private/domain.te - platform/system/sepolicy - Git at Google

 # Transition to crash_dump when /system/bin/crash_dump* is executed.
 # This occurs when the process crashes.
 domain_auto_trans(domain, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;

 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
   domain
   -vold
   -dumpstate
   -storaged
   -system_server
   userdebug_or_eng(`-perfprofd')
 } self:global_capability_class_set sys_ptrace;

 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;

 # Core domains are not permitted to use kernel interfaces which are not
 # explicitly labeled.
 # TODO(b/65643247): Apply these neverallow rules to all coredomain.
 full_treble_only(`
   # /proc
   neverallow {
     coredomain
     -dumpstate
     -platform_app
     -priv_app
     -system_app
     -vold
     -vendor_init
   } proc:file no_rw_file_perms;

   # /sys
   neverallow {
     coredomain
     -dumpstate
     -init
     -priv_app
     -system_app
     -ueventd
     -vold
     -vendor_init
   } sysfs:file no_rw_file_perms;

   # /dev
   neverallow {
     coredomain
     -fsck
     -init
     -shell
     -ueventd
     -vendor_init
   } device:{ blk_file file } no_rw_file_perms;

   # debugfs
   neverallow {
     coredomain
     -dumpstate
     -init
     -system_server
     -vendor_init
   } debugfs:file no_rw_file_perms;

   # tracefs
   neverallow {
     coredomain
     userdebug_or_eng(`-atrace')
     -dumpstate
     -init
     userdebug_or_eng(`-perfprofd')
     userdebug_or_eng(`-traced_probes')
     -shell
     userdebug_or_eng(`-traceur_app')
     -vendor_init
   } debugfs_tracing:file no_rw_file_perms;

   # inotifyfs
   neverallow {
     coredomain
     -init
     -vendor_init
   } inotify:file no_rw_file_perms;

   # pstorefs
   neverallow {
     coredomain
     -bootstat
     -charger
     -dumpstate
     -healthd
     -init
     -logd
     -logpersist
     -recovery_persist
     -recovery_refresh
     -shell
     -system_server
     -vendor_init
   } pstorefs:file no_rw_file_perms;

   # configfs
   neverallow {
     coredomain
     -init
     -system_server
     -vendor_init
   } configfs:file no_rw_file_perms;

   # functionfs
   neverallow {
     coredomain
     -adbd
     -init
     -mediaprovider
     -vendor_init
   }functionfs:file no_rw_file_perms;

   # usbfs and binfmt_miscfs
   neverallow {
     coredomain
     -init
     -vendor_init
   }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
	# Transition to crash_dump when /system/bin/crash_dump* is executed.
	# This occurs when the process crashes.
	domain_auto_trans(domain, crash_dump_exec, crash_dump);
	allow domain crash_dump:process sigchld;

	# Limit ability to ptrace or read sensitive /proc/pid files of processes
	# with other UIDs to these whitelisted domains.
	neverallow {
	domain
	-vold
	-dumpstate
	-storaged
	-system_server
	userdebug_or_eng(`-perfprofd')
	} self:global_capability_class_set sys_ptrace;

	# Limit ability to generate hardware unique device ID attestations to priv_apps
	neverallow { domain -priv_app } *:keystore_key gen_unique_id;

	# Core domains are not permitted to use kernel interfaces which are not
	# explicitly labeled.
	# TODO(b/65643247): Apply these neverallow rules to all coredomain.
	full_treble_only(`
	# /proc
	neverallow {
	coredomain
	-dumpstate
	-platform_app
	-priv_app
	-system_app
	-vold
	-vendor_init
	} proc:file no_rw_file_perms;

	# /sys
	neverallow {
	coredomain
	-dumpstate
	-init
	-priv_app
	-system_app
	-ueventd
	-vold
	-vendor_init
	} sysfs:file no_rw_file_perms;

	# /dev
	neverallow {
	coredomain
	-fsck
	-init
	-shell
	-ueventd
	-vendor_init
	} device:{ blk_file file } no_rw_file_perms;

	# debugfs
	neverallow {
	coredomain
	-dumpstate
	-init
	-system_server
	-vendor_init
	} debugfs:file no_rw_file_perms;

	# tracefs
	neverallow {
	coredomain
	userdebug_or_eng(`-atrace')
	-dumpstate
	-init
	userdebug_or_eng(`-perfprofd')
	userdebug_or_eng(`-traced_probes')
	-shell
	userdebug_or_eng(`-traceur_app')
	-vendor_init
	} debugfs_tracing:file no_rw_file_perms;

	# inotifyfs
	neverallow {
	coredomain
	-init
	-vendor_init
	} inotify:file no_rw_file_perms;

	# pstorefs
	neverallow {
	coredomain
	-bootstat
	-charger
	-dumpstate
	-healthd
	-init
	-logd
	-logpersist
	-recovery_persist
	-recovery_refresh
	-shell
	-system_server
	-vendor_init
	} pstorefs:file no_rw_file_perms;

	# configfs
	neverallow {
	coredomain
	-init
	-system_server
	-vendor_init
	} configfs:file no_rw_file_perms;

	# functionfs
	neverallow {
	coredomain
	-adbd
	-init
	-mediaprovider
	-vendor_init
	}functionfs:file no_rw_file_perms;

	# usbfs and binfmt_miscfs
	neverallow {
	coredomain
	-init
	-vendor_init
	}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
	')