 1024 -data_between_core_and_vendor_violators 1025 -init 1026 -vold_prepare_subdirs 1027 } { 1028 data_file_type 1029 -core_data_file_type 1030 -app_data_file_type 1031 }:file_class_set ~{ append getattr ioctl read write map }; 1032') 1033full_treble_only(` 1034 neverallow { 1035 coredomain 1036 -appdomain # TODO(b/34980020) remove exemption for appdomain 1037 -data_between_core_and_vendor_violators 1038 -init 1039 -vold_prepare_subdirs 1040 } { 1041 data_file_type 1042 -core_data_file_type 1043 -app_data_file_type 1044 # TODO(b/72998741) Remove exemption. Further restricted in a subsequent 1045 # neverallow. Currently only getattr and search are allowed. 1046 -vendor_data_file 1047 }:dir *; 1048 1049') 1050full_treble_only(` 1051 # vendor domains may only access files in /data/vendor, never core_data_file_types 1052 neverallow { 1053 domain 1054 -appdomain # TODO(b/34980020) remove exemption for appdomain 1055 -coredomain 1056 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 1057 -vendor_init 1058 } { 1059 core_data_file_type 1060 with_native_coverage(`-method_trace_data_file') 1061 }:file_class_set ~{ append getattr ioctl read write map }; 1062 neverallow { 1063 vendor_init 1064 -data_between_core_and_vendor_violators 1065 } { 1066 core_data_file_type 1067 -unencrypted_data_file 1068 with_native_coverage(`-method_trace_data_file') 1069 }:file_class_set ~{ append getattr ioctl read write map }; 1070 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 1071 # The vendor init binary lives on the system partition so there is not a concern with stability. 1072 neverallow vendor_init unencrypted_data_file:file ~r_file_perms; 1073') 1074full_treble_only(` 1075 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 1076 neverallow { 1077 domain 1078 -appdomain # TODO(b/34980020) remove exemption for appdomain 1079 -coredomain 1080 -data_between_core_and_vendor_violators 1081 -vendor_init 1082 } { 1083 core_data_file_type 1084 -system_data_file # default label for files on /data. Covered below... 1085 -system_data_root_file 1086 -vendor_userdir_file 1087 -vendor_data_file 1088 with_native_coverage(`-method_trace_data_file') 1089 }:dir *; 1090 neverallow { 1091 vendor_init 1092 -data_between_core_and_vendor_violators 1093 } { 1094 core_data_file_type 1095 -unencrypted_data_file 1096 -system_data_file 1097 -system_data_root_file 1098 -vendor_userdir_file 1099 -vendor_data_file 1100 with_native_coverage(`-method_trace_data_file') 1101 }:dir *; 1102 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. 1103 # The vendor init binary lives on the system partition so there is not a concern with stability. 1104 neverallow vendor_init unencrypted_data_file:dir ~search; 1105') 1106full_treble_only(` 1107 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 1108 neverallow { 1109 domain 1110 -appdomain # TODO(b/34980020) remove exemption for appdomain 1111 -coredomain 1112 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 1113 } { 1114 system_data_file # default label for files on /data. Covered below 1115 }:dir ~{ getattr search }; 1116') 1117 1118full_treble_only(` 1119 # coredomains may not access dirs in /data/vendor. 1120 neverallow { 1121 coredomain 1122 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 1123 -init 1124 -vold # vold creates per-user storage for both system and vendor 1125 -vold_prepare_subdirs 1126 } { 1127 vendor_data_file # default label for files on /data. Covered below 1128 }:dir ~{ getattr search }; 1129') 1130 1131full_treble_only(` 1132 # coredomains may not access dirs in /data/vendor. 1133 neverallow { 1134 coredomain 1135 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 1136 -init 1137 } { 1138 vendor_data_file # default label for files on /data/vendor{,_ce,_de}. 1139 }:file_class_set ~{ append getattr ioctl read write map }; 1140') 1141 1142full_treble_only(` 1143 # Non-vendor domains are not allowed to file execute shell 1144 # from vendor 1145 neverallow { 1146 coredomain 1147 -init 1148 -shell 1149 -ueventd 1150 } vendor_shell_exec:file { execute execute_no_trans }; 1151') 1152 1153full_treble_only(` 1154 # Do not allow vendor components to execute files from system 1155 # except for the ones allowed here. 1156 neverallow { 1157 domain 1158 -coredomain 1159 -appdomain 1160 -vendor_executes_system_violators 1161 -vendor_init 1162 } { 1163 system_file_type 1164 -system_lib_file 1165 -system_bootstrap_lib_file 1166 -system_linker_exec 1167 -crash_dump_exec 1168 -netutils_wrapper_exec 1169 userdebug_or_eng(`-tcpdump_exec') 1170 # Vendor components still can invoke shell commands via /system/bin/sh 1171 -shell_exec 1172 -toolbox_exec 1173 }:file { entrypoint execute execute_no_trans }; 1174') 1175 1176full_treble_only(` 1177 # Do not allow coredomain to access entrypoint for files other 1178 # than system_file_type and postinstall_file 1179 neverallow coredomain { 1180 file_type 1181 -system_file_type 1182 -postinstall_file 1183 }:file entrypoint; 1184 # Do not allow domains other than coredomain to access entrypoint 1185 # for anything but vendor_file_type and init_exec for vendor_init. 1186 neverallow { domain -coredomain } { 1187 file_type 1188 -vendor_file_type 1189 -init_exec 1190 }:file entrypoint; 1191') 1192 1193full_treble_only(` 1194 # Do not allow system components to execute files from vendor 1195 # except for the ones allowed here. 1196 neverallow { 1197 coredomain 1198 -init 1199 -shell 1200 -system_executes_vendor_violators 1201 -ueventd 1202 } { 1203 vendor_file_type 1204 -same_process_hal_file 1205 -vndk_sp_file 1206 -vendor_app_file 1207 -vendor_public_framework_file 1208 -vendor_public_lib_file 1209 }:file execute; 1210') 1211 1212full_treble_only(` 1213 neverallow { 1214 coredomain 1215 -shell 1216 -system_executes_vendor_violators 1217 } { 1218 vendor_file_type 1219 -same_process_hal_file 1220 }:file execute_no_trans; 1221') 1222 1223full_treble_only(` 1224 # Do not allow vendor components access to /system files except for the 1225 # ones allowed here. 1226 neverallow { 1227 domain 1228 -appdomain 1229 -coredomain 1230 -vendor_executes_system_violators 1231 # vendor_init needs access to init_exec for domain transition. vendor_init 1232 # neverallows are covered in public/vendor_init.te 1233 -vendor_init 1234 } { 1235 system_file_type 1236 -cgroup_desc_file 1237 -crash_dump_exec 1238 -file_contexts_file 1239 -netutils_wrapper_exec 1240 -property_contexts_file 1241 -system_event_log_tags_file 1242 -system_group_file 1243 -system_lib_file 1244 -system_bootstrap_lib_file 1245 with_asan(`-system_asan_options_file') 1246 -system_linker_exec 1247 -system_linker_config_file 1248 -system_passwd_file 1249 -system_seccomp_policy_file 1250 -system_security_cacerts_file 1251 -system_zoneinfo_file 1252 -task_profiles_file 1253 userdebug_or_eng(`-tcpdump_exec') 1254 # Vendor components still can invoke shell commands via /system/bin/sh 1255 -shell_exec 1256 -toolbox_exec 1257 }:file *; 1258') 1259 1260# Only system_server should be able to send commands via the zygote socket 1261neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; 1262neverallow { domain -system_server } zygote_socket:sock_file write; 1263 1264neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto; 1265neverallow { domain -system_server } webview_zygote:sock_file write; 1266neverallow { domain -system_server } app_zygote:sock_file write; 1267 1268neverallow domain tombstoned_crash_socket:unix_stream_socket connectto; 1269 1270# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to 1271# the tombstoned intercept socket. 1272neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; 1273neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; 1274 1275# Never allow anyone but system_server to read heapdumps in /data/system/heapdump. 1276neverallow { domain -init -system_server } heapdump_data_file:file read; 1277 1278# Android does not support System V IPCs. 1279# 1280# The reason for this is due to the fact that, by design, they lead to global 1281# kernel resource leakage. 1282# 1283# For example, there is no way to automatically release a SysV semaphore 1284# allocated in the kernel when: 1285# 1286# - a buggy or malicious process exits 1287# - a non-buggy and non-malicious process crashes or is explicitly killed. 1288# 1289# Killing processes automatically to make room for new ones is an 1290# important part of Android's application lifecycle implementation. This means 1291# that, even assuming only non-buggy and non-malicious code, it is very likely 1292# that over time, the kernel global tables used to implement SysV IPCs will fill 1293# up. 1294neverallow * *:{ shm sem msg msgq } *; 1295 1296# Do not mount on top of symlinks, fifos, or sockets. 1297# Feature parity with Chromium LSM. 1298neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; 1299 1300# Nobody should be able to execute su on user builds. 1301# On userdebug/eng builds, only dumpstate, shell, and 1302# su itself execute su. 1303neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; 1304 1305# Do not allow the introduction of new execmod rules. Text relocations 1306# and modification of executable pages are unsafe. 1307# The only exceptions are for NDK text relocations associated with 1308# https://code.google.com/p/android/issues/detail?id=23203 1309# which, long term, need to go away. 1310neverallow * { 1311 file_type 1312 -apk_data_file 1313 -app_data_file 1314 -asec_public_file 1315}:file execmod; 1316 1317# Do not allow making the stack or heap executable. 1318# We would also like to minimize execmem but it seems to be 1319# required by some device-specific service domains. 1320neverallow * self:process { execstack execheap }; 1321 1322# Do not allow the introduction of new execmod rules. Text relocations 1323# and modification of executable pages are unsafe. 1324neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod; 1325 1326# Ensure that all types assigned to processes are included 1327# in the domain attribute, so that all allow and neverallow rules 1328# written on domain are applied to all processes. 1329# This is achieved by ensuring that it is impossible to transition 1330# from a domain to a non-domain type and vice versa. 1331# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; 1332neverallow ~domain domain:process { transition dyntransition }; 1333 1334# 1335# Only system_app and system_server should be creating or writing 1336# their files. The proper way to share files is to setup 1337# type transitions to a more specific type or assigning a type 1338# to its parent directory via a file_contexts entry. 1339# Example type transition: 1340# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) 1341# 1342neverallow { 1343 domain 1344 -system_server 1345 -system_app 1346 -init 1347 -toolbox # TODO(b/141108496) We want to remove toolbox 1348 -installd # for relabelfrom and unlink, check for this in explicit neverallow 1349 -vold_prepare_subdirs # For unlink 1350 with_asan(`-asan_extract') 1351} system_data_file:file no_w_file_perms; 1352# do not grant anything greater than r_file_perms and relabelfrom unlink 1353# to installd 1354neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; 1355 1356# 1357# Only these domains should transition to shell domain. This domain is 1358# permissible for the "shell user". If you need a process to exec a shell 1359# script with differing privilege, define a domain and set up a transition. 1360# 1361neverallow { 1362 domain 1363 -adbd 1364 -init 1365 -runas 1366 -zygote 1367} shell:process { transition dyntransition }; 1368 1369# Only domains spawned from zygote, runas and simpleperf_app_runner may have 1370# the appdomain attribute. 1371# 1372# simpleperf is excluded as a domain transitioned to when running an app-scoped 1373# profiling session. 1374# 1375# tradeinmode is excluded; it is only run when adbd is in trade-in mode, 1376# transitioned from the limited adbd_tradeinmode context. It is a wrapper 1377# around "am" to avoid exposing the shell context when adbd is in trade-in 1378# mode. 1379neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } { 1380 appdomain -shell -simpleperf userdebug_or_eng(`-su') -tradeinmode 1381}:process { transition dyntransition }; 1382 1383# Minimize read access to shell- or app-writable symlinks. 1384# This is to prevent malicious symlink attacks. 1385neverallow { 1386 domain 1387 -appdomain 1388 -artd 1389 -installd 1390} { app_data_file privapp_data_file }:lnk_file read; 1391 1392neverallow { 1393 domain 1394 -shell 1395 userdebug_or_eng(`-uncrypt') 1396 -installd 1397} shell_data_file:lnk_file read; 1398 1399# servicemanager and vndservicemanager are the only processes which handle the 1400# service_manager list request 1401neverallow * ~{ 1402 servicemanager 1403 vndservicemanager 1404 }:service_manager list; 1405 1406# hwservicemanager is the only process which handles hw list requests 1407neverallow * ~{ 1408 hwservicemanager 1409 }:hwservice_manager list; 1410 1411# only service_manager_types can be added to service_manager 1412# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; 1413 1414# Prevent assigning non property types to properties 1415# TODO - rework this: neverallow * ~property_type:property_service set; 1416 1417# Domain types should never be assigned to any files other 1418# than the /proc/pid files associated with a process. The 1419# executable file used to enter a domain should be labeled 1420# with its own _exec type, not with the domain type. 1421# Conventionally, this looks something like: 1422# $ cat mydaemon.te 1423# type mydaemon, domain; 1424# type mydaemon_exec, exec_type, file_type; 1425# init_daemon_domain(mydaemon) 1426# $ grep mydaemon file_contexts 1427# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 1428neverallow * domain:file { execute execute_no_trans entrypoint }; 1429 1430# Do not allow access to the generic debugfs label. This is too broad. 1431# Instead, if access to part of debugfs is desired, it should have a 1432# more specific label. 1433# TODO: fix dumpstate 1434neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms; 1435 1436# Do not allow executable files in debugfs. 1437neverallow domain debugfs_type:file { execute execute_no_trans }; 1438 1439# Don't allow access to the FUSE control filesystem, except to vold and init's 1440neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms; 1441 1442# Profiles contain untrusted data and profman parses that. We should only run 1443# it from installd and artd forked processes. 1444neverallow { 1445 domain 1446 -installd 1447 -profman 1448 -artd 1449} profman_exec:file no_x_file_perms; 1450 1451# Enforce restrictions on kernel module origin. 1452# Do not allow kernel module loading except from system, 1453# vendor, boot, and system_dlkm partitions. 1454# TODO(b/218951883): Remove usage of system and rootfs as origin 1455neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load; 1456 1457# Only allow filesystem caps to be set at build time. Runtime changes 1458# to filesystem capabilities are not permitted. 1459neverallow * self:global_capability_class_set setfcap; 1460 1461# Enforce AT_SECURE for executing crash_dump. 1462neverallow domain crash_dump:process noatsecure; 1463 1464# Do not permit non-core domains to register HwBinder services which are 1465# guaranteed to be provided by core domains only. 1466neverallow ~coredomain coredomain_hwservice:hwservice_manager add; 1467 1468# Do not permit the registeration of HwBinder services which are guaranteed to 1469# be passthrough only (i.e., run in the process of their clients instead of a 1470# separate server process). 1471neverallow * same_process_hwservice:hwservice_manager add; 1472 1473# If an already existing file is opened with O_CREAT, the kernel might generate 1474# a false report of a create denial. Silence these denials and make sure that 1475# inappropriate permissions are not granted. 1476 1477# These filesystems don't allow files or directories to be created, so the permission 1478# to do so should never be granted. 1479neverallow domain { 1480 proc_type 1481 sysfs_type 1482}:dir { add_name create link remove_name rename reparent rmdir write }; 1483 1484# cgroupfs directories can be created, but not files within them. 1485neverallow domain cgroup:file create; 1486neverallow domain cgroup_v2:file create; 1487 1488dontaudit domain proc_type:dir write; 1489dontaudit domain sysfs_type:dir write; 1490dontaudit domain cgroup:file create; 1491dontaudit domain cgroup_v2:file create; 1492 1493# These are only needed in permissive mode - in enforcing mode the 1494# directory write check fails and so these are never attempted. 1495userdebug_or_eng(` 1496 dontaudit domain proc_type:dir add_name; 1497 dontaudit domain sysfs_type:dir add_name; 1498 dontaudit domain proc_type:file create; 1499 dontaudit domain sysfs_type:file create; 1500') 1501 1502# Platform must not have access to /mnt/vendor. 1503neverallow { 1504 coredomain 1505 -init 1506 -ueventd 1507 -vold 1508 -system_writes_mnt_vendor_violators 1509} mnt_vendor_file:dir *; 1510 1511# Only apps are allowed access to vendor public libraries. 1512full_treble_only(` 1513 neverallow { 1514 coredomain 1515 -appdomain 1516 } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans }; 1517') 1518 1519# Vendor domian must not have access to /mnt/product. 1520neverallow { 1521 domain 1522 -coredomain 1523} mnt_product_file:dir *; 1524 1525# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL 1526full_treble_only(` 1527 neverallow { 1528 coredomain 1529 -shell 1530 # For access to block device information under /sys/class/block. 1531 -apexd 1532 # Read sysfs block device information. 1533 -init 1534 # Generate uevents for health info 1535 -ueventd 1536 # Recovery uses health HAL passthrough implementation. 1537 -recovery 1538 # Charger uses health HAL passthrough implementation. 1539 -charger 1540 # TODO(b/110891300): remove this exception 1541 -incidentd 1542 } sysfs_batteryinfo:file { open read }; 1543') 1544 1545neverallow { 1546 domain 1547 -hal_codec2_server 1548 -hal_omx_server 1549} hal_codec2_hwservice:hwservice_manager add; 1550 1551# Only apps targetting < Q are allowed to open /dev/ashmem directly. 1552# Apps must use ASharedMemory NDK API. Native code must use libcutils API. 1553neverallow { 1554 domain 1555 -ephemeral_app # We don't distinguish ephemeral apps based on target API. 1556 -untrusted_app_25 1557 -untrusted_app_27 1558} ashmem_device:chr_file open; 1559 1560neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *; 1561 1562# No domains other than a select few can access the misc_block_device. This 1563# block device is reserved for OTA use. 1564# Do not assert this rule on userdebug/eng builds, due to some devices using 1565# this partition for testing purposes. 1566neverallow { 1567 domain 1568 userdebug_or_eng(`-domain') # exclude debuggable builds 1569 -fastbootd 1570 -hal_bootctl_server 1571 -init 1572 -uncrypt 1573 -update_engine 1574 -vendor_init 1575 -vendor_misc_writer 1576 -vold 1577 -recovery 1578 -ueventd 1579 -mtectrl 1580 -misctrl 1581 -kcmdlinectrl 1582} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; 1583 1584# Limit ability to ptrace or read sensitive /proc/pid files of processes 1585# with other UIDs to these allowlisted domains. 1586neverallow { 1587 domain 1588 -vold 1589 userdebug_or_eng(`-llkd') 1590 -dumpstate 1591 userdebug_or_eng(`-incidentd') 1592 userdebug_or_eng(`-profcollectd') 1593 userdebug_or_eng(`-simpleperf_boot') 1594 -storaged 1595 -system_server 1596} self:global_capability_class_set sys_ptrace; 1597 1598# Limit ability to generate hardware unique device ID attestations to priv_apps 1599neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id; 1600neverallow { domain -system_server } *:keystore2_key use_dev_id; 1601neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock }; 1602 1603neverallow { 1604 domain 1605 -init 1606 -vendor_init 1607 userdebug_or_eng(`-domain') 1608} debugfs_tracing_debug:file no_rw_file_perms; 1609 1610# System_server owns dropbox data, and init creates/restorecons the directory 1611# Disallow direct access by other processes. 1612neverallow { 1613 domain 1614 -init 1615 -system_server 1616 userdebug_or_eng(`-dumpstate') 1617} dropbox_data_file:dir *; 1618neverallow { 1619 domain 1620 -init 1621 -system_server 1622 userdebug_or_eng(`-dumpstate') 1623} dropbox_data_file:file ~{ getattr read }; 1624 1625### 1626# Services should respect app sandboxes 1627neverallow { 1628 domain 1629 -appdomain 1630 -artd # compile secondary dex files 1631 -installd # creation of sandbox 1632} { 1633 privapp_data_file 1634 app_data_file 1635 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1636}:dir_file_class_set { create unlink }; 1637 1638is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1639 neverallow { 1640 domain 1641 -artd # compile secondary dex files 1642 -installd # creation of sandbox 1643 -vold_prepare_subdirs # creation of storage area directories 1644 } {storage_area_app_dir storage_area_dir }:dir { create unlink }; 1645') 1646 1647# Only the following processes should be directly accessing private app 1648# directories. 1649neverallow { 1650 domain 1651 -adbd 1652 -appdomain 1653 -app_zygote 1654 -artd # compile secondary dex files 1655 -installd 1656 -profman 1657 -rs # spawned by appdomain, so carryover the exception above 1658 -runas 1659 -system_server 1660 -zygote 1661} { 1662 privapp_data_file 1663 app_data_file 1664 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1665}:dir *; 1666 1667is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1668 neverallow { 1669 domain 1670 -appdomain 1671 -app_zygote 1672 -artd # compile secondary dex files 1673 -installd 1674 -rs # spawned by appdomain, so carryover the exception above 1675 -system_server 1676 -vold # encryption of storage area directories 1677 -vold_prepare_subdirs # creation of storage area directories 1678 -zygote 1679 } { storage_area_dir storage_area_app_dir }:dir *; 1680') 1681 1682is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1683 # only vold and installd can access the storage area key files 1684 # (and init, in case of a recursive restorecon) 1685 neverallow { 1686 domain 1687 -init 1688 -vold 1689 -vold_prepare_subdirs 1690 -installd 1691 } { storage_area_key_file }:dir_file_class_set *; 1692') 1693 1694# Only apps should be modifying app data. installd is exempted for 1695# restorecon and package install/uninstall. 1696neverallow { 1697 domain 1698 -appdomain 1699 -artd # compile secondary dex files 1700 -installd 1701 -rs # spawned by appdomain, so carryover the exception above 1702} { 1703 privapp_data_file 1704 app_data_file 1705 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1706}:dir ~r_dir_perms; 1707 1708is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1709 neverallow { 1710 domain 1711 -appdomain 1712 -artd # compile secondary dex files 1713 -installd 1714 -rs # spawned by appdomain, so carryover the exception above 1715 -vold_prepare_subdirs # creation of storage area directories 1716 } { storage_area_dir storage_area_app_dir }:dir ~r_dir_perms; 1717') 1718 1719neverallow { 1720 domain 1721 -appdomain 1722 -app_zygote 1723 -artd # compile secondary dex files 1724 -installd 1725 -rs # spawned by appdomain, so carryover the exception above 1726} { 1727 privapp_data_file 1728 app_data_file 1729 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1730}:file_class_set open; 1731 1732neverallow { 1733 domain 1734 -appdomain 1735 -artd # compile secondary dex files 1736 -installd # creation of sandbox 1737} { 1738 privapp_data_file 1739 app_data_file 1740 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1741}:dir_file_class_set { create unlink }; 1742 1743neverallow { 1744 domain 1745 -artd # compile secondary dex files 1746 -installd 1747} { 1748 privapp_data_file 1749 app_data_file 1750 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file') 1751}:dir_file_class_set { relabelfrom relabelto }; 1752 1753is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 1754 neverallow { 1755 domain 1756 -artd # compile secondary dex files 1757 -installd 1758 -vold_prepare_subdirs 1759 } { storage_area_dir storage_area_app_dir }:dir { relabelfrom relabelto }; 1760') 1761 1762# The staging directory contains APEX and APK files. It is important to ensure 1763# that these files cannot be accessed by other domains to ensure that the files 1764# do not change between system_server staging the files and apexd processing 1765# the files. 1766# The update_provider can also stage files before apexd processes them. 1767neverallow { 1768 domain 1769 -init 1770 -system_server 1771 -apexd 1772 -installd 1773 -priv_app 1774 -virtualizationmanager 1775 -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL! 1776} staging_data_file:dir *; 1777neverallow { 1778 domain 1779 -init 1780 -system_app 1781 -system_server 1782 -apexd 1783 -adbd 1784 -kernel 1785 -installd 1786 -priv_app 1787 -shell 1788 -virtualizationmanager 1789 -crosvm 1790 -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL! 1791} staging_data_file:file *; 1792# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL! 1793neverallow { domain -init -system_server -installd -update_provider } staging_data_file:dir no_w_dir_perms; 1794# apexd needs the link/unlink/rename permissions 1795# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL! 1796neverallow { domain -init -system_server -installd -apexd -update_provider } staging_data_file:file { 1797 no_w_file_perms no_x_file_perms 1798}; 1799neverallow apexd staging_data_file:file { 1800 append create relabelfrom setattr write # no_w_file_perms -link -unlink -rename 1801 no_x_file_perms 1802}; 1803 1804neverallow { 1805 domain 1806 -appdomain # for oemfs 1807 -bootanim # for oemfs 1808 -recovery # for /tmp/update_binary in tmpfs 1809} { fs_type -rootfs }:file execute; 1810 1811# 1812# Assert that, to the extent possible, we're not loading executable content from 1813# outside the rootfs or /system partition except for a few allowlisted domains. 1814# Executable files loaded from /data is a persistence vector 1815# we want to avoid. See 1816# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. 1817# 1818neverallow { 1819 domain 1820 -appdomain 1821 with_asan(`-asan_extract') 1822 -shell 1823 userdebug_or_eng(`-su') 1824 -system_server_startup # for memfd backed executable regions 1825 -app_zygote 1826 -webview_zygote 1827 -zygote 1828 userdebug_or_eng(`-mediaextractor') 1829 userdebug_or_eng(`-mediaswcodec') 1830} { 1831 file_type 1832 -system_file_type 1833 -system_lib_file 1834 -system_bootstrap_lib_file 1835 -system_linker_exec 1836 -vendor_file_type 1837 -exec_type 1838 -postinstall_file 1839}:file execute; 1840 1841# Only init is allowed to write cgroup.rc file 1842neverallow { 1843 domain 1844 -init 1845 -vendor_init 1846} cgroup_rc_file:file no_w_file_perms; 1847 1848# Only authorized processes should be writing to files in /data/dalvik-cache 1849neverallow { 1850 domain 1851 -init # TODO: limit init to relabelfrom for files 1852 -zygote 1853 -installd 1854 -postinstall_dexopt 1855 -cppreopts 1856 -dex2oat 1857 -otapreopt_slot 1858 -artd 1859} dalvikcache_data_file:file no_w_file_perms; 1860 1861neverallow { 1862 domain 1863 -init 1864 -installd 1865 -postinstall_dexopt 1866 -cppreopts 1867 -dex2oat 1868 -zygote 1869 -otapreopt_slot 1870 -artd 1871} dalvikcache_data_file:dir no_w_dir_perms; 1872 1873# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it 1874# contains boot class path and system server AOT artifacts following an ART APEX Mainline update. 1875neverallow { 1876 domain 1877 # art-related processes 1878 -composd 1879 -compos_fd_server 1880 -odrefresh 1881 -odsign 1882 # others 1883 -apexd 1884 -init 1885 -vold_prepare_subdirs 1886} apex_art_data_file:file no_w_file_perms; 1887 1888neverallow { 1889 domain 1890 # art-related processes 1891 -composd 1892 -compos_fd_server 1893 -odrefresh 1894 -odsign 1895 # others 1896 -apexd 1897 -init 1898 -vold_prepare_subdirs 1899} apex_art_data_file:dir no_w_dir_perms; 1900 1901# Protect most domains from executing arbitrary content from /data. 1902neverallow { 1903 domain 1904 -appdomain 1905} { 1906 data_file_type 1907 -apex_art_data_file 1908 -dalvikcache_data_file 1909 -system_data_file # shared libs in apks 1910 -apk_data_file 1911}:file no_x_file_perms; 1912 1913# Minimize dac_override and dac_read_search. 1914# Instead of granting them it is usually better to add the domain to 1915# a Unix group or change the permissions of a file. 1916define(`dac_override_allowed', `{ 1917 apexd 1918 artd 1919 dnsmasq 1920 dumpstate 1921 init 1922 installd 1923 userdebug_or_eng(`llkd') 1924 lmkd 1925 migrate_legacy_obb_data 1926 netd 1927 postinstall_dexopt 1928 recovery 1929 rss_hwm_reset 1930 sdcardd 1931 tee 1932 ueventd 1933 uncrypt 1934 vendor_init 1935 vold 1936 vold_prepare_subdirs 1937 zygote 1938}') 1939neverallow ~dac_override_allowed self:global_capability_class_set dac_override; 1940# Since the kernel checks dac_read_search before dac_override, domains that 1941# have dac_override should also have dac_read_search to eliminate spurious 1942# denials. Some domains have dac_read_search without having dac_override, so 1943# this list should be a superset of the one above. 1944neverallow ~{ 1945 dac_override_allowed 1946 traced_perf 1947 traced_probes 1948 heapprofd 1949} self:global_capability_class_set dac_read_search; 1950 1951# Limit what domains can mount filesystems or change their mount flags. 1952# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger 1953# set of domains need this capability, including device-specific domains. 1954neverallow { 1955 domain 1956 -apexd 1957 -dexopt_chroot_setup 1958 recovery_only(`-fastbootd') 1959 -init 1960 -kernel 1961 -otapreopt_chroot 1962 -recovery 1963 -update_engine 1964 -vold 1965 -zygote 1966} { fs_type 1967 -sdcard_type 1968 -fusefs_type 1969}:filesystem { mount remount relabelfrom relabelto }; 1970 1971enforce_debugfs_restriction(` 1972 neverallow { 1973 domain userdebug_or_eng(`-init') 1974 } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto }; 1975') 1976 1977# Limit raw I/O to these allowlisted domains. Do not apply to debug builds. 1978neverallow { 1979 domain 1980 userdebug_or_eng(`-domain') 1981 -kernel 1982 -gsid 1983 -init 1984 -recovery 1985 -ueventd 1986 -uncrypt 1987 -tee 1988 -hal_bootctl_server 1989 -fastbootd 1990} self:global_capability_class_set sys_rawio; 1991 1992# Limit directory operations that doesn't need to do app data isolation. 1993neverallow { 1994 domain 1995 -fsck 1996 -init 1997 -installd 1998 -zygote 1999} mirror_data_file:dir *; 2000 2001# This property is being removed. Remove remaining access. 2002neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set; 2003neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read; 2004 2005# Only core domains are allowed to access package_manager properties 2006neverallow { domain -init -system_server } pm_prop:property_service set; 2007neverallow { domain -coredomain } pm_prop:file no_rw_file_perms; 2008 2009# Do not allow reading the last boot timestamp from system properties 2010neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms; 2011 2012# Allow ART to set its config properties in its oneshot boot service, in 2013# addition to the common init and vendor_init access. 2014neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set; 2015 2016# Kprobes should only be used by adb root 2017neverallow { domain -init -vendor_init } debugfs_kprobes:file *; 2018 2019# On TREBLE devices, most coredomains should not access vendor_files. 2020# TODO(b/71553434): Remove exceptions here. 2021full_treble_only(` 2022 neverallow { 2023 coredomain 2024 -appdomain 2025 -bootanim 2026 -crash_dump 2027 -heapprofd 2028 userdebug_or_eng(`-profcollectd') 2029 -init 2030 -kernel 2031 userdebug_or_eng(`-simpleperf_boot') 2032 -traced_perf 2033 -ueventd 2034 } vendor_file:file { no_w_file_perms no_x_file_perms open }; 2035') 2036 2037# Vendor domains are not permitted to initiate communications to core domain sockets 2038full_treble_only(` 2039 neverallow_establish_socket_comms({ 2040 domain 2041 -coredomain 2042 -appdomain 2043 -socket_between_core_and_vendor_violators 2044 }, { 2045 coredomain 2046 -logd # Logging by writing to logd Unix domain socket is public API 2047 -netd # netdomain needs this 2048 -mdnsd # netdomain needs this 2049 -prng_seeder # Any process using libcrypto needs this 2050 userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds 2051 -init 2052 -tombstoned # linker to tombstoned 2053 -heapprofd 2054 -traced 2055 -traced_perf 2056 }); 2057') 2058 2059full_treble_only(` 2060 # Do not allow system components access to /vendor files except for the 2061 # ones allowed here. 2062 neverallow { 2063 coredomain 2064 # TODO(b/37168747): clean up fwk access to /vendor 2065 -crash_dump 2066 -crosvm # loads vendor-specific disk images 2067 -init # starts vendor executables 2068 -kernel # loads /vendor/firmware 2069 -heapprofd 2070 userdebug_or_eng(`-profcollectd') 2071 -shell 2072 userdebug_or_eng(`-simpleperf_boot') 2073 -system_executes_vendor_violators 2074 -traced_perf # library/binary access for symbolization 2075 -ueventd # reads /vendor/ueventd.rc 2076 -vold # loads incremental fs driver 2077 } { 2078 vendor_file_type 2079 -same_process_hal_file 2080 -vendor_app_file 2081 -vendor_apex_file 2082 -vendor_apex_metadata_file 2083 -vendor_boot_ota_file 2084 -vendor_cgroup_desc_file 2085 -vendor_configs_file 2086 -vendor_microdroid_file 2087 -vendor_service_contexts_file 2088 -vendor_framework_file 2089 -vendor_idc_file 2090 -vendor_keychars_file 2091 -vendor_keylayout_file 2092 -vendor_overlay_file 2093 -vendor_public_framework_file 2094 -vendor_public_lib_file 2095 -vendor_task_profiles_file 2096 -vendor_uuid_mapping_config_file 2097 -vndk_sp_file 2098 -vendor_aconfig_storage_file 2099 }:file *; 2100') 2101 2102# mlsvendorcompat is only for compatibility support for older vendor 2103# images, and should not be granted to any domain in current policy. 2104# (Every domain is allowed self:fork, so this will trigger if the 2105# intsersection of domain & mlsvendorcompat is not empty.) 2106neverallow domain mlsvendorcompat:process fork; 2107 2108# Only init and otapreopt_chroot should be mounting filesystems on locations 2109# labeled system or vendor (/product and /vendor respectively). 2110neverallow { domain -dexopt_chroot_setup -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton; 2111 2112# Only allow init and vendor_init to read/write mm_events properties 2113# NOTE: dumpstate is allowed to read any system property 2114neverallow { 2115 domain 2116 -init 2117 -vendor_init 2118 -dumpstate 2119} mm_events_config_prop:file no_rw_file_perms; 2120 2121# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize 2122# kernel traces. Addresses are not disclosed, they are repalced with symbol 2123# names (if available). Traces don't disclose KASLR. 2124neverallow { 2125 domain 2126 -init 2127 userdebug_or_eng(`-profcollectd') 2128 -vendor_init 2129 userdebug_or_eng(`-simpleperf_boot') 2130 -traced_probes 2131 -traced_perf 2132} proc_kallsyms:file { open read }; 2133 2134# debugfs_kcov type is not included in this neverallow statement since the KCOV 2135# tool uses it for kernel fuzzing. 2136# vendor_modprobe is also exempted since the kernel modules it loads may create 2137# debugfs files in its context. 2138enforce_debugfs_restriction(` 2139 neverallow { 2140 domain 2141 -vendor_modprobe 2142 userdebug_or_eng(` 2143 -init 2144 -hal_dumpstate 2145 -incidentd 2146 ') 2147 } { debugfs_type 2148 userdebug_or_eng(`-debugfs_kcov') 2149 -tracefs_type 2150 }:file no_rw_file_perms; 2151') 2152 2153# Restrict write access to etm sysfs interface. 2154neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms; 2155 2156# Restrict CAP_PERFMON. 2157neverallow { 2158 domain 2159 -init 2160 -vendor_modprobe 2161 userdebug_or_eng(`-simpleperf_boot') 2162 -kernel 2163 -uprobestats 2164} self:capability2 perfmon; 2165 2166# Restrict direct access to shell owned files. The /data/local/tmp directory is 2167# untrustworthy, and non-allowed domains should not be trusting any content in 2168# those directories. We allow shell files to be passed around by file 2169# descriptor, but not directly opened. 2170# artd doesn't need to access /data/local/tmp, but it needs to access 2171# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary 2172# dex files. 2173neverallow { 2174 domain 2175 -adbd 2176 -appdomain 2177 -artd 2178 -dumpstate 2179 -installd 2180 userdebug_or_eng(`-uncrypt') 2181 userdebug_or_eng(`-virtualizationmanager') 2182 userdebug_or_eng(`-virtualizationservice') 2183 userdebug_or_eng(`-crosvm') 2184} shell_data_file:file open; 2185 2186# In addition to the symlink reading restrictions above, restrict 2187# write access to shell owned directories. The /data/local/tmp 2188# directory is untrustworthy, and non-allowed domains should 2189# not be trusting any content in those directories. 2190# artd doesn't need to access /data/local/tmp, but it needs to access 2191# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary 2192# dex files. 2193neverallow { 2194 domain 2195 -adbd 2196 -artd 2197 -dumpstate 2198 -installd 2199 -init 2200 -shell 2201 -vold 2202} shell_data_file:dir no_w_dir_perms; 2203 2204neverallow { 2205 domain 2206 -adbd 2207 -appdomain 2208 -artd 2209 -dumpstate 2210 -init 2211 -installd 2212 -simpleperf_app_runner 2213 -system_server # why? 2214 userdebug_or_eng(`-uncrypt') 2215} shell_data_file:dir open; 2216 2217neverallow { 2218 domain 2219 -adbd 2220 -appdomain 2221 -artd 2222 -dumpstate 2223 -init 2224 -installd 2225 -simpleperf_app_runner 2226 -system_server # why? 2227 userdebug_or_eng(`-uncrypt') 2228 userdebug_or_eng(`-virtualizationmanager') 2229 userdebug_or_eng(`-crosvm') 2230} shell_data_file:dir search; 2231 2232# respect system_app sandboxes 2233neverallow { 2234 domain 2235 -appdomain 2236 -artd # compile secondary dex files 2237 -system_server #populate com.android.providers.settings/databases/settings.db. 2238 -installd # creation of app sandbox 2239 -traced_probes # resolve inodes for i/o tracing. 2240 # only needs open and read, the rest is neverallow in 2241 # traced_probes.te. 2242} system_app_data_file:dir_file_class_set { create unlink open }; 2243neverallow { 2244 isolated_app_all 2245 ephemeral_app 2246 priv_app 2247 sdk_sandbox_all 2248 untrusted_app_all 2249} system_app_data_file:dir_file_class_set { create unlink open }; 2250 2251neverallow { domain -init } mtectrl:process { dyntransition transition }; 2252neverallow { domain -init } kcmdlinectrl:process { dyntransition transition }; 2253 2254# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin 2255neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *; 2256 2257neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton; 2258neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton; 2259 2260# Only init/vendor are allowed to write sysfs_pgsize_migration; 2261# ueventd needs write access to all sysfs files. 2262neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms; 2263 2264# We need to be able to rely on vsock labels, so disallow changing them. 2265neverallow domain *:vsock_socket { relabelfrom relabelto }; 2266