private/domain.te - platform/system/sepolicy - Git at Google

 # Transition to crash_dump when /system/bin/crash_dump* is executed.
 # This occurs when the process crashes.
 # We do not apply this to the su domain to avoid interfering with
 # tests (b/114136122)
 domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;

 # Allow every process to check the heapprofd.enable properties to determine
 # whether to load the heap profiling library. This does not necessarily enable
 # heap profiling, as initialization will fail if it does not have the
 # necessary SELinux permissions.
 get_prop(domain, heapprofd_prop);
 # Allow heap profiling on debug builds.
 userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
   domain
   -bpfloader
   -init
   -kernel
   -keystore
   -llkd
   -logd
   -ueventd
   -vendor_init
   -vold
 })')

 # Path resolution access in cgroups.
 allow domain cgroup:dir search;
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;

 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;

 # Allow all domains to read sys.use_memfd to determine
 # if memfd support can be used if device supports it
 get_prop(domain, use_memfd_prop);

 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
     get_prop(domain, core_property_type)
     get_prop(domain, exported_dalvik_prop)
     get_prop(domain, exported_ffs_prop)
     get_prop(domain, exported_system_radio_prop)
     get_prop(domain, exported2_config_prop)
     get_prop(domain, exported2_radio_prop)
     get_prop(domain, exported2_system_prop)
     get_prop(domain, exported2_vold_prop)
     get_prop(domain, exported3_default_prop)
     get_prop(domain, exported3_radio_prop)
     get_prop(domain, exported3_system_prop)
     get_prop(domain, vendor_default_prop)
 ')
 compatible_property_only(`
     get_prop({coredomain appdomain shell}, core_property_type)
     get_prop({coredomain appdomain shell}, exported_dalvik_prop)
     get_prop({coredomain appdomain shell}, exported_ffs_prop)
     get_prop({coredomain appdomain shell}, exported_system_radio_prop)
     get_prop({coredomain appdomain shell}, exported2_config_prop)
     get_prop({coredomain appdomain shell}, exported2_radio_prop)
     get_prop({coredomain appdomain shell}, exported2_system_prop)
     get_prop({coredomain appdomain shell}, exported2_vold_prop)
     get_prop({coredomain appdomain shell}, exported3_default_prop)
     get_prop({coredomain appdomain shell}, exported3_radio_prop)
     get_prop({coredomain appdomain shell}, exported3_system_prop)
     get_prop({domain -coredomain -appdomain}, vendor_default_prop)
 ')

 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
   domain
   -vold
   userdebug_or_eng(`-llkd')
   -dumpstate
   userdebug_or_eng(`-incidentd')
   -storaged
   -system_server
   userdebug_or_eng(`-perfprofd')
 } self:global_capability_class_set sys_ptrace;

 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;

 neverallow {
   domain
   -init
   -vendor_init
   userdebug_or_eng(`-domain')
 } debugfs_tracing_debug:file no_rw_file_perms;

 # System_server owns dropbox data, and init creates/restorecons the directory
 # Disallow direct access by other processes.
 neverallow { domain -init -system_server } dropbox_data_file:dir *;
 neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };

 ###
 # Services should respect app sandboxes
 neverallow {
   domain
   -appdomain
   -installd # creation of sandbox
 } { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

 # Only the following processes should be directly accessing private app
 # directories.
 neverallow {
   domain
   -adbd
   -appdomain
   -app_zygote
   -dexoptanalyzer
   -installd
   userdebug_or_eng(`-perfprofd')
   -profman
   -rs # spawned by appdomain, so carryover the exception above
   -runas
   -system_server
   -viewcompiler
 } { privapp_data_file app_data_file }:dir *;

 # Only apps should be modifying app data. installd is exempted for
 # restorecon and package install/uninstall.
 neverallow {
   domain
   -appdomain
   -installd
   -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:dir ~r_dir_perms;

 neverallow {
   domain
   -appdomain
   -app_zygote
   -installd
   userdebug_or_eng(`-perfprofd')
   -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:file_class_set open;

 neverallow {
   domain
   -appdomain
   -installd # creation of sandbox
 } { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

 neverallow {
   domain
   -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

 # The staging directory contains APEX and APK files. It is important to ensure
 # that these files cannot be accessed by other domains to ensure that the files
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
 neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
 neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.
 neverallow { domain -init -system_server } staging_data_file:file
   { append create relabelfrom rename setattr write no_x_file_perms };

 neverallow {
     domain
     -appdomain # for oemfs
     -bootanim # for oemfs
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;

 #
 # Assert that, to the extent possible, we're not loading executable content from
 # outside the rootfs or /system partition except for a few whitelisted domains.
 # Executable files loaded from /data is a persistence vector
 # we want to avoid. See
 # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 #
 neverallow {
     domain
     -appdomain
     with_asan(`-asan_extract')
     -shell
     userdebug_or_eng(`-su')
     -system_server_startup # for memfd backed executable regions
     -app_zygote
     -webview_zygote
     -zygote
     userdebug_or_eng(`-mediaextractor')
     userdebug_or_eng(`-mediaswcodec')
 } {
     file_type
     -system_file_type
     -system_lib_file
     -system_linker_exec
     -vendor_file_type
     -exec_type
     -postinstall_file
 }:file execute;

 # Only init is allowed to write cgroup.rc file
 neverallow {
   domain
   -init
   -vendor_init
 } cgroup_rc_file:file no_w_file_perms;
	# Transition to crash_dump when /system/bin/crash_dump* is executed.
	# This occurs when the process crashes.
	# We do not apply this to the su domain to avoid interfering with
	# tests (b/114136122)
	domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
	allow domain crash_dump:process sigchld;

	# Allow every process to check the heapprofd.enable properties to determine
	# whether to load the heap profiling library. This does not necessarily enable
	# heap profiling, as initialization will fail if it does not have the
	# necessary SELinux permissions.
	get_prop(domain, heapprofd_prop);
	# Allow heap profiling on debug builds.
	userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
	domain
	-bpfloader
	-init
	-kernel
	-keystore
	-llkd
	-logd
	-ueventd
	-vendor_init
	-vold
	})')

	# Path resolution access in cgroups.
	allow domain cgroup:dir search;
	allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
	allow { domain -appdomain -rs } cgroup:file w_file_perms;

	allow domain cgroup_rc_file:dir search;
	allow domain cgroup_rc_file:file r_file_perms;
	allow domain task_profiles_file:file r_file_perms;

	# Allow all domains to read sys.use_memfd to determine
	# if memfd support can be used if device supports it
	get_prop(domain, use_memfd_prop);

	# For now, everyone can access core property files
	# Device specific properties are not granted by default
	not_compatible_property(`
	get_prop(domain, core_property_type)
	get_prop(domain, exported_dalvik_prop)
	get_prop(domain, exported_ffs_prop)
	get_prop(domain, exported_system_radio_prop)
	get_prop(domain, exported2_config_prop)
	get_prop(domain, exported2_radio_prop)
	get_prop(domain, exported2_system_prop)
	get_prop(domain, exported2_vold_prop)
	get_prop(domain, exported3_default_prop)
	get_prop(domain, exported3_radio_prop)
	get_prop(domain, exported3_system_prop)
	get_prop(domain, vendor_default_prop)
	')
	compatible_property_only(`
	get_prop({coredomain appdomain shell}, core_property_type)
	get_prop({coredomain appdomain shell}, exported_dalvik_prop)
	get_prop({coredomain appdomain shell}, exported_ffs_prop)
	get_prop({coredomain appdomain shell}, exported_system_radio_prop)
	get_prop({coredomain appdomain shell}, exported2_config_prop)
	get_prop({coredomain appdomain shell}, exported2_radio_prop)
	get_prop({coredomain appdomain shell}, exported2_system_prop)
	get_prop({coredomain appdomain shell}, exported2_vold_prop)
	get_prop({coredomain appdomain shell}, exported3_default_prop)
	get_prop({coredomain appdomain shell}, exported3_radio_prop)
	get_prop({coredomain appdomain shell}, exported3_system_prop)
	get_prop({domain -coredomain -appdomain}, vendor_default_prop)
	')

	# Limit ability to ptrace or read sensitive /proc/pid files of processes
	# with other UIDs to these whitelisted domains.
	neverallow {
	domain
	-vold
	userdebug_or_eng(`-llkd')
	-dumpstate
	userdebug_or_eng(`-incidentd')
	-storaged
	-system_server
	userdebug_or_eng(`-perfprofd')
	} self:global_capability_class_set sys_ptrace;

	# Limit ability to generate hardware unique device ID attestations to priv_apps
	neverallow { domain -priv_app } *:keystore_key gen_unique_id;

	neverallow {
	domain
	-init
	-vendor_init
	userdebug_or_eng(`-domain')
	} debugfs_tracing_debug:file no_rw_file_perms;

	# System_server owns dropbox data, and init creates/restorecons the directory
	# Disallow direct access by other processes.
	neverallow { domain -init -system_server } dropbox_data_file:dir *;
	neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };

	###
	# Services should respect app sandboxes
	neverallow {
	domain
	-appdomain
	-installd # creation of sandbox
	} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

	# Only the following processes should be directly accessing private app
	# directories.
	neverallow {
	domain
	-adbd
	-appdomain
	-app_zygote
	-dexoptanalyzer
	-installd
	userdebug_or_eng(`-perfprofd')
	-profman
	-rs # spawned by appdomain, so carryover the exception above
	-runas
	-system_server
	-viewcompiler
	} { privapp_data_file app_data_file }:dir *;

	# Only apps should be modifying app data. installd is exempted for
	# restorecon and package install/uninstall.
	neverallow {
	domain
	-appdomain
	-installd
	-rs # spawned by appdomain, so carryover the exception above
	} { privapp_data_file app_data_file }:dir ~r_dir_perms;

	neverallow {
	domain
	-appdomain
	-app_zygote
	-installd
	userdebug_or_eng(`-perfprofd')
	-rs # spawned by appdomain, so carryover the exception above
	} { privapp_data_file app_data_file }:file_class_set open;

	neverallow {
	domain
	-appdomain
	-installd # creation of sandbox
	} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

	neverallow {
	domain
	-installd
	} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

	# The staging directory contains APEX and APK files. It is important to ensure
	# that these files cannot be accessed by other domains to ensure that the files
	# do not change between system_server staging the files and apexd processing
	# the files.
	neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
	neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
	neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
	# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
	# except for `link` and `unlink`.
	neverallow { domain -init -system_server } staging_data_file:file
	{ append create relabelfrom rename setattr write no_x_file_perms };

	neverallow {
	domain
	-appdomain # for oemfs
	-bootanim # for oemfs
	-recovery # for /tmp/update_binary in tmpfs
	} { fs_type -rootfs }:file execute;

	#
	# Assert that, to the extent possible, we're not loading executable content from
	# outside the rootfs or /system partition except for a few whitelisted domains.
	# Executable files loaded from /data is a persistence vector
	# we want to avoid. See
	# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
	#
	neverallow {
	domain
	-appdomain
	with_asan(`-asan_extract')
	-shell
	userdebug_or_eng(`-su')
	-system_server_startup # for memfd backed executable regions
	-app_zygote
	-webview_zygote
	-zygote
	userdebug_or_eng(`-mediaextractor')
	userdebug_or_eng(`-mediaswcodec')
	} {
	file_type
	-system_file_type
	-system_lib_file
	-system_linker_exec
	-vendor_file_type
	-exec_type
	-postinstall_file
	}:file execute;

	# Only init is allowed to write cgroup.rc file
	neverallow {
	domain
	-init
	-vendor_init
	} cgroup_rc_file:file no_w_file_perms;