blob: 8dd8c8983e0db4edba28d222365b4d6e566d11a1 [file] [log] [blame]
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# See private/crash_dump.te
define(`dumpable_domain',`{
domain
-apexd
-bpfloader
-crash_dump
-crosvm # TODO(b/236672526): Remove exception for crosvm
-init
-kernel
-keystore
-llkd
-logd
-ueventd
-vendor_init
-vold
}')
# Allow heap profiling by heapprofd.
# Zygotes are excluded due to potential issues with holding open file
# descriptors or other state across forks. Other exclusions conflict with
# neverallows, and are not considered important to profile.
can_profile_heap({
dumpable_domain
-app_zygote
-hal_configstore_server
-logpersist
-recovery
-recovery_persist
-recovery_refresh
-webview_zygote
-zygote
})
# Allow profiling using perf_event_open by traced_perf.
can_profile_perf({
dumpable_domain
-app_zygote
-hal_configstore_server
-webview_zygote
-zygote
})
# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);
# Everyone can access the fuse list of features.
r_dir_file(domain, sysfs_fs_fuse_features);
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)
# Read access to bq configuration values
get_prop(domain, bq_config_prop);
# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);
# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process), and MTE bootloader override to be
# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
get_prop(domain, device_config_runtime_native_boot_prop);
get_prop(domain, device_config_runtime_native_prop);
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
# DO NOT ADD ANY PROPERTIES HERE
get_prop(domain, core_property_type)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
get_prop({coredomain appdomain shell}, core_property_type)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_log_prop)
get_prop({coredomain shell}, userspace_reboot_test_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
# Public readable properties
get_prop(domain, aaudio_config_prop)
get_prop(domain, apexd_select_prop)
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
get_prop(domain, build_vendor_prop)
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, fingerprint_prop)
get_prop(domain, framework_status_prop)
get_prop(domain, gwp_asan_prop)
get_prop(domain, hal_instrumentation_prop)
get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, locale_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, timezone_prop)
get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
get_prop(domain, vts_config_prop)
# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
get_prop(domain, binder_cache_telephony_server_prop)
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
userdebug_or_eng(`
allow domain su:key search;
')
# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
# Allow all processes to read the file_logger property that liblog uses to check if file_logger
# should be used.
get_prop(domain, log_file_logger_prop)
# Allow all processes to connect to PRNG seeder daemon.
unix_socket_connect(domain, prng_seeder, prng_seeder)
# Allow calls to system(3), popen(3), ...
allow {
domain
# Except domains that explicitly neverallow it.
-kernel
-init
-vendor_init
-app_zygote
-webview_zygote
-system_server
-artd
-audioserver
-cameraserver
-mediadrmserver
-mediaextractor
-mediametrics
-mediaserver
-mediatuner
-mediatranscoding
-ueventd
-hal_audio_server
-hal_camera_server
-hal_cas_server
-hal_codec2_server
-hal_configstore_server
-hal_drm_server
-hal_omx_server
} {shell_exec toolbox_exec}:file rx_file_perms;
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
domain
userdebug_or_eng(`-domain') # exclude debuggable builds
-fastbootd
-hal_bootctl_server
-init
-uncrypt
-update_engine
-vendor_init
-vendor_misc_writer
-vold
-recovery
-ueventd
-mtectrl
-misctrl
-kcmdlinectrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
userdebug_or_eng(`-llkd')
-dumpstate
userdebug_or_eng(`-incidentd')
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
neverallow {
domain
-init
-vendor_init
userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
neverallow {
domain
-init
-system_server
userdebug_or_eng(`-dumpstate')
} dropbox_data_file:dir *;
neverallow {
domain
-init
-system_server
userdebug_or_eng(`-dumpstate')
} dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
# Only the following processes should be directly accessing private app
# directories.
neverallow {
domain
-adbd
-appdomain
-app_zygote
-artd # compile secondary dex files
-dexoptanalyzer
-installd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
-system_server
-viewcompiler
-zygote
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
neverallow {
domain
-appdomain
-app_zygote
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
neverallow {
domain
-artd # compile secondary dex files
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
neverallow {
domain
-init
-system_server
-apexd
-installd
-priv_app
-virtualizationmanager
} staging_data_file:dir *;
neverallow {
domain
-init
-system_app
-system_server
-apexd
-adbd
-kernel
-installd
-priv_app
-shell
-virtualizationmanager
-crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
{ append create relabelfrom rename setattr write no_x_file_perms };
neverallow {
domain
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
neverallow {
domain
-appdomain
with_asan(`-asan_extract')
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
-app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
} {
file_type
-system_file_type
-system_lib_file
-system_linker_exec
-vendor_file_type
-exec_type
-postinstall_file
}:file execute;
# Only init is allowed to write cgroup.rc file
neverallow {
domain
-init
-vendor_init
} cgroup_rc_file:file no_w_file_perms;
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
-init # TODO: limit init to relabelfrom for files
-zygote
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-otapreopt_slot
-artd
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
domain
-init
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-zygote
-otapreopt_slot
-artd
} dalvikcache_data_file:dir no_w_dir_perms;
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
neverallow {
domain
# art-related processes
-composd
-compos_fd_server
-odrefresh
-odsign
# others
-apexd
-init
-vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;
neverallow {
domain
# art-related processes
-composd
-compos_fd_server
-odrefresh
-odsign
# others
-apexd
-init
-vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;
# Protect most domains from executing arbitrary content from /data.
neverallow {
domain
-appdomain
} {
data_file_type
-apex_art_data_file
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
apexd
artd
dnsmasq
dumpstate
init
installd
userdebug_or_eng(`llkd')
lmkd
migrate_legacy_obb_data
netd
postinstall_dexopt
recovery
rss_hwm_reset
sdcardd
tee
ueventd
uncrypt
vendor_init
vold
vold_prepare_subdirs
zygote
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
traced_perf
traced_probes
heapprofd
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
neverallow {
domain
-apexd
recovery_only(`-fastbootd')
-init
-kernel
-otapreopt_chroot
-recovery
-update_engine
-vold
-zygote
} { fs_type
-sdcard_type
-fusefs_type
}:filesystem { mount remount relabelfrom relabelto };
enforce_debugfs_restriction(`
neverallow {
domain userdebug_or_eng(`-init')
} { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
-kernel
-gsid
-init
-recovery
-ueventd
-uncrypt
-tee
-hal_bootctl_server
-fastbootd
} self:global_capability_class_set sys_rawio;
# Limit directory operations that doesn't need to do app data isolation.
neverallow {
domain
-fsck
-init
-installd
-zygote
} mirror_data_file:dir *;
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
# Allow ART to set its config properties in its oneshot boot service, in
# addition to the common init and vendor_init access.
neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
full_treble_only(`
neverallow {
coredomain
-appdomain
-bootanim
-crash_dump
-heapprofd
userdebug_or_eng(`-profcollectd')
-init
-kernel
userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
# Vendor domains are not permitted to initiate communications to core domain sockets
full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
-appdomain
-socket_between_core_and_vendor_violators
}, {
coredomain
-logd # Logging by writing to logd Unix domain socket is public API
-netd # netdomain needs this
-mdnsd # netdomain needs this
-prng_seeder # Any process using libcrypto needs this
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
-heapprofd
-traced
-traced_perf
});
')
full_treble_only(`
# Do not allow system components access to /vendor files except for the
# ones allowed here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
-crosvm # loads vendor-specific disk images
-init # starts vendor executables
-kernel # loads /vendor/firmware
-heapprofd
userdebug_or_eng(`-profcollectd')
-shell
userdebug_or_eng(`-simpleperf_boot')
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
-vold # loads incremental fs driver
} {
vendor_file_type
-same_process_hal_file
-vendor_app_file
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
-vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
-vendor_keychars_file
-vendor_keylayout_file
-vendor_overlay_file
-vendor_public_framework_file
-vendor_public_lib_file
-vendor_task_profiles_file
-vendor_uuid_mapping_config_file
-vndk_sp_file
-vendor_aconfig_storage_file
}:file *;
')
# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intsersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;
# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
neverallow {
domain
-init
-vendor_init
-dumpstate
} mm_events_config_prop:file no_rw_file_perms;
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are repalced with symbol
# names (if available). Traces don't disclose KASLR.
neverallow {
domain
-init
userdebug_or_eng(`-profcollectd')
-vendor_init
userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
enforce_debugfs_restriction(`
neverallow {
domain
-vendor_modprobe
userdebug_or_eng(`
-init
-hal_dumpstate
-incidentd
')
} { debugfs_type
userdebug_or_eng(`-debugfs_kcov')
-tracefs_type
}:file no_rw_file_perms;
')
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
# Restrict CAP_PERFMON.
neverallow {
domain
-init
-vendor_modprobe
userdebug_or_eng(`-simpleperf_boot')
-kernel
-uprobestats
} self:capability2 perfmon;
# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice')
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
neverallow {
domain
-adbd
-artd
-dumpstate
-installd
-init
-shell
-vold
} shell_data_file:dir no_w_dir_perms;
neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-init
-installd
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
} shell_data_file:dir open;
neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-init
-installd
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm')
} shell_data_file:dir search;
# respect system_app sandboxes
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read, the rest is neverallow in
# traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow {
isolated_app_all
ephemeral_app
priv_app
sdk_sandbox_all
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow { domain -init } mtectrl:process { dyntransition transition };
neverallow { domain -init } kcmdlinectrl:process { dyntransition transition };
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
# Do not allow write access to aconfig flag value files except init and aconfigd
neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir *;
neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;