# ==============================================
# MTK Policy Rule
# ==============================================

# Rules for all domains.

# Do not allow access to the generic sysfs label. This is too broad.
# Instead, if access to part of sysfs is desired, it should have a
# more specific label.
full_treble_only(`
  # sysfs: the generic label must not be reachable through device, socket
  # or fifo nodes by any domain.
  neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;

  # No system-side (coredomain) domain may touch files under the generic
  # label. The exclusions are bounded individually below.
  neverallow {
    coredomain
    -apexd
    -init
    -ueventd
    -vold
  } sysfs:file *;

  # init, ueventd and vold may at most read, write, append, setattr and
  # relabel generic sysfs files.
  # NOTE(review): apexd is excluded from the blanket rule above, but no
  # rule in this block bounds what it may be granted on sysfs:file.
  neverallow {
    init
    ueventd
    vold
  } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };

  # Symlinks: read-only for everyone except init and ueventd, which may
  # additionally setattr and relabel them.
  neverallow ~{
    init
    ueventd
  } sysfs:lnk_file ~r_file_perms;

  neverallow {
    init
    ueventd
  } sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };

  # Directories: read-only for everyone except the four domains below,
  # which may additionally relabel, setattr and mount on them.
  neverallow ~{
    init
    otapreopt_chroot
    ueventd
    vendor_init
  } sysfs:dir ~r_dir_perms;

  neverallow {
    init
    otapreopt_chroot
    ueventd
    vendor_init
  } sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
')


# Do not allow access to the generic proc label. This is too broad.
# Instead, if access to part of proc is desired, it should have a
# more specific label.
# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
#
# r_dir_file(hal_audio, proc)
# hal_server_domain(mtk_hal_audio, hal_audio)
# hal_client_domain(audioserver, hal_audio)
#
full_treble_only(`
  # proc: the generic label must not be reachable through device, socket
  # or fifo nodes by any domain.
  neverallow * proc:{ chr_file blk_file sock_file fifo_file } *;

  # No coredomain may access generic proc files; the five exclusions are
  # bounded to read-only access below (see the TODO above this block).
  neverallow {
    coredomain
    -audioserver
    -bluetooth
    -init
    -system_server
    -vold
  } proc:file *;

  neverallow {
    audioserver
    bluetooth
    init
    system_server
    vold
  } proc:file ~r_file_perms;

  # vendor_init is bounded separately from the coredomain rule above.
  neverallow vendor_init proc:file ~{ read setattr map open };

  # Symlinks: coredomains may only read and getattr them; the four
  # exclusions get the full read permission set.
  neverallow {
    coredomain
    -audioserver
    -bluetooth
    -init
    -system_server
  } proc:lnk_file ~{ read getattr };

  neverallow {
    audioserver
    bluetooth
    init
    system_server
  } proc:lnk_file ~r_file_perms;

  # Directories: read and search only, plus setattr for init and
  # vendor_init.
  neverallow ~{
    init
    vendor_init
  } proc:dir ~{ r_file_perms search };

  neverallow {
    init
    vendor_init
  } proc:dir ~{ r_file_perms search setattr };
')


# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
full_treble_only(`
  # debugfs: the generic label must not be reachable through device,
  # socket or fifo nodes by any domain.
  neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;

  # Only dumpstate, init and vendor_init may access generic debugfs files,
  # each bounded by its own rule below.
  neverallow ~{
    dumpstate
    init
    vendor_init
  } debugfs:file *;

  neverallow dumpstate debugfs:file ~r_file_perms;

  neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };

  neverallow vendor_init debugfs:file ~{ read setattr open map };

  # Symlinks: only init, and only to getattr and relabel them.
  neverallow ~init debugfs:lnk_file *;

  neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };

  # Directories: search and getattr only, except init and vendor_init.
  # init may additionally mount on them in userdebug and eng builds.
  neverallow ~{
    init
    vendor_init
  } debugfs:dir ~{ search getattr };

  neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto userdebug_or_eng(`mounton') };

  neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
')


# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
# allow hal_drm system_data_file:file { getattr read };
# hal_server_domain(merged_hal_service, hal_drm)
#
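full_treble_only(`
  # system_data_file: device, socket and fifo nodes are off limits to
  # everyone except init, installd and system_server, each bounded below.
  neverallow ~{
    init
    installd
    system_server
  } system_data_file:{ chr_file blk_file sock_file fifo_file } *;

  neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };

  neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };

  neverallow installd system_data_file:{ chr_file blk_file } *;

  neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };

  neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;

  # Regular files: coredomains are read-only, except the domains excluded
  # here, which are bounded one by one below.
  neverallow {
    coredomain
    -appdomain
    -app_zygote
    -init
    -installd
    -iorap_prefetcherd
    -iorap_inode2filename
    -system_server
    -toolbox
    -vold
    -vold_prepare_subdirs
    with_asan(`-asan_extract')
  } system_data_file:file ~r_file_perms;

  neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };

  # init may create, read, write, map, relabel and unlink regular files.
  neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };

  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };

  neverallow iorap_inode2filename system_data_file:file ~getattr;

  neverallow iorap_prefetcherd system_data_file:file ~{ open read };

  # Narrows the media domains further, to read and getattr only.
  neverallow {
    mediadrmserver
    mediaextractor
    mediaserver
  } system_data_file:file ~{ read getattr };

  neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };

  neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };

  neverallow vold system_data_file:file ~read;

  with_asan(`
    neverallow asan_extract system_data_file:file ~{ create_file_perms relabelfrom execute };
  ')

  # Symlinks: getattr only, except the domains excluded here.
  # NOTE(review): vold and zygote are excluded from this rule, but no
  # later rule in this block bounds them on system_data_file:lnk_file.
  neverallow ~{
    appdomain
    app_zygote
    init
    installd
    iorap_prefetcherd
    iorap_inode2filename
    logd
    rs
    runas
    simpleperf_app_runner
    system_server
    tee
    vold
    webview_zygote
    with_asan(`asan_extract')
    zygote
  } system_data_file:lnk_file ~getattr;

  neverallow {
    appdomain
    app_zygote
    logd
    webview_zygote
  } system_data_file:lnk_file ~r_file_perms;

  neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };

  neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };

  neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };

  neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };

  neverallow rs system_data_file:lnk_file ~{ read };

  neverallow {
    runas
    simpleperf_app_runner
    tee
  } system_data_file:lnk_file ~{ read getattr };

  neverallow system_server system_data_file:lnk_file ~create_file_perms;

  with_asan(`
    neverallow asan_extract system_data_file:lnk_file ~create_file_perms;
  ')

  # Directories: search and getattr only, except the domains excluded here.
  # NOTE(review): vold_prepare_subdirs is excluded, but no later rule in
  # this block bounds it on system_data_file:dir.
  neverallow ~{
    artd
    apexd
    init
    installd
    iorap_prefetcherd
    iorap_inode2filename
    system_server
    toolbox
    traced_probes
    vold
    vold_prepare_subdirs
    with_asan(`asan_extract')
    zygote
  } system_data_file:dir ~{ search getattr };

  neverallow artd system_data_file:dir ~r_dir_perms;

  neverallow apexd system_data_file:dir ~r_dir_perms;

  neverallow init system_data_file:dir ~{
    create search getattr open read setattr ioctl
    mounton
    relabelto
    write add_name remove_name rmdir relabelfrom
  };

  neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };

  neverallow {
    iorap_prefetcherd
    iorap_inode2filename
    traced_probes
  } system_data_file:dir ~{ open read search getattr };

  neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };

  neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };

  neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };

  with_asan(`
    neverallow asan_extract system_data_file:dir ~{ create_dir_perms relabelfrom };
  ')

  neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
')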


# Do not allow access to the generic vendor_data_file label. This is
# too broad.
# Instead, if access to part of vendor_data_file is desired, it should
# have a more specific label.
full_treble_only(`
  # vendor_data_file: only init and vendor_init may access any file class
  # under the generic label; each class is bounded below.
  neverallow ~{
    init
    vendor_init
  } vendor_data_file:file_class_set *;

  neverallow {
    init
    vendor_init
  } vendor_data_file:{ chr_file blk_file } ~{ relabelto };

  neverallow {
    init
    vendor_init
  } vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };

  neverallow {
    init
    vendor_init
  } vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };

  neverallow {
    init
    vendor_init
  } vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };

  # Directories: getattr and search only, except init, vendor_init, vold
  # and vold_prepare_subdirs, each bounded below.
  neverallow ~{
    init
    vendor_init
    vold
    vold_prepare_subdirs
  } vendor_data_file:dir ~{ getattr search };

  neverallow {
    init
    vendor_init
  } vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };

  neverallow vold vendor_data_file:dir ~create_dir_perms;

  neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
')

# Do not allow access to the generic app_data_file label. This is too broad.
# Instead, if access to part of app_data_file is desired, it should have a
# more specific label.
# NOTE: the assertion below is commented out, so this file does not enforce
# the restriction described above.
#full_treble_only(`
# neverallow * app_data_file:dir_file_class_set *;
#')

# Do not allow access to the generic default_prop label. This is too broad.
# Instead, if access to part of default_prop is desired, it should have a
# more specific label.
# NOTE: the assertion below is commented out, so this file does not enforce
# the restriction described above.
#full_treble_only(`
# neverallow * default_prop:dir_file_class_set *;
#')

# Do not allow access to the generic vendor_default_prop label. This is
# too broad.
# Instead, if access to part of vendor_default_prop is desired, it should
# have a more specific label.
# NOTE: the assertion below is commented out, so this file does not enforce
# the restriction described above.
#full_treble_only(`
# neverallow * vendor_default_prop:dir_file_class_set *;
#')

# Do not allow access to the generic device label. This is too broad.
# Instead, if access to part of device is desired, it should have a
# more specific label.
# TODO: Remove hal_camera and so on once there are no violations.
#
# allow hal_camera device:dir r_dir_perms;
# hal_client_domain(cameraserver, hal_camera)
#
full_treble_only(`
  # device: socket and fifo nodes under the generic label are off limits
  # to every domain.
  neverallow * device:{ sock_file fifo_file } *;

  # Character devices: only init, shell, ueventd and vendor_init, each
  # bounded by its own rule below.
  neverallow ~{
    init
    shell
    ueventd
    vendor_init
  } device:chr_file *;

  neverallow { init vendor_init } device:chr_file ~setattr;

  neverallow shell device:chr_file ~getattr;

  neverallow ueventd device:chr_file ~{ getattr create setattr unlink };

  # Block devices: only the domains excluded here.
  # NOTE(review): apexd is excluded, but no rule in this block bounds it
  # on device:blk_file, whereas the socket_device block does bound apexd.
  neverallow ~{
    apexd
    dumpstate
    e2fs
    fsck
    fsck_untrusted
    init
    recovery
    shell
    ueventd
    vendor_init
  } device:blk_file *;

  neverallow {
    dumpstate
    e2fs
    fsck
    fsck_untrusted
    shell
    vendor_init
  } device:blk_file ~getattr;

  neverallow init device:blk_file ~r_file_perms;

  neverallow recovery device:blk_file ~rw_file_perms;

  neverallow ueventd device:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

  # Regular files: only init, vendor_init and ueventd, each bounded below.
  neverallow ~{
    init
    vendor_init
    ueventd
  } device:file *;

  neverallow init device:file ~{ create_file_perms relabelfrom };

  neverallow ueventd device:file ~create_file_perms;

  neverallow vendor_init device:file ~{ read setattr map open getattr };

  # Symlinks: read-only for everyone; init and vendor_init may also create
  # them, and ueventd may create and unlink them.
  neverallow ~{
    init
    vendor_init
    ueventd
  } device:lnk_file ~r_file_perms;

  neverallow { init vendor_init } device:lnk_file ~{ r_file_perms create };

  neverallow ueventd device:lnk_file ~{ r_file_perms create unlink };

  # Directories: coredomains may only search and getattr, apart from the
  # exclusions here. hal_camera is the temporary exclusion named in the
  # TODO above this block.
  # NOTE(review): apexd and otapreopt_chroot are excluded, but no later
  # device:dir rule in this block bounds them.
  neverallow {
    coredomain
    -apexd
    -cameraserver
    -fastbootd
    -hal_camera
    -init
    -otapreopt_chroot
    -recovery
    -shell
    -slideshow
    -system_server
    -vendor_init
    -vold
    -ueventd
  } device:dir ~{ search getattr };

  neverallow {
    cameraserver
    fastbootd
    hal_camera
    system_server
    shell
    slideshow
    recovery
  } device:dir ~r_dir_perms;

  neverallow init device:dir ~{ create_dir_perms mounton relabelto };

  neverallow vendor_init device:dir ~{ create_dir_perms mounton };

  neverallow vold device:dir ~{ search getattr write };

  neverallow ueventd device:dir ~create_dir_perms;
')

# Do not allow access to the generic socket_device label. This is too broad.
# Instead, if access to part of socket_device is desired, it should have a
# more specific label.
full_treble_only(`
  # socket_device: regular files, sockets and fifos under the generic
  # label are off limits to every domain.
  neverallow * socket_device:{ file sock_file fifo_file } *;

  # Character devices: only init, shell, ueventd and vendor_init, each
  # bounded by its own rule below.
  neverallow ~{
    init
    shell
    ueventd
    vendor_init
  } socket_device:chr_file *;

  neverallow {
    init
    vendor_init
  } socket_device:chr_file ~{ setattr };

  neverallow shell socket_device:chr_file ~{ getattr };

  neverallow ueventd socket_device:chr_file ~{ getattr create setattr unlink };

  # Block devices: only the domains excluded here; every one of them is
  # bounded below.
  neverallow ~{
    apexd
    dumpstate
    e2fs
    fsck
    fsck_untrusted
    init
    recovery
    shell
    ueventd
    vendor_init
  } socket_device:blk_file *;

  neverallow {
    apexd
    dumpstate
    e2fs
    fsck
    fsck_untrusted
    shell
    vendor_init
  } socket_device:blk_file ~getattr;

  neverallow init socket_device:blk_file ~r_file_perms;

  neverallow recovery socket_device:blk_file ~rw_file_perms;

  neverallow ueventd socket_device:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

  # Symlinks: read-only for everyone; init and vendor_init may also create
  # them, and ueventd may create and unlink them.
  neverallow ~{
    init
    ueventd
    vendor_init
  } socket_device:lnk_file ~r_file_perms;

  neverallow {
    init
    vendor_init
  } socket_device:lnk_file ~{ r_file_perms create };

  neverallow ueventd socket_device:lnk_file ~{ r_file_perms create unlink };

  # Directories: read-only for everyone; init additionally gets
  # create_dir_perms and relabelto, ueventd and vendor_init get
  # create_dir_perms.
  neverallow ~{
    init
    ueventd
    vendor_init
  } socket_device:dir ~r_dir_perms;

  neverallow init socket_device:dir ~{ create_dir_perms relabelto };

  neverallow {
    ueventd
    vendor_init
  } socket_device:dir ~create_dir_perms;
')

# Do not allow access to the generic block_device label. This is too broad.
# Instead, if access to part of block_device is desired, it should have a
# more specific label.
# NOTE: the assertion below is commented out, so this file does not enforce
# the restriction described above.
#full_treble_only(`
# neverallow * block_device:dir_file_class_set *;
#')

# Do not allow access to the generic bootdevice_block_device label. This is
# too broad.
# Instead, if access to part of bootdevice_block_device is desired, it should
# have a more specific label.
# NOTE: the assertion below is commented out, so this file does not enforce
# the restriction described above.
#full_treble_only(`
# neverallow * bootdevice_block_device:dir_file_class_set *;
#')