Google Git
Sign in
android / device / mediatek / wembley-sepolicy / refs/heads/android11-d1-s1-release / . / plat_public / domain.te
blob: 3feb68128f6596df0d247e6e45b09d4477a626e4 [file] [log] [blame]
# ==============================================
# MTK Policy Rule
# ==============================================
# Rules for all domains.
# Do not allow access to the generic sysfs label. This is too broad.
# Instead, if access to part of sysfs is desired, it should have a
# more specific label.
full_treble_only(`
neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;
neverallow {
coredomain
-init
-ueventd
-vold
} sysfs:file *;
neverallow {
init
ueventd
vold
} sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
neverallow ~{
init
ueventd
} sysfs:lnk_file ~r_file_perms;
neverallow {
init
ueventd
} sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };
neverallow ~{
init
ueventd
vendor_init
} sysfs:dir ~r_dir_perms;
neverallow {
init
ueventd
vendor_init
} sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
')
# Do not allow access to the generic proc label. This is too broad.
# Instead, if access to part of proc is desired, it should have a
# more specific label.
# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
#
# r_dir_file(hal_audio, proc)
# hal_server_domain(mtk_hal_audio, hal_audio)
# hal_client_domain(audioserver, hal_audio)
#
full_treble_only(`
neverallow * proc:{ chr_file blk_file sock_file fifo_file } *;
neverallow {
coredomain
-audioserver
-bluetooth
-init
-system_server
-vold
} proc:file *;
neverallow {
audioserver
bluetooth
init
system_server
vold
} proc:file ~r_file_perms;
neverallow vendor_init proc:file ~{ read setattr map open };
neverallow {
coredomain
-audioserver
-bluetooth
-init
-system_server
} proc:lnk_file ~{ read getattr };
neverallow {
audioserver
bluetooth
init
system_server
} proc:lnk_file ~r_file_perms;
neverallow ~{
init
vendor_init
} proc:dir ~{ r_file_perms search };
neverallow {
init
vendor_init
} proc:dir ~{ r_file_perms search setattr };
')
# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
full_treble_only(`
neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;
neverallow ~{
dumpstate
init
vendor_init
} debugfs:file *;
neverallow dumpstate debugfs:file ~r_file_perms;
neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };
neverallow vendor_init debugfs:file ~{ read setattr open map };
neverallow ~init debugfs:lnk_file *;
neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };
neverallow ~{
init
vendor_init
} debugfs:dir ~{ search getattr };
neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto };
neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
')
# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
# allow hal_drm system_data_file:file { getattr read };
# hal_server_domain(merged_hal_service, hal_drm)
#
full_treble_only(`
neverallow ~{
init
installd
system_server
} system_data_file:{ chr_file blk_file sock_file fifo_file } *;
neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
neverallow installd system_data_file:{ chr_file blk_file } *;
neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
neverallow {
coredomain
-appdomain
-app_zygote
-init
-installd
-iorap_prefetcherd
-iorap_inode2filename
-system_server
-toolbox
-vold
-vold_prepare_subdirs
} system_data_file:file ~r_file_perms;
neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
neverallow iorap_inode2filename system_data_file:file ~getattr;
neverallow iorap_prefetcherd system_data_file:file ~{ open read };
neverallow {
mediadrmserver
mediaextractor
mediaserver
} system_data_file:file ~{ read getattr };
neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
neverallow vold system_data_file:file ~read;
neverallow ~{
appdomain
app_zygote
init
installd
iorap_prefetcherd
iorap_inode2filename
logd
rs
runas
simpleperf_app_runner
system_server
tee
vold
webview_zygote
zygote
} system_data_file:lnk_file ~getattr;
neverallow {
appdomain
app_zygote
logd
webview_zygote
} system_data_file:lnk_file ~r_file_perms;
neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
neverallow rs system_data_file:lnk_file ~{ read };
neverallow {
runas
simpleperf_app_runner
tee
} system_data_file:lnk_file ~{ read getattr };
neverallow system_server system_data_file:lnk_file ~create_file_perms;
neverallow ~{
apexd
init
installd
iorap_prefetcherd
iorap_inode2filename
system_server
toolbox
traced_probes
vold
vold_prepare_subdirs
zygote
} system_data_file:dir ~{ search getattr };
neverallow apexd system_data_file:dir ~r_dir_perms;
neverallow init system_data_file:dir ~{
create search getattr open read setattr ioctl
mounton
relabelto
write add_name remove_name rmdir relabelfrom
};
neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
neverallow {
iorap_prefetcherd
iorap_inode2filename
traced_probes
} system_data_file:dir ~{ open read search getattr };
neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
')
# Do not allow access to the generic vendor_data_file label. This is
# too broad.
# Instead, if access to part of vendor_data_file is desired, it should
# have a more specific label.
full_treble_only(`
neverallow ~{
init
vendor_init
} vendor_data_file:file_class_set *;
neverallow {
init
vendor_init
} vendor_data_file:{ chr_file blk_file } ~{ relabelto };
neverallow {
init
vendor_init
} vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
neverallow {
init
vendor_init
} vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };
neverallow {
init
vendor_init
} vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };
neverallow ~{
init
vendor_init
vold
vold_prepare_subdirs
} vendor_data_file:dir ~{ getattr search };
neverallow {
init
vendor_init
} vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };
neverallow vold vendor_data_file:dir ~create_dir_perms;
neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
')
# Do not allow access to the generic app_data_file label. This is too broad.
# Instead, if access to part of app_data_file is desired, it should have a
# more specific label.
#neverallow * app_data_file:dir_file_class_set *;
# Do not allow access to the generic default_prop label. This is too broad.
# Instead, if access to part of default_prop is desired, it should have a
# more specific label.
#neverallow * default_prop:dir_file_class_set *;
# Do not allow access to the generic vendor_default_prop label. This is
# too broad.
# Instead, if access to part of vendor_default_prop is desired, it should
# have a more specific label.
#neverallow * vendor_default_prop:dir_file_class_set *;
# Do not allow access to the generic device label. This is too broad.
# Instead, if access to part of device is desired, it should have a
# more specific label.
#neverallow * device:dir_file_class_set *;
# Do not allow access to the generic socket_device label. This is too broad.
# Instead, if access to part of socket_device is desired, it should have a
# more specific label.
#neverallow * socket_device:dir_file_class_set *;
# Do not allow access to the generic block_device label. This is too broad.
# Instead, if access to part of block_device is desired, it should have a
# more specific label.
#neverallow * block_device:dir_file_class_set *;
# Do not allow access to the generic bootdevice_block_device label. This is
# too broad.
# Instead, if access to part of bootdevice_block_device is desired, it should
# have a more specific label.
#neverallow * bootdevice_block_device:dir_file_class_set *;